Manual Chapter: Global Server
A Windows client typically provides a service-principal name (SPN, such as fs1 or fs1.medarch.org) when connecting to a virtual server. An Active-Directory (AD) SPN, as opposed to an IP address, is required for Kerberos authentication. Use the active-directory alias command to set an official SPN (or multiple SPNs) for this server.
Use the no form of the command to remove one of this server's SPNs from the AD database.
name (1-256 characters; optional in the no form) is an SPN for the current global server. If you omit this from the no form of the command, it removes all SPNs for the virtual server. The CLI prompts for confirmation before removing all of the server's SPNs.
This command is only relevant to a virtual server whose global server offers cifs service, and whose clients use Kerberos authentication.
The ARX software sets both a HOST SPN and a CIFS SPN, mapping them back to the virtual server's VIP. This occurs if (and only if) both the virtual server and the global server are enabled (enable (gbl-gs, gbl-gs-vs)). You can run this command to store the SPN in the ARX database, and then enable the global and virtual server later to set the SPN at the DC. While both servers are running, you can re-set the SPN at the DC by removing it (with no active-directory alias) and adding it back.
from gbl-cifs mode, use dynamic-dns to register aliases with a DNS server;
from gbl-gs mode, use wins-name or wins-alias to register aliases with a WINS server.
Conversely, if a DNS-based name exists for this global server that is different from the global server's FQDN, clients can connect to the ARX service but Kerberos authentication always fails. In this case, use the active-directory alias command to create the SPNs for the server's DNS-based FQDN. For example, if clients can use the DNS-based ac1.wwmed.com to reach the ac1.medarch.org global server, use active-directory alias ac1.wwmed.com to create the SPNs for that DNS-based name.
A Windows client typically provides a service-principal name (SPN, such as insur.medarch.org) when connecting to a global server. Kerberos authentication fails if the SPN is not registered in Active Directory (AD). Use the active-directory alias command to register an SPN (or multiple SPNs) for this server. Use the active-directory proxy-user command to assign the Windows credentials (username, password, and Windows domain) used for setting these SPNs.
Use the no form of the command to remove the proxy-user from this global server. This makes it impossible to set any more SPNs with the active-directory alias command.
name (1-32 characters) is the Windows proxy user to associate with the current global server.
From gbl mode, use the proxy-user command to add a proxy-user configuration to the ARX. Use the show proxy-user command to view all configured proxy-users and their associated usernames and Windows domains.
bstnA(gbl-gs[ac1.medarch.org])# active-directory proxy-user acoProxy2
Use the optional description command to set a descriptive string for the current global server. This appears in the show command.
Use the no form of the command to delete the description.
text (1-255 characters) is your description. Surround the text with quotation marks ("") if it contains any spaces.
bstnA(gbl-gs[www.wwmed.com])# description "global NFS server for network hospitals"
Use the enable command to activate the current global or virtual server.
Use no enable to shut down the current server.
The gbl-gs no enable command shuts down the global server. This stops all front-end services (nfs or cifs) for the global server. This is a graceful shutdown: the services block any new connections and wait for current clients to complete their current transactions.
The gbl-gs-vs no enable command shuts down the virtual server. This stops all services, too.
Each virtual server listens for clients at a Virtual-IP (VIP) address. After enabling a virtual server and its global server, you can use the wait-for vip-enable command to wait for a particular VIP to come online. You can use the wait-for vip-disable command to wait for a particular VIP to shut down.
A global server links a front-end NFS and/or CIFS service to a virtual-IP (VIP) address. Clients can access the front-end service(s) through the VIP. Use the global server command to create a global server.
Use the no form of the command to delete a global server.
fqdn (1-128 characters) is the fully-qualified domain name (for example, eng-nfs.company.com) that you choose for the global server. By convention, this is the name that clients use to access the global server.
This command places you in gbl-gs mode. From there, you must use the virtual server command to bind the global server to the ARX. The virtual server runs the global server's front-end services on its virtual-IP (VIP) address. Once you have a virtual server, you must configure and enable at least one front-end service to run on the global server; for example, you can use the nfs command to instantiate NFS service or the cifs command for CIFS service. You then use the enable (gbl-gs, gbl-gs-vs) command in gbl-gs mode to start the global server.
Global servers that offer CIFS as a front-end service require a Windows domain; configure the Windows domain with the windows-domain (gbl-gs) command. To support Kerberos authentication for multiple CIFS-service aliases, you will need to set each alias as a service-principal name (SPN); use active-directory proxy-user to choose a proxy user with permission to set these SPNs. (You can later use active-directory alias, in gbl-gs-vs mode, to set each SPN.)
There is no fixed limit on the number of global servers you can configure, but the number of useful global servers is bounded by the maximum number of front-end services. The ARX-500 supports a maximum of 16 front-end services, and the remaining platforms support up to 64. This limit applies to the sum of all cifs services and nfs services.
To remove a global server, use the no enable command from gbl-gs mode, then exit to gbl mode and use the no global server command.
Use show global server to view the current configuration of the global server. To map the global server to the physical servers (filers) behind it, use show server-mapping. The show statistics global server command shows the volume of client traffic to the global server.
bstnA(gbl)# global server www.wwmed.com
bstnA(gbl)# global server www.defunctcompany.com
bstnA(gbl)# no global server www.defunctcompany.com
Use the show global server command to display configuration information about global servers.
fqdn (1-128 characters) is the fully-qualified domain name (for example, www.organization.org) for one global server.
Domain Name is the FQDN name for the global server.
State is the global server's administrative state (enabled or disabled). Use enable (gbl-gs, gbl-gs-vs) to enable the global server.
Windows Domain is the Windows Domain through which cifs service (if any) is provided. By default, the short-domain name for the service is the first component of this domain (for example, MYCO is the short name for MYCO.COM). If something other than the default is used for this, it appears in parentheses after the name. Use the windows-domain (gbl-gs) command to change the domain and/or the short-domain name.
Switch is the hostname of the virtual server's host switch. The virtual server runs the front-end services (NFS and/or CIFS) on behalf of the global server. The virtual server has its own administrative state, VIP, and VMAC.
State is enabled or disabled. Use enable (gbl-gs, gbl-gs-vs) to enable the virtual server.
VIP is the virtual IP (VIP) address, where clients connect to the virtual server. Use virtual server to set this.
VLAN is the VIP's VLAN number, also set with virtual server.
VMAC is the virtual MAC (VMAC) address for the VIP.
Two additional sub-tables, labeled Aliases, show the various CIFS aliases for the service.
The SPNs table shows the server's Active-Directory aliases. These are also known as Service-Principal Names (SPNs). If any are defined, the table contains two columns:
Name is an alias for this global server. If a client uses this name to connect to the global server, the client can authenticate with Kerberos. Each alias (or SPN) has two instances: one CIFS instance and one HOST instance. You can use the active-directory alias command to add an alias for the global server.
Active Directory Status indicates the status of the SPN in both the AD database and the ARX database. OK indicates that the alias is in both databases, Not Found indicates that the AD database is missing the SPN, Unmanaged means that the AD database has the SPN but it was not configured on the ARX, and Unknown appears when the ARX failed to contact the DC or the DC returned an empty list of SPNs.
The WINS table shows the WINS alias for the global server.
WINS Name is the NETBIOS name of the CIFS service, set by the wins-name command.
WINS Server is the address of the local WINS server, set by the wins command.
Description is a string to describe the global server. You can set this with the description (gbl-gs) command.
bstnA> show global server
bstnA> show global server www.wwmed.com
bstnA# show global server
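The Active Directory Status column above, and the Kerberos failure the active-directory alias command exists to prevent, can be reasoned about offline. The following is an added example, not F5 ARX code: it takes the aliases configured on the ARX and the SPN list read from the DC (None when the DC could not be contacted) and derives the per-alias status the table reports, treating a half-registered pair (HOST present, cifs missing) as Not Found, which is this example's assumption. The sample SPN list is constructed.

```python
"""Added example (not F5 ARX code): model the SPN status shown by
'show global server' and the HOST + CIFS SPN pair set per alias."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def spn_pair(alias: str) -> Tuple[str, str]:
    """The two SPN instances the ARX registers for one alias."""
    return (f"HOST/{alias}", f"cifs/{alias}")


def alias_status(arx_aliases: Iterable[str],
                 ad_spns: Optional[Iterable[str]]) -> Dict[str, str]:
    """Per-alias status: OK, Not Found, Unmanaged or Unknown.

    ad_spns is None when the DC could not be contacted and [] when the DC
    returned an empty list; both yield Unknown, as the chapter describes.
    SPNs are compared case-insensitively (AD treats them that way).
    """
    arx_aliases = list(arx_aliases)
    if not ad_spns:
        return {a: "Unknown" for a in arx_aliases}
    ad = {s.lower() for s in ad_spns}
    configured = {a.lower() for a in arx_aliases}
    result: Dict[str, str] = {}
    for alias in arx_aliases:
        host, cifs = (s.lower() for s in spn_pair(alias))
        # Assumption: both instances must exist for the alias to be OK.
        result[alias] = "OK" if host in ad and cifs in ad else "Not Found"
    # SPNs the DC holds that were never configured on the ARX.
    ad_names = {s.split("/", 1)[1] for s in ad if "/" in s}
    for name in sorted(ad_names - configured):
        result[name] = "Unmanaged"
    return result


def kerberos_target_ok(client_name: str,
                       ad_spns: Optional[Iterable[str]]) -> bool:
    """Kerberos fails if clients connect by IP address, or by a name
    (for example a DNS alias) that has no registered SPN pair."""
    try:
        ipaddress.ip_address(client_name)
        return False  # an IP address is never a valid SPN target
    except ValueError:
        pass
    return alias_status([client_name], ad_spns).get(client_name) == "OK"


if __name__ == "__main__":
    # Constructed sample of what a DC might return for the ARX computer object.
    sample_ad = ["HOST/ac1.medarch.org", "cifs/ac1.medarch.org",
                 "HOST/ac1.wwmed.com",
                 "HOST/legacy.medarch.org", "cifs/legacy.medarch.org"]
    for name, st in alias_status(["ac1.medarch.org", "ac1.wwmed.com"],
                                 sample_ad).items():
        print(f"{name:24} {st}")
    print("192.168.25.10 usable:", kerberos_target_ok("192.168.25.10", sample_ad))
```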
Use the show server-mapping command to map shares on the client side of the switch to the physical servers behind it.
show server-mapping [namespace name | virtual-ip vip] [ip-addresses]
name (optional, 1-30 characters) identifies one namespace on which to focus.
vip (optional) specifies that you want to focus on the chosen Virtual IP (VIP) address.
ip-addresses (optional) converts all external-filer names into IP addresses in the output.
status (optional) shows a one-word status for each back-end server.
Virtual Server is the VIP address and name for one share on one virtual server. Use virtual server to create a virtual server. Then use cifs and export (gbl-cifs) to create a CIFS share, and/or use nfs and export (gbl-nfs) to create an NFS export.
Namespace/Volume is served by the front-end share. This is a virtual storage pool behind the share which connects to the Physical Server(s) below.
Virtual Path appears only for a direct volume. This is the attach point from the volume to a mount point or CIFS share on one of the filers. Clients see each of these paths as a sub-tree under the root of the front-end export/share. You can use the attach command to create an attach point to a filer share.
Physical Server is one of the server shares behind a namespace. If this has an asterisk (*) at the end, it is used as a metadata-only share (created with metadata share). A double-asterisk (**) indicates that the server is a managed volume that a direct volume is using as though it were a back-end filer; you can use the managed-volume command to use a managed volume this way.
For the status command, the output shows the status of each Virtual Server and Physical Server in the above output. A new field, Status, has a different interpretation for each server type:
Status for the Virtual Server is an abbreviation for the show virtual service status. A status of Ready indicates that the service is functional. Refer to that command's documentation for details.
Status for the Physical Server is an abbreviation for the share's import status, as seen in show namespace. See Table 21.1 on page 21-49 for details. A status of Online indicates that the back-end share is functional.
bstnA> show server-mapping
bstnA> show server-mapping namespace medarcv ip-addresses
bstnA> show server-mapping status
A virtual server is the ARX that hosts a global server. Each virtual server has a virtual IP (VIP) address where the global server's front-end services listen for clients. Use the virtual server command to create a virtual server for the current global server.
Use the no form of the command to delete a virtual server from the current global server.
virtual server switch-name vip mask [vlan vlan-id] [cluster cluster-name]
no virtual server switch-name vip [cluster cluster-name]
switch-name (1-128 characters) is the hostname of the ARX.
vip is the IP address for the ARX to use when it runs front-end services for the current global server.
mask identifies the subnet portion of the VIP. All clients for this VIP should reside on this subnet or be reachable through this subnet via a static route (ip route).
vlan vlan-id (optional; 1-65535) identifies the VLAN that carries the above subnet.
cluster-name (optional, 1-64 characters) is only relevant if the ARX is part of a disaster-recovery (DR) configuration. In a DR configuration, there is an active ARX cluster with one set of filers and a backup cluster with a mirrored set of filers. This determines which cluster uses the vip and mask. Run the virtual server command twice per global server if you use DR: once to designate the vip and mask at the active cluster, and again to determine the vip and mask at the backup cluster. Use show cluster for a list of configured clusters. If you omit this, the CLI applies the change to the local cluster.
This command places you in gbl-gs-vs mode. From there, you can establish the server's presence in your Windows network (if necessary), and start the virtual server. If there is a local WINS server, you can use the wins command to identify it. The default NetBIOS name for the virtual server is derived from the global server's FQDN (for example, \\MYSERVER); you can use wins-name to change the NetBIOS name. The wins-alias command registers one or more additional names for the server. To start the server, use the enable (gbl-gs, gbl-gs-vs) command.
Clients can access the global server's front-end service(s) through the VIP configured in this command. They must be on the same subnet established by the vip and mask, or they must be reachable through a static route (see ip route) where the next-hop gateway is in that subnet.
The CLI prompts you for confirmation if you use no virtual server to delete a virtual server; enter yes to proceed.
Clients can access the same front-end services through the global server's FQDN (for example, www.mybusiness.com) if you use a naming service (such as DNS) to map the global server's FQDN to the VIP address. Set up an alias on your external name server.
For virtual servers that offer CIFS service and use Kerberos authentication, the above naming-service configuration is required. Kerberos does not allow the use of IP addresses for connecting with the virtual IP. To simplify maintenance, you can configure dynamic DNS as part of the CIFS service: use name-server to identify the DNS server for each domain in the Active-Directory (AD) forest, then use dynamic-dns to map a host name to the VIP. Finally, use active-directory alias to register the same name as a valid SPN for this server. With this configuration, the CIFS service automatically updates the local DNS servers with any configuration changes.
bstnA(gbl-gs[www.wwmed.com])# virtual server bstnA 192.168.25.10 255.255.255.0 vlan 25
provA(gbl-gs[provmed.medarch.org])# virtual server newptA 192.168.8.145 255.255.255.0 vlan 80 cluster newport
bstnA(gbl-gs[www.wwmed.com])# no virtual server bstnA 192.168.25.14
When you use no enable to disable a virtual server, its Virtual IP (VIP) is disabled in the background while you continue to use the CLI. Use the wait-for vip-disable command to wait until the VIP is disabled.
wait-for vip-disable vip [timeout timeout]
vip (IPv4: 0.0.0.0 to 255.255.255.255) is the VIP.
timeout (optional, 1-2096) is the timeout value in seconds.
Default for timeout: 0 (zero, meaning that the command waits indefinitely)
You can use this command after you use no enable (gbl-gs, gbl-gs-vs) to stop a virtual server. The CLI blocks until the virtual server is offline and unavailable to clients.
If you set a timeout and it expires before the VIP is offline, the command exits with a warning. To interrupt the wait-for vip-disable command, press <Ctrl-C>.
bstnA(gbl-gs-vs[www.wwmed.com~192.168.25.10])# wait-for vip-disable 192.168.25.10
Use the wait-for vip-enable command to wait until the Virtual IP (VIP) is ready.
wait-for vip-enable vip [timeout timeout]
vip (IPv4: 0.0.0.0 to 255.255.255.255) is the VIP.
timeout (optional, 1-2096) is the timeout value in seconds.
Default for timeout: 0 (zero, meaning that the command waits indefinitely)
You can use this command after you use enable (gbl-gs, gbl-gs-vs) to start a virtual server. The CLI blocks until the VIP is available on the network.
If you set a timeout and it expires before the VIP is available, the command exits with a warning. To interrupt the wait-for vip-enable command, press <Ctrl-C>.
bstnA(gbl-gs-vs[www.wwmed.com~192.168.25.10])# wait-for vip-enable 192.168.25.10
For global servers running CIFS as a front-end service (see cifs), use the windows-domain command to set the global server's Windows domain.
Use no windows-domain to remove any Windows domain from the global server.
windows-domain domain [pre-win2k-name short-name]
domain (1-64 characters) is the domain name (for example, MYCOMPANY.COM).
short-name (optional, 1-15 characters) is the short, pre-Windows 2000 name for the domain. This is the domain's NetBIOS name. The default (below) should suffice for most situations, and this option should be unnecessary.
Default for short-name: the old-style name discovered with active-directory update seed-domain. If the old-style name was never discovered for this domain, the ARX uses the first part (before the first ., up to 15 characters) of the FQDN in the domain name.
The default for the short-domain name (sometimes called an NT domain name) is sufficient for most installations. This name is automatically discovered with the active-directory update seed-domain operation. If that operation did not run or discovered no short name for this domain, this uses the first component in the long domain name, converted to uppercase: for example, if the domain is group.bigco.com the short domain name is GROUP. You can use the pre-win2k-name option for rare cases where the short name is not one of these options (for example, the short name is TEAM instead of GROUP, and the TEAM name is not set in the AD).
If short-name is completely different from the domain name, and the cifs service does not use constrained delegation (see domain-join), each backing namespace requires an additional ntlm-auth-server. The second ntlm-auth-server object is a copy of the one for the long-domain name (group.bigco.com), where the windows-domain (gbl-ntlm-auth-srv) is the short-domain name (TEAM) and all other parameters are the same. Use the ntlm-auth-server (gbl-ns) command to associate the additional ntlm-auth-server object to the backing namespace.
bstnA(gbl-gs[insur.medarch.org])# windows-domain MEDARCH.ORG
Use the wins command to identify the local WINS server.
wins ip-address
ip-address is the IP address of the WINS server (for example, 192.168.70.65). This address must be on the proxy-IP subnet (established with the ip proxy-address command) or reachable through a gateway on that subnet (via static route: see ip route to create a static route).
The virtual server registers its NetBIOS names with the WINS server when you use enable (gbl-gs, gbl-gs-vs) to enable the virtual server. The registered NetBIOS names are the computer name and the group name. The default computer name is the first component of the global server's FQDN (for example, \\FS1 is the default for a global server at fs1.mycompany.com). You can use the wins-name command to reset this computer name and wins-alias to add additional NetBIOS computer names. The NetBIOS group name is the pre-win2k-name from the windows-domain (gbl-gs) command (for example, MYCOMPANY).
You can use the wins-name command to set the NetBIOS computer name for the virtual server, and you can use the wins-alias command to add an additional NetBIOS alias.
Use no wins-alias to remove one or all NetBIOS aliases.
alias (1-15 bytes; see below) is a NetBIOS alias you choose for the current virtual server. The alias must start with a letter, but can contain numbers and underscores (_) after the first character.
If you omit the alias from the no form of the command, the CLI deletes all aliases.
CIFS clients can connect to the virtual server using either the wins-name or any aliases you set with this command. You can issue the command multiple times to create multiple NetBIOS aliases.
When you run enable (gbl-gs, gbl-gs-vs) for the virtual server, the virtual server registers its computer name and all aliases with the WINS server.
If any of the CIFS front-end services support Kerberos authentication, additional configuration is required in the Active Directory for these WINS aliases. The domain-join command registers its CIFS-service FQDN at the Active-Directory (AD) domain; if a client connects to the service using a WINS alias, the local Domain Controller (DC) must be able to translate the WINS alias into the registered FQDN. Otherwise, Kerberos authentication fails.
You can use the active-directory alias command to set an SPN for the CIFS service's global server.
Use no wins-name to revert to the default NetBIOS name.
name (1-15 bytes; see below) is the NetBIOS name you choose for the current virtual server. The name must start with a letter, but can contain numbers and underscores (_) after the first character.
The virtual server registers its NetBIOS names with the WINS server when you enable (gbl-gs, gbl-gs-vs) the virtual server. The registered NetBIOS names include both the computer name and the domain name.
If any of the CIFS front-end services support Kerberos, additional configuration is required in the Active Directory for this WINS name. The domain-join command registers its CIFS-service FQDN at the Active-Directory (AD) domain; if a client connects to the service using a different WINS name, the local Domain Controller (DC) must be able to translate the WINS name into the registered FQDN. Otherwise, Kerberos authentication fails.
You can use the active-directory alias command to set an SPN for the CIFS service's global server.
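The default names described for windows-domain, wins, wins-name and wins-alias (first DNS label, uppercased, at most 15 characters) and the NetBIOS name rule (1-15 bytes, leading letter, then letters, digits and underscores) can be checked before a configuration is applied. The following is an added example, not F5 ARX code; it assumes the 15-character truncation the chapter states for the short-domain name also bounds the default computer name, since NetBIOS names cannot exceed 15 characters.

```python
"""Added example (not F5 ARX code): default NetBIOS names and the
wins-name / wins-alias syntax rule from the Global Server chapter."""
import re
from typing import Dict, Iterable, List, Optional

NETBIOS_MAX = 15
# Starts with a letter, then letters, digits or underscores (chapter rule).
_NETBIOS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def netbios_default(fqdn: str) -> str:
    """First DNS label, uppercased, cut to 15 characters. The chapter uses
    this rule for the short-domain name (group.bigco.com -> GROUP) and the
    default computer name (fs1.mycompany.com -> FS1)."""
    return fqdn.split(".", 1)[0][:NETBIOS_MAX].upper()


def valid_netbios_name(name: str) -> bool:
    """wins-name / wins-alias rule: 1-15 bytes, leading letter, then
    letters, digits and underscores. Hyphens and dots are rejected."""
    return (1 <= len(name.encode("utf-8")) <= NETBIOS_MAX
            and bool(_NETBIOS_RE.match(name)))


def wins_registrations(gs_fqdn: str, windows_domain: str,
                       wins_name: Optional[str] = None,
                       aliases: Iterable[str] = (),
                       pre_win2k_name: Optional[str] = None) -> Dict[str, object]:
    """Names the virtual server registers with WINS on enable: the computer
    name (wins-name or its default), every wins-alias, and the group name
    (pre-win2k-name or its default). Raises on names the CLI would reject."""
    computer = wins_name or netbios_default(gs_fqdn)
    group = pre_win2k_name or netbios_default(windows_domain)
    names: List[str] = [computer, *aliases]
    bad = [n for n in names if not valid_netbios_name(n)]
    if bad:
        raise ValueError(f"invalid NetBIOS name(s): {bad}")
    return {"computer_names": names, "group_name": group}


if __name__ == "__main__":
    # Values taken from the chapter's own examples.
    print(wins_registrations("fs1.mycompany.com", "MYCOMPANY.COM",
                             aliases=["MEDFILES"]))
    print(netbios_default("group.bigco.com"))  # GROUP
```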