
NetApp University

CIFS Administration on
Data ONTAP 7.3
Exercise Guide

NetApp University - Do not distribute or duplicate

NETAPP UNIVERSITY

CIFS Administration on Data ONTAP 7.3


Version Number: Version 5.0
Release Number: Release 7.3
Course Number: STRSW-ED-ILT-CIFSAD-REV03
Catalog Number: STRSW-ED-ILT-CIFSAD-REV03-EG


ATTENTION
The information contained in this guide is intended for training use only. This guide contains information
and activities that, while beneficial for the purposes of training in a closed, non-production environment,
can result in downtime or other severe consequences and therefore are not intended as a reference guide.
This guide is not a technical reference and should not, under any circumstances, be used in production
environments. To obtain reference materials, please refer to the NetApp product documentation located
at www.now.com for product information.

COPYRIGHT
2008 NetApp. All rights reserved. Printed in the U.S.A. Specifications subject to change
without notice.
No part of this book covered by copyright may be reproduced in any form or by any means (graphic,
electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval
system) without prior written permission of the copyright owner.
NetApp reserves the right to change any products described herein at any time and without notice.
NetApp assumes no responsibility or liability arising from the use of products or materials described
herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product or
materials does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of NetApp.
The product described in this manual may be protected by one or more U.S. patents, foreign patents,
or pending applications.

RESTRICTED RIGHTS LEGEND


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7103
(October 1988) and FAR 52-227-19 (June 1987).

TRADEMARK INFORMATION
NetApp, the NetApp logo, and Go further, faster, FAServer, NearStore, NetCache, WAFL, DataFabric,
FilerView, SecureShare, SnapManager, SnapMirror, SnapRestore, SnapVault, Spinnaker Networks,
the Spinnaker Networks logo, SpinAccess, SpinCluster, SpinFS, SpinHA, SpinMove, SpinServer, and
SpinStor are registered trademarks of Network Appliance, Inc. in the United States and other countries.
Network Appliance, Data ONTAP, ApplianceWatch, BareMetal, Center-to-Edge, ContentDirector, gFiler,
MultiStore, SecureAdmin, Smart SAN, SnapCache, SnapDrive, SnapMover, Snapshot, vFiler, Web Filer,
SpinAV, SpinManager, SpinMirror, and SpinShot are trademarks of NetApp, Inc. in the United States and/or
other countries.
Apple is a registered trademark and QuickTime is a trademark of Apple Computer, Inc. in the United States
and/or other countries.
Microsoft is a registered trademark and Windows Media is a trademark of Microsoft Corporation in the
United States and/or other countries.
RealAudio, RealNetworks, RealPlayer, RealSystem, RealText, and RealVideo are registered trademarks
and RealMedia, RealProxy, and SureStream are trademarks of RealNetworks, Inc. in the United States
and/or other countries.
All other brands or products are trademarks or registered trademarks of their respective holders and should
be treated as such.
NetApp is a licensee of the CompactFlash and CF Logo trademarks.


CIFS Administration on Data ONTAP 7.3: M00_Welcome_Exercise

2008 NetApp. This material is intended for training use only. Not authorized for re-production purposes.


EXERCISE & ANSWER TABLE OF CONTENTS


MODULE 1: OVERVIEW
MODULE 2: WORKGROUPS
MODULE 3: SHARES AND SESSIONS
MODULE 4: ACCESS CONTROL
MODULE 5: DOMAINS
MODULE 6: ADVANCED ADMINISTRATION
MODULE 7: PERFORMANCE
MODULE 8: TROUBLESHOOTING
MODULE 9: APPENDIX A: ANSWER KEY
MODULE 10: APPENDIX B: SIMULATOR INSTALLATION


Overview


MODULE 1: OVERVIEW

Exercise
Module 1: CIFS Overview
Estimated Time: 15-60 minutes

EXERCISE
NOTE: This lab normally takes only 15 minutes. However, if you don't have an appropriate
storage system environment, the lab will refer you to Appendix B for instructions on how to set
up a Data ONTAP simulator. Setting up the simulator may take up to 60 minutes.

EXERCISE: EXPLORING THE EXERCISE ENVIRONMENT


OVERVIEW

The goal of this exercise is to give you an opportunity to explore the current exercise environment
with the instructor's assistance. If you do not have a storage system environment, you will then be
redirected to Appendix B for the simulator setup.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Identify all the essential components of your exercise environment

TIME ESTIMATE

15 Minutes


Check Your Understanding

• In a network, which two abilities does a Windows client user require?
• What is the difference between authentication and authorization?
• What are the three types of storage system CIFS service environments?
• What is the purpose of a name resolution server?
• What kind of information is kept in the directory that the domain controller stores and maintains?
• In a Windows domain, how does a storage system authenticate users?
• In a non-Windows workgroup, how does a storage system authenticate users?

TASK I: EXPLORING THE EXERCISE ENVIRONMENT


This task will familiarize you with the exercise environment that you will use for all future
exercises. If you don't have an appropriate storage system environment, see Appendix B for the
steps required to set up the Data ONTAP simulator.
START OF EXERCISE

Execute the following steps:

STEP  ACTION

1.  With the assistance of your instructor, identify the following essential equipment:

    Windows Workstation
      Name: ______________________________
      IP address: _________________________
      Domain Administrator Password: __________________________
      Local Administrator Password: __________________________

    Domain Controller
      Domain Name: _______________________
      Controller IP address: _________________________
      DNS: ____________________________
      IP address: _________________________

    Storage System
      Name: ___________________________________
      Type: ___________________________________
      Internal IP address: _______________________________
      Terminal IP address: _______________________________
      Root Password: _______________________________

2.  Task complete.

END OF EXERCISE


Workgroup


MODULE 2: WORKGROUPS

Exercise
Module 2: Workgroups
Estimated Time: 45 minutes

EXERCISE: CIFS SETUP


OVERVIEW

The goal of this lab is to give you an opportunity to configure a storage system for a Windows
workgroup environment. In a future exercise, you will repurpose the storage system for an Active
Directory Domain environment.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Configure a storage system for a Windows Workgroup environment

Review the result of cifs setup in a Windows Workgroup environment

TIME ESTIMATE

45 minutes
Please refer to your Exercise Guide for more instruction.


Check Your Understanding

• In cifs setup, what are the two security style choices for which a storage system can be configured?
• During the initial questions in CLI cifs setup, for which root user can you enter a password?
• What are the three default share volumes created as a result of cifs setup?
• What is the name of the NetBIOS alias file?

TASK I: EXPLORING THE EXERCISE ENVIRONMENT


This task will familiarize you with the exercise environment that you will use for all future
exercises. If you don't have an appropriate storage system environment, see Appendix B for steps
to set up the Data ONTAP simulator.
TASK I: CONFIGURING CIFS SERVICES TO JOIN THE STORAGE SYSTEM TO A WINDOWS
WORKGROUP

In this lab, you run cifs setup to join your storage system to a Windows workgroup. The
commands in the lab are entered at the storage system prompt.
START OF EXERCISE

STEP

ACTION

1.

From your workstation,


a) Open a Telnet session to your storage system with the storage system IP
address or name. You can use TeraTermPro or PuTTY to open a Telnet
session to your storage system.

b) Log in as root with no password. NOTE: Verify with the instructor the
password for root.

2.

Type license at the storage system's command prompt to view the current list of
licenses registered.
License CIFS by entering the following command and using the CIFS license code
provided by your instructor:
system>license add {license_code_provided_by_instructor}
Confirm the license was successfully added by reissuing the license command at
the prompt.

3.

View the CIFS license with FilerView by performing the following:


a) Open an Internet browser and enter your storage system name
http://storage-system-name/na_admin to open the FilerView main navigational
page (or home page). The storage-system-name can be the IP address or the
DNS name for the storage system.
NOTE: Obtain the storage system IP address and name from the instructor.
NOTE: The FilerView main navigational page has the manual (man) pages for the
Data ONTAP commands. Click the Manual Pages icon when you need
information or the syntax for a command.
b) Click the FilerView icon.
c) Log in as root with no password. NOTE: Verify the password with the
instructor.
d) In the left column, choose Filer and then Manage Licenses.
e) Note that the CIFS license is displayed.


4.

Before configuring the CIFS services, at the storage system prompt (in your Telnet
session), enter the following command and view the default storage system security
style and NT administrator privileges:
system>options wafl

What is the volume (and all qtrees on the volume) default security style?
______________
Look at the wafl.default_security_style option.
Does the NT (Windows) administrator have privileges to map to the UNIX root
user? ___________________
Look at the wafl.nt_admin_priv_map_to_root option.
5.

Enter the following command and view the security style of the root volume:
system>qtree status
What is the security style of your root volume? _________

6.

Configure the CIFS services by entering the following command:


system>cifs setup
Enter the following parameters:

Answer no [n] to WINS.

Configure the security style as (2) NTFS-only filer.

Press the Enter key twice for root password (meaning no password).

Press Enter to keep default CIFS server (storage system) name. (Obtain the storage system
name from your instructor.)

Choose 3 for Windows workgroup authentication using the storage system's local user
accounts.

Press Enter to keep the default name for the workgroup [WORKGROUP].

Answer yes [y] to create the local administrator (system\administrator) account.

Enter the password twice for the local administrator password. (Obtain the password from
your instructor.)

NOTE: The name and password for the local administrator on the storage system must
match the Windows workstation administrator and password for pass-through
authentication to work.

Example:
system > cifs setup
This process will enable CIFS access to the filer from a Windows system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
Your filer does not have WINS configured and is visible only to clients on the
same subnet.
Do you want to make the system visible via WINS? [n]:

A filer can be configured for multiprotocol access, or


as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and
iSCSI are not licensed on this filer, we recommend that
you configure this filer as an NTFS-only filer
(1) Multiprotocol filer
(2) NTFS-only filer
Selection (1-2)? [2]:
CIFS requires local /etc/passwd and /etc/group files and default files will be created.
The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.
Enter the password for the root user [ ]:
Retype the password:
The default name for this CIFS server is ' system '.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active
Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or
Active Directory domains)
(3) Windows Workgroup authentication using the filer's
local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [3]:
What is the name of the workgroup? [WORKGROUP]:
Fri Jun 23 19:32:53 GMT [wafl.quota.sec.change:notice]:
security style for /vol/vol0/ changed from unix to ntfs
CIFS - Starting SMB protocol...
It is recommended that you create the local administrator
account (system\administrator) for this filer.
Do you want to create the system\administrator account?
[y]:
Enter the new password for system\administrator:
Retype the password:
Welcome to the WORKGROUP Windows workgroup
CIFS local server is running.
SYSTEM> Fri Jun 23 19:33:18 GMT
[nbt.nbns.registrationComplete:info]: NBT: All CIFS name
registrations have been completed for the local server.

7.

After configuring the CIFS services, enter the following command and view the
default storage system security style and NT administrator privileges:
system>options wafl

What is the volume (and all qtrees on the volume) default security style?
___________________

Does the NT (Windows) administrator have privileges to map to the UNIX root user?
_______________

8.

Enter the following command and view the security style of the root volume:
system>qtree status
After configuring the CIFS services, what is the security style of your root volume?
__________________

9.

Task complete.

10.

Please proceed to the next task.


TASK II: REVIEWING


In this lab, you will review the files modified during the process of configuring the storage
system's CIFS server for a Windows Workgroup environment. All commands in the lab are
entered at the storage system prompt.
START OF EXERCISE

STEP

ACTION

1.

At the storage system prompt, review the cifs configuration file with the
rdfile command by typing:
system>rdfile /etc/cifsconfig_setup.cfg
Notice how this file holds all the configurations entered during the wizard
questions of the cifs setup command.

2.

At the storage system prompt, review the following files with the rdfile
command:

/etc/usermap.cfg

/etc/passwd

/etc/nsswitch.conf

/etc/cifsconfig_share.cfg

We will discuss these files in more detail in future modules.


3.

As you recall, cifs setup created a local administrator. We will now verify that this
new user was created.
system>useradmin user list administrator
Now, we will verify that this user was added to the lclgroups.cfg file under the
BUILTIN\Administrators group.
system>rdfile /etc/lclgroups.cfg
Notice that there is a SID under the BUILTIN\Administrators group. Because the
lclgroups.cfg file is newly created, there should be only one SID. Now, let's
verify that this SID is the same as the administrator that we saw with the
useradmin command:
system>cifs lookup {copy the SID here}
This SID should resolve to the storage system's local administrator that was
created with cifs setup.

4.

Task complete.

5.

Please proceed to the next task.


TASK III: CREATING NEW VOLUMES AND QTREES


In this lab, you create an aggregate, a flexible volume, and a traditional volume that will be used
in a later lab. All commands in the lab are entered at the storage system prompt.
START OF EXERCISE

STEP

ACTION

1.

Determine if aggr0 (root volume) is configured for RAID type raid4 by entering
the following command at the storage system prompt:
system>aggr status
If aggr0 is raid4, then go to Step 3.

2.

If aggr0 is raid_dp, then change aggr0 to raid4 by entering the following command:
system>aggr options aggr0 raidtype raid4
Verify that aggr0 is now raid4 and has 2 disks (-d option):
system>aggr status
system>aggr status aggr0 -d
Zero out the previous double parity drive by using:
system>disk zero spares

3.

Create an aggregate aggr1 with RAID type raid4 and 3 disks:
system>aggr create aggr1 -t raid4 3
Verify that the newly created aggr1 is raid4 and has 3 disks (-d option):
system>aggr status
system>aggr status aggr1 -d

4.

Create a flexible volume flexvol1 on aggr1 that is 10GB in size:


system>vol create flexvol1 aggr1 10g
Verify that the newly created flexvol1 exists:
system>vol status flexvol1

5.

Create a traditional volume tradvol1 with RAID type raid4 and 2 disks using
the aggr command:
system>aggr create tradvol1 -v -t raid4 2
Verify that the newly created tradvol1 exists:
system>vol status tradvol1
Verify that the newly created aggregate (also called tradvol1) is raid4 and has
2 disks (-d option):
system>aggr status
system>aggr status tradvol1 -d

6.

View the status of all volumes by entering the following command:


system>vol status


7.

Create a qtree named datatree1_ntfs with NTFS security style on the volume
flexvol1 by entering the following command:
system>qtree create /vol/flexvol1/datatree1_ntfs
Verify that the newly created qtree datatree1_ntfs exists:
system>qtree status
What is the security style on the new qtree? __________________
Why is this the security style? ____________________________________
____________________________________________________________

8.

Create a qtree named datatree2_unix with UNIX security style on the volume
flexvol1 by entering the following command:
system>qtree create /vol/flexvol1/datatree2_unix
Verify that the newly created qtree datatree2_unix exists:
system>qtree status
What is the security style on the new qtree? __________________
Change the security style to UNIX by entering the following command:
system>qtree security /vol/flexvol1/datatree2_unix unix
Verify that the security style for qtree datatree2_unix is UNIX:
system>qtree status

9.

Create a qtree named datatree3_mixed with mixed security style on the volume
flexvol1 by entering the following command:
system>qtree create /vol/flexvol1/datatree3_mixed
Change the security style to mixed by entering the following command:
system>qtree security /vol/flexvol1/datatree3_mixed mixed
Verify that the security style for qtree datatree3_mixed is mixed:
system>qtree status

10.

Task complete.

END OF EXERCISE
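
The security-style checks in steps 7 through 9, and the before-and-after qtree status comparison from Task I, can be scripted against saved command output. The following Python is an added example, not part of the NetApp guide; both captures are constructed, and reading the _ntfs/_unix/_mixed name suffix as the intended style is an assumption based on this lab's qtree names.

```python
# Added example: check qtree security styles from captured `qtree status` output.
# Both captures below are constructed for illustration, not taken from a real system.

BEFORE_CIFS_SETUP = """\
Volume   Tree            Style Oplocks  Status
-------- --------------- ----- -------- ---------
vol0                     unix  enabled  normal
"""

# Constructed state after steps 7-9 in which the `qtree security` command of
# step 8 was skipped, so datatree2_unix still carries its creation-time style.
AFTER_QTREE_CREATE = """\
Volume   Tree            Style Oplocks  Status
-------- --------------- ----- -------- ---------
vol0                     ntfs  enabled  normal
flexvol1                 ntfs  enabled  normal
flexvol1 datatree1_ntfs  ntfs  enabled  normal
flexvol1 datatree2_unix  ntfs  enabled  normal
flexvol1 datatree3_mixed mixed enabled  normal
tradvol1                 ntfs  enabled  normal
"""

VALID_STYLES = {"unix", "ntfs", "mixed"}


def parse_qtree_status(text):
    """Return {path: security_style} for every volume root and qtree listed."""
    styles = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the column header and the dashed separator.
        if not fields or fields[0] == "Volume" or set(fields[0]) == {"-"}:
            continue
        # The Tree column is empty for a volume root, so rows have 4 or 5 fields.
        if len(fields) == 4:
            volume, tree, style = fields[0], "", fields[1]
        elif len(fields) == 5:
            volume, tree, style = fields[:3]
        else:
            raise ValueError(f"unexpected qtree status row: {line!r}")
        if style not in VALID_STYLES:
            raise ValueError(f"unknown security style in row: {line!r}")
        path = f"/vol/{volume}/{tree}" if tree else f"/vol/{volume}"
        styles[path] = style
    return styles


def intended_style(path):
    """Assumed lab convention: a _unix/_ntfs/_mixed suffix names the intended style."""
    suffix = path.rsplit("_", 1)[-1]
    return suffix if suffix in VALID_STYLES else None


def style_mismatches(styles):
    """List (path, intended, actual) for qtrees whose style contradicts their name."""
    found = []
    for path, actual in sorted(styles.items()):
        wanted = intended_style(path)
        if wanted is not None and wanted != actual:
            found.append((path, wanted, actual))
    return found


def style_changes(before, after):
    """Return {path: (old, new)} for paths present in both captures that changed."""
    return {
        path: (before[path], after[path])
        for path in sorted(before.keys() & after.keys())
        if before[path] != after[path]
    }


if __name__ == "__main__":
    before = parse_qtree_status(BEFORE_CIFS_SETUP)
    after = parse_qtree_status(AFTER_QTREE_CREATE)
    for path, (old, new) in style_changes(before, after).items():
        print(f"{path}: security style changed from {old} to {new}")
    for path, wanted, actual in style_mismatches(after):
        print(f"{path}: named for {wanted} but is {actual}; run qtree security")
```

The security style decides whether NTFS ACLs or UNIX permissions govern access to a qtree, so a mismatch here means files are protected by a different permission model than the one the administrator intended.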


Shares


MODULE 3: SHARES

Exercise
Module 3: Shares
Estimated Time: 15 minutes

EXERCISE: SHARES
OVERVIEW
The purpose of this activity is to perform routine CIFS administration procedures on your storage
system in a Windows Workgroup environment. You will view the current list of shares, add a new
share, verify access to the share, and display session information.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

View current shares, add a new share and verify share access

Display session information

TIME ESTIMATE

15 minutes


Check Your Understanding

• For which storage objects can you create shares?
• What are three methods to manage CIFS shares?
• What command would you use to view the connected CIFS users?

TASK I: VIEWING THE LIST OF CURRENT SHARES


In this lab, you will display the current shares on your storage system.
START OF EXERCISE

STEP

ACTION

1.

If you are not already logged in, use the Remote Desktop connection to log in to your Windows
workstation as Administrator.
NOTE: Use the IP address and password provided by the instructor.

2.

On your Windows workstation, go to Start > Run. In the Run window, enter the
following to browse the shares on your storage system, and click OK:
\\IP_Address_of_Your_Storage_System
What share(s) display? _________________________

3.

In the address bar of the Web browser, change the address to the following:

\\IP_Address_of_Your_Storage_System\C$
What folder(s) display? __________________________

4.

At your storage system prompt, view the CIFS sessions by entering the following
command:

system>cifs sessions
What user currently has a session with the storage system?
__________________________________________________
What account is the user mapped to? _______________________


5.

At the storage system prompt, verify the user mapping by entering the following
command:

system>options wafl.nt_admin_priv_map_to_root
Is this option set to on? _________________
If wafl.nt_admin_priv_map_to_root is on, then the local administrator's
user mapping is root.
Verify the default UNIX user name by entering the following command:
system>options wafl.default_unix_user
Is there a default UNIX user? If yes, what is the user name?
________________________________
If the wafl.default_unix_user is set to a user name (for example, pcuser),
then this is the default user mapping for any Windows user that is not explicitly
mapped.
Verify that the default UNIX user name is in the /etc/passwd file by entering the
following command:
system>rdfile /etc/passwd
Is the default UNIX user name in the /etc/passwd file? _____________

6.

Task complete.

7.

Please proceed to the next task.
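
The mapping rules checked in step 5 can be applied to saved output from options wafl and rdfile /etc/passwd. The following Python is an added example, not part of the NetApp guide; the captures are constructed, and the function names are hypothetical. It covers only the two rules stated in step 5 and does not model explicit mappings.

```python
# Added example: which UNIX identity does a CIFS user get under the step 5 rules?
# All captures are constructed for illustration, not taken from a real system.

OPTIONS_WAFL = """\
wafl.default_nt_user
wafl.default_security_style  ntfs
wafl.default_unix_user       pcuser
wafl.nt_admin_priv_map_to_root on
wafl.root_only_chown         on
"""

# Accounts the cifs setup transcript names: root, pcuser, nobody (fields constructed).
ETC_PASSWD = """\
root::0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
"""


def parse_options(text):
    """Parse `options` output (name, whitespace, optional value) into a dict."""
    options = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            # An option with no value is printed as its name alone.
            options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def passwd_users(text):
    """Return the set of user names in passwd-format text, skipping comments."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def unix_identity(is_local_admin, options, users):
    """Apply the two step 5 rules to a Windows user with no explicit mapping.

    Returns the UNIX user name, or None when neither rule yields a usable
    account (the exercise does not say what the storage system does then).
    """
    if is_local_admin and options.get("wafl.nt_admin_priv_map_to_root") == "on":
        return "root"
    default = options.get("wafl.default_unix_user", "")
    if default and default in users:
        return default
    return None


def mapping_findings(options, users):
    """Return review notes on the mapping configuration, in a fixed order."""
    findings = []
    if options.get("wafl.nt_admin_priv_map_to_root") == "on":
        findings.append("local administrator maps to UNIX root")
    default = options.get("wafl.default_unix_user", "")
    if not default:
        findings.append("no default UNIX user is set")
    elif default not in users:
        findings.append(f"default UNIX user '{default}' is missing from /etc/passwd")
    return findings


if __name__ == "__main__":
    opts = parse_options(OPTIONS_WAFL)
    users = passwd_users(ETC_PASSWD)
    print("administrator ->", unix_identity(True, opts, users))
    print("other user    ->", unix_identity(False, opts, users))
    for note in mapping_findings(opts, users):
        print("note:", note)
```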

TASK II: CREATING A NEW SHARE


In this lab, you will create a new share on your storage system.

STEP

ACTION

1.

Create a new share called datatree1_ntfs (for the qtree datatree1_ntfs) on the storage
system by entering the following command at the storage system prompt:

system>cifs shares add datatree1_ntfs /vol/flexvol1/datatree1_ntfs

Answer yes if you are asked whether you want to use this share name.

2.

View the newly created datatree1_ntfs share by entering the following command at the
storage system prompt:

system>cifs shares datatree1_ntfs


Which group has access to this share? _______________________
What are the share permissions? _______________________

3.

On the Windows workstation, open Windows Explorer and, as the administrator, map
a network drive to the new share datatree1_ntfs.

4.

After mapping the network drive to datatree1_ntfs in Windows Explorer

a) Right-click the datatree1_ntfs share mapping and choose Properties.


b) Click the Security tab and view the NTFS file permissions.
Note: You might receive a warning stating that the share name is not accessible by
some MS-DOS workstations. MS-DOS generally only allows eight characters in the
name along with a three character extension.

5.

On the Windows workstation, create a text file with WordPad and save the file to the
new share datatree1_ntfs.

c) Go to Start > Programs > Accessories > WordPad.
d) Open WordPad and type something to create a text document.
e) Save the file to the datatree1_ntfs share.

6.

On the Windows workstation using Windows Explorer, go to the mapped network
drive for the datatree1_ntfs share to view the newly created text file.

f) Right-click the text file and choose Properties.


g) Click the Security tab and view the NTFS file permissions for the text file.
h) What group has access to this file? ____________________________
i) List the file access permissions for the text file:_________________________

7.

Close all the open windows.

Task complete.

END OF EXERCISE


Access Control


MODULE 4: ACCESS CONTROL

Exercise
Module 4: Access Control
Estimated Time: 30 minutes

EXERCISE: ACCESS CONTROL


OVERVIEW

The purpose of this activity is to perform routine CIFS administration procedures on your storage
system in a Windows workgroup environment. You will create a local user account and
administer user access, add a new share, map a network drive to the new share and verify access
to the share, and create a local group.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Add a new local user account and administer user access

Add a new share, map a network drive to the new share and verify share access, add a file to the share,
and access the file on the share

Create a local group

Remove a share

TIME ESTIMATE

30 minutes


Check Your Understanding

• What is the purpose of a local administrator account on a storage system, and why does cifs setup recommend creating one?
• What does it mean when a storage system is configured for multiprotocol access?
• What command adds local users and groups to the storage system?

TASK I: CREATING A LOCAL USER ACCOUNT ON THE STORAGE SYSTEM

In this lab, you will create a local user account on your storage system. All commands in the lab are entered at the storage system prompt.

START OF EXERCISE

STEP  ACTION

1.  From your workstation:
    a) Open a Telnet session to your storage system with the storage system IP address or name. You can use TeraTermPro or PuTTY to open a Telnet session to your storage system.
    b) Log in as root with no password. Note: Verify with the instructor the password for root.

2.  Recall that the storage system currently is in a Windows workgroup. To verify that the storage system is a server in a Windows workgroup, enter the following command:
    system> cifs sessions
    Is the storage system in a Windows workgroup? ________________

3.  Before adding a local user to the storage system, check the current security options to determine password rules by entering the following command:
    system> options security
    What is the value of the security.passwd.rules.enable option? _________
    If the security.passwd.rules.enable option is on, then in order to create a local user, you will need to come up with a password using the following rules:
    • It must be at least 8 characters long
    • It must contain at least 2 alphabetic characters
    • It must contain at least 1 digit
    If the security.passwd.rules.enable option is off, then the restrictions will not be enforced when you create a password.

4.  Add a local user (your name) in the predefined Guests group to the storage system by entering the following command. User names are case insensitive.
    system> useradmin user add your_name -g Guests
    Remember your password. _________________________

5.  Verify that the local user (you) was added to the storage system by entering the following command:
    system> useradmin user list your_name

6.  Check the allowed capabilities for the local administrator account by entering the following command:
    system> useradmin user list administrator
    What are the capabilities of the local administrator?
    _______________________________________________

7.  View the list of all local storage system users by entering the following command:
    system> useradmin user list
    What local users are listed? _____________________________________

8.  Task complete.

9.  Please proceed to the next task.

TASK II: MAPPING A NETWORK DRIVE TO A SHARE

In this lab, you map a network drive to a share. Recall that in a Windows workgroup, user authentication is performed locally on the storage system.

STEP  ACTION

1.  On your Windows workstation, map a drive to a storage system share by opening Windows Explorer and going to Tools > Map Network Drive. The Map Network Drive window appears.
    a) In the Drive list box, select any unused letter.
    b) In the Folder list box, enter the following:
       \\IP_Address_of_Your_Storage_System\C$
    c) Click the Finish button.

2.  At the storage system prompt in your Telnet session, view the CIFS sessions by entering the following command:
    system> cifs sessions
    From your Windows workstation, who has a session with the storage system?
    __________________________________________________
    You logged in to the Windows workstation as Administrator with a password. This Administrator was authenticated locally on the storage system with the local Administrator account (note that the user names match). The local Administrator account has the same password as the Windows Administrator.
    This is called pass-through user authentication, and it works only if the names and passwords match on both the storage system and Windows workstation.
    The Administrator account has permission to view the hidden C$ share.

3.  On the Windows workstation, open Windows Explorer and disconnect the network drive that you just mapped in the browser by going to Tools > Disconnect Network Drive.
    a) Select the network drive to disconnect.
    b) Click the OK button.

4.  On the Windows workstation, log off as the Administrator and then log back in as the Administrator to clear the share cache.
    a) Go to Start > Log Off administrator and click the Log off button when you are asked if you are sure that you want to log off.
    b) Use the Remote Desktop connection to log back in to your Windows workstation as the Administrator with the Administrator password.

5.  On your Windows workstation, map a drive to a storage system share for a different local user (your name) by opening Windows Explorer and going to Tools > Map Network Drive. The Map Network Drive window appears.
    a) In the Drive list box, select any unused letter.
    b) In the Folder list box, enter the following:
       \\IP_Address_of_Your_Storage_System\C$
    c) Click Connect using a different user name.
    d) The Connect As... window appears.
    e) Enter your User name (Name_of_Your_Storage_System\your_name).
    f) Enter your Password (password for your_name).
    g) Click the OK button.
    h) Click the Finish button.
    i) The Connect to window appears.
    j) The user name matches Name_of_Your_Storage_System\your_name.
    k) In the password text box, enter your password.
    l) Click the OK button.
    Are you able to connect to the C$ share? _____________________
    If not, return to step 5 b), enter \\IP_Address_of_Your_Storage_System\Home in the Folder list box, and proceed again to map the network drive to the share.
    The Guests group has no capabilities and, therefore, you cannot access the C$ share, but you can access the Home share since it is available to the Everyone group.

6.  At the storage system prompt, view the CIFS sessions by entering the following command:
    system> cifs sessions
    From your Windows workstation, who has a session with the storage system?
    __________________________________________________
    You now have successfully mapped a network drive to the Home share on the storage system as a local user (your name) on the storage system that is a member of the Guests group.
    You were authenticated locally on the storage system with your name and password.

7.  Task complete.

8.  Please proceed to the next task.

TASK III: CREATING A LOCAL GROUP

In this lab, you will create a new local group on your storage system.

STEP  ACTION

1.  Before creating a new local group on your storage system, view the current groups on the storage system by entering the following command at the storage system prompt:
    system> useradmin group list

2.  At the storage system prompt, create a local group on the storage system called friends with the Data ONTAP predefined role power by entering the following command:
    system> useradmin group add friends -r power

3.  At the storage system prompt, verify the newly created group by entering the following command:
    system> useradmin group list friends
    How many capabilities are assigned to the power role for the friends group?
    __________________________
    The Data ONTAP predefined power role grants the ability to:
    • Invoke all cifs, exportfs, nfs, and useradmin CLI commands.
    • Make all cifs and nfs API calls.
    • Log in to Telnet, HTTP, rsh, and ssh sessions.

4.  On the Windows workstation, change the security properties of the text file on the datatree1_ntfs share.
    a) Open Windows Explorer and go to the mapped datatree1_ntfs drive to view the text file.
    b) Right-click the text file and choose Properties.
    c) Select the Security tab and under Group or user names, click the Add button.
    d) In the Enter the object names to select text box, enter friends.
    e) Click the OK button.
    f) Click the friends group. What permissions are displayed for the friends group?
    g) Click the Everyone group. How do the friends permissions differ from the permissions in the Everyone group?
       ___________________________________________________
    h) Now, click the Apply button on the Security tab, and then click the OK button.

5.  At the storage system prompt, modify the local user (your name) and add the friends group to the user by entering the following command:
    system> useradmin user modify your_name -g Guests,friends

6.  At the storage system prompt, verify the groups and capabilities of the newly changed local user (your name) by entering the following command:
    system> useradmin user list your_name
    To which groups does the local user (your name) now belong? ________________
    Have the local user (your name) capabilities changed? If yes, how?
    ________________________________________________

7.  Task complete.

8.  Proceed to the next task.

TASK IV: CONFIGURING THE STORAGE SYSTEM FOR MULTIPROTOCOL ACCESS

In this lab, you will configure the storage system for multiprotocol access, and then view file permissions for files in an NTFS qtree, UNIX qtree, and mixed qtree.

STEP  ACTION

1.  Before configuring your storage system for multiprotocol access, perform the following from your Windows workstation:
    a) Create a share on the storage system called datatree2_unix (for your datatree2_unix qtree on flexvol1) and map a network drive to the share.
    b) Create a share on the storage system called datatree3_mixed (for your datatree3_mixed qtree on flexvol1) and map a network drive to the share.
    Follow the steps outlined in Task 2 from the previous lab and Task 2 of this lab respectively to create and map a share.
    Note: You might need to disconnect all mapped drives, log out, and log back in to the Windows machine to clear the security cache. Windows does not allow you to map two separate shares with different security accounts.

2.  At the storage system prompt, view the current default security style by entering the following command:
    system> options wafl.default_security_style
    What is the current default security style? ______________________

3.  Before changing to multiprotocol access, you must license NFS.
    a) At the storage system prompt, enter the following command and look for the NFS license:
       system> license
    b) If you do not have an NFS license, go to FilerView > Manage Licenses, type the NFS license (provided by your instructor) and click the Apply button.

4.  To change the storage system from NTFS-only to multiprotocol access without using cifs setup, enter the following command at the storage system prompt:
    system> options wafl.default_security_style unix
    The effects of changing an NTFS-only storage system to a multiprotocol storage system are the following:
    1) Existing ACLs remain unchanged.
    2) The security style of all volumes and qtrees remains unchanged.
    3) When you create a volume, its default security style is UNIX.
    4) The wafl.default_security_style option is set to UNIX.
    NOTE: Even though the default security style is set to UNIX, the administrator can manually change the default to a different security style (NTFS or mixed).

5.  At the storage system prompt, enter the following command to view the security style for each qtree on flexvol1:
    system> qtree status flexvol1

6.  On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree1_ntfs share, and view the security of datatree1_ntfs by performing the following:
    a) Right-click the datatree1_ntfs share and choose Properties.
    b) Click the Security tab.
       Who has access to the qtree, and what are the NTFS permissions on the file system?
       ___________________________________________________________
    c) Click the Cancel button.
    d) Double-click the datatree1_ntfs share in the console tree to view the contents of the share.
    e) Right-click the previously created text file and choose Properties.
    f) Click the Security tab.
       Who has access to the file and what are the file permissions?
       _______________________________________________
    g) Click the Cancel button.
    Recall that the datatree1_ntfs qtree has a designated security style of NTFS. This means that files have Windows NTFS ACLs (permissions).

7.  On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree2_unix share, and view the security of datatree2_unix by performing the following:
    a) Right-click the datatree2_unix share and choose Properties.
       Is there a Security tab? ________________________
    b) Click the Cancel button.
    c) Double-click the datatree2_unix share in the console tree to view the contents of the share.
    d) Create a new text file in this share by right-clicking in the right windowpane and choosing New > Text Document.
    e) Right-click the New Text Document.txt file and choose Properties.
       Is there a Security tab? ________________________
    f) Click the Cancel button.
    Recall that the datatree2_unix qtree has a designated security style of UNIX, and that files and directories have UNIX permissions.
    You are a Windows user accessing a UNIX qtree and a UNIX file. The Properties window (in Microsoft Windows) is not designed to interpret the UNIX permissions on the share and file and hence the Security tabs are missing. However, starting with Data ONTAP 7.2, changes have been made to the multiprotocol functionality. Now administrators can both display and change UNIX permissions from the Windows Security tab.

8.  On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree3_mixed share, and view the security of datatree3_mixed by performing the following:
    a) Right-click the datatree3_mixed share and choose Properties.
    b) Click the Security tab.
       Who has access to the qtree, and what are the NTFS permissions on the file system?
       __________________________________________________
    c) Click the Cancel button.
    d) Double-click the datatree3_mixed share in the console tree to view the contents of the share.
    e) Create a new text file in this share by right-clicking in the right windowpane and choosing New > Text Document.
    f) Right-click the New Text Document.txt file and choose Properties.
    g) Click the Security tab.
       Who has access to the file, and what are the file permissions?
       _______________________________________________
    h) Click the Cancel button.
    Recall that the datatree3_mixed qtree has a designated security style of mixed. This means that the default security style of a file is the style most recently used to set permission on that file. With mixed security style, the volume or qtree can have UNIX or NTFS file security in play.
    Since the mixed qtree was created when the storage system was NTFS-only and the parent volume was NTFS, the mixed qtree inherited the effective security style of the parent volume that was created with NTFS.

9.  To view the UNIX permissions on the files in this multiprotocol environment, enter the following option at the storage system prompt:
    system> options cifs.preserve_unix_security on
    Enabling this option allows you to manipulate a file's UNIX permissions using the Security tab on a Windows client, or using any application that can query or set Windows ACLs. When enabled, this option causes UNIX qtrees to appear as NTFS volumes. The default for this option is off.

10. On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree1_ntfs share, and view the security of the previously created text file by performing the following:
    a) Right-click the previously created text file and choose Properties.
    b) Click the Security tab and view the permissions for the Everyone and friends groups.
    c) Click the Cancel button.

11. On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree2_unix share, and view the security of the New Text Document.txt file by performing the following:
    a) Right-click the New Text Document.txt file and choose Properties.
    b) Click the Security tab and view the UNIX group, user names, and permissions for this file whose file security is UNIX.
       In the Group or user names list box, list the first 4 entries:
       ____________________________________________________
    c) Click the Advanced button in the lower right corner in the Security tab.
    d) In the Advanced Security Settings window in the Permissions tab, select pcuser and click the Edit button. (Do not actually edit the permissions.)
       In the Permission Entry window, what permissions does pcuser have?
       ______________________________________________________
    e) Click the Cancel button in the Permission Entry window.
    f) In the Advanced Security Settings window, click the Owner tab.
       Who are the owners for this text file?
       ___________________________________________________
    g) Click the Cancel button in the Advanced Security Settings window.
    h) Click the Cancel button in the Properties window.
    You are a Windows user accessing this UNIX file with your mapped UNIX credentials. Your UNIX credentials are used when evaluating your access requests by comparing your credentials against the file or folder UNIX access permissions.

12. On the Windows workstation, open Windows Explorer, go to the mapped network drive for the datatree3_mixed share, and view the security of the New Text Document.txt file by performing the following:
    a) Right-click the New Text Document.txt file and choose Properties.
    b) Click the Security tab and view the permissions for the Everyone group.
    c) Click the Cancel button.
    Recall that the mixed qtree was created when the storage system was NTFS-only and the parent volume was NTFS, so the mixed qtree inherited the effective security style of the parent volume that was created with NTFS.
    The effective Windows NTFS ACLs (permissions) are shown in the Security tab. The effective security style of the qtree, folders within the qtree, or files may be changed if a UNIX administrator sets permissions on the qtree, subfolders, or files by issuing the chmod (to change file permissions) or chown (to change the file or group ownership) command from a UNIX host.

13. Task complete.

14. Proceed to the next task.
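
The security-style rules stated in Task IV, expressed as a small Python model (an added example, not NetApp code and not part of the original guide). Class and function names and the flexvol2 volume are hypothetical; the model assumes that ntfs and unix qtrees never change style and it does not cover mixed volumes.

```python
from dataclasses import dataclass, field


@dataclass
class FileObj:
    name: str
    effective_style: str  # "ntfs" or "unix": whose permissions govern access


@dataclass
class Qtree:
    name: str
    style: str                # configured style: "ntfs", "unix" or "mixed"
    inherited_effective: str  # effective style taken from the parent volume
    files: dict = field(default_factory=dict)

    def create_file(self, name):
        # A mixed qtree starts new files with the style inherited from its
        # parent volume; ntfs and unix qtrees always use their own style.
        eff = self.inherited_effective if self.style == "mixed" else self.style
        self.files[name] = FileObj(name, eff)
        return self.files[name]

    def set_permissions(self, name, via):
        """via="ntfs": ACL set from Windows; via="unix": chmod/chown from UNIX."""
        if via not in ("ntfs", "unix"):
            raise ValueError("via must be 'ntfs' or 'unix'")
        f = self.files[name]
        if self.style == "mixed":
            # Mixed: the style most recently used to set permissions wins.
            f.effective_style = via
        # Model assumption: in ntfs and unix qtrees the style never flips.
        return f.effective_style


@dataclass
class Volume:
    name: str
    style: str  # "ntfs" or "unix" (mixed volumes are not modelled)
    qtrees: dict = field(default_factory=dict)

    def create_qtree(self, name, style):
        qt = Qtree(name, style, inherited_effective=self.style)
        self.qtrees[name] = qt
        return qt


class StorageSystem:
    def __init__(self, default_style="ntfs"):
        self.default_style = default_style  # models wafl.default_security_style
        self.volumes = {}

    def set_default_style(self, style):
        if style not in ("ntfs", "unix"):
            raise ValueError("this model covers only ntfs and unix defaults")
        # Only the default changes; existing volumes, qtrees and ACLs do not.
        self.default_style = style

    def create_volume(self, name):
        vol = Volume(name, self.default_style)
        self.volumes[name] = vol
        return vol


def run_lab_scenario():
    """Replay Task IV and report which security style governs each object."""
    doc = "New Text Document.txt"
    system = StorageSystem("ntfs")               # NTFS-only, before step 4
    flexvol1 = system.create_volume("flexvol1")
    qtrees = [
        flexvol1.create_qtree("datatree1_ntfs", "ntfs"),
        flexvol1.create_qtree("datatree2_unix", "unix"),
        flexvol1.create_qtree("datatree3_mixed", "mixed"),
    ]
    system.set_default_style("unix")             # step 4
    flexvol2 = system.create_volume("flexvol2")  # hypothetical new volume
    for q in qtrees:
        q.create_file(doc)
    result = {
        "existing_volume": flexvol1.style,
        "new_volume": flexvol2.style,
        "qtree_styles": [q.style for q in qtrees],
        "file_styles": [q.files[doc].effective_style for q in qtrees],
    }
    q_ntfs, _, q_mixed = qtrees
    # chmod from a UNIX host, then an ACL change from Windows, on the mixed file
    result["mixed_after_chmod"] = q_mixed.set_permissions(doc, "unix")
    result["mixed_after_acl"] = q_mixed.set_permissions(doc, "ntfs")
    result["ntfs_after_chmod"] = q_ntfs.set_permissions(doc, "unix")
    return result


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(f"{key}: {value}")
```

The file in the mixed qtree starts out governed by NTFS ACLs because its parent volume was created as NTFS, which is why reviewing permissions from only one protocol can miss the style that is actually in effect.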

TASK V: REMOVING A SHARE

In this task, you delete a share on your storage system.

STEP  ACTION

1.  On the Windows workstation, open Windows Explorer and disconnect the network drive that you just mapped in the browser by going to Tools > Disconnect Network Drive.
    a) Select the network drive associated with datatree3_mixed to disconnect.
    b) Click the OK button.

2.  Do you remember the command to view the current shares? _____________
    Remove the datatree3_mixed share by typing the following at the prompt:
    system> cifs shares delete datatree3_mixed

3.  Verify that datatree3_mixed is removed.

4.  Do you think when you remove a share that you delete the underlying qtree?
    _____________
    Go check. Do you remember the command to view the current qtrees and volumes?
    _____________

5.  Task complete.

END OF EXERCISE


MODULE 5: DOMAINS

Exercise
Module 5: Domains
Estimated Time: 60 minutes

EXERCISE: DOMAINS

OVERVIEW

The purpose of this activity is to reconfigure the storage system's CIFS server for an Active Directory environment. You will then create a domain user, create shares, and administer those shares.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

• Terminate CIFS services
• Reconfigure the CIFS services using FilerView to join your storage system to a Windows Active Directory domain
• Create a domain user
• Create shares and manage the permissions of the shares

TIME ESTIMATE

60 Minutes

Check Your Understanding

• For which objects can you create shares?
• What are three methods used to manage CIFS shares?
• CIFS Kerberos-based authentication fails if the time difference between the storage system and the domain controller is more than how many minutes?
• Which command or commands allow you to configure the preferred domain controllers?

TASK I: CONFIGURING CIFS SERVICES TO JOIN THE STORAGE SYSTEM TO AN ACTIVE DIRECTORY DOMAIN

In this lab, you reconfigure the CIFS services using FilerView to join your storage system to a Windows Active Directory (Windows 2000 or later) domain.

START OF EXERCISE

STEP  ACTION

1.  View the CIFS license with FilerView by performing the following:
    a) Open an Internet browser and enter your storage system name http://storage-system-name/na_admin to open the FilerView main navigational page (or home page). The storage-system-name can be the IP address or the DNS name for the storage system.
       Note: Obtain the storage system IP address and name from the instructor.
    b) Click the FilerView icon.
    c) Log in as root with no password.
       NOTE: Verify the password with the instructor.

2.  Reconfigure the CIFS services to join your storage system to a Windows Active Directory (Windows 2000 or later) domain.
    You will need to know the following information:
    • Name of your storage system (Obtain the name from your instructor if you don't already know it.)
    • Description of your storage system: Windows Server
    • No WINS servers
    • Type of authentication: Windows 2000 domain
    • Fully qualified domain name (Obtain the name from your instructor.)
    • Name of Windows domain administrator: administrator
    • Password for the Windows domain administrator (Obtain the password from your instructor.)
    • Security style: NTFS only
    NOTE: Currently, CIFS services are running. The CIFS services must be terminated first before reconfiguration can occur. The CIFS Setup Wizard terminates the CIFS services, reconfigures the storage system, and then restarts the CIFS services. The CLI command for stopping the CIFS services is cifs terminate.
    The following example demonstrates the steps for joining your storage system to a Windows Active Directory (Windows 2000 or later) domain:
    a) Go to FilerView > CIFS > Configure > Setup Wizard. The CIFS Setup Wizard window is displayed.
    b) Click the Next button to run the CIFS Setup Wizard.
    c) In the Filer Name text box, enter the name of your storage system.
    d) In the Description text box, enter Windows Server and click the Next button.
    e) Under Domain, click the Windows 2000 radio button and then click the Next button.
    f) In the Domain Name text box, enter the fully qualified domain name.
    g) In the Windows 2000 Administrator Name text box, enter administrator.
    h) In the Windows 2000 Administrator Password text box, enter the administrator password. (Obtain the password from your instructor.)
    i) Click the Next button.
    j) For Security Style, click the NTFS Only radio button and then click the Next button.
    k) Review the summary of your changes and, if correct, click the Commit button.
    l) Congratulations. Your storage system has now joined a Windows 2000 (or later) Active Directory domain. Click the Close button.

3.  To test the storage system connection to the Windows domain controller, go to FilerView > CIFS > Test Domain Controller and view the results. This is equivalent to the CLI cifs testdc command. Additional domain information is available with the cifs domaininfo command.
    a) To run these commands on the CLI, open a Telnet session on your storage system and log in as root with no password. Verify the password with your instructor.
    b) At the storage system prompt, enter the following commands and view the results:
       system> cifs testdc
       The cifs testdc command tests the FilerView's ability to connect with Windows NT domain controllers. The output of the cifs testdc command is useful in the diagnosis of CIFS-related network problems.
       system> cifs domaininfo
       The cifs domaininfo command determines whether the storage system is associated with an NT4 or Windows Active Directory domain. When CIFS is running, additional information about current domain controller connections and known domain controller addresses for the specified domain are displayed. In addition, the current Active Directory LDAP server connection and known Active Directory LDAP servers are also displayed for the specified domain.

4.  Task complete.

5.  Please proceed to the next task.


TASK II: CREATING A NEW USER IN THE DOMAIN

In this lab, you create a new user in the domain that will be used in later labs.

STEP  ACTION

1.  On the Remote Desktop connection, log in to your Windows workstation by entering the IP address and password provided by the instructor.

2.  a) In the Active Directory Users and Computers window, create a new domain user using the following user name format: user_<first_initial><last_name>. For example, the user name for Jane Doe is user_jdoe. This creates a unique user name for you in the domain.
       NOTE: For this lab, enter the new domain user name in the First name text box and in the User logon name text box.
    b) In the console tree on the left, beneath the Domain_name folder, click the Users folder.
    c) In the right windowpane, look for the domain user name that you just created.
    d) Right-click on your new user and select Properties.
    e) Select the Member Of tab. In a future lab, we are going to need to log in as this user. If you are using a remote desktop application, you need to add this user to the Domain Admins group. To do this:
    f) Select Add.
    g) Type Domain Admins in the object name text box and click OK.

3.  Task complete.

4.  Please proceed to the next task.


TASK III: VIEWING THE CURRENT SHARES, SESSIONS, AND LOCAL


GROUPS USING THE COMPUTER MANAGEMENT GUI AND GIVING THE
NEW DOMAIN USER SHARE-LEVEL ACCESS
In this lab, you display all the current shares, sessions, local groups, and users on your storage
system using the Windows Computer Management GUI.

STEP

ACTION

1.

You are currently logged in to your Windows workstation as the administrator. Before
viewing the shares using the Windows workstation Computer Management, disconnect
any mapped network drives.
a) Open Windows Explorer and disconnect any mapped network drives by
going to ToolsDisconnect Network Drive.
b) Select the network drive to disconnect.
c) Click the OK button.
d) On the Windows workstation, log off as the administrator and then log back in
as the administrator to clear the share cache.
e) Go to StartLog Off administrator and click the Log off button when
you are asked if you are sure that you want to log off.

f)

2.

E5-9

Use the Remote Desktop connection to log back in to your Windows


workstation as the administrator with the administrator password. Make
sure you log in to the Active Directory domain instead of the local
machines domain.

On your Windows workstation (logged in as the administrator using your Remote


Desktop connection), open the Computer Management GUI to view the current shares
on your storage system by performing the following steps:
a) Right-click the My Computer icon on your desktop and choose Manage. The
Computer Management window opens.
b) Right-click the top of the console tree, where it says Computer Management
(Local) and choose Connect to another computer
c) In the Select Computer window, mark the Another computer radio button
and type the storage system name (or IP address) in the text box, then click the
OK button.
d) In the console tree in the left windowpane, select System ToolsShared
FoldersShares folder.

CIFS Administration on Data ONTAP 7.3: M04_AccessControl_Exercise

2008 NetApp. This material is intended for training use only. Not authorized for re-production purposes.

NetApp University - Do not distribute or duplicate

STEP

ACTION

3.

Which shares are displayed in the right windowpane?

____________________________________________________________
Computer Management enables you to view shares that you have permission to
view. You cannot see the folders or files in the share from this GUI.

4.

To view the share permission for the datatree1_ntfs share, right-click the
datatree1_ntfs share, choose Properties, and then click the Share Permissions tab.
Which group has access to see this share? ________________________

5.

Give the new domain user (that you created in the previous lab
user_<first_initial><last_name>) access to the datatree1_ntfs share by performing the
following:
a) In the datatree1_ntfs Properties window, on the Share Permissions tab, click
the Add button.
b) In the Enter the object names to select text box, enter the new domain user
name.

c) Click the OK button.


What are the share permissions for the new domain user? _______________
d) In the Share Permissions tab, modify the share permissions for the new
domain user to Full Control by marking the Full Control check box in the
Allow column.
e) Click the Apply button.

f) Click the OK button.


E5-10

CIFS Administration on Data ONTAP 7.3: M04_AccessControl_Exercise

2008 NetApp. This material is intended for training use only. Not authorized for re-production purposes.

NetApp University - Do not distribute or duplicate

STEP

ACTION
The CLI equivalent entered at the storage system prompt that modifies share-level
access control to Full Control is demonstrated in the following example, for which
datatree1_ntfs is the name of the share:
system>
cifs access datatree1_ntfs domain_user_name Full Control

6.

Click the Sessions folder (beneath the Shares folder in the console tree) to view the
current sessions.
Which user or users have current session(s) with the storage system?
_________________________________________

7.

Click the Local Users and Groups folder in the console tree.
a) Click the Users folder. Who are the local users in your storage system?
________________________________________________________
b) Click the Groups folder. Which group is not a predefined group?
__________________________________________________

8.

With the Groups folder open, right-click the Guests account and choose Properties to
view the Guests properties.
Which users are members of the Guests group?
___________________________________________________
Click the Cancel button.
NOTE: The Guests account has domain and local storage system users.

9.

With the Groups folder open, right-click the friends account and choose Properties to
view the friends group properties.
Which user or users are members of the friends group?
_________________________
Click the Cancel button.

10.

With the Groups folder open, right-click the friends account and choose Add to
Group to add the new domain user to the friends local group by performing the
following:
a) In the friends Properties window, click the Add button.
b) In the Enter the object names to select text box, type the new domain user
(user_<first_initial><last_name>).
c) Click the Check Names button.
d) Click the OK button.

e) In the friends Properties window, view the newly added domain user in the
Members list for the friends share.
f) Click the Apply button.

g) Click the OK button.


11.

With the Groups folder open, right-click the Administrators account and choose
Properties to view the Administrators properties.
Which members can fully administer the storage system?
________________________________________________
Click the Cancel button.

12.

Task complete.

13.

Please proceed to the next task.

TASK IV: VIEWING SHARES AND SESSIONS AND ADDING A NEW SHARE
USING FILERVIEW
In this lab, you display the current shares and sessions on your storage system and create a new
share using FilerView.

STEP

ACTION

1.

Use an Internet browser to open FilerView and log in as root with no password. Note:
Verify the password with the instructor.

2.

To view all current CIFS shares, go to FilerView > CIFS > Shares > Report.


Who has access to the datatree1_ntfs share, and what is their share-level access?
_________________________________________________________

3.

To view the current sessions with the storage system, go to
FilerView > CIFS > Session Report.
a) Click the Sessions button to view the overall session information.
b) Click the Security button to view the overall security information.
c) In the User/PC text box, type the name of your Windows workstation and
click the Sessions button.
(The name and IP address are displayed in the overall security information.)
d) With your Windows workstation name in the User/PC text box, click the
Security button.
Your Windows workstation user is mapped to the UNIX UID 65534. To whom does
this UID belong? ____________________ (challenge question)


4.

Create a qtree called datatree4_ntfs on vol0 by performing the following:
a) Go to FilerView > Volumes > Qtrees > Add.
b) For Volume, select vol0 in the list box.
c) For QTree Name, type datatree4_ntfs in the text box.
d) For Security Style, select NTFS.
e) For Oplocks, mark the Oplocks check box.
f) Click the Add button.
You receive an informational message saying Success.
Go to FilerView > Volumes > Qtrees > Manage and view the newly created qtree
datatree4_ntfs on vol0.

5.

Add a new share called datatree4_ntfs (for the qtree datatree4_ntfs) on volume vol0 by
performing the following:
a) Go to FilerView > CIFS > Shares > Add.
b) For Share Name, type datatree4_ntfs.
c) For Mount Point, type /vol/vol0/datatree4_ntfs.
d) For Share Description, type NTFS Qtree on Traditional Volume.
e) Leave Max. Users and Force Group blank.
f) Click the Add button.
You receive a caution message that the share name datatree4_ntfs will not be
accessible from some MS-DOS workstations.

6.

To view all current CIFS shares, go to FilerView > CIFS > Shares > Report.


Notice that there is no difference in creating a share on a traditional volume
or a flexible volume.

7.

Task complete.

8.

Please proceed to the next task.


TASK V: ADDING A NEW SHARE USING COMPUTER MANAGEMENT


In this lab, you create a new share on your storage system using the Computer Management GUI
connected to the storage system.

STEP

ACTION

1.

On your Windows workstation (logged in as the administrator using your Remote
Desktop connection), open the Computer Management GUI and connect to your
storage system. Then add a new share on your storage system by performing the
following steps:
a) Right-click the Shares folder in the console tree and choose New Share....
The Share a Folder Wizard appears.

b) Click the Next button to start the wizard.


c) The Computer name should be your storage system name or IP address.


d) In the Folder path text box, type the following path:
C:\vol\flexvol1\datatree3_mixed. Click the Next button.

e) The Share name value is datatree3_mixed (for the qtree datatree3_mixed).


f) In the Description text box, type Mixed Qtree on Flexvol1, and click
the Next button.


g) For Permissions, click the Use custom share and folder permissions radio
button.
h) Click the Customize button.

i) For the Everyone group, mark the Allow check boxes for Full Control,
Change, and Read.
Note: The Windows default grants Everyone Read only, whereas the storage
system default grants Everyone Full Control.
j) Click the OK button.
k) Click the Finish button on the Permissions page.

l) You receive the message that sharing was successful.

m) Click the Close button to close the wizard.


2.

In the Computer Management GUI with the Shares folder opened:


a) View the newly created datatree3_mixed share in the right windowpane.
b) Right-click the datatree3_mixed share and choose Properties.
c) Click the Share Permissions tab and view the group Everyone and the
permissions.
d) Click the Cancel button.

3.

To view all current CIFS shares with FilerView, go to
FilerView > CIFS > Shares > Report.

4.

Task complete.

5.

Please proceed to the next task.
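The share-permission note in this task (storage system default of Everyone with Full Control) can be checked in bulk from a saved copy of the console's `cifs shares` listing. The following is an added example, not part of the NetApp exercise guide; the sample listing is constructed, its layout (a share line followed by indented "principal / rights" lines) is an assumption, and NETAPPU, user_jdoe and the datatree1_ntfs path and description are placeholders.

```python
# Constructed sample of `cifs shares` console output (not captured from a real
# system). Assumed layout: one line per share, then indented
# "principal / rights" ACL lines. NETAPPU and user_jdoe are placeholder names.
SAMPLE_CIFS_SHARES = r"""
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control
datatree1_ntfs /vol/flexvol1/datatree1_ntfs    NTFS Qtree
                        NETAPPU\user_jdoe / Full Control
datatree3_mixed /vol/flexvol1/datatree3_mixed  Mixed Qtree on Flexvol1
                        everyone / Full Control
datatree4_ntfs /vol/vol0/datatree4_ntfs        NTFS Qtree on Traditional Volume
                        everyone / Full Control
"""

# Principals that cover every authenticated or anonymous client.
BROAD_PRINCIPALS = {"everyone"}
# Share-level rights that allow modifying data.
WRITE_RIGHTS = {"change", "full control"}


def parse_cifs_shares(text):
    """Return {share_name: {"path": str, "acl": [(principal, rights), ...]}}.

    Share names containing spaces are not handled by this simple splitter.
    """
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue  # blank line or table header
        if line[0].isspace():
            # Indented line: an ACL entry for the most recent share.
            if current is not None and " / " in line:
                principal, rights = line.strip().rsplit(" / ", 1)
                shares[current]["acl"].append((principal.strip(), rights.strip()))
            continue
        fields = line.split(None, 2)
        current = fields[0]
        shares[current] = {"path": fields[1] if len(fields) > 1 else "", "acl": []}
    return shares


def broad_write_shares(shares):
    """List (share, principal, rights) where a broad principal can write."""
    findings = []
    for name, info in shares.items():
        for principal, rights in info["acl"]:
            if principal.lower() in BROAD_PRINCIPALS and rights.lower() in WRITE_RIGHTS:
                findings.append((name, principal, rights))
    return findings


if __name__ == "__main__":
    parsed = parse_cifs_shares(SAMPLE_CIFS_SHARES)
    for name, principal, rights in broad_write_shares(parsed):
        print(f"{name} ({parsed[name]['path']}): {principal} has {rights}")
```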


TASK VI: MAPPING A NETWORK DRIVE TO A SHARE


In this lab, you map a network drive to your new share on the storage system.

STEP

ACTION

1.

On your Windows workstation desktop, right-click My Computer, and select Map
Network Drive. The Map Network Drive window appears.

a) In the Drive list box, select any unused letter.


NOTE: Your letter must be different than that of your Windows
workstation partner.
b) In the Folder list box, enter:
\\Storage_System_name\datatree3_mixed
c) The Storage_System_name can be the name or IP address.
d) Click the Finish button.

2.

To view the new network drive mapped to the datatree3_mixed share:


a) On your Windows workstation desktop, right-click My Computer and select
Explore. The My Computer window appears, displaying the console tree
contents of My Computer.
b) View the network drive to the mapped datatree3_mixed share in the console
tree.
c) In the right windowpane, view more details about the mapped network drive to
datatree3_mixed, including the type, total size, and free space.

3.

To view the CIFS sessions with FilerView, go to FilerView > CIFS > Sessions
Report.

Who has a session with the storage system? _______________________


How many shares are being accessed? _____________________
How many files are being accessed? _______________________

4.

Task complete.

END OF EXERCISE


MODULE 6: ADVANCED ADMINISTRATION

Exercise
Module 6: Advanced Administration
Estimate Time: 90 minutes

EXERCISE: ADVANCED ADMINISTRATION


OVERVIEW

The purpose of this activity is to set up event logging, configure a storage system for Auto Home
Shares, and configure a Group Policy Object to automatically map the Auto Home Share to a
network drive. Then we will configure the native file blocking to prevent users from saving an
MP3 file on the storage system.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Set up event logging

Configure Auto Home Shares for a user base

Define a Group Policy Object to automatically map the Auto Home Share to a network drive

Define a Group Policy Object to apply a security policy to a directory structure on a storage system

TIME ESTIMATE

90 minutes

CIFS Administration on Data ONTAP 7.3: M06_AdvancedAdmin_Exercise

Check Your Understanding

• What triggers can be set to autosave the event file?
• What command(s) is/are used to reload the CIFS GPOs?
• What command(s) is/are used to configure virus scanning on a storage system?
• Name three operations a FPolicy can be configured to monitor.
• Share caching is disabled by default. True/False

TASK I: ENABLING EVENT LOGGING


In this lab, you enable CIFS event auditing on your storage system.
START OF EXERCISE

STEP

ACTION

1.

At the storage system prompt, enter the following command to view the current
cifs.audit options:
system> options cifs.audit
What is your cifs.audit.autosave.onsize.enable setting?
____________________________
off
What is your cifs.audit.enable setting? ___________
off
If cifs.audit.enable is set to off, then enable auditing by entering the
following command at the storage system prompt:
system> options cifs.audit.enable on
What is your cifs.audit.autosave.ontime.interval setting? ___________

2.

Set your cifs.audit.file_access_events.enable to on by
entering the following command at the storage system prompt:
NetApp> options cifs.audit.file_access_events.enable on

3.

At the storage system prompt, check the status of the login events by entering the
following command:
NetApp> options cifs.audit.logon_events.enable
If the option is off, turn it on.

4.

Change the name of the audit log file by entering the following command:
system> options cifs.audit.saveas /etc/log/storage_system_your_initials.evt
NOTE: Use your initials to make your .evt file different from your partner's. The file
name is the complete path name of the file where Data ONTAP logs audit event
information. Use .evt as the file extension.

5.

Enter the following command to save the audit file:
system> cifs audit save
Note: Since auditing has not been enabled for long, you may receive an error message
stating that the event log is empty. We will cause events to write to the log next.
[cifs.auditfile.logFile.IOWarning.warning]: ALF I/O waring for file /etc/log/cifsaudit.alf: the audit log is empty

6.

Task complete.

7.

Please proceed to the next task.

TASK II: SETTING A SACL ON THE FILE YOU WANT TO AUDIT


In this lab, you set a System Access Control List (SACL) on a file that you create.

STEP

ACTION

1.

Map a drive to the C$ share of your storage system and log in to this share as the
administrator.

2.

Access the C$ share and create a test text file in the home directory named
access_test_your_name.txt.
NOTE: Your file name should be different from your partner's.

3.

Right-click the file and select Properties. The file Properties window appears.

4.

Click the Security tab, and then click the Advanced button. The Advanced Security
Settings window appears.

5.

Click the Auditing tab, and then click the Add button. The Select User, Computer, or
Group window appears.
To add the Everyone group in the Enter the object name to select text box, type
Everyone, and then click the OK button. The Auditing Entry window for the text file
appears.

6.

For the Everyone group in the Access list box, mark a few events to audit and click the
OK button.
NOTE: Checks in the boxes indicate what events are to be audited. Both failures and
successes can be audited.


7.

The Advanced Security Settings window for the text file appears.
Click the Apply button and then the OK button.


8.

In the Properties window, click the OK button.

9.

Task complete.

10.

Please proceed to the next task.

TASK III: ENABLING AUTOSAVE OF EVENT FILES


In this lab, you adjust the cifs.audit.autosave options on your storage system.

STEP

ACTION

1.

At the storage system prompt, enter the following command to save the audit log via a
timer:
system> options cifs.audit.autosave.ontime.interval 1m
system> options cifs.audit.autosave.ontime.enable on

2.

Enter the following commands to set the extension and limit:


system> options cifs.audit.autosave.file.extension timestamp
system> options cifs.audit.autosave.file.limit 25


3.

Experiment with the cifs.audit.autosave.onsize.enable settings
and have the storage system autosave on a threshold value.
NOTE: You will have to create actions that are being audited such as logging on and
logging off or events configured in Task II with your access_test_your_name.txt file.
Were you successful?

____________________

Answers may vary.


What settings did you adjust to have this happen?

______

You must turn the option cifs.audit.autosave.onsize.enable on.

4.

Task complete.

5.

Please proceed to the next task.
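To confirm that the audit settings from Tasks I and III are actually in effect, the output of `options cifs.audit` can be saved and checked offline. This is an added example, not part of the NetApp exercise guide; the sample output is constructed, its "name value" line layout is an assumption, and only option names that appear in this exercise are checked.

```python
import re

# Constructed sample of `options cifs.audit` console output. The values are
# invented for this example; the option names are the ones this exercise uses.
SAMPLE_OPTIONS = """\
system> options cifs.audit
cifs.audit.autosave.file.extension counter
cifs.audit.autosave.file.limit 25
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1m
cifs.audit.enable            on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable   off
cifs.audit.logon_events.enable off
cifs.audit.saveas            /etc/log/storage_system_xy.evt
"""

# Options the exercise switches on in Task I.
MUST_BE_ON = (
    "cifs.audit.enable",
    "cifs.audit.file_access_events.enable",
    "cifs.audit.logon_events.enable",
)
# The two autosave triggers the exercise works with in Task III.
AUTOSAVE_TRIGGERS = (
    "cifs.audit.autosave.ontime.enable",
    "cifs.audit.autosave.onsize.enable",
)


def parse_options(text):
    """Map option name to value for every 'cifs.audit.* value' line.

    Lines that echo a typed command (prompt followed by 'options ...') do not
    start with an option name and are skipped. An option printed with no
    value is kept with an empty string.
    """
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"(cifs\.audit\.[\w.]+)\s*(.*)$", raw.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def audit_findings(opts):
    """Return a list of differences from the settings this exercise applies."""
    findings = []
    for name in MUST_BE_ON:
        value = opts.get(name)
        if value is None:
            findings.append(f"{name}: missing from output")
        elif value != "on":
            findings.append(f"{name}: {value} (exercise sets on)")
    # Autosave and file-name checks only matter once auditing itself is on.
    if opts.get("cifs.audit.enable") == "on":
        if not any(opts.get(t) == "on" for t in AUTOSAVE_TRIGGERS):
            findings.append("autosave: neither the ontime nor the onsize trigger is on")
        saveas = opts.get("cifs.audit.saveas", "")
        if not (saveas.startswith("/") and saveas.endswith(".evt")):
            findings.append(f"cifs.audit.saveas: '{saveas}' is not a full path ending in .evt")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse_options(SAMPLE_OPTIONS)):
        print(finding)
```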

TASK IV: VIEWING SAVED FILES AND FILE ACCESS


In this lab, you view the audit logs using Windows Event Viewer.

STEP

ACTION

1.

Open the access_test_your_name.txt file that you created, and leave it open for two to
three minutes. Make some changes to the file by adding some text. Now, save the file.

2.

At the storage system prompt, enter the following command:


system> options cifs.audit.autosave.file.extension counter
Allow autosave to save a few files by monitoring the syslog messages.

3.

To open the event logs stored on the storage system, perform the following:
a) On your Windows workstation, go to the Computer Management GUI and
connect to your storage system.
b) In the Computer Management GUI console tree go to System Tools > Event Viewer.
c) Right-click Event Viewer and choose Open Log File.
d) In the Open window, choose My Computer and go to the mapped C$ drive.
Open the etc folder and log folder to view the event logs.
e) Select one of the event (.evt) files and in the Log Type list box, select
Security. Click the Open button to display the audit files.
f) Double-click the first audit file and read a description of the event. You can
continue to read all the audit files.

4.

Task complete.

5.

Please proceed to the next task.

TASK V: VIEWING AUDIT RECORDS WITH LIVEVIEW


In this lab, you view the audit logs using Windows Event Viewer.

STEP

ACTION

1.

At the storage system prompt, enter the following command:
system> options cifs.audit.liveview.enable on
This will turn on the LiveView feature.

2.

To open LiveView access on the storage system, perform the following:
a) On your Windows workstation, go to the Computer Management GUI and
connect to your storage system.
b) In the Computer Management GUI console tree go to System Tools > Event Viewer > Security.
c) The Security Viewer will be updated every minute.

3.

Note the system time and now open the access_test_your_name.txt file that you
created. Make some changes to the file by adding some text. Now, save the file.

4.

Go back to the Computer Management GUI and refresh the Security Event Viewer.
Do you see new audit records?
If not, wait a minute and then refresh it again. If you are still having difficulty, make
sure you are performing an action that you designated in the System ACL to be
audited.

5.

Turn off CIFS auditing by entering the following command at the storage system
prompt:
system> options cifs.audit.enable off

6.

Task complete.

7.

Please proceed to the next task.

TASK VI: SETTING UP THE AUTO HOME SHARE FEATURE


In this task, you will learn how to set up the home directories for users in a qtree on your storage
system.

STEP

ACTION

1.

Before setting up the home directories for users, view the contents of the
/etc/cifs_homedir.cfg file by entering the following command at the storage system
prompt:
system> rdfile /etc/cifs_homedir.cfg

2.

Go to FilerView > Volumes > Qtrees > Add and, by performing the following, create
the qtree called users_home on flexvol1 with security style NTFS that stores the CIFS
user home directories:

a) For Volume, choose flexvol1.


b) For QTree Name, type users_home.
c) For Security Style, choose NTFS.
d) For Oplocks, mark the Oplocks check box.
e) Click the Add button.
NOTE: If you want to use a tree quota on these home directories, you must create a
qtree; otherwise, you can create a directory.
Go to FilerView > Qtrees > Manage to view the new users_home qtree.

3.

Create a share called users_home for the users_home qtree.

a) Task 5 of the Domains Module describes how to create a share with the
Computer Management GUI if you have forgotten.
b) The Folder path is C:\vol\flexvol1\users_home.
c) Give the Everyone group Full Control.

4.

Map a network drive to the users_home share. Task VI of the Domains Module
describes how to map a network drive to a share.

5.

In the mapped users_home share, create a folder with the domain user name.
a) In Windows Explorer, click on the users_home share.
b) In the right window pane, right-click and choose New > Folder.
c) Make the folder name the domain user name that follows the format
user_<first_initial><last_name>. An example is user_jdoe.
The folder name for the user is determined by your choice in the
cifs.home_dir_namestyle option.
NOTE: Make sure that the user (user_first_initial+last_name) has Full Control.

6.

Go to FilerView > Volumes > Qtrees > Manage to view the new user_home qtree.

7.

To add a user home directory, go to FilerView > CIFS > Configure > Home
Directories and perform the following:
d) The Home Directory Name Style box is left blank.
e) For the Home Directories, click the Add button.
In the Home Directory to Add text box, type the path /vol/flexvol1/users_home.

8.

At the storage system prompt, view the CIFS home-directory paths by entering the
following command:
system> rdfile /etc/cifs_homedir.cfg
Which CIFS home-directory path displays? __________________________
/vol/flexvol1/users_home


9.

At the storage system prompt, view the CIFS home-directory paths by entering the
following command:
system> cifs homedir
Which CIFS home-directory path displays? __________________________
/vol/flexvol1/users_home

10.

At the storage system prompt, force the storage system to process the new
home-directory path entry by entering the following command:
system> cifs homedir load
Verify that the path loaded by entering the following command:
system> cifs homedir
When you create a user's folder for the user's home directory, Data ONTAP
automatically searches the paths in the cifs_homedir.cfg file for the user name that
matches the login name and dynamically creates the share for that user.

11.

The Auto Home Share is now configured. Log in as your domain user.
NOTE: If you are using Remote Desktop, select the Options button, then the General
tab. Select your remote computer from the combo box and then check the Always ask
for credentials checkbox. Then hit Connect.
Verify that a share is available by typing //<storage_system>/<user_name> in the Run
dialog box located under the Start menu.
In the next task, we will configure this share to automatically be mapped to a network
drive by a Group Policy Object.

12.

Task complete.

13.

Please proceed to the next task.

TASK VII: GROUP POLICY OBJECTS AUTO HOME SHARE EXAMPLE


In this task, you will learn how to configure a Group Policy Object so that the Auto Home Share
is automatically mapped to a network drive.

STEP

ACTION

1.

Use the Remote Desktop connection to log in to your Windows workstation as
Administrator. NOTE: Use the IP address and password provided by the instructor.

2.

On the Windows workstation, start the Active Directory Users and Computers.

a) Go to Start > Programs > Administrative Tools > Active Directory Users
and Computers. (The Active Directory Users and Computers allows
management of users, groups, organizational units, and all other Active
Directory objects. This tool enables you to administer and publish
information in the directory.)

b) Select the domain icon from the tree pane. Your domain might be named
netappu.com.
c) From the menu bar, choose Action > New > Organizational Unit.
d) In the New Object User window, create a new organization unit in the
domain using the following name format: ou_<first_initial + last_name>. An
example OU name for Jane Doe is ou_jdoe. This creates a unique user name
for your OU in the domain.
e) Click the OK button.

3.

In the Active Directory Users and Computers window, right-click on the new OU
and select Properties from the drop-down menu. Navigate to the Group Policy tab as
shown.

4.

Select the New button to create a new Group Policy Object. Give it the name
user_logonscript_gpo.

5.

Make sure the user_logonscript_gpo object is selected and press the Edit button.
The Group Policy Object Editor should appear.

6.

Navigate to the logon scripts by selecting User Configuration > Windows Settings >
Scripts (Logon/Logoff).
Select the Logon script in the main panel. Right-click on it and select Properties.

7.

Add a new logon script by pressing the Add button.
In the Add a Script dialog box, add the script name: user_logonscript.cmd and press
the OK button.

8.

Now, select the Show Files button from the Logon Properties. A new explorer should
open to the location where the script needs to be created.

9.

Right-click in the new Explorer window and select New and then Text Document
from the drop-down menus. Name the file user_logonscript.cmd and confirm that you
want to change its extension from txt to cmd.

10.

Right-click on the new cmd file and choose Edit. Confirm the Open File Security
Warning dialog box if it appears by clicking the Run button.

11.

Within Notepad, type in the following line, substituting your own storage appliance
name within the path:
net use o: \\<storage_system>\%username%
NOTE: There is a space between the o: and the \\<storage_system>\%username%.
This will create an O drive that is mapped to the user's Auto Home Share.
NOTE: The storage system name must be properly resolved within DNS for this to
work.

Save the file and close it.
Close the Windows Explorer window and close the Logon Properties dialog box by
clicking the OK button. Close the Group Policy Object Editor as well. Finally, close
the OU Properties dialog box by clicking the Close button.

12.

One final step associates our domain user with the OU:

13.

Within Active Directory Users and Computers, select the Users node from the tree
pane.
Find your user account and drag-and-drop it to the OU you just created. Confirm any
warning messages that might appear.
Close the Active Directory User and Computers utility.

14.

Now from a Windows machine, log in with your user account. Open up Windows
Explorer. You should see a mapped drive O that is associated with the Auto Home
Share.

15.

Finally, copy a file to your new O drive.

16.

Is it successful? ________________
Yes.
Task complete.

17.

Please proceed to the next task.

18.

TASK VIII: GROUP POLICY OBJECTS SECURITY EXAMPLE


In this task, you will learn how to configure a Group Policy Object to control file security on a
directory structure in the storage system. NOTE: If you are sharing your storage system, only
one person can perform this task. You might want to work together. Your instructor will divide
the groups up appropriately.

STEP

ACTION

1.

Use the Remote Desktop connection to log in to your Windows workstation as your
user account (user_<first_initial><last_name>) that you created in the last module.
Map a drive to the HOME share on your assigned storage system.
You should have Full Control over this directory structure. Create a test file to verify
that you have Write access to the location. If you don't see the Security tab, you are
probably working on a storage system that has the qtree or volume set to unix or mixed
with an effective security of unix. You must have an NTFS file system to create a
filesystem security GPO. Use qtree status to verify your filesystem on vol0 and,
if it is not ntfs, use the qtree security command to set it.

Now, we will create a Security Setting GPO that will grant only Read permission to
this user in this directory.

2.

Use the Remote Desktop connection to log in to your Windows workstation as
Administrator.

3.

On the Windows workstation, start the Active Directory Users and Computers.
Go to Start > Programs > Administrative Tools > Active Directory Users and
Computers. (The Active Directory Users and Computers allows management of users,
groups, organizational units, and all other Active Directory objects. This tool enables
you to administer and publish information in the directory.)
Select the domain icon from the tree pane. Your domain might be named netappu.com.
Select the organization unit that you created in the previous task. If you followed the
procedure in the previous task, the name of the organization unit is ou_<first_initial +
last_name>. Right-click on this OU and select Properties from the drop-down menu.

4.

Select the New button to create a new Group Policy Object. Give it the name
security_gpo.

5.

Make sure the security_gpo object is selected and press the Edit button.
The Group Policy Object Editor should appear.

6.

Navigate to the Security Settings by selecting Computer Configuration > Windows
Settings > Security Settings > File System.

7.

Add a new security setting by pressing the Add File button.


The Add a file or folder box appears.


In the folder field, enter the storage system path on which to apply the GPO
(/vol/vol0/home), then click OK.

8.

The Database Security window opens. We will set the permissions for the user account
(user_<first_initial><last_name>) so that this user only has Read permission of the
/vol/vol0/home share.

Click OK. Next select Propagate inheritable permissions to all subfolders and files
and click OK.

9.

The new security group policy object is now complete. Close the Group Policy Editor.
We now must make sure that your assigned storage system is in this OU.

Click on Computers. Find your storage system and drag and drop its computer icon
into your designated OU as shown below.

10.

Using a console prompt, enter the following command:
system> options cifs.gpo.enable on
This turns on the GPO services on the storage system. Now apply the new GPO:
system> cifs gpupdate
NOTE: If you do not explicitly apply the new GPO with the cifs gpupdate
command, the storage system applies the new GPO the next time it queries the Active
Directory server (usually every 90 minutes).

11.

Using a console prompt, enter the following command:
system> cifs gpresult
Verify that the GPO is in the list.

12.

Use the Remote Desktop connection to log back into your Windows workstation as
your user account (user_<first_initial><last_name>) that you created in the last
module. Map a drive to the home directory on your assigned storage system.
What are your permissions?

Your new GPO should be applied to restrict this user to Read Only.
NOTE: You might still have Full Control. In most lab environments, you
might be logged in to the domain controller using a terminal server. Microsoft only allows
Administrators to log in via a terminal server without the licensing server. The GPO
permissions have been applied, but your user might also belong to another group that
overrides the Read Only setting.
Now, let us place the storage system back in the main OU. Log back in as the
Administrator and move your storage system's object back into the Computers folder
of the main domain OU.

13.

You might want to run cifs gpupdate and verify that your security_gpo is no
longer applied to your storage system.
NOTE: If you go back and look, the security permission has not changed. Your user
still has Read only in the ACL. Removing the GPO from the storage system does not
change the ACLs back to the way they were before we applied the GPO.

14.

Task complete.

15.

Please proceed to the next task.

TASK IX: DELETING THE DOMAIN USER AND ORGANIZATION UNIT


In this task, you delete the domain user and organization unit that you created.

STEP

ACTION

1.

Use the Remote Desktop connection to log in to your Windows workstation as
Administrator, using the IP address and password provided by the instructor.

2.

On the Windows workstation, start Active Directory Users and Computers.
a) Go to Start > Programs > Administrative Tools > Active Directory Users
and Computers.
b) Open your organization unit folder (beneath the domain folder) in the console
tree.
c) In the right windowpane, locate the domain user that you created with the
format user_<first_initial><last_name>.
d) Right-click the domain user name and choose Delete. Confirm the warning
box.
The result is that the domain user is deleted.

3.

Right-click the OU and choose Delete. Confirm the warning box.

The result is that the organization unit is deleted.

4.

Task complete.

END OF EXERCISE

MODULE 7: PERFORMANCE

Exercise
Module 7: Performance
Estimated Time: 60 minutes

EXERCISE: PERFORMANCE

OVERVIEW

The purpose of this exercise is to familiarize you with generating and collecting performance
information on the storage system and the Windows host.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Analyze CIFS performance in a storage system environment.

Utilize the sio utility to generate load for CIFS and sysstat to display, monitor, and collect
performance data.

TIME ESTIMATE

60 Minutes

CIFS Administration on Data ONTAP 7.3: M07_Performance_Exercise

Check Your Understanding

- How is performance management described in this module?
- List three factors that affect the performance of a storage system.
- What is the difference between sysstat and cifs stat?

TASK I: ANALYZING READ PERFORMANCE


This lab will show that monitoring the cache age, number of blocks read, and number of blocks
read ahead is the best strategy for analyzing the read performance of your system.
START OF EXERCISE

STEP ACTION
1.

Begin data collection. From the Windows host command prompt, type the following
commands:
rsh <storagesystemX> -l root priv set advanced; wafl_susp -z
rsh <storagesystemX> -l root priv set advanced; statit -b

2.

End system utilization statistics collection.
NOTE: If you are using Windows cmd, you might want to set the following
command prompt properties:
Screen Buffer Size Height = 800
Window Size Width = 150 (if possible with your monitor)
These properties may be set by right-clicking on the title bar of the window and
selecting Properties.
From your storage system, execute sysstat 1 (one-second update intervals):
system> sysstat -x 1

3.

Read files from the storage system to the client.


Copy the /etc directory to your desktop.

4.

Examine the sysstat output. Has the cache age changed?


__________________________________________________________________

5.

Repeat reads using larger files and compare sysstat output.

__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

6.

From the Windows host, type:
rsh <storagesystemX> -l root priv set advanced; statit -e
From which disk is the data being read? ___________________________________
What can you conclude from this information?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

7.

Analyze performance changes. From the Windows host, type:
rsh <storagesystemX> -l root priv set advanced; wafl_susp -w
How many blocks were read? ____________________________________
How many blocks were read ahead? _____________________________
What can you conclude from this information? _____________________________

8.

Task complete.

9.

Please proceed to the next task.

TASK II: INTRODUCTION TO THE SIO_NTAP_WIN32.EXE UTILITY


This lab will show how to use the sio utility to generate a workload from a Windows
environment to analyze performance. Future exercises will break down read and write
performance.

STEP ACTION
1.

From the storage system prompt, enter the following command to view statistics:
system> sysstat 1

2.

From your Windows desktop, copy a 30 MB file to your storage system's vol0.
Rename and copy the file two more times. The files should be named or renamed
testfile1, testfile2, and testfile3. View the performance based on
the output.

3.

Copy those files from your vol0 to your flexvol1 with the same name.
Did you notice anything different in the copy operations?

4.

Click Start, then select Run and type cmd and press Enter.

5.

Ensure you are at the root of the C: drive.

6.

Enter the following at the command prompt to display the sio_ntap_win32 help
file:
C:\>sio_ntap_win32
Read the output and view the sample command.

7.

Note which mapped drive is which and add the letters below:
_______ 2-disk vol0
_______ Flexible flexvol1
You will use these drive letters to read from and write to the storage system. When
you encounter a command like <flex>:\testfile1, insert your mapped drive
letter; for example, F:\testfile1.

8.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 100 100 4K 25M 10 2 <2D>:\testfile1
This command is going to perform a 100% read, 100% random, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and read from testfile1 on the two-disk volume.

9.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 100 100 4K 25M 10 2 <flex>:\testfile1
This command will perform the same 100% read, 100% random, with a 4 kB
blocksize, start at 0 bytes and go to 25 MB/sec, run for 10 seconds, use two threads,
and read from testfile1, but on the flexible volume.

10.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 0 0 64K 25M 10 2 <2D>:\testfile1 <2D>:\testfile2
This command is going to perform 100% write, 100% sequential, with a 64 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 and testfile2 of the two-disk volume.
View the Net kB/s in and the Disk kB/s write.
Do you notice anything that looks peculiar?

11.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 0 0 64K 25M 10 2 <flex>:\testfile1 <flex>:\testfile2
This command is going to perform 100% write, 100% sequential, with a 64 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 and testfile2 of the flexible volume.
View the Net kB/s in and the Disk kB/s write.
Do you see a difference in the number of flexible volume writes versus writes to the
two-disk volume?
Why do you suppose the data is different?

12.

Task complete.

13.

Please proceed to the next task.

TASK III: WRITE PERFORMANCE


This lab will show how to use the sio utility to generate a workload from a Windows
environment to analyze write performance.

STEP ACTION
1.

From the storage system prompt, enter the following command to view statistics:
system> sysstat -x 1

2.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 0 0 4K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% writes, 100% sequential, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the two-disk volume.

3.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 0 0 4K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% writes, 100% sequential, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the flexible volume.

4.

At the storage system prompt, enter Ctrl-C to stop the sysstat output.
Are there any differences in the two outputs?

5.

What types of differences can you see in the following:


CIFS operations? _____________________________________________________
Net kB/s in _________________________________________________________
Disk kB/s write _____________________________________________________

6.

From the storage system prompt, enter the following command to view statistics:
system> sysstat 1

7.

Let us see the effect of changing the randomness of the writes. Enter the following
command at the Windows command prompt:
C:\>sio_ntap_win32 0 100 4K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% writes, 100% random, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the two-disk volume.

8.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 0 100 4K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% writes, 100% random, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the flexible volume.

9.

Let us now see what effect the block size has on writes. Enter the following command
at the Windows command prompt:
C:\>sio_ntap_win32 0 100 64K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% writes, 100% random, with a 64 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the two-disk volume.

10.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 0 100 64K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% writes, 100% random, with a 64 kB
blocksize, start at 0 bytes and go to 25 MB/sec, run for 10 seconds, use two threads,
and write to testfile1 on the flexible volume.

11.

Experiment on your own with different random percentages, blocksize values, and
numbers of threads. Run these tests and change only one parameter at a time.
See if you can determine the performance impacts.

12.

Now use some tests that you are familiar with and change multiple files:
C:\>sio_ntap_win32 value value <flex>:\testfile1 <2D>:\testfile1
C:\>sio_ntap_win32 value value <2D>:\testfile <2D>:\testfile1 <2D>:\testfile2 <flex>:\testfile1 <flex>:\testfile2 <flex>:\testfile3

13.

Task complete.

14.

Please proceed to the next task.


TASK IV: READ PERFORMANCE


This lab will show how to use the sio utility from a Windows environment to analyze read
performance.

STEP ACTION
1.

You may experience some client caching. If you run a read command for 10 seconds,
and the sysstat output shows reads on the storage system for only 5 seconds, this
usually means the client is caching the data.
From the storage system prompt, enter the following command to view statistics:
system> sysstat 1 or sysstat -x 1

2.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 100 100 4K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% read, 100% random, with a 4 kB blocksize,
start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two threads, and read
testfile1 on the two-disk volume.
NOTE: If using a start byte of 0 fails, enter a nonzero value as the start byte. For
example:
C:\>sio_ntap_win32.exe 100 100 4K 2 25M 10 2 <2D>:\testfile1

3.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 100 100 4K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% read, 100% random, with a 4 kB blocksize,
start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two threads, and read
from testfile1 on the flexible volume.

4.

At the storage system prompt, enter Ctrl-C to stop the sysstat output.
Are there any differences in the two outputs?

5.

What types of differences can you see in the following:


CIFS operations ______________________________________________________
Net kB/s in __________________________________________________________
Disk kB/s write ______________________________________________________

6.

From the storage system prompt, enter the following command to view statistics:
system> sysstat 1 or sysstat -x 1

7.

To view the effects of sequential versus random reads, enter the following command
at the Windows command prompt:
C:\>sio_ntap_win32 100 0 4K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% read, 100% sequential, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and read from testfile1 on the two-disk volume.

8.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 100 0 4K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% read, 100% sequential, with a 4 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and read from testfile1 on the flexible volume.

9.

Let's now see what effect the block size has on reads. Enter the following command
at the Windows command prompt:
C:\>sio_ntap_win32 100 0 64K 25M 10 2 <2D>:\testfile1
This command is going to perform 100% read, 100% sequential, with a 64 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and read from testfile1 on the two-disk volume.

10.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 100 0 64K 25M 10 2 <flex>:\testfile1
This command is going to perform 100% read, 100% sequential, with a 64 kB
blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and read from testfile1 on the flexible volume.

11.

Experiment on your own with different random percentages, blocksize values, and
numbers of threads. Run these tests and change only one parameter at a time.
See if you can detect and determine the performance impacts.

12.

Now use some tests that you are familiar with and change multiple files:
C:\>sio_ntap_win32 value value <flex>:\testfile1 <2D>:\testfile1
C:\>sio_ntap_win32 value value <2D>:\testfile1 <2D>:\testfile2 <2D>:\testfile3 <flex>:\testfile1 <flex>:\testfile2 <flex>:\testfile3

13.

Task complete.

14.

Please proceed to the next task.
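The comparisons asked for in Tasks III and IV (CIFS operations, Net kB/s in, Disk kB/s write, and the client-caching check where a 10-second read run shows fewer seconds of activity) can also be made on captured output instead of by eye. The following Python sketch is an added example, not part of the NetApp course material; it assumes the default column layout of sysstat 1, and both captures are constructed sample data, not real measurements.

```python
"""Summarise captured sysstat output for two sio runs (added example)."""
from statistics import mean

# Assumed column order of the default one-second sysstat display.
FIELDS = ("cpu", "nfs", "cifs", "http", "net_in", "net_out",
          "disk_read", "disk_write", "tape_read", "tape_write", "cache_age")

HEADER = """\
 CPU   NFS  CIFS  HTTP      Net kB/s     Disk kB/s     Tape kB/s Cache
                            in   out   read  write  read write   age
"""

# Constructed capture: 10-second sequential write run.
WRITE_RUN = HEADER + """\
  1%     0     0     0       0     0      0      0      0     0   >60
 28%     0  1450     0    5800    96      0      0      0     0   >60
 31%     0  1520     0    6080   101      0      0      0     0   >60
 30%     0  1500     0    6000   100      0      0      0     0   >60
 44%     0  1490     0    5960    99      8  20480      0     0   >60
 29%     0  1510     0    6040   100      0      0      0     0   >60
 30%     0  1500     0    6000   100      0      0      0     0   >60
 31%     0  1530     0    6120   102      0      0      0     0   >60
 45%     0  1480     0    5920    98      8  21504      0     0   >60
 30%     0  1500     0    6000   100      0      0      0     0   >60
 29%     0  1520     0    6080   101      0      0      0     0   >60
 12%     0     0     0       0     0      8  19456      0     0   >60
"""

# Constructed capture: read run requested for 10 seconds, active for only 5.
READ_RUN = HEADER + """\
  1%     0     0     0       0     0      0      0      0     0   >60
 22%     0  1500     0     180  6000   5800      0      0     0    12
 23%     0  1520     0     182  6080   5900      0      0     0     9
 22%     0  1500     0     180  6000   5750      0      0     0     7
 21%     0  1480     0     178  5920   5600      0      0     0     6
 22%     0  1500     0     180  6000   5700      0      0     0     6
  1%     0     0     0       0     0      0      0      0     0     6
"""


def parse_sysstat(text):
    """Return one dict per data row; header, blank and truncated rows are skipped."""
    samples = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != len(FIELDS) or not tokens[0].endswith("%"):
            continue
        try:
            values = [int(tokens[0].rstrip("%"))]
            values += [int(t) for t in tokens[1:-1]]
            values.append(int(tokens[-1].lstrip(">")))  # ">60" is stored as 60
        except ValueError:
            continue
        samples.append(dict(zip(FIELDS, values)))
    return samples


def summarise(samples, requested_seconds):
    """Totals over the whole capture; with 1-second rows, kB/s sums to kB.

    Disk writes can arrive in bursts after the network traffic, so totals
    are compared rather than individual rows.
    """
    active = [s for s in samples if s["cifs"] > 0]

    def total(key):
        return sum(s[key] for s in samples)

    return {
        "active_seconds": len(active),
        "avg_cifs_ops": round(mean(s["cifs"] for s in active)) if active else 0,
        "net_in_kb": total("net_in"),
        "net_out_kb": total("net_out"),
        "disk_read_kb": total("disk_read"),
        "disk_write_kb": total("disk_write"),
        "min_cache_age": min((s["cache_age"] for s in samples), default=None),
        # Fewer active seconds than requested suggests client-side caching.
        "short_run": len(active) < requested_seconds,
    }


if __name__ == "__main__":
    for name, capture in (("write", WRITE_RUN), ("read", READ_RUN)):
        print(name, summarise(parse_sysstat(capture), requested_seconds=10))
```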


TASK V: READ/WRITE PERFORMANCE


This lab will show how to use the sio utility from a Windows environment to analyze
performance when users are simultaneously reading and writing to volumes.

STEP ACTION
1.

From the storage system prompt, enter the following command to view statistics:
system> sysstat 1 or sysstat -x 1

2.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 50 100 4K 0 25M 10 2 <2D>:\testfile1
This command is going to perform 50% writes, 50% reads, 100% random, with a 4
kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the two-disk volume.
NOTE: If using the 0 byte fails, use a nonzero value; make sure there is a comma
between the nonzero value and the 25 MB value.

3.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 50 100 4K 0 25M 10 2 <flex>:\testfile1
This command is going to perform 50% writes, 50% reads, 100% random, with a 4
kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10 seconds, use two
threads, and write to testfile1 on the flexible volume.
NOTE: If using the 0 byte fails, use a nonzero value; make sure there is a comma
between the nonzero value and the 25 MB value.

4.

At the storage system prompt, enter Ctrl-C to stop the sysstat output.
Are there any differences in the two outputs?

5.

What types of differences can you see in the following:


CIFS operations _______________________________________________________
Net kB/s in ___________________________________________________________
Disk kB/s write _______________________________________________________

6.

From the storage system prompt, enter the following command to view statistics:
system> sysstat 1 or sysstat -x 1

7.

Let's see what effect changing the randomness of the writes has. Enter the following
command at the Windows command prompt:
C:\>sio_ntap_win32 50 50 4K 0 25M 10 2 <2D>:\testfile1
This command is going to perform 50% writes, 50% reads, 50% random, 50%
sequential, with a 4 kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10
seconds, use two threads, and write to testfile1 on the two-disk volume.
NOTE: If using the 0 byte fails, use a nonzero value; make sure there is a comma
between the nonzero value and the 25 MB value.

8.

Enter the following command at the Windows command prompt:


C:\>sio_ntap_win32 50 50 4K 0 25M 10 2 <flex>:\testfile1
This command is going to perform 50% writes, 50% reads, 50% random, 50%
sequential, with a 4 kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10
seconds, use two threads, and write to testfile1 on the flexible volume.

9.

Let's now see what effect the block size has on writes. Enter the following command
at the Windows command prompt:
C:\>sio_ntap_win32 50 50 64K 0 25M 10 2 <2D>:\testfile1
This command is going to perform 50% writes, 50% reads, 50% random, 50%
sequential, with a 64 kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10
seconds, use two threads, and write to testfile1 on the two-disk volume.

10.

Enter the following command at the Windows command prompt:
C:\>sio_ntap_win32 50 50 64K 0 25M 10 2 <flex>:\testfile1
This command is going to perform 50% writes, 50% reads, 50% random, 50%
sequential, with a 64 kB blocksize, start at the 0 byte and go to 25 MB/sec, run for 10
seconds, use two threads, and write to testfile1 on the flexible volume.

11.

Experiment on your own with different random percentages, blocksize values, and
numbers of threads. Run these tests and change only one parameter at a time.
See if you can detect and determine the performance impacts.

12.

Now use some tests that you are familiar with and change multiple files:
C:\>sio_ntap_win32 value value <flex>:\testfile1 <flex>:\testfile2
C:\>sio_ntap_win32 value value <2D>:\testfile1 <2D>:\testfile2 <2D>:\testfile3 <flex>:\testfile1 <flex>:\testfile2 <flex>:\testfile3
NOTE: If using the 0 byte fails, use a nonzero value; make sure there is a comma
between the nonzero value and the 25 MB value.

13.

Task complete.

END OF EXERCISE


MODULE 8: TROUBLESHOOTING

Exercise
Module 8: Troubleshooting

EXERCISE


Check Your Understanding

- When communication from a storage system to a domain controller fails or trust
  across multiple domains fails, what steps are useful to resolve the problem?
- When the NT account does not map or the UNIX user name does not exist, what steps
  are useful to resolve the problem?
- When the user does not have access to the share, what steps are useful to resolve
  the problem?
- When the storage system and the Active Directory domain controller time clocks
  differ more than 5 minutes, what steps are useful to resolve the problem?
- During cifs setup, if you enter the short name for the Active Directory domain,
  what error occurs and how do you resolve the problem?

Answers
Module 8: Troubleshooting

ANSWERS


Check Your Understanding - Answers

- When communication from a storage system to a domain controller fails or trust
  across multiple domains fails, what steps are useful to resolve the problem?
  On the storage system, run the following commands:
  - cifs testdc to test the storage system connection to the domain controller
  - options cifs.trace_dc_connection on to log all DC address discovery and
    connectivity
  - cifs resetdc to disconnect the storage system from the DC and then re-establish
    a new CIFS connection with the DC
  Check the results of the trace log to determine the problem.

- When the NT account does not map or the UNIX user name does not exist, what steps
  are useful to resolve the problem?
  On the storage system, run the following commands:
  - cifs session -s winname to check the NT account credentials; verify winname maps
    to the expected UNIX name
  - rdfile /etc/usermap.cfg to check the user mapping for the NT account and the UNIX
    user name; if necessary, edit the file
  - rdfile /etc/passwd to check for the existence of the UNIX user name; if
    necessary, edit the file
  If using an NIS server: nis info and options nis.group_update_schedule

- When the user does not have access to the share, what steps are useful to resolve
  the problem?
  Check the share-level ACL (access control list)
  - system> cifs shares to view the shares
  - On the Windows client, use the Computer Management GUI (Windows 2000 or later)
    to view the shares
  The Windows client user must have rights to connect to the storage system

- When the storage system and the Active Directory domain controller time clocks
  differ more than 5 minutes, what steps are useful to resolve the problem?
  Configure the storage system time to match the domain controller time; use the
  date command.
  Synchronize both the storage system and domain controller to a central time-server.

- During cifs setup, if you enter the short name for the Active Directory domain,
  what error occurs and how do you resolve the problem?
  The error is that cifs setup cannot find a necessary DNS service record for the
  domain.
  The resolution is to enter the Fully Qualified Domain Name (FQDN) for the name of
  the Active Directory domain.

Appendix A

NETAPP UNIVERSITY

CIFS Administration on Data ONTAP 7.3


Appendix A: Answer Key
Version Number: Version 5.0
Release Number: Release 7.3
Course Number: STRSW-ED-ILT-CIFSAD-REV03

APPENDIX A: ANSWER KEY TABLE OF CONTENTS

MODULE 1: OVERVIEW
MODULE 2: WORKGROUPS
MODULE 3: SHARES AND SESSIONS
MODULE 4: ACCESS CONTROL
MODULE 5: DOMAINS
MODULE 6: ADVANCED ADMINISTRATION
MODULE 7: PERFORMANCE
MODULE 8: TROUBLESHOOTING

CIFS Administration on Data ONTAP 7.3: M09_AppendixA_Exercise


MODULE 1: OVERVIEW

Answers
Module 1: CIFS Overview

Check Your Understanding - Answers

In a network, which two abilities does a Windows client user require?
Find other computers
Request resources from a server

What is the difference between user authentication and authorization?
User authentication = user identity verification
User authorization = allows certain functionality at the share or file level

What are the three types of storage system CIFS service environments?
Windows workgroup
Non-Windows workgroup
Windows domain

What is the purpose of a name resolution server?
To resolve machine names to IP addresses

What kind of information is kept in the directory that the domain controller stores and maintains?
Machine accounts
User names/passwords/rights
Group membership info
Group policies

In a Windows workgroup, how does a storage system authenticate users?
Locally

In a Windows domain, how does a storage system authenticate users?
By means of a domain controller

In a non-Windows workgroup, how does a storage system authenticate users?
Via UNIX mechanisms:
Local /etc/passwd file
NIS server
LDAP server


MODULE 2: WORKGROUPS

Answers
Module 2: Workgroups

Check Your Understanding - Answers

In cifs setup, what are the two security style choices for which a storage system can be configured?
NTFS-only
Multiprotocol

During the initial questions in CLI cifs setup, for which root user can you enter a password?
The UNIX root user in the /etc/passwd file
Used in a non-Windows workgroup only

What are the three default share volumes created as a result of cifs setup?
C$
ETC$
HOME

What is the name of the NetBIOS alias file?
cifs_nbalias.cfg


TASK I: CONFIGURING CIFS SERVICES TO JOIN THE STORAGE SYSTEM TO A WINDOWS WORKGROUP

4.

Before configuring the CIFS services, at the storage system prompt (in your Telnet
session), enter the following command and view the default storage system security
style and NT administrator privileges:

system> options wafl
What is the volume (and all qtrees on the volume) default security style?
______________
unix
Look at the wafl.default_security_style option.
Does the NT (Windows) administrator have privileges to map to the UNIX root user?
___________________
on
Look at the wafl.nt_admin_priv_map_to_root option.

Enter the following command and view the security style of the root volume:

system> qtree status
What is the security style of your root volume? _________
unix


7.

After configuring the CIFS services, enter the following command and view the
default storage system security style and NT administrator privileges:

system>options wafl
What is the volume (and all qtrees on the volume) default security style?
___________________

ntfs
Does the NT (Windows) administrator have privileges to map to the UNIX root user?
_______________

No, the setting is off.


8.

Enter the following command and view the security style of the root volume:

system>qtree status
After configuring the CIFS services, what is the security style of your root volume?
__________________

ntfs

TASK III: CREATING NEW VOLUMES AND QTREES

5.

Create a qtree named datatree1_ntfs with NTFS security style on the volume flexvol1
by entering the following command:

system>qtree create /vol/flexvol1/datatree1_ntfs


Verify that the newly created qtree datatree1_ntfs exists:
system>qtree status
What is the security style on the new qtree? __________________

ntfs
Why is this the security style? ____________________________________
Because this is the default security style, which was set to ntfs by cifs setup.

6.

Create a qtree named datatree2_unix with UNIX security style on the volume flexvol1
by entering the following command:

system>qtree create /vol/flexvol1/datatree2_unix


Verify that the newly created qtree datatree2_unix exists:
system>qtree status
What is the security style on the new qtree? __________________

ntfs
Change the security style to UNIX by entering the following command:
system> qtree security /vol/flexvol1/datatree2_unix unix
Verify that the security style for qtree datatree2_unix is UNIX:
system>qtree status


MODULE 3: SHARES AND SESSIONS

Answers
Module 3: Shares

Check Your Understanding Answers

For which storage objects can you create shares?
folders
qtrees
volumes

What are three methods to manage CIFS shares?
CLI
Microsoft tools such as Computer Management
FilerView

What command would you use to view the connected CIFS users?
cifs sessions

TASK I: VIEWING THE LIST OF CURRENT SHARES

2.

On your Windows workstation, go to Start > Run. In the Run window, enter the
following to browse the shares on your storage system, and click OK:

\\IP_Address_of_Your_Storage_System
What share(s) display? _________________________
Home share appears because it is a default, nonhidden share.

3.

In the address bar of the Web browser, change the address to the following:

\\IP_Address_of_Your_Storage_System\C$
What folder(s) display? __________________________
The root volume appears.

4.

At your storage system prompt, view the CIFS sessions by entering the following
command:
system> cifs sessions
What user currently has a session with the storage system?
__________________________________________________
Storage system's local administrator account.
What account is the user mapped to? _______________________
The local administrator is mapped to pcuser.

5.

At the storage system prompt, verify the user mapping by entering the following
command:
system> options wafl.nt_admin_priv_map_to_root
Is this option set to on? _________________
No.
If wafl.nt_admin_priv_map_to_root is on, then the local administrator's user
mapping is root.
Verify the default UNIX user name by entering the following command:
system> options wafl.default_unix_user
Is there a default UNIX user? If yes, what is the user name?
________________________________
pcuser
If the wafl.default_unix_user is set to a user name (for example, pcuser), then this is
the default user mapping for any Windows user that is not explicitly mapped.
Verify that the default UNIX user name is in the /etc/passwd file by entering the
following command:
system> rdfile /etc/passwd
Is the default UNIX user name in the /etc/passwd file? _____________
Yes.
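
The two mapping rules checked in step 5 can be worked through offline. The following Python sketch is an added example, not part of the course material: it applies only the rules stated above to constructed `options wafl` and `/etc/passwd` text, and does not model explicit per-user mappings. The function names are hypothetical.

```python
"""Added example: the Windows-to-UNIX identity rules stated in this task."""

# Constructed sample text in a "name value" shape for `options wafl` output;
# it is not captured from a real storage system.
OPTIONS_OUTPUT = """\
wafl.default_nt_user
wafl.default_security_style    ntfs
wafl.default_unix_user         pcuser
wafl.nt_admin_priv_map_to_root off
"""

# Constructed sample of `rdfile /etc/passwd` output (name:pw:uid:gid:...).
PASSWD_OUTPUT = """\
root:_constructed_hash_:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
"""


def parse_options(text):
    """Return {option_name: value}; an option printed with no value maps to ''."""
    options = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if fields:
            options[fields[0]] = fields[1].strip() if len(fields) == 2 else ""
    return options


def parse_passwd(text):
    """Return {user_name: uid} from passwd-format lines, skipping malformed ones."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def resolve_unix_identity(is_local_admin, options, passwd):
    """Return (unix_name, uid, deciding_option) for a user with no explicit mapping.

    uid is None when the chosen name has no /etc/passwd entry; unix_name is
    None when no default UNIX user is configured.
    """
    if is_local_admin and options.get("wafl.nt_admin_priv_map_to_root") == "on":
        name, rule = "root", "wafl.nt_admin_priv_map_to_root"
    else:
        name, rule = options.get("wafl.default_unix_user", ""), "wafl.default_unix_user"
    if not name:
        return (None, None, rule)
    return (name, passwd.get(name), rule)


def review_mapping(options, passwd):
    """Return the notes a reviewer would raise about the current settings."""
    notes = []
    admin = resolve_unix_identity(True, options, passwd)
    if admin[1] == 0:
        notes.append("local administrator maps to UID 0 (root)")
    default = resolve_unix_identity(False, options, passwd)
    if default[0] is None:
        notes.append("no default UNIX user is set")
    elif default[1] is None:
        notes.append("default UNIX user %r is missing from /etc/passwd" % default[0])
    return notes


if __name__ == "__main__":
    opts = parse_options(OPTIONS_OUTPUT)
    users = parse_passwd(PASSWD_OUTPUT)
    print("administrator ->", resolve_unix_identity(True, opts, users))
    for note in review_mapping(opts, users):
        print("NOTE:", note)
```

With the sample settings the administrator resolves to pcuser, matching the answer to step 4; switching wafl.nt_admin_priv_map_to_root to on makes the same session resolve to root.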

TASK II: CREATING A NEW SHARE

2.

View the newly created datatree1_ntfs share by entering the following command at
the storage system prompt:
system> cifs shares datatree1_ntfs
Which group has access to this share? _______________________
The Everyone group is the default.
What are the share permissions? _______________________
The Everyone group has Full Control.

6.

On the Windows workstation using Windows Explorer, go to the mapped network
drive for the datatree1_ntfs share to view the newly created text file.
a) Right-click the text file and choose Properties.
b) Click the Security tab and view the NTFS file permissions for the text file.
c) What group has access to this file? ____________________________
Everyone.
List the file access permissions for the text file:_________________________
Full control
d) Close all the open windows.
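
The answers above show a new share defaulting to Everyone with Full Control, which leaves file-level permissions as the only restriction. As an added example (not part of the course material), this Python sketch reviews a share listing for that pattern; the listing is constructed, its two-level layout is an assumption, and EXAMPLE\domain_user_name is a placeholder.

```python
"""Added example: flag broad share-level ACLs in a `cifs shares` style listing."""

# Constructed sample. The layout (a share row followed by indented
# "principal / rights" rows) is an assumption, not captured output.
CIFS_SHARES_OUTPUT = r"""
Name           Mount Point                     Description
----           -----------                     -----------
ETC$           /etc                            Remote Administration
                        BUILTIN\Administrators / Full Control
HOME           /vol/vol0/home                  Default Share
                        everyone / Full Control
C$             /                               Remote Administration
                        BUILTIN\Administrators / Full Control
datatree1_ntfs /vol/flexvol1/datatree1_ntfs
                        everyone / Full Control
                        EXAMPLE\domain_user_name / Full Control
"""

# Principals expected on the hidden administrative shares (names ending in $).
ADMIN_PRINCIPALS = {"builtin\\administrators"}


def parse_shares(text):
    """Return a list of {"name", "path", "acl"} dicts in listing order.

    Share names containing spaces are not handled by this sketch.
    """
    shares = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue  # blank line or column header
        if line[0].isspace():
            # Indented row: an ACL entry belonging to the most recent share.
            principal, sep, rights = line.strip().partition(" / ")
            if sep and shares:
                shares[-1]["acl"].append((principal, rights))
            continue
        fields = line.split()
        path = fields[1] if len(fields) > 1 else ""
        shares.append({"name": fields[0], "path": path, "acl": []})
    return shares


def review_shares(shares):
    """Return (share_name, finding) tuples for ACL entries worth a second look."""
    findings = []
    for share in shares:
        for principal, rights in share["acl"]:
            who = principal.lower()
            if who == "everyone" and rights == "Full Control":
                findings.append(
                    (share["name"], "Everyone has Full Control at share level"))
            if share["name"].endswith("$") and who not in ADMIN_PRINCIPALS:
                findings.append(
                    (share["name"], "administrative share open to " + principal))
    return findings


if __name__ == "__main__":
    for name, finding in review_shares(parse_shares(CIFS_SHARES_OUTPUT)):
        print("%-16s %s" % (name, finding))
```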


MODULE 4: ACCESS CONTROL

Answers
Module 4: Access Control

Check Your Understanding Answers

What is the purpose of a local administrator account on a storage system, and why does cifs setup recommend creating one?
Local administrator can administer CIFS
Access the storage system when the domain controller is down

What does it mean when a storage system is configured for multiprotocol access?
Any file can be accessed by NFS (UNIX users) and CIFS (Windows users) protocols
Both NFS and CIFS must be licensed

What command adds local users and groups to the storage system?
useradmin


TASK I: CREATING A LOCAL USER ACCOUNT ON THE STORAGE SYSTEM

5.

Verify that the local user (you) was added to the storage system by entering the
following command:
system> useradmin user list your_name
What are your allowed capabilities? __________________________
None, because this user is a guest.

6.

Check the allowed capabilities for the local administrator account by entering the
following command:
system> useradmin user list administrator
What are the capabilities of the local administrator?
_______________________________________________
The administrator has all (*) the login, cli, api and security capabilities by default
because the administrator is part of the Administrators group.

7.

View the list of all local storage system users by entering the following command:
system> useradmin user list
What local users are listed? _____________________________________
Answers may vary.

TASK II: MAPPING A NETWORK DRIVE TO A SHARE


2.

At the storage system prompt in your Telnet session, view the CIFS sessions by
entering the following command:
system>cifs sessions
From your Windows workstation, who has a session with the storage system?
__________________________________________________
Administrator
You logged in to the Windows workstation as Administrator with a password. This
Administrator was authenticated locally on the storage system with the local
Administrator account (note that the user names match). The local Administrator
account has the same password as the Windows Administrator.
This is called pass-through user authentication, and it works only if the
names and passwords match on both the storage system and Windows
workstation.
The Administrator account has permission to view the hidden C$ share.

5.

On your Windows workstation, map a drive to a storage system share for a different
local user (your name) by opening Windows Explorer and going to Tools > Map
Network Drive. The Map Network Drive window appears.
a) In the Drive list box, select any unused letter.
b) In the Folder list box, enter the following:
\\IP_Address_of_Your_Storage_System\C$
c) Click Connect using a different user name.
The Connect As... window appears.
d) Enter your User name.
(Name_of_Your_Storage_System\your_name).
e) Enter your Password. (password for your_name).
f) Click the OK button.
g) Click the Finish button.
The Connect to window appears.
h) The user name matches
Name_of_Your_Storage_System\your_name.
i) In the password text box, enter your password.
j) Click the OK button.

Are you able to connect to C$ share? _____________________
No
If not, go back up to step 5b), and in the Folder list box, enter
\\IP_Address_of_Your_Storage_System\Home and proceed again to
map the network drive to the share.
The Guests group has no capabilities and, therefore, you cannot browse
the C$ share, but you can browse the Home share since it is available to
the Everyone group.

6.

At the storage system prompt, view the CIFS sessions by entering the following
command:
system> cifs sessions
From your Windows workstation, who has a session with the storage system?
__________________________________________________
The account you created with your name is the current session.
You now have successfully mapped a network drive to the Home share on the storage
system as a local user (your name) on the storage system that is a member of the
Guests group.
You were authenticated locally on the storage system with your name and password.

TASK III: CREATING A LOCAL GROUP


3.

At the storage system prompt, verify the newly created group by entering the following
command:
system>useradmin group list friends
How many capabilities are assigned to the power role for the friends group?
__________________________
Eleven capabilities or capability families (i.e., cli-cifs*) are listed.
The Data ONTAP predefined power role grants the ability to:
Invoke all cifs, exportfs, nfs, and useradmin CLI commands.
Make all cifs and nfs API calls.
Log in to Telnet, HTTP, rsh, and ssh sessions.

4.

On the Windows workstation, change the security properties of the text file on the
datatree1_ntfs share.
a) Open Windows Explorer and go to the mapped datatree1_ntfs drive to view the
text file.
b) Right-click the text file and choose Properties.
c) Select the Security tab and under Group or user names, click the Add button.
d) In the Enter the object names to select text box, enter friends.
e) Click the OK button.
f) Click the friends group. What permissions are displayed for the friends group?
_____________________________________________________
Default for friends group is Read & Execute and Read.
g) Click the Everyone group. How do the friends permissions differ from the
permissions in the Everyone group?
___________________________________________________
Everyone has more allowed permissions.
h) Now, click the Apply button on the Security tab, and then click the OK
button.

5.

At the storage system prompt, modify the local user (your name) and add the friends
group to the user by entering the following command:
system> useradmin user modify your_name -g Guests,friends

6.

At the storage system prompt, verify the groups and capabilities of the newly changed
local user (your name) by entering the following command:
system>useradmin user list your_name
To which groups does the local user (your name) now belong?
Guests and friends
How have the local user (your name) capabilities changed?
________________________________________________
Yes. Now your user account has all the allowed capabilities of both groups.


TASK IV: CONFIGURING THE STORAGE SYSTEM FOR MULTIPROTOCOL ACCESS

1.

At the storage system prompt, view the current default security style by entering the
following command:
system>options wafl.default_security_style
What is the current default security style? ______________________
ntfs

6.

On the Windows workstation, open Windows Explorer, go to the mapped network
drive for datatree1_ntfs share, and view the security of the datatree1_ntfs by
performing the following:
Right-click datatree1_ntfs share and choose Properties.
Click the Security tab.
Who has access to the qtree, and what are the NTFS permissions on the file
system?
___________________________________________________________
Everyone has Full Control.
Click the Cancel button.
Double-click the datatree1_ntfs share in the console tree to view the contents of
the share.
Right-click the previously created text file and choose Properties.
Click the Security tab.
Who has access to the file and what are the file permissions?
_______________________________________________
Everyone has Full Control. The group friends has Read & Execute and Read.
Click the Cancel button.
Recall that the datatree1_ntfs qtree has a designated security style of
NTFS. This means that files have Windows NTFS ACLs (permissions).

7.

On the Windows workstation, open Windows Explorer, go to the mapped network
drive for datatree2_unix share, and view the security of the datatree2_unix by
performing the following:
Right-click datatree2_unix share and choose Properties.
Is there a Security tab? ________________________
No.
Click the Cancel button.
Double-click the datatree2_unix share in the console tree to view the contents of
the share.
Create a new text file in this share by right-clicking in the right windowpane and
choosing New > Text Document.
Right-click the New Text Document.txt file and choose Properties.
Is there a Security tab? ________________________
No.
Click the Cancel button.
Recall that the datatree2_unix qtree has a designated security style of UNIX, and that
files and directories have UNIX permissions.
You are a Windows user accessing a UNIX qtree and a UNIX file. The Properties
window (in Microsoft Windows) is not designed to interpret the UNIX permissions on
the share and file and hence the Security tabs are missing. However, starting with Data
ONTAP 7.2, changes have been made to the multiprotocol functionality. Now,
administrators can both display and change UNIX permissions from the Windows
Security tab.

8.

On the Windows workstation, open Windows Explorer, go to the mapped network
drive for datatree3_mixed share, and view the security of the datatree3_mixed by
performing the following:
Right-click datatree3_mixed share and choose Properties.
Click the Security tab.
Who has access to the qtree, and what are the NTFS permissions on the file
system?
__________________________________________________
The Everyone group has full control.
Click the Cancel button.
Double-click the datatree3_mixed share in the console tree to view the contents
of the share.
Create a new text file in this share by right-clicking in the right windowpane and
choosing New > Text Document.
Right-click the New Text Document.txt file and choose Properties.
Click the Security tab.
Who has access to the file, and what are the file permissions?
_______________________________________________
The Everyone group has full control.
Click the Cancel button.
Recall that the datatree3_mixed qtree has a designated security style of
mixed. This means that the default security style of a file is the style most
recently used to set permission on that file. With mixed security style,
the volume or qtree can have UNIX or NTFS file security in play.
Since the mixed qtree was created when the storage system was NTFS-only and the
parent volume was NTFS, the mixed qtree inherited the
effective security style of the parent volume that was created with NTFS.


9.

To view the UNIX permissions on the files in this multiprotocol environment, enter the
following option at the storage system prompt:
system>options cifs.preserve_unix_security on
Enabling this option allows you to manipulate a file's UNIX permissions
using the Security tab on a Windows client, or using any application that
can query or set Windows ACLs. When enabled, this option causes UNIX
qtrees to appear as NTFS volumes. The default for this option is off.

10.

On the Windows workstation, open Windows Explorer, go to the mapped network
drive for datatree1_ntfs share, and view the security of the previously created text file
by performing the following:
Right-click the previously created text file and choose Properties.
Click the Security tab and view the permissions for the Everyone and friends
group.
Click the Cancel button.

11.

On the Windows workstation, open Windows Explorer, go to the mapped network
drive for datatree2_unix share, and view the security of the New Text Document.txt
file by performing the following:
a) Right-click the New Text Document.txt file and choose Properties.
b) Click the Security tab and view the UNIX group, user names, and permissions
for this file whose file security is UNIX.
In the Group or user names list box, list the first 4 entries:
____________________________________________________
_____________________________________________________
Answers may vary.
c) Click the Advanced button in the lower right corner in the Security tab.
d) In the Advanced Security Settings window in the Permissions tab, select
pcuser and click the Edit button. (Do not actually edit the permissions.)
In the Permission Entry window, what permissions does pcuser have?
______________________________________________________
______________________________________________________
Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data
e) Click the Cancel button in the Permission Entry window.
f) In the Advanced Security Settings window, click the Owner tab.
Who are the owners for this text file?
___________________________________________________
pcuser
g) Click the Cancel button in the Advanced Security Settings window.
h) Click the Cancel button in the Properties window.


You are a Windows user accessing this UNIX file with your mapped UNIX
credentials. Your UNIX credentials are used when evaluating your access requests by
comparing your credentials against the file or folder UNIX access permissions.

TASK V: REMOVING A SHARE

2.

Do you remember the command to view the current shares? _____________
cifs shares
Remove the datatree3_mixed share by typing the following at the prompt:
system> cifs shares -delete datatree3_mixed

3.

Verify that datatree3_mixed is removed.

4.

Do you think when you remove a share that you delete the underlying qtree?
_____________
The qtree is not deleted.
Go check. Do you remember the command to view the current qtrees and volumes?
_____________
qtree status


MODULE 5: DOMAINS

Answers
Module 5: Domains

Check Your Understanding - Answers

For which objects can you create shares?
Folders
Qtrees
volumes

What are three methods used to manage CIFS shares?
CLI
Microsoft Tools such as Computer Management
FilerView

CIFS Kerberos-based authentication fails if the time difference between the storage system and the domain controller is more than how many minutes?
Five minutes

Which command or commands allow you to configure the preferred domain controllers?
cifs prefdc

TASK III: VIEWING THE CURRENT SHARES, SESSIONS, AND LOCAL GROUPS USING COMPUTER MANAGEMENT GUI AND GIVING THE NEW DOMAIN USER SHARE-LEVEL ACCESS

3.

What shares are displayed in the right windowpane?
____________________________________________________________
The shares that were previously created.
Computer Management enables you to view shares that you have permission to view.
You cannot see the folders or files in the share from this GUI.

4.

To view the share permissions of the datatree1_ntfs share, right-click the datatree1_ntfs
share, choose Properties, and then click the Share Permissions tab.
Which group has access to see this share? ________________________
Everyone

5.

Give the new domain user (that you created in the previous lab
user_<first_initial>_+_<last_name>) access to the datatree1_ntfs share by performing
the following:
a. In the datatree1_ntfs Properties window, in the Share Permissions tab,
click the Add button.
b. In the Enter the object names to select text box, enter the new domain user
name.
c. Click the OK button.
What are the share permissions for the new domain user? _______________
Read & Execute and Read
d. In the Share Permissions tab, modify the share permissions for the new
domain user to Full Control by marking the Full Control check box in the
Allow column.
e. Click the Apply button.
f. Click the OK button.

The CLI equivalent entered at the storage system prompt that modifies share-level
access control to Full Control is demonstrated in the following example, where
datatree1_ntfs is the name of the share:
NetApp> cifs access datatree1_ntfs domain_user_name Full Control

6.

Click the Sessions folder (beneath the Shares folder in the console tree) to view the
current sessions.
Which user or users have current session(s) with the storage system?
_________________________________________
Administrator

7.

Click the Local Users and Groups folder in the console tree.

a. Click the Users folder. Who are the local users in your storage system?
________________________________________________________
Answers may vary. The local user created earlier is here.
b. Click the Groups folder. Which group is not a predefined group?
__________________________________________________
Answers may vary. The local group friends created earlier is here.

8.

With the Groups folder open, right-click the Guests account and choose Properties to
view the Guests properties.
Which users are members of the Guests group?
___________________________________________________
The local user that was added earlier as well as Domain Guests
Click the Cancel button.
NOTE: The Guests account has domain and local storage system users.

9.

With the Groups folder open, right-click the friends account and choose Properties to
view the friends group properties.
Which user or users are members of the friends group?
_________________________
The local user that was added earlier.
Click the Cancel button.

10.

With the Groups folder open, right-click the friends account and choose Add to
Group to add the new domain user to the friends local group by performing the
following:
a. In the friends Properties window, click the Add button.
b. In the Enter the object names to select text box, type the new domain user
(user_<first_initial>_+_<last_name>).
c. Click the Check Names button.
d. Click the OK button.
e. In the friends Properties window, view the newly added domain user to the
Members list for the friends share.
f. Click the Apply button.

g. Click the OK button.

11.

With the Groups folder open, right-click the Administrators account and choose
Properties to view the Administrators properties.
Which members can fully administer the storage system?
________________________________________________
Administrator and Domain Admins are here.
Click the Cancel button.


TASK IV: VIEWING SHARES AND SESSIONS AND ADDING A NEW SHARE USING FILERVIEW

2.

To view all current CIFS shares, go to FilerView > CIFS > Shares > Report.
Who has access to the datatree1_ntfs share, and what is their share-level access?
_________________________________________________________
Everyone at Full Control

3.

To view the current sessions with the storage system, go to
FilerView > CIFS > Session Report.
a. Click the Sessions button to view the overall session information.
b. Click the Security button to view the overall security information.
c. In the User/PC text box, type the name of your Windows workstation and
click the Sessions button.
(The name and IP address are displayed in the overall security information.)
d. With your Windows workstation name in the User/PC text box, click the
Security button.
Your Windows workstation user is mapped to the UNIX UID 65534. To whom does
this UID belong? ____________________ (challenge question)
pcuser

TASK VI: MAPPING A NETWORK DRIVE TO A SHARE

3.

To view the CIFS sessions with FilerView, go to FilerView > CIFS > Sessions Report.
Who has a session with the storage system? _______________________
Domain administrator
How many shares are being accessed? _____________________
Answers may vary.
How many files are being accessed? _______________________
Answers may vary.


MODULE 6: ADVANCED ADMINISTRATION

Answers
Module 6: Advanced Administration

Check Your Understanding Answers

What triggers can be set to autosave the event file?
File size threshold
Time interval
Both

What command(s) is/are used to reload the CIFS GPOs?
cifs gpupdate
cifs restart

What command(s) is/are used to configure virus scanning on a storage system?
vscan

Name three operations a FPolicy can be configured to monitor.
all, none, close, create, create_dir, delete,
delete_dir, getattr, link, lookup, open, read,
rename, rename_dir, setattr, symlink, write

Share caching is disabled by default. True/False
False

TASK I: ENABLING EVENT LOGGING


1.

At the storage system prompt, enter the following command to view the current
cifs.audit options:
system>options cifs.audit
What is your cifs.audit.autosave.onsize.enable setting?
____________________________
off
What is your cifs.audit.enable setting? ___________
off
If cifs.audit.enable is set to off, then enable auditing by entering the following
command at the storage system prompt:
NetApp> options cifs.audit.enable on
What is your cifs.audit.autosave.ontime.interval setting?
___________
Not set.


TASK III: ENABLING AUTOSAVE OF EVENT FILES


3.

Experiment with the cifs.audit.autosave.onsize.enable settings and have the storage
system autosave on a threshold value.
Were you successful?

____________________

Answers may vary.


What settings did you adjust to have this happen?

______

You must turn the option cifs.audit.autosave.onsize.enable on.

TASK VI: SETTING UP THE AUTO HOME SHARE FEATURE


8.

At the storage system prompt, view the CIFS home-directory paths by entering the
following command:
NetApp>rdfile /etc/cifs_homedir.cfg
Which CIFS home-directory path displays? __________________________
/vol/flexvol1/users_home

9.

At the storage system prompt, view the CIFS home-directory paths by entering the
following command:
system>cifs homedir
Which CIFS home-directory path displays? __________________________
/vol/flexvol1/users_home

TASK VII: GROUP POLICY OBJECTS


16.

Finally, copy a file to your new O drive.


Is it successful? ________________
Yes.


MODULE 7: PERFORMANCE

Answers
Module 7: Performance

Check Your Understanding - Answers

• How is performance management described in this module?
  Monitoring: Tracks activities
  Controlling: Allows for adjustment to enhance performance
  Capacity planning: Ensures a healthy network that can grow to meet future needs

• List three factors that affect the performance of a storage system.
  CPU
  Memory
  Network
  Network interface
  System bus
  NVRAM
  I/O devices
  Disk controllers
  Disks

• What is the difference between sysstat and cifs stat?
  sysstat monitors storage system statistics, whereas cifs stat reports CIFS statistics

TASK I-V:
Results will vary.

MODULE 8. TROUBLESHOOTING

Answers
Module 8: Troubleshooting

Check Your Understanding Answers

• When communication from a storage system to a domain controller fails or trust
  across multiple domains fails, what steps are useful to resolve the problem?
  On the storage system, run the following commands:
  - cifs testdc to test the storage system connection to the domain controller
  - options cifs.trace_dc_connection on to log all DC address discovery and
    connectivity
  - cifs resetdc to disconnect the storage system from the DC and then re-establish
    a new CIFS connection with the DC
  Check the results of the trace log to determine the problem.


Check Your Understanding Answers

• When the NT account does not map or the UNIX user name does not exist, what steps
  are useful to resolve the problem?
  On the storage system, run the following commands:
  - cifs session -s winname to check the NT account credentials; verify winname maps
    to the expected UNIX name
  - rdfile /etc/usermap.cfg to check the user mapping for the NT account and the
    UNIX user name; if necessary, edit the file
  - rdfile /etc/passwd to check for the existence of the UNIX user name; if
    necessary, edit the file
  If using an NIS server: nis info and
  options nis.group_update_schedule
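
The mapping checks in the answer above can be walked through offline. The following Python sketch is an added example, not part of the course material: it reads constructed copies of /etc/usermap.cfg and /etc/passwd and reports where a Windows account ends up. It is a simplified model that assumes literal names only (no wildcards or IP qualifiers), a same-name lookup when no entry matches, and pcuser as the fallback user, as seen with UID 65534 in the earlier exercise.

```python
import re

# Assumption: the fallback user observed in the exercise (UNIX UID 65534).
DEFAULT_UNIX_USER = "pcuser"

# Constructed sample files, not taken from the course lab.
USERMAP_CFG = r'''
# Windows name      direction  UNIX name
"CORP\jane smith"   ==         jsmith
CORP\backup         <=         root
CORP\bob            =>         robert
CORP\temp           =>         ""
'''

PASSWD = '''\
root:_J9..:0:1::/:
pcuser::65534:65534::/:
jsmith::1001:100::/home/jsmith:
'''


def parse_usermap(text):
    """Return [(windows_name, direction, unix_name)] for every entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # Names containing spaces are quoted; "" is an empty UNIX name.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tokens) == 2:                     # direction omitted: bidirectional
            tokens.insert(1, "==")
        if len(tokens) != 3 or tokens[1] not in ("==", "=>", "<="):
            raise ValueError("unparseable usermap.cfg line: %r" % raw)
        entries.append(tuple(tokens))
    return entries


def parse_passwd(text):
    """Return {unix_name: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def triage(winname, usermap_text, passwd_text):
    """Return (unix_name, uid, finding) for one Windows account."""
    users = parse_passwd(passwd_text)
    target, source = None, "no usermap.cfg entry"
    for win, direction, unix in parse_usermap(usermap_text):
        if direction == "<=":                    # UNIX-to-Windows only, skip
            continue
        if win.lower() == winname.lower():       # first matching entry wins
            target = unix
            source = "usermap.cfg: %s %s %r" % (win, direction, unix)
            break
    if target == "":
        return (None, None, source + " -> empty UNIX name, access denied")
    if target is None:
        # Assumption: with no entry, the bare Windows user name is tried.
        target = winname.split("\\")[-1].lower()
    if target in users:
        return (target, users[target], source + " -> found in /etc/passwd")
    return (DEFAULT_UNIX_USER, users.get(DEFAULT_UNIX_USER),
            source + " -> %r not in /etc/passwd, default user applies" % target)


if __name__ == "__main__":
    for name in (r"CORP\jane smith", r"CORP\bob", r"CORP\backup",
                 r"CORP\temp", r"CORP\root"):
        unix, uid, finding = triage(name, USERMAP_CFG, PASSWD)
        # UID 0 or the default user deserves a second look before granting access.
        flag = "  <-- review" if uid in (0, 65534) else ""
        print("%-18s %-8s %-6s %s%s" % (name, unix, uid, finding, flag))
```

An account that resolves to UID 0 or to the default user is the case worth reviewing, since file permissions are then evaluated for root or for pcuser rather than for the person who logged in.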


Check Your Understanding Answers

• When the user does not have access to the share, what steps are useful to resolve
  the problem?
  Check the share-level ACL (access control list).
  - system> cifs shares to view the shares
  - On the Windows client, use the Computer Management GUI (Windows 2000 or later)
    to view the shares.
  The Windows client user must have rights to connect to the storage system.


Check Your Understanding Answers

• When the storage system and the Active Directory domain controller time clocks
  differ by more than 5 minutes, what steps are useful to resolve the problem?
  Configure the storage system time to match the domain controller time; use the
  date command.
  Synchronize both the storage system and domain controller to a central time server.


Check Your Understanding Answers

• During cifs setup, if you enter the short name for the Active Directory domain,
  what error occurs and how do you resolve the problem?
  The error is that cifs setup cannot find a necessary DNS service record for the
  domain.
  The resolution is to enter the Fully Qualified Domain Name (FQDN) for the name of
  the Active Directory domain.


Appendix B


NETAPP UNIVERSITY

CIFS Administration on Data ONTAP 7.3


Appendix B Simulator Installation
Version Number: Version 5.0
Release Number: Release 7.3
Course Number: STRSW-ED-ILT-CIFSAD-REV03


EXERCISE: SIMULATOR INSTALLATION


OVERVIEW

The goal of this lab is to give you an opportunity to install and set up the Data ONTAP
simulator. The simulator environment will allow you to test commands and functionality before
deploying in a production environment.

OBJECTIVES

At the conclusion of the lab, you will be able to do the following:

Configure a Linux virtual machine to work with the Data ONTAP simulator

Install the Data ONTAP simulator

TIME ESTIMATE

60 Minutes


TASK I: CONFIGURE THE VIRTUAL MACHINE


This task will familiarize you with the virtual machine environment in which the Data ONTAP
simulator will be installed. You will configure the environment to ensure that the simulator
functions properly.
Execute the following steps to configure the virtual machine:
START OF EXERCISE

STEP

ACTION

1.

Log in to your Windows environment with the user name and password provided by
your instructor.
Your instructor will inform you whether the Windows environment is local or remote.
If it is remote, your instructor will explain how to access the remote machine.
Locate the VMware Workstation icon on your desktop and double-click it. You should
see the VMware Workstation interface.
You now are going to launch a Red Hat Linux virtual machine, which is going to host
your Data ONTAP simulator. A Red Hat Linux tab may appear within the VMware
Workstation window. If it does, go to the next step. If the Red Hat Linux tab does not
appear, select File from the menu and then Open and then browse to the location of the
.vmx file.
The path might be C:\Red Hat Linux\Red Hat Linux\redhat.vmx. If you can't find it,
ask your instructor.

2.
3.

4.

Once the Red Hat Linux tab appears within VMware Workstation, locate the
Commands section within the main page and click the Start this virtual machine link.
Answer OK to any pop-up message box that might appear. Your virtual machine
should launch. This could take five minutes or longer depending on your environment.

5.

Once the graphical interface is displayed, single-click your mouse in the virtual
machine environment. Notice that your mouse gets trapped within the virtual machine.
To release it and work with your Windows environment, press the Ctrl and Alt keys at
the same time. Type in the user name and password provided by your
instructor.
Red Hat Linux user name: _________________ (usually root)
Red Hat Linux user password: _____________ (usually netapp)
Once logged in, you should see the Red Hat desktop.


6.

There are now some preliminary configurations you need to do before you launch your
Data ONTAP simulator. The Data ONTAP simulator gets its time from its host
operating system, in this case, Red Hat Linux. You are going to ensure that your
virtual machine is in sync with your Windows environment.
Right-click on the date and time in the lower right-hand corner and select Adjust Date
& Time from the pop-up menu.

7.

8.
9.

The Date/Time Properties box should appear. Within the Date/Time tab, notice that
you can synchronize Red Hat's clock with a remote time server. Check the Enable
Network Time Protocol box and type in the IP address of your Windows domain
controller. Then select the Time Zone tab at the top of the Date/Time Properties and
make sure that the configured time zone is the same as the Windows environment.
Select OK to commit any changes.
Next, right-click on the Red Hat desktop and select New Terminal from the pop-up
menu.
You will need to be familiar with the new Red Hat environment, particularly the
interfaces, before you install the Data ONTAP simulator.
Type ifconfig -a and press Enter.
Notice that there are at least three interfaces: eth0, eth1, and the loopback called
lo.
You will use the eth0 interface for the Data ONTAP simulator.
The Red Hat virtual machine will use the eth1 interface.

10.

Task complete.

11.

Please proceed to the next task.


TASK II: INSTALL THE SIMULATOR


This task will familiarize you with the process of installing the Data ONTAP simulator on your
Linux environment. You then will use the Data ONTAP simulator or your assigned FAS system
(if available) for the remainder of the exercises.
Execute the following steps to install the Data ONTAP simulator:

STEP

ACTION

1.

Go to the Red Hat virtual machine. A terminal window should be open. If not,
right-click on the Red Hat desktop and select New Terminal from the pop-up menu.
In your lab environment, the Data ONTAP simulator should already be downloaded
and the tar file extracted in the Red Hat environment. If you were setting up the
simulator in your own environment, you would need to download the simulator and
extract the file yourself. The simulator can be downloaded at http://now.netapp.com.

2.

3.

Change the directory by issuing the command cd /sim_install, then type ls to
list the directory.
Now you will run setup.sh to install the simulator. Type in ./setup.sh and
press Enter.

4.

The first question that pops up is "Where to install to?" Press Enter to accept the
default unless your instructor tells you otherwise.

5.

For "Would you like to install as a cluster?", press Enter to accept the default.

6.

For "Would you like full HTML/PDF FilerView documentation to be installed?",
press Enter to accept the default.

7.

For "Continue with installation?", type in Yes and press Enter. At this time, the
simulator will be installed into the new local Red Hat directory.

8.

For "Use DHCP on first boot?", type in No and press Enter.

9.

For "Ask for floppy boot?", press Enter to accept the default.

10.

For "Which network interface should the simulator use?", verify that the default is
eth0 and press Enter.

11.

For "How much memory would you like the simulator to use?", press Enter to accept
the default.

12.

For "Create a new log for each session?", press Enter to accept the default.

13.

For "Overwrite the single log each time?", press Enter to accept the default.

14.

Note that the simulator installs only three disks by default. You need to increase this
amount so you have plenty of disks to work with in future labs. For "How many more
would you like to add?", type in 11 and press Enter. Notice you will have a total of
14 disks that you will add to a single shelf, which is just like having a full DS14 shelf
in the real world.

15.

In the "What disk size would you like to use?" question, select e and press Enter.
Notice that each disk will only have 450 MB of disk space. This will limit the size of
the files you will work with during the labs.

16.

For "Disk adapter to put disks on?", press Enter to accept the default. The disks will
be created.

17.

The setup.sh script now is completed and you have successfully set up the Data
ONTAP simulator. Keep the simulator running if you don't have a FAS system
assigned. This will be your controller for the subsequent exercises.

18.

Task completed.

19.

Please proceed to the next task.

TASK III: APPLYING THE CONFIGURATIONS


This task will familiarize you with how to configure your simulator.
NOTE: Your instructor will provide you the information needed for your particular environment.
Please ask your instructor for a completed configuration worksheet. A sample configuration
worksheet is provided at the end of this exercise.
Execute the following steps to configure the Data ONTAP simulator:

STEP

ACTION

1.

Your instructor should have provided a completed configuration worksheet for your
particular environment. If not, please ask the instructor for it now.
Now that you have all the relevant information that is needed to configure your new
Data ONTAP simulator, type in the following command /sim/runsim.sh in the
Red Hat terminal window and press Enter. Notice as the simulator boots that there are
11 broken disks with bad labels. You will fix this in a future step.

2.
3.

When your storage system boots the first time, it immediately will go into the setup
command. If you make any mistakes, you can also run the setup command again
and enter the correct value.
The first question is the new host name of your storage system.
Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

4.

The next question is whether you will configure any virtual network interfaces. As
you might recall, you will not be using VIFS at this time.
Press Enter to accept the default.

5.

The next question is the IP address for ns0. Remember, this is the IP address of eth0
on the Linux simulator.
Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

6.

The next question is the netmask for ns0. Remember, this is the netmask address of
eth0 on the Linux simulator.
Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

7.

The next question is the IP address for ns1.


Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

8.

For "Would you like to continue setup through the Web interface?", press Enter to
accept the default.

9.

The next question is the IP address for the default gateway.


Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

10.

The next question is the name of the administration host.


Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

11.

The next question is the IP of the administration host. If you recall, the Linux virtual
machine has at least two main interfaces: eth0 and eth1.
The interface eth0 is used for the Data ONTAP simulator, which you recorded in
Step 5.
The interface eth1 is used for the Linux virtual machine itself. This is the value you
will record here. The Linux virtual machine will become your administration host.
Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

12.

The next question is the time zone of the simulator.


Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

13.

The next question is the system location. This is just a text field. Type in any value
you wish.

14.

The next question is the system's language. You will not be configuring the language
for this simulator.
Press Enter to not set the language.

15.

The next question is whether you will be using DNS resolution.


Type yes and press Enter.

16.

The next question is the DNS domain name.


Please enter the value you recorded in the Configuration Worksheet.

17.

The next question is the IP of the nameserver.


Please enter the value you recorded in the Configuration Worksheet and then press
Enter.

18.

The next question is "Do you want another nameserver?" Press Enter to accept the
default value.

19.

The next question is "Do you want to run NIS client?" Press Enter to accept the
default value.

20.

The next question is for the new password for root. Type in netapp and press Enter.

21.

Re-enter the root password again.

22.

Setup is now complete. Because the simulator already has CIFS licensed, it will go
into the cifs setup command.

23.

The first question is whether you are using WINS. Press Enter to accept the default
value because you are not using WINS.

24.

The next question is whether you are using multiprotocol (NTFS and Unix File
System) or Windows NTFS only.
Press Enter to accept the default value because you are going to use multiprotocol.

25.

The next two questions ask for the root's password.
Please type netapp and press Enter twice.

26.

Next, the system defaults the CIFS server name to the hostname of the system. The
question then asks you whether you would like to change this.
Press Enter to accept the default.

27.

The next question concerns how you are going to authenticate users. You are going to
use Active Directory domain authentications in this environment.
Press Enter to accept the default.

28.

The next question concerns the name of the Active Directory domain. This is the
same as your DNS domain.
Press Enter to accept the default.

29.

You then need to configure the time services, so press Enter to accept the default.

30.

The name of the time server should be the IP address of your Windows domain
controller.
Type in the IP address of the Windows domain controller and press Enter.

31.

You only have one time server, so press Enter to accept the default.

32.

You need to authenticate, as a domain administrator, to add your system account to
Active Directory.
Press Enter to accept the default user.

33.

Type in the password of the domain administrator as provided by your instructor and
press Enter.

34.

The question concerns how you are going to identify the system with Active
Directory.
Press Enter to accept the default of CN=computers.

35.

The next question is whether the simulator should create the Windows local
administrator account in the local /etc/passwd file.
Press Enter to accept the default.

36.

Type in the password of the Windows administrator and press Enter.


Repeat this step to configure the password.

37.

You will not be using any other users or groups to administrate your system so press
Enter to accept the default.

38.

The CIFS server should be running now and the simulator should be requesting a
login.
Log in using root with the password netapp.
You should now be at the system's prompt. You have successfully set up the Data
ONTAP simulator.

39.

Task complete.

40.

Please proceed to the next task.


TASK IV: PREPARING ADDITIONAL DISKS


If you recall, you added 11 more disks to the environment in Task II. You now will ensure that
those disks are prepared for future exercises.
Execute the following steps to fix the broken disks:

STEP

ACTION
Preparing additional disks

1.

At the console prompt, type in sysconfig -r and press Enter.

2.

Notice the broken disks that have bad labels. The names of the broken disks are
displayed in the second column and begin with "v", for example, v4.19 all the way
through v4.29. These are the disks you added when you installed the simulator.
At the prompt, type in priv set advanced and press Enter.

3.

You are going to use the disk unfail command along with the disk name to fix
the disks.
Type in disk unfail -s <disk name> and press Enter.
For example, disk unfail -s v4.19

4.

Repeat this for all disk names that you identified in Step 1.
Type in sysconfig -r and press Enter and verify that all the broken disks are now
spares that are not zeroed.

5.

At the prompt, type in priv set admin and press Enter to take the system out of
advanced mode.

6.

Now type disk zero spares at the prompt and press Enter so that these disks
will be available for use in future labs.

7.

Your simulator should be successfully set up.

8.

Task complete.

END OF EXERCISE


CONFIGURATION WORKSHEET

TYPES OF INFORMATION                                        YOUR VALUES

Storage system
    MAC address for the storage system's built-in Ethernet interface
    Host name
    Password
    Time zone
    Storage system location
    Language used for multiprotocol storage systems

Administration host
    Host name
    IP address

Virtual interfaces
    Link names (physical interface names, such as e0, e5a, or e9b)
    Number of links (number of physical interfaces to include in the vif)
    Name of virtual interface (Name of vif, such as vif0)

Ethernet interfaces
    Interface name
    IP address
    Subnet mask
    Partner IP address
    Media type (network type)
    Are jumbo frames supported?
    MTU size for jumbo frames

Router (if used)
    Gateway name
    IP address

Location of HTTP directory

DNS
    Domain name
    Server address 1
    Server address 2
    Server address 3

NIS
    Domain name
    Server name 1
    Server name 2
    Server name 3

Windows domain

WINS servers
    1
    2
    3

Windows Active Directory domain administrator user name

Windows Active Directory domain administrator password

Active Directory (command line setup only)

RMC
    MAC address
    IP address
    Network mask (subnet mask)
    Gateway
    Media type
    Mail host

RLM
    MAC address
    IP address
    Network mask (subnet mask)
    Gateway
    AutoSupport mail host
    AutoSupport recipient(s)
