Symantec on a Domain Controller – Safe Mode

I need a solution

Hello.

We have a (physical) Windows 2016 Domain Controller with Symantec Endpoint Protection on it, version 14.0.3929.1200.

We can install SEP and it works, but we have experienced twice in a few months now that after a reboot, the DC will enter Safe Mode and refuses to work anymore. We need to deinstall SEP, use bcdedit to restore normal boot mode before it functions again.

We have configured all exceptions for Domain Controllers and 5 other DC’s are working without any problems with the same Server OS and SEP version.

Does anybody have any idea how to troubleshoot this?

0

Related:

  • No Related Posts

Leveraging Role Based Access Controls (RBAC) in Unisphere for PowerMax

Feature Overview



The Role Based Access Control (RBAC) or User Authorization feature released in Unisphere for PowerMax 9.0 enables you to restrict the management operations that individual users or groups of users may perform on their Storage Arrays.

In previous versions of Unisphere authentication was array wide. This set of enhancements will provide the following:

  • More granular support by giving the rights to operate on individual applications (Storage Groups) to application administrators, but not the entire array.
  • Provides the administrator with the ability to further target user access to specific replication roles whether that is local or remote.
  • RESTAPI integration allowing associated scripts to take advantage of these RBAC controls to simplify the management stack and overall maintenance as well as eliminate the need to deploy Solutions Enabler gatekeeper devices.

RBAC Roles

It is managed using Unisphere for VMAX, Unisphere for PowerMax, or the Solutions Enabler CLI symauth command. Using symauth, a user or group of users, may be mapped to a specific access role, which defines the operations that these users are permitted to perform on the entire VMAX array.

There are currently 7 user defined roles that are available with RBAC: None, Monitor, PerfMonitor, StorageAdmin, SecurityAdmin, Admin, and Auditor. Listed below are the base capabilities of these current roles:

  • None No capabilities
  • Monitor Performs read-only operations on an array excluding the ability to read the audit log or Access Control definitions.
  • PerfMonitor Includes Monitor role permissions and grants additional privileges within the performance component of Unisphere for VMAX application to set up various alerts and update thresholds to monitor array performance.
  • StorageAdmin Perform all management and control functions. Please see specific section pertaining to this role below.
  • Auditor Grants the ability to view, but not modify, security settings for an array (including reading the audit log, symacl list and symauth) in addition to all monitor operations. This is the minimum role required to view the array audit log.



It’s important to clarify that your Storage_Admin role will remain your “Super user” and will remain sole control of provisioning storage on the array. To clarify this further here is a diagram which will outline the various roles and how they interact with one another:



RBAC Overview.png



How to configure RBAC



In order to set RBAC you will need go to the settings section and then Users and Groups and then Local Users.

RBAC-settings.png

To outline the feature I will now outline a number of the potential use cases it will be used for.

Performance Monitor Role



In a situation whereby a new junior storage administrator joins the team you want them to learn more about the array but you are also conscious of giving them too much responsibility before they have a good understanding of the storage. By allowing them these privileges you enable them to do performance troubleshooting within Unisphere and also adjust various thresholds and alerts if required. This will allow them to get a good grounding of the architecture before they move on to active management of the array.

security.png

perfmonitor.png

Security Role



Increasingly security plays an integral part of the management of the today’s data center. In order to allow the security team to do their job they need the ability to view certain logs and run certain query commands such as symaudit in order to check the system to see if there are any potential vulnerabilities or if some user has been doing something they should not have been performing due to the incorrect permissions being set. The 2 roles SecurityAdmin and Auditor should satisfy the security team’s needs in this respect. They will not have any active management or replications roles as they don’t require them to do their jobs.



Application Owner Role



Storage Administrators can have responsibility for managing a lot of backups for application owners and this work can be time consuming even with using scripts as they may get unique requests that fall outside defined windows. In order to reduce their workload and hand a certain degree of responsibility over to application owners we have created 2 new roles LocalReplication and RemoteReplication in order to provide them with the ability to perform their local and/or remote backups. These roles are strictly replication based and as always active management falls under the admin role.

appowner.png

For these replication roles we allow you the granularity of selecting individual SG’s. Here I have selected App1_SG as that is the one the user is responsible for. Here you also have a wildcard option whereby if you had an application owner with multiple sg’s that were labelled oracle_trading you could assign privileges to all of these in 1 click.

sglevel.png

You also have the ability to manage RBAC through your RESTAPI or symcli as required. For a useful video on RBAC please check this out: https://www.youtube.com/watch?v=2V7KidifeA4

For a more detailed deep dive on RBAC please see this whitepaper: https://www.emc.com/collateral/technical-documentation/h17132-role-based-access-controls-rbac-technical-overview-and-enhancements.pdf

Related:

  • No Related Posts

Re: Gen6 serial port different to Gen5?

pwp,



Are you using a NULL modem cable? They don’t work with Gen6 nodes.

simple 3-wire null modem cable that doesn’t support hardware flow control:

(From https://en.wikipedia.org/wiki/Null_modem)

No hardware handshaking

The simplest type of serial cable has no hardware handshaking. This cable has only the data and signal ground wires connected. All of the other pins have no connection. With this type of cable flow control has to be implemented in the software. The use of this cable is restricted to data-traffic only on its cross-connected Rx and Tx lines. This cable can also be used in devices that do not need or make use of modem control signals.

Hardware flow control was listed in the requirements for gen5 and earlier too, but somehow that cable was working with those nodes.



Full handshaking

This cable is incompatible with the previous types of cables’ hardware flow control, due to a crossing of its RTS/CTS pins. With suitable software, the cable is capable of much higher speeds than its predecessors. It also supports software flow control.

This is the one that works:

Related:

  • No Related Posts

Re: does nfs switch for –manage-gids exist

By default, the nfs client sends on the wire a list of max 16 gid’s the uid is a member of. This can be discarded and a lookup forced from the server by using –manage-gids on the nfs daemon.

An example from a VNX is

server_param server_2 -facility nfs -info manageGids

server_2 : name = manageGids

facility_name = nfs

default_value = 0

current_value = 0

configured_value =

user_action = none

change_effective = immediate

range = (0,1)

description = Rebuild the list of groups ids from the resolvers

this will presumably have an impact on response time as you are effectively throwing away the cached answer provided on the wire ( as its

potentially wrong, ie < 16 groups ) and doing a lookup of group membership from the NFS server.

Has anyone configured in such a way, and if so, can they comment on performance impact ?

Related:

  • No Related Posts

URGENT, Our business can not email our bank who are using messagelabs

I need a solution

I see from the forums a few people having similar issues so I’ll cut to the chase;

Our details (sender);

198.54.121.121 > server1.ssab.ws
198.54.121.122 > mail.ssab.ws

Our Bank details (receiver);

anz.com MX preference = 10, mail exchanger = cluster3vk.eu.messagelabs.com
anz.com MX preference = 20, mail exchanger = cluster3vka.eu.messagelabs.com

The issue;

When we send emails from ____@ssab.ws they are not being received by ____@anz.com ; No bounce back error.

Our hosting services have confirmed that the emails snet has been received by the bank’s email server.

We can receive bank emails fine.

Please whitelist us or whatever needs to be done so we can resolve this issue, crtitical that we have email comms with the bank!

I hope that is enough info, please email rick@ssab.ws if you need more details

Thanks in advance and hope to have resolved within 8 hours 🙂

0

Related:

  • No Related Posts

does nfs switch for –manage-gids exist

By default, the nfs client sends on the wire a list of max 16 gid’s the uid is a member of. This can be discarded and a lookup forced from the server by using –manage-gids on the nfs daemon.

An example from a VNX is

server_param server_2 -facility nfs -info manageGids

server_2 : name = manageGids

facility_name = nfs

default_value = 0

current_value = 0

configured_value =

user_action = none

change_effective = immediate

range = (0,1)

description = Rebuild the list of groups ids from the resolvers

this will presumably have an impact on response time as you are effectively throwing away the cached answer provided on the wire ( as its

potentially wrong, ie < 16 groups ) and doing a lookup of group membership from the NFS server.

Has anyone configured in such a way, and if so, can they comment on performance impact ?

Related:

  • No Related Posts