
CIFS and Data Domain Systems

Tech Note

Applications Engineering
Data Domain LLC
2421 Mission College Boulevard, Santa Clara, CA 95054
866-WE-DDUPE; 408-980-4800
Version 1 Revision B
July 11, 2011
Data Domain Proprietary and Confidential

Copyright 2011 EMC Corporation. All Rights Reserved.


EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC
CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND
SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication
requires an applicable software license.
EMC, Data Domain, and Global Compression are registered trademarks or trademarks of
EMC Corporation in the United States and/or other countries.
All other trademarks used herein are the property of their respective owners.

EMC Data Domain expects users to customize installation of third-party software for use
at a particular site, but EMC Data Domain is not responsible for the usability of
third-party software after installation.
This document covers the following topics:
- Related Documents
- Information Relating to all CIFS Backup Servers
- Windows 2000/2003 Backup Servers
- Windows NT Backup Servers
- CIFS Access to the system
- User Setup for Active Directory and Domain Authentication
- Setup on a Data Domain System
- Setup Legato NetWorker
- Restrictions and Limitations
- Best Practices for Replication in a CIFS Environment


Related Documents
Data Domain Documents
The Documentation page at https://my.datadomain.com/documentation provides
access to three categories of documents that are related to use of Data Domain products:

- End user documents, under Product Documentation.
- Documents about how to integrate Data Domain systems with third-party backup
  applications, under Integration Documentation.
- Matrices that show which components are compatible with each other, under
  Compatibility Matrices.

View Data Domain documents

1. Log into the support portal at: https://my.datadomain.com/documentation.
2. To view user documents, click Product Documentation and then perform the
   following steps:
   a. Select the Data Domain model from the Platform list and click View.
   b. On the row for the correct Data Domain operating system (DD OS) version, click
      View under Documentation.
   c. Click the desired title.
3. To view integration-related documents, perform the following steps:
   a. Click Integration Documentation.
   b. Select the vendor from the Vendor menu.
   c. Select the desired title from the list and click View.
4. To view compatibility matrices, perform the following steps:
   a. Click Compatibility Matrices.
   b. Select the desired title from the Product menu and click View.


Information Relating to all CIFS Backup Servers


- Internal activities on a Data Domain system can take longer than the default CIFS
  timeout, leading to an error message from the media server. The message is similar to
  "Network name no longer existed". Change the SESSTIMEOUT value from the default of
  45 seconds to 3600 (one hour). (2478.)

  See the following web page for background information:
  http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp&NoWebContent=1

  - Open REGEDT32 and navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
  - If the SESSTIMEOUT key does not exist, click in the right panel and select New and
    DWORD value. Create a new DWORD Value, SESSTIMEOUT. Note: The registry is
    case sensitive. Use all caps for the new DWORD name.
  - Double-click the new (or existing) DWORD Value.
  - Click the Decimal button and then, in the Base box, set the DWORD value to 3600.

- With CIFS configured for Active Directory mode, be sure that the realm is fully
  qualified. For example: domain_name.yourcompany.com *. The domain name alone
  does not allow connectivity. Use the cifs show config command to check the realm
  entry. Use the cifs set authentication command to reset the realm.

Windows 2000/2003 Backup Servers


Note: If Windows NT is used anywhere in the backup environment, do not use the
values given in this section. With Windows NT, use the values given in Windows NT
Backup Servers.
1. Open REGEDT32 and navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
2. Add a new DWORD value named DefaultSendWindow and set the value to 262144
   (decimal).
3. Add a new DWORD value named DefaultReceiveWindow and set the value to
   262144 (decimal).
4. Within REGEDT32, navigate to the following location:
   HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\Tcpip\Parameters\Interfaces
5. A list of randomly generated NIC IDs appears under INTERFACES.
   a. If you know which interface is active, add a new DWORD value named
      TCPWindowSize and set the value to 262144 (Decimal).
   b. If you do not know which interface is active, add a new DWORD value named
      TCPWindowSize in each listed interface and set each value to 262144 (Decimal).

6. Within REGEDT32, navigate to the following location:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
7. Add a new DWORD value named GlobalMaxTcpWindowSize and set the value to
   262144 (decimal).
8. Add a new DWORD value named TcpWindowSize and set the value to 262144
   (decimal).

9. Add a new DWORD value named Tcp1323Opts and set the value to 3.
10. Restart the Windows server.
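
A read-only check of the values set above, including SESSTIMEOUT from the previous section and TCPWindowSize under every interface key. This is an added example, not part of the tech note; it assumes PowerShell 3.0 or later is available on the backup server, and the function name Test-RegistryValue is hypothetical.

```powershell
# Added example: read-only audit of the registry values this tech note sets on a
# Windows 2000/2003 backup server. Assumes PowerShell 3.0+; writes nothing.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$window   = 262144   # window size given in the Windows 2000/2003 section

# Key paths, value names, and decimal targets come from the tech note.
$checks = @(
    @{ Path = "$services\lanmanworkstation\parameters"; Name = 'SESSTIMEOUT';            Want = 3600 }
    @{ Path = "$services\AFD\Parameters";               Name = 'DefaultSendWindow';      Want = $window }
    @{ Path = "$services\AFD\Parameters";               Name = 'DefaultReceiveWindow';   Want = $window }
    @{ Path = "$services\Tcpip\Parameters";             Name = 'GlobalMaxTcpWindowSize'; Want = $window }
    @{ Path = "$services\Tcpip\Parameters";             Name = 'TcpWindowSize';          Want = $window }
    @{ Path = "$services\Tcpip\Parameters";             Name = 'Tcp1323Opts';            Want = 3 }
)

# Step 5b: when the active NIC is unknown, every interface key gets TCPWindowSize,
# so every interface key is checked.
$checks += @(Get-ChildItem "$services\Tcpip\Parameters\Interfaces" | ForEach-Object {
    @{ Path = $_.PSPath; Name = 'TCPWindowSize'; Want = $window }
})

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Want)
    $actual = $null
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        $status = 'MISSING'
    } elseif ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The note calls for DWORD values; a string holding "3600" is not one.
        $actual = $key.GetValue($Name)
        $status = 'WRONG TYPE'
    } else {
        $actual = $key.GetValue($Name)
        $status = if ($actual -eq $Want) { 'OK' } else { 'DIFFERS' }
    }
    [pscustomobject]@{
        Key    = $Path -replace '^.*\\Services\\', ''
        Value  = $Name
        Want   = $Want
        Actual = $actual
        Status = $status
    }
}

# One row per expected value; anything other than OK needs a second look.
$report = foreach ($c in $checks) { Test-RegistryValue @c }
$report | Format-Table -AutoSize
```

Rows reported as MISSING, WRONG TYPE, or DIFFERS identify the steps to revisit before the restart in step 10.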

Windows NT Backup Servers


1. Edit the registry and navigate to the following location:
   HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\Tcpip\Parameters\Interfaces
2. A list of randomly generated NIC IDs appears under INTERFACES.
   a. If you know which interface is active, add a new DWORD value named
      TcpWindowSize and set the value to 65536 (Decimal).
   b. If you do not know which interface is active, add a new DWORD value named
      TcpWindowSize in each listed interface and set each value to 65536 (Decimal).
3. Navigate to the following location:
   HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\Tcpip\Parameters
4. Add a new DWORD value named GlobalMaxTcpWindowSize and set the value to
   65536 (decimal).
5. Add a new DWORD value named TcpWindowSize and set the value to 65536
   (decimal).

6. Add a new DWORD value named Tcp1323Opts and set the value to 3.
7. Restart the Windows server.

CIFS Access to the system


Note: All files on a system are owned by the UNIX user root. A CIFS administrative user
cannot be mapped to root and can never have all root permissions. Permissions changes
made to /backup or /ddvar from a CIFS administrative account may cause unexpected
limitations in access to the system and may not be reversible from the CIFS account.
The CIFS section of the config setup process on the system has already created two shares
on the system: /backup and /ddvar. All Windows-based backup packages use
/backup and should also use a sub-directory under /backup.
Note: With a system using Data Domain 1.x software: If you do not completely configure
CIFS the first time that you use config setup, do not use config setup to complete the
configuration. Use the cifs command to complete or change the CIFS configuration.

User Setup for Active Directory and Domain Authentication

The user account on a Data Domain system that is used for access from a Windows
domain controller can be either an administrative account (an account on the system with
admin privilege) or a non-administrative account.

- With either an administrative or non-administrative account, delete the account in the
  original domain if the system is moved to another domain.
- For an administrative account, all necessary permissions are available with no setup
  needed beyond creating the account on both the system and in the Windows domain.
- For non-administrative accounts, follow the steps in the rest of this section before
  using the cifs set authentication command or the config setup process on the system.

Setting up accounts for Active Directory and Domain authentication

Follow the steps in this sub-section for both Active Directory and Domain setups. Active
Directory setups require more steps that are detailed in the next sub-section.
For new accounts on a Windows 2000 domain controller:
1. On the Windows server, click Start .. Programs .. Administrative Tools .. Active
   Directory Users and Computers.
2. Right click an existing container to which you want to add the system.
3. Select New .. Computer.
4. Enter a name in the Computer name field.
5. Select Change.
6. Select the user or group. For example, the group might be backup.
7. Click OK.

Setting up new accounts on a Windows 2003 domain controller


1. On the Windows server, click Start .. Programs .. Administrative Tools .. Active
   Directory Users and Computers.
2. Right click an existing container to which you want to add the system.
3. Select New .. Computer.
4. Enter a name in the Computer name field.
5. Select Change.
6. Put the cursor in the window labeled Enter the object name to select and enter a user
   or group key word or part of a name.
7. Click Check Names to bring up a list with all names that contain the key word.
8. Select a name from the list.
9. Click OK on the Multiple Names Found window.
10. Click OK on the Select User or Group window.
11. Click OK on the <name> Properties window.
12. Click Next on the New Object - Computer window.
13. With no changes, click Next on the Managed window.
14. Click Finish.

Set necessary permissions, Windows 2000


For existing accounts on a Windows 2000 domain controller, set the necessary
permissions:
1. On the Windows server, click Start .. Programs .. Administrative Tools .. Active
   Directory Users and Computers.
2. From the View menu, select Advanced Features.
3. Select the computer account to edit.
4. Double click on the domain.
5. Double click on Computers.
6. Right click the account and select Properties.
7. Select the Security tab.
8. Select Add.
9. Add the following permissions:
   - Reset Password
   - Validated write to DNS host name
   - Validated write to service principal name
   - Write Account Restrictions
10. Click OK.

Set necessary permissions, Windows 2003


For existing accounts on a Windows 2003 domain controller, set the necessary
permissions:
1. On the Windows server, click Start .. Programs .. Administrative Tools .. Active
   Directory Users and Computers.
2. From the View menu, select Advanced Features.
3. Select the computer account to edit.
4. Double click on the domain.
5. Double click on Computers.
6. Right click the account and select Properties.
7. Select the Security tab.
8. Select from the Group or user names list.
9. Select Add.
10. Add the following permissions:
    - Reset Password
    - Validated write to DNS host name
    - Validated write to service principal name
    - Write Account Restrictions
11. Click OK.

Further steps for Active Directory authentication


For Active Directory authentication, the account needs more permissions than given in
the previous steps. On the existing account for either Windows 2000 or Windows 2003,
take the actions detailed in one of the following bullets:

- For less secure sites, include the Write permission. The account then has all write
  permissions. See the procedures above for adding permissions to existing accounts.
- For sites with security policies that do not allow all write permissions, add the
  following specific write permissions. See the procedures above for adding
  permissions to existing accounts.
  - Write dNSHostName
  - Write Operating System
  - Write Operating System Version
  - Write servicePrincipalName
  - Write userPrincipalName

Setup on a Data Domain System


On the system, set the CIFS option maxxmit value to 65536:
# cifs option set maxxmit 65536

Setting up CIFS with Active Directory authentication differs depending on whether or
not the site is using a WINS server.

With a WINS server


Run the config setup command, enter Active Directory for authentication and give the
name of a WINS server.


With no WINS server


At a site with no WINS server, setting up Active Directory authentication depends on
whether or not anyone has already run the config setup command.
If config setup has not been run on the system:
1. Create a NetBIOS name on the system.
cifs set nb-hostname netbiosname
2. Run the config setup command and enter Active Directory for authentication.
3. Wait for a couple of minutes for the domain controllers to sync up.
4. Disable and enable CIFS on the system.
cifs disable
cifs enable

If the config setup command was run before creating a NetBIOS name on the system or if
the domain controller for any other reason already has an entry for the system in the
Active Directory User list:
1. On the Data Domain controller, delete the system hostname from the Active
   Directory Users list.
2. On the system, use the cifs show config command to check for a NetBIOS name on the
   system.
3. If the system has no NetBIOS name, create a NetBIOS name on the system:
   cifs set nb-hostname netbiosname
4. On the system, set the authentication mode to active directory:
   cifs set authentication active directory realm

5. Wait for a couple of minutes for the domain controllers to sync up.
6. Disable and enable CIFS on the system.
cifs disable
cifs enable

A reminder from the help page for the cifs command: The system must meet all active
directory requirements, such as a clock time that is no more than five minutes different
than the domain controller.

Setup Veritas NetBackup


1. On the backup server, create a new storage unit with a Type of disk (not disk staging).
   For the Absolute pathname to directory, specify the backup share. For example:
   \\rstr01\backup
2. Leave the maximum fragment size at the default.
3. Increase maximum concurrent jobs to 10 or more.
4. Use this storage unit in a new or existing Policy.

NetBackup versions 4.5 or earlier:


1. Check for the following two entries under %VERITAS_HOME%\NETBACKUP\DB\CONFIG.
   If either or both do not exist, create them and enter the values given
   below. If the entries do exist, make sure that the values are at least as high as the
   values given below. The entries and values are:
   a. SIZE_DATA_BUFFERS with a value of at least 262144 (which is 256K bytes).
      However, the value should not exceed the maximum tape I/O size supported by
      the tape drives or operating system.
   b. NUMBER_DATA_BUFFERS with a value of at least 16. Note that the entries are
      used globally by NetBackup version 4 and below for tape and disk drives. The
      entries degrade performance with tape drives.

NetBackup version 5 and later


Using NetBackup version 5 and later, disks have specific entries that do not affect tape
performance:
1. Check for the following two entries under %VERITAS_HOME%\NETBACKUP\DB\CONFIG.
   If either or both do not exist, create them and enter the values given
   below. If the entries do exist, make sure that the values are at least as high as the
   values given below. The entries and values are:
   a. SIZE_DATA_BUFFERS_DISK with a value of at least 262144 (256K bytes).
      However, the value should not exceed the maximum tape I/O size supported by
      the tape drives or operating system.
   b. NUMBER_DATA_BUFFERS_DISK with a value of at least 16.

NetBackup with Windows 2000 and 2003


Consider the following for tuning clients and the media server when using NetBackup
version 4.5 and above with Windows 2000 and Windows 2003. Go to the next section of
this document if using Windows NT anywhere in the backup environment.
1. Increase the network buffer size of the client. On the client, use regedt32. Go to
   HKEY_LOCAL_MACHINE\Software\Veritas\NetBackup\CurrentVersion\Config.
2. Add or modify the Buffer_Size value, a REG_DWORD value, to 0x20, which is
   equivalent to 128.
3. On the media server, add the following file, which improves communication between
   clients and the media server. In the file, enter a single line with the value 131072.
   VERITAS uses the file for rsize and wsize over the network.
   %VERITAS_HOME%\NETBACKUP\NET_BUFFER_SZ

NetBackup with Windows NT


Consider the following for tuning clients and the media server when using Windows NT
anywhere in the backup environment:
1. Increase the network buffer size of the client. On the client, use regedt32. Go to
   HKEY_LOCAL_MACHINE\Software\Veritas\NetBackup\CurrentVersion\Config.
2. Add or modify the Buffer_Size value, a REG_DWORD value, to 0x20, which is
   equivalent to 128.
3. On the media server, add the following file, which improves communication between
   clients and the media server. In the file, enter a single line with the value 65536.
   VERITAS uses the file for rsize and wsize over the network.
   %VERITAS_HOME%\NETBACKUP\NET_BUFFER_SZ

Display disk performance


The VERITAS utility bpbkar32 gauges the disk performance of a NetBackup client (or
media server that also has client software installed).
1. Use the utility to determine whether or not the client (or media server) is the
   performance bottleneck. Before using the command, create a log directory for the
   command output. The location and directory name are:
   %VERITAS_HOME%\NETBACKUP\LOGS\bpbkar
2. Initialize the command by opening the NetBackup GUI and going to NetBackup
   Management, Host Properties, and Clients. Click on the client name and select
   Logging.
3. Set the parameters as needed.
   The command and syntax are:
   %VERITAS_HOME%\NETBACKUP\BIN\bpbkar32 -nocont filepath > NUL 2> NUL
   The filepath is the path to the data to read for the test.
4. View the resulting performance statistics in the bpbkar debug log file or use a
   stopwatch to time the operation and manually calculate the performance statistics.

Defragment disks
The Windows defragmenter utility can improve disk performance. Find the utility under
Start, Settings, Administrative Tools, Computer Management, Disk Defragmenter.

Setup Legato NetWorker


The CIFS section of config setup has already created two shares on the system: /backup
and /ddvar. NetWorker uses /backup. The system supports only NetWorker 7.x and
above.
1. Install NetWorker from a user account that is in either the Domain Administrators or
   Backup Operators group. The account name:
   - Must start with an alpha character.
   - In Data Domain software versions 2.0.1.0 and later, can include only alpha and
     numeric characters and the underbar ( _ ), exclamation point (!), and dollar sign
     ($).
   - Can have the dollar sign only as the last character.
2. Add the system in NetWorker as an adv_file device.
3. Run the NetWorker service from the same user account that you used for NetWorker
   installation.
4. On the backup server create a new NetWorker media device.
   a. The Name is the path to the share. For example: \\rstr01\backup
   b. The device type is adv_file.
   c. On the Miscellaneous tab, set the Ndmp box to No and for Remote user and
      Password, use the same account used for NetWorker installation.
5. Do a NetWorker Label operation for the new device.
6. Do a NetWorker Mount operation for the new device.
7. A recommendation for NetWorker configuration is to set the auto mount feature.
   With the feature set, if the system is not mounted when a request that involves the
   system comes into the backup server, then the system is automatically mounted.
   a. Open the NetWorker console.
   b. Go to Devices and select the system.
   c. Select Details for the device.
   d. Click the checkbox for Auto media management, which by default is not set.

Restrictions and Limitations


Limit the number of files, including directories, in a directory to 1000. Any more than this
can lead to undesired behavior from the application's perspective, for example, timeouts
and operational failures.

Best Practices for Replication in a CIFS Environment


When possible, set up both the originator and the replica in the same workgroup or
domain. When both are in the same domain, Data Domain recommends that users who
access either system also be in the same domain as the originator and replica.
When the originator and replica are in the same workgroup or domain, replicated files
always have the correct CIFS ownership. The user account that backs up files to the
originator can access the replica directly from a Windows client (media server).
When the originator and replica are not using the same authentication mode or domain,
some restrictions apply:

1. Originator in a workgroup, replica in a domain (including an Active Directory
   domain):
   Files owned by ORIGINATOR\user on the originator are owned by REPLICA\user
   on the replica because when the originator is in Workgroup mode, the password
   database from the originator is copied to the replica. Files are not owned by the
   DOMAIN\user, which has a different user ID than the workgroup
   ORIGINATOR\user whose ID is copied to the replica. The DOMAIN\user cannot
   access files on the replica if permissions on the replica are set to owner-readable only.

2. The originator and the replica are in the same domain, but a user from a different
   (and trusted) domain does the backup; or, the originator and the replica are in
   different domains:
   The same user may be mapped to different system user IDs on the originator and on
   the replica and, as the originator is not in Workgroup mode, the password database is
   not copied to the replica. When ownership is different on the replica, the
   DOMAIN\user that wrote files to the originator cannot access the files on the replica
   if the default, world-readable permissions are changed.
   The DOMAIN\user is able to log in to the replica using the domain/active directory
   password and can access all files if the files have default, world-readable permissions.

3. Originator in a domain, replica in a workgroup:
   This mode has the same limitations as #1 above; in addition, domain users are not
   honored by a system in workgroup mode. A DOMAIN\user cannot log in to the replica,
   so a new REPLICA\user has to be created to allow access.

For all of above situations, recovery from a replica to an originator can be done in the
same way. If recovery is done over a network, set up the originator (the recovery target)
authentication mode or domain to match the replica (the recovery source). After the
recovery, change the originator authentication mode or domain back to the previous
setting. If recovery to an originator is done offline with tape, make sure that the same
backup user that did the original backup to the originator is used by the backup software
that does the recovery.
