I am all behind that theory. Also there is a Windows Storage Server option....
http://www.microsoft.com/windowsserversystem/wpnas/default.mspx

Like I said in another note, the big thing with using products that emulate Windows is that they will always lag when Microsoft updates something, and in some cases that could critically impact the functioning of your company. The example I like to give is: some serious hole comes out that you have to patch or risk being compromised by a worm-type exploit that is released 3 days (or even 3 weeks) after the patch, and the NAS product you are using breaks with the new fix, and the vendor is promising a 100-day delivery of a fix and can't even seem to hit 100-day time frames. I think this will always be the case when there is a disjoint between the vendor/product doing the authentication/authorization and the vendor/product doing the data storage. They are too tightly coupled, and have to be, for the security you need for your data. If the crap wasn't important, you wouldn't be saving it. That means it has to be secured well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, May 18, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: EMC Celerra (was: [ActiveDir] FATAL kerberos error on W2K3 server)

While we are not running Celerra (thank goodness), when we implemented our SAN, our Dell rep told us we could connect our Dell NAS box to the SAN for added storage. When I asked why we would want to do that, I never got a good answer. Personally I prefer to run Windows as the file server. It is one less OS I need to keep up with and the performance meets our needs.

Denny

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: EMC Celerra (was: [ActiveDir] FATAL kerberos error on W2K3 server)

:) I wish I could get a clue-by-four for some of the folks where I am. They talk about cost cutting while we put this thing in.
Cost savings is apparently not an issue. If you could just bottle and sell some of the wisdom that caused that step back and rethink, let me know. I have a willing market somewhere close by...

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, May 18, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: EMC Celerra (was: [ActiveDir] FATAL kerberos error on W2K3 server)

The lease is up on our Celerra, and we are shipping it back. We are replacing it with two Win2K3 DL380s connected to an EMC SAN. Why? Because when we stepped back and looked at the bigger picture, we realized that what little benefit the Celerra provided just wasn't worth the added complexity.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 17, 2004 11:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

EMC seems to have several issues. Some of them are:

- Handling of disjoint namespaces. If you don't have a disjoint namespace you don't have to worry about that one. Issues with it were the join process, the SPN writing (they don't write the correct SPNs) and the dNSHostName attribute (they write the wrong value).
- They don't handle SMB signing or signed secure channels. You need to disable those policies.
- Requires domain admin for a join, i.e. you can't delegate the join process to your storage admins. Initially they didn't support delegated join at all. Now they do; however, the only group that has admin rights after the join is the Domain Admins group, so they have to modify the group anyway.
- I haven't looked at the schema mods they want to make for at least a year, but when I last saw them they were ridiculous. They were creating a separate object for every single user, which is not right (so every user had 2 objects in AD). Luckily you can run without those mods.
I actually put together a paper in March of last year with something like 15 issues, but my biggest concern is the 100-day promise from EMC. They seem to have issues hitting it. That promise is that when something needs to be changed, they modify the code within 100 days. The question I always ask is: if MS makes a security change that adversely impacts EMC but must be deployed to the DCs due to a security hole that is in the process of being slammed by worms/viruses, do you compromise the security of your domain or do you kill your storage? I have seen first hand in production some Celerras stop authenticating when SP2 was applied. This was a while ago but shows the possible impact. The solution until the frames could be upgraded was to hold the data on W2K servers with internal disk.

joe

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 17, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Care to expand on the comment about the EMC Celerra below?? We just recently 'upgraded' from NetApp frames to several EMCs. We had our domain upgrade to W2K3 scheduled for last fall, but it was put on hold until the EMC boxes would even support a W2K3 domain. Our Storage team has recently upgraded the frames to the EMC OS version DART 5.2 and have proclaimed them ready to handle the updated domain (with blessings from EMC of course). Now I am even more leery about this being a seamless update!!! Should I be worried??

mark

"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/17/2004 05:43 PM
Please respond to [EMAIL PROTECTED]

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

A disjoint namespace is when your machines don't have a domain suffix the same as the AD domain. For instance, let's say I decide to incorporate joeware and set up offices around the country and run everything from the AD domain joeware.net.
I have two options for the setup...

1. Take the MS default, and every single machine everywhere in the country has a domain suffix of joeware.net because they are part of the AD domain, joeware.net.
2. Choose to use geographic logical domain suffixes for the machines like sanfran.joeware.net, newyork.joeware.net, atlanta.joeware.net, miami.joeware.net, orlando.joeware.net, deanshouse.joeware.net, dallas.joeware.net, kalaheo.joeware.net. Now all of those machines would be in the joeware.net domain but would have a disjoint on the DNS domain suffix.

This is fully supported by Active Directory / Windows. Various programs have various levels of support for it due to <ahem> lack of testing on the part of the developers/vendors. If you use 2, you may have to modify permissions in Active Directory so that the machines can properly register their dNSHostName and servicePrincipalName. If they don't have that permission, the machines will not have correct SPNs and Kerberos can choke. Actually EMC has a nice issue with that right now with the Celerras. Domain controllers don't have the problem because the LocalSystem account of a DC can write whatever the heck it wants to write in AD.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Hmmmm... I don't see any disjoint namespace... but I don't know what you mean by "proper permissions are not set on the computer object". But I've actually taken responsibility and done dcpromo now... so far everything looks normal... Maybe it was a netdiag bug? [I hope it was!]

Thanks for input.

Lana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Do you have a disjoint namespace?
I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly. The UDP/TCP thing Al mentioned is a good thought too, but usually when that is occurring you will see some hellacious slowdowns, like logons taking 30-40 minutes when they normally go fast. I have seen this occur when a Cisco CSM was throwing away fragmented Kerberos packets because of too many group memberships, and I have seen it when a NIC had bad configurations for (I think) max frame size.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server

Hello,

I wonder if anyone has seen this before: W2K Active Directory, a few W2K3 member servers. All of them display a Kerberos error message when running the netdiag Kerberos test:

"[FATAL] Kerberos does not have a ticket for host/domain.com"

I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Ran Kerbtray - all tickets seem to be there. DC list test and all the rest of the netdiag tests - "passed". Also some of the W2K3 servers are happily running applications with no problems. The intention is to make a W2K3 domain controller, but with this kind of error it seems a little risky, unless this is a "feature by design" in W2K3...
Thanks in advance for any ideas shared

Lana

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
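Added example, not part of any post in the thread above: a PowerShell check for the disjoint-namespace condition joe describes, where a member server's DNS suffix differs from the AD domain and the machine is not allowed to write its own dNSHostName and SPNs, so the KDC never has a host/ ticket for the name the server really uses. The script reads the computer object over plain ADSI/LDAP (no ActiveDirectory module required), compares dNSHostName and the two HOST SPNs Windows normally registers against the host's real name, and then reports what the machine's own identity (SELF, S-1-5-10) may write on the object. The -ComputerName and -DnsSuffix parameters are yours to supply; the four GUIDs are the schema identifiers of the two validated-write extended rights and the two attributes (verify against your own schema if in doubt); msDS-AllowedDNSSuffixes exists only on W2K3 domain heads and is simply empty elsewhere. Deny ACEs are ignored.

```powershell
<#
  Added example (not from the thread): audit one computer object for the disjoint-
  namespace failure. Assumes a domain-joined host with LDAP read access to the object.
#>
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # sAMAccountName without the trailing $
    [Parameter(Mandatory)] [string] $DnsSuffix       # primary DNS suffix the host actually uses
)

# GUIDs from the AD schema; check them against your own schema if in doubt.
$ValidatedDnsHostName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn         = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN
$AttrDnsHostName      = [Guid]'72e39546-7b18-11d1-adef-00c04fd8d5cd'  # dNSHostName attribute
$AttrSpn              = [Guid]'f3a64789-5306-11d1-a9c5-0000f80367c1'  # servicePrincipalName attribute
$SelfSid              = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
$WriteProp            = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ValidatedWrite       = [System.DirectoryServices.ActiveDirectoryRights]::Self

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainNC  = [string]$rootDse.defaultNamingContext
$domainObj = [ADSI]"LDAP://$domainNC"
# The validated write compares the suffix against the AD domain's DNS name...
$domainDns = (($domainNC -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
# ...or, on a W2K3 domain head, against msDS-AllowedDNSSuffixes (empty on W2K, which lacks it).
$allowedSuffixes = @($domainObj.Properties['msDS-AllowedDNSSuffixes'] | ForEach-Object { "$_" })

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainObj)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName', 'servicePrincipalName'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "No computer object '$ComputerName`$' found under $domainNC" }

$dn           = [string]($hit.Properties['distinguishedname'] | Select-Object -First 1)
$dnsHostName  = [string]($hit.Properties['dnshostname']       | Select-Object -First 1)
$spns         = @($hit.Properties['serviceprincipalname'] | ForEach-Object { "$_" })
$expectedFqdn = "$ComputerName.$DnsSuffix"
$expectedSpns = @("HOST/$expectedFqdn", "HOST/$($ComputerName.ToUpper())")   # the two SPNs Windows registers
$disjoint     = $DnsSuffix -ine $domainDns
$suffixOk     = (-not $disjoint) -or ($allowedSuffixes -icontains $DnsSuffix)

"Computer object      : $dn"
"dNSHostName          : '$dnsHostName' (host really is $expectedFqdn)"
if ($dnsHostName -ine $expectedFqdn) { "  MISMATCH: dNSHostName does not match the host's real FQDN" }
foreach ($spn in $expectedSpns) {
    if ($spns -inotcontains $spn) { "  MISSING SPN: $spn (the KDC cannot issue a ticket for this name)" }
}
"DNS suffix           : $DnsSuffix (AD domain $domainDns; disjoint = $disjoint; accepted by validated write = $suffixOk)"

# What may the machine itself write? The default ACL gives SELF only the two *validated*
# writes: they reject a dNSHostName whose suffix is not accepted, and any SPN whose host
# part does not match dNSHostName or sAMAccountName. A disjoint suffix therefore needs either
# the suffix listed in msDS-AllowedDNSSuffixes or a real Write Property grant on the attributes.
$dnsFull = $dnsValidated = $spnFull = $spnValidated = $false
$acl   = ([ADSI]"LDAP://$dn").ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.IdentityReference -eq $SelfSid -and $_.AccessControlType -eq 'Allow' }
foreach ($r in $rules) {
    $anyProp = $r.ObjectType -eq [Guid]::Empty          # ACE covers all properties / all rights
    if (($r.ActiveDirectoryRights -band $WriteProp) -ne 0) {
        if ($anyProp -or $r.ObjectType -eq $AttrDnsHostName) { $dnsFull = $true }
        if ($anyProp -or $r.ObjectType -eq $AttrSpn)         { $spnFull = $true }
    }
    if (($r.ActiveDirectoryRights -band $ValidatedWrite) -ne 0) {
        if ($anyProp -or $r.ObjectType -eq $ValidatedDnsHostName) { $dnsValidated = $true }
        if ($anyProp -or $r.ObjectType -eq $ValidatedSpn)         { $spnValidated = $true }
    }
}
"SELF on dNSHostName          : write = $dnsFull, validated write = $dnsValidated"
"SELF on servicePrincipalName : write = $spnFull, validated write = $spnValidated"
if (-not $suffixOk -and -not $dnsFull) {
    "  ACTION: grant SELF 'Write dNSHostName' on the object (dsacls / ADSI Edit),"
    "          or add $DnsSuffix to msDS-AllowedDNSSuffixes on $domainNC (W2K3 domain)"
}
if (-not $spnFull -and $dnsHostName -ine $expectedFqdn) {
    "  ACTION: while dNSHostName is wrong the validated SPN write rejects HOST/$expectedFqdn;"
    "          fix dNSHostName first, or grant SELF 'Write servicePrincipalName'"
}
```

Run it as `.\Check-DisjointSpn.ps1 -ComputerName SRV01 -DnsSuffix sanfran.joeware.net` (file name and values are illustrative). A domain controller never trips this check because, as joe notes, its LocalSystem context can write whatever it likes in AD; a member server or a NAS head that emulates one depends entirely on what SELF is granted, which is why the script reports the write and validated-write grants separately.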
