SSH Public Key Authentication
Putty and Pageant
see also http://docs.google.com/Doc?id=dfxjbxcc_12hc8k38
-----------------------------------------------------------------------------------
On the SSH Server
Verify that the following settings are defined in /etc/ssh/sshd_config. sshd_config does not accept a comment after a value on the same line (sshd aborts with "garbage at end of line"), so keep comments on their own lines:
# Protocol 1 is obsolete; allow SSH-2 only
Protocol 2
#AddressFamily any
# substitute the correct IP here
ListenAddress 192.168.0.10
# the server's host private key (the default name is /etc/ssh/ssh_host_dsa_key)
HostKey /etc/ssh/id_dsa
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
# StrictModes (default yes) makes sshd ignore a user's keys if ~/.ssh or authorized_keys is group/world writable
#StrictModes yes
MaxAuthTries 3
# RSAAuthentication is the SSH-1 setting; PubkeyAuthentication is the one that matters for SSH-2
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxStartups 5
# no default banner path
Banner /etc/ssh/banner
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
If the goal is key-only logins, also set PasswordAuthentication no (and ChallengeResponseAuthentication no), otherwise the accounts can still be password-guessed. After editing, restart sshd and keep the current session open until a fresh key login has been verified.
--------------------------------------------------------------------------------
Verify that nothing in the client configuration (/etc/ssh/ssh_config, or the user's ~/.ssh/config) prevents public key authentication, i.e. you should not see
PubkeyAuthentication no
anywhere in those files. ssh_config is the client side and sshd_config above is the server side; both must allow it.
--------------------------------------------------------------------------------
On Windows - Use puttygen to generate an SSH-2 key and save the public and private (.ppk) keys. puttygen's "SSH-2 DSA" choice gives a 1024-bit DSA key; current OpenSSH servers disable DSA by default, so on anything recent generate RSA (2048 bits or more) or Ed25519 instead.
You must then copy the public key directly from the box labelled "Public key for pasting into OpenSSH authorized_keys file" in the puttygen window and paste it, as a single line, into ~/.ssh/authorized_keys on the remote Linux box. The file written by puttygen's "Save public key" button is in a different (RFC 4716) format that OpenSSH does not read directly; convert it with ssh-keygen -i if you need to use that file. The key must stay on one line: a wrapped line, or stray newline/carriage-return characters from a Windows paste, is the usual reason a pasted key is ignored.
chown user:user authorized_keys
chmod 700 .ssh
chmod 600 authorized_keys
(755 on .ssh and 644 on authorized_keys also pass StrictModes; 700/600 simply stops other local users from reading which keys may log in.)
On Unix
$ ssh-keygen -t dsa -b 1024 -f /home/localuser/cron/id_dsa
### note: the identity files the client tries by default are set in ssh_config ############
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# so in /etc/ssh/ssh_config (or ~/.ssh/config) you could add something like IdentityFile ~/.ssh/servername_dsa,
# or point at a key explicitly with ssh -i /path/to/key
###########################################################################################
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): leave blank (only for an unattended key such as the cron job key later on this page; an interactive key should have a passphrase)
Enter same passphrase again: leave blank
Your identification has been saved in /home/localuser/cron/id_dsa.
Your public key has been saved in /home/localuser/cron/id_dsa.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost
Note: 1024-bit DSA keys are refused by default by OpenSSH 7.0 and later. On current systems use ssh-keygen -t ed25519, or ssh-keygen -t rsa -b 4096, with the same -f argument.
Now we have a key in the two files mentioned above. Make sure that no other user can read the private key file (the one without the '.pub' extension): chmod 600 on the id_dsa file. ssh refuses to use a private key that is group- or world-readable.
This key will not work until we put the public portion (id_dsa.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser:
/home/remoteuser/.ssh/authorized_keys
chmod 600 on authorized_keys (644 also works; 600 just hides the list of authorized keys from other users)
Use scp to copy the file to the remotehost:
$ scp /home/localuser/cron/id_dsa.pub remoteuser@remotehost:/home/remoteuser/
SSH to the remotehost:
$ ssh remoteuser@remotehost
Make sure the necessary directory and files exist to authorize connections with this key, then append (never overwrite) the key:
$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv id_dsa.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat id_dsa.pub >> authorized_keys
(Where it is available, ssh-copy-id -i /home/localuser/cron/id_dsa.pub remoteuser@remotehost does all of the above in one step.)
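The Windows-paste and Unix steps above share the same failure modes: a key that is no longer one line, carriage returns from a Windows paste, the same key appended twice, and directory or file modes that StrictModes rejects. The following is an added example, written for this page and not taken from the original notes, of a small POSIX sh helper that installs a key the way sshd expects. The second argument (home directory) is only there so it can be exercised against a scratch directory; the key line in the comments is constructed and is not a real key.

```shell
#!/bin/sh
# install_pubkey: append one OpenSSH public key to <home>/.ssh/authorized_keys the
# way sshd (StrictModes) expects it. Added example; not part of the original notes.
#
# Usage: install_pubkey '<key line>' [home_dir]     (home_dir defaults to $HOME)
# e.g.   install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample... me@laptop'

# valid_pubkey_line LINE: 0 if LINE is "<type> <base64> [comment]" for a known key
# type, 1 otherwise. A key that was wrapped or only partly pasted fails the base64 check.
valid_pubkey_line() {
    vk_type=${1%% *}                         # first word
    vk_rest=${1#* }
    vk_b64=${vk_rest%% *}                    # second word (a comment may follow)
    case "$vk_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$vk_b64" ] || return 1
    # after deleting the base64 alphabet nothing may be left over
    [ -z "$(printf '%s' "$vk_b64" | tr -d 'A-Za-z0-9+/=')" ] || return 1
}

install_pubkey() {
    ip_key=$(printf '%s' "$1" | tr -d '\r')      # Windows paste: drop carriage returns
    ip_home=${2:-$HOME}
    ip_dir=$ip_home/.ssh
    ip_file=$ip_dir/authorized_keys

    valid_pubkey_line "$ip_key" || {
        echo "install_pubkey: not a single-line OpenSSH public key" >&2
        return 1
    }

    ip_umask=$(umask)
    umask 077                                    # anything created here is owner-only
    [ -d "$ip_dir" ] || mkdir "$ip_dir"
    chmod 700 "$ip_dir"                          # 755 also passes StrictModes; 700 hides the key list
    [ -f "$ip_file" ] || : > "$ip_file"
    chmod 600 "$ip_file"
    umask "$ip_umask"

    # idempotent: compare "<type> <base64>" only, so a different comment is not a new key
    ip_id=$(printf '%s' "$ip_key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$ip_file" | grep -qxF -e "$ip_id"; then
        return 0
    fi
    printf '%s\n' "$ip_key" >> "$ip_file"         # exactly one trailing newline
}
```

The helper deliberately does not handle authorized_keys option prefixes (from=, command=, ...); add those by editing the file afterwards, as the rsync section below does.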
DenyHosts
RSYNC Setup and RSYNC with SSH Setup
Plain rsync (daemon mode, no SSH) test:
/usr/bin/rsync -auv --delete /apps/data/mysql/ 10.0.0.2::mysql/
You should see a copy of all the mysql files on the secondary in /apps/data/mysql. If not, your rsync installation isn't correct yet. Note that the host::module form talks to an rsync daemon on port 873 in the clear, and is only as protected as the daemon's own "auth users" and "hosts allow" settings; the rest of this section uses SSH as the transport instead.
RSYNC WITH SSH requirements:
- rsync
- openssh
- cron (or vixie-cron)
Make sure that remoteuser has read permission on /remote/dir/ on remotehost, and that localuser has write permission on /local/dir/ on localhost. Also, 'rsync' and 'ssh' should be in localuser's path (use "which ssh" and "which rsync"), 'rsync' should also be in remoteuser's path, and 'sshd' should be running on remotehost. Test rsync over ssh with:
$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /local/dir/
Generate a private/public key pair to allow an 'ssh' connection without asking for a password. This may sound insecure, and it is, but it is better than storing a user password (or key passphrase) in clear text in the script. Furthermore, we can put limitations on what connections made with this key may do (the from= and command= options below). Generate the key on localhost as localuser with:
$ ssh-keygen -t dsa -b 1024 -f /home/localuser/cron/localhost-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): leave blank
Enter same passphrase again: leave blank
Your identification has been saved in /home/localuser/cron/localhost-rsync-key.
Your public key has been saved in /home/localuser/cron/localhost-rsync-key.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost
Make sure that no other user can read the private key file (the one without the '.pub' extension): chmod 600 on the localhost-rsync-key file.
This key will not work until we put the public portion (localhost-rsync-key.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser, /home/remoteuser/.ssh/authorized_keys (mode 600; it must not be group/world writable or sshd's StrictModes will ignore it). Use scp to copy the file to remotehost:
$ scp /home/localuser/cron/localhost-rsync-key.pub remoteuser@remotehost:/home/remoteuser/
SSH to remotehost:
$ ssh remoteuser@remotehost
Make sure the necessary directory and files exist to authorize connections with this key:
$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv localhost-rsync-key.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat localhost-rsync-key.pub >> authorized_keys
Now the key can be used to make connections to remotehost, but these connections can come from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do). To provide better security edit the 'authorized_keys' file (with vi) and modify the line with the 'localhost-rsync-key.pub' information on it. Just add a few things in front of what is already there, changing the line from this:
ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap............................
to this:
from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAAB..............................
where "10.1.1.1" is the IP address of localhost, the no-* options are the standard authorized_keys options that stop the key from being used for anything but the forced command (the original recipe used only from= and command=; the extra options cost nothing), and "/home/remoteuser/cron/validate-rsync" is a script similar to:
#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
*\&*) echo "Rejected" ;;
*\(*) echo "Rejected" ;;
*\{*) echo "Rejected" ;;
*\;*) echo "Rejected" ;;
*\<*) echo "Rejected" ;;
*\`*) echo "Rejected" ;;
rsync\ --server*) $SSH_ORIGINAL_COMMAND ;;
*) echo "Rejected" ;;
esac
The metacharacter checks are defence in depth: $SSH_ORIGINAL_COMMAND is expanded as a variable, not passed through eval or sh -c, so characters such as ; and & would reach rsync as literal arguments anyway. What the script does not restrict is which paths rsync --server may touch, or whether it runs in sender (read) or receiver (write) mode, so the key still grants rsync-level access to everything remoteuser can reach.
Make certain that the 'validate-rsync' script is executable by remoteuser on remotehost and test it. Now that the key is in place and configured, test it out before putting it in a cron job.
Exit from the ssh session to remotehost and try:
$ rsync -avz -e "ssh -i /home/localuser/cron/localhost-rsync-key" remoteuser@remotehost:/remote/dir /local/dir/
Finally, create a cron script like:
#!/bin/sh
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/home/localuser/cron/localhost-rsync-key
RUSER=remoteuser
RHOST=remotehost
RPATH=/remote/dir
LPATH=/local/dir/
$RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH
Then save the script as something like "rsync-remotehost-bak". Use 'crontab -e' to insert a line for this new cron job that will run at 2AM every day:
0 2 * * * /home/localuser/cron/rsync-remotehost-bak
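The forced command above can be tightened to what this cron job actually needs: remotehost is the source of the copy, so the key only ever has to run rsync --server --sender (the read side) under one directory. The script below is an added example of such a filter, written for this page; it is neither the validate-rsync script from the recipe above nor rsync's own support/rrsync. /remote/dir as ALLOWED_ROOT and the authorized_keys line in the header are assumptions that follow the example paths used in this section.

```shell
#!/bin/sh
# validate-rsync (strict variant): forced command for a backup-only SSH key.
# Added example; not the validate-rsync script above and not rsync's own rrsync.
# Assumptions (hypothetical, matching the paths used in this section): remotehost is
# the backup *source*, so the key may only run "rsync --server --sender ..." and may
# only read $ALLOWED_ROOT. Install it in remoteuser's authorized_keys as:
#   from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAA...
ALLOWED_ROOT=${ALLOWED_ROOT:-/remote/dir}

# allow_rsync_cmd CMD: 0 if CMD is a read-only rsync server invocation confined to
# ALLOWED_ROOT, 1 otherwise. CMD is what sshd placed in $SSH_ORIGINAL_COMMAND.
allow_rsync_cmd() {
    ar_cmd=$1
    ar_nl='
'
    # 1. exact mode: server AND sender. Plain "rsync --server" (no --sender) would let
    #    the client *write* into remotehost, which this backup never needs.
    case "$ar_cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    # 2. no embedded newline (keeps a second line out of logs and argument lists)
    case "$ar_cmd" in
        *"$ar_nl"*) return 1 ;;
    esac
    # 3. rsync puts the requested path last; split on whitespace with globbing off
    set -f
    set -- $ar_cmd
    set +f
    eval "ar_path=\${$#}"
    # 4. path must be ALLOWED_ROOT or below it; any ".." anywhere is rejected
    #    (that also rejects names like foo..bar, acceptable for a backup tree)
    case "$ar_path" in
        *..*) return 1 ;;
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd runs this as the forced command. Guarded on the variable so
# the file can also be sourced for testing. $SSH_ORIGINAL_COMMAND is word-split, never
# eval'd or handed to sh -c, so ; | > & inside it reach rsync as literal arguments.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Rejected" >&2
    exit 1
fi
```

Install it in place of validate-rsync with the same from=/command= line and re-run the rsync test from localhost; a pull from any other directory, or any push, should now be answered with "Rejected". rsync's support/rrsync script does the same job more completely (it also confines receiver mode) if a write direction is ever needed.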
# Tivoli ports (9494-9495). Create the TIVOLI chain before any rule jumps to it:
iptables -N TIVOLI
# Variant 1: accept from any host. Use either this or variant 2, not both. Matching on
# --sport is weak: a remote client chooses its own source port, so any client that picks
# 9494 as its source port would be accepted towards any local port.
iptables -A INPUT -p tcp -m tcp --sport 9494:9495 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9494:9495 -j ACCEPT
# Variant 2: limited to the Tivoli hosts by the TIVOLI chain
iptables -A INPUT -p tcp -m tcp --sport 9494:9495 -j TIVOLI
iptables -A INPUT -p tcp -m tcp --dport 9494:9495 -j TIVOLI
iptables -A TIVOLI -s src-tiv-IP -j ACCEPT
iptables -A TIVOLI -d dst-tiv-IP -j ACCEPT
iptables -A TIVOLI -j REJECT --reject-with icmp-port-unreachable
Netbackup Tips
Stopping Netbackup
- /etc/init.d/netbackup stop --> graceful shutdown
- /usr/openv/netbackup/bin/bpps -a --> check for any remaining processes
- /usr/openv/netbackup/bin/goodies/bp.kill_all ---> kills all remaining netbackup processes, not necessarily graceful
- /usr/openv/netbackup/bin/bpps -a --> check for any remaining processes
- kill -9 <pid> for any remaining. NOTE: unkillable processes may require a reboot
Starting Netbackup
- /etc/init.d/netbackup start --> after bp.kill_all, to restart
Common Tasks
Starting the Administration GUI
- java from the windows client
- java from the server - /usr/openv/java/jnbSA &
Checking Backup Status
- Activity Monitor or
- /usr/openv/netbackup/bin/admincmd/bpdbjobs -report
Cleaning a tape manually
- Identify the drive name to be cleaned
- tpclean -L
- Manually clean the drive:
- tpclean -C <drive name>
Determining what tapes were used for a backup
- GUI
- Backup and Restore --> Find the file system --> Preview Media Button
- CLI
- Find the correct backup images
- bpimagelist -U -client <CLIENT> -d <STARTDATE> -e <ENDDATE>
- Find the media used for those images
- bpimagelist -U -client <CLIENT> -d <STARTDATE> -e <ENDDATE> -media
Listing the files in a backup
bpflist --help --> undocumented netbackup command to list files from a binary .f file
Inventory the Robot
- Inventory Robot --> /opt/openv/volmgr/bin/vmcheckxxx -rt tld -rn <robot_number> -list
- Inventory Robot and Update Configuration --> /opt/openv/volmgr/bin/vmupdate -rt tld -rn <robot_number> -list
Listing Properties of the Volume Pools
- vmpool -listall
Scratch Tapes
- Count scratch tapes: /usr/openv/volmgr/bin/vmquery -pn Scratch | grep -c "robot slot"
- Moving tapes to the scratch pool
- If Needed - Expire the tape
- bpexpdate -ev <TAPE ID> -d 0 -force -host <Media Manager>
- Move the tape
- vmchange -p 2 -m <TAPE ID>
Checking Drive Usage
- /usr/openv/volmgr/bin/vmoprcmd -d
Taking a drive down or up
- /usr/openv/volmgr/bin/vmoprcmd -down <drive index>
- /usr/openv/volmgr/bin/vmoprcmd -up <drive index>
Performing a Restore
- From the GUI
- user backup & restore --> configuration --> client
- user backup & restore --> configuration --> client to restore
- directory to search
- directory depth
- date range
- file --> browse backups for restore
Adding New Tapes to the Library
- Using the GUI
- Media Management --> Actions --> New --> Single Volume . . -->
- Media Type (ie DLT)
- Robot Type (ie TLD)
- Media ID (from Inventory)
- Slot Number (from Inventory)
- Robot Number (ie 0)
- Volume Group
- Volume Pool (ie Scratch)
- Using the CLI
- vmadd -m <media id> -mt <tape type> -verbose -rt tld -b <barcode> -rn <robot number> -rc1 <slot> -p <pool number> -mm <max mounts>
- vmpool -listall --> lists all pools, both name and number
- For example: vmadd -m Q100L1 -mt hcart -verbose -rt tld -b ECQ100L1 -rn 0 -rc1 8 -p 2 -mm 0
Re-using Tapes from other systems or older Netbackups
- Expire the media
- bpexpdate -ev MEDIA_ID -d 0 -force -host HOST
- Deassign the media
- vmquery -deassignbyid MEDIA_ID 4 0
- Move to the scratch pool
- vmchange -m MEDIA_ID -p POOL#
- Relabel the media
- bplabel -ev EVA019 -d 8mm -p Scratch
Changing the attributes of media
- Changing the barcode
- vmchange -barcode CYM100D -m CYM100
- Changing the Volume Pool
- vmchange -m MEDIA_ID -p POOL#
To expire media
- bpexpdate -ev <media id> -d 0 -force -host <media server>
To unfreeze media
- List the frozen media
- /usr/openv/netbackup/bin/goodies/available_media | grep -i FROZEN
- Unfreeze the media
- bpmedia -unfreeze -ev <media id> -h <media server>
To relabel a tape
- bplabel -ev <media id> -d <tape density> -p <pool name>
- bplabel -ev 000687 -d hcart -p TriVrgt_OFFSITE
To remove media from the Netbackup database
- Verify that there are no images on the tape
- bpimmedia -mediaid 000687 -L
- Expire the tape
- bpexpdate -ev 000687 -d 0 -host scorpius -force
- Get the status and pool number of the tape
- vmquery -m 000687
- Deassign the tape
- vmquery -deassignbyid <media id> <pool number> <status code from vmquery -m>
- vmquery -deassignbyid 000687 4 0x0
- Delete the tape
- vmdelete -m 000687
Installing the Netbackup Client
- ./update_clients -ForceInstall -ClientList /tmp/clients.lst
- requires that TMPDIR and TEMPDIR be set correctly
Excluding files from backup on a client
- Create /usr/openv/netbackup/exclude_list
- Put the file specifications of the files/directories to be excluded
- /mnt/directory/*
Displaying Information about a Tape
- vmquery -m <media id> --> Displays attributes about a particular tape
- bpmedialist -U -mcontents -ev 000687 --> Displays media contents
- bpmedialist -U -mlist --> List of all media
- bpmedialist -U -mlist -ev CYM966 --> Listing of a particular media id
- bpimmedia -mediaid 000687 -L --> Listing of images on a tape
Robtest Commands
- Starting robtest
- robtest
- 1 --> to select TLD 0
- Getting help
- ?
- Looking at contents of the tape drives
- s d
- Looking at the contents of the library
- s s
- Moving a tape from a drive to a library slot
- s d --> to identify drive number that has tape (Contains Cartridge = yes, Barcode=XXXXXX)
- s s --> to identify an empty slot in the tape library (Netbackup will need to be re-inventoried)
- m d# s# --> from from drive # to slot #
- s d --> verify the tape drive is empty
- s s --> verify the library slot has the tape
Configuration Files
/usr/openv/netbackup/bp.conf
- configuration file, sets backup server and backup clients
- force statement must be correct
- client to browse from
- client to restore to
/usr/openv/volmgr/vmconf
Logfiles
To utilize logfiles, create the corresponding directory in /usr/openv/netbackup/logs
Server Logfile directories:
- admin - administrative commands
- bpbrm - backup and restore manager
- bpcd - client daemon
- bpdbjobs - database manager program process
- bpdm - disk manager process
- bpjava-msvc - Java application server authentication service
- bpjava-usvc - process that services Java requests
- bprd - request daemon process
- bpsched - scheduler process that runs on master servers
- bptm - tape/optical media management process
- user-ops - required directory for use by Java programs
- xbpadm - X based administration utility
- xbpmon - X based job monitor process
Client Logfile directories:
- bp - client user interface process
- bparchive - archive program
- bpbackup - backup program
- bpbkar - program that generates the backup images
- bpcd - client daemon
- bpjava-msvc - Java application server authentication service
- bpjava-usvc - process that services Java requests
- bplist - program that lists backed up and archived files
- bpmount - program that determines local mountpoints and wildcard expansion for multiple streams
- bphdb - Oracle database backup program start process
- db_log - database specific extension log
- tar - tar process log during restores
- user_ops
Media Manager logging automatically goes to the system log using syslogd logging facility
Logging will only occur if these directories are created. These directories will generate a lot of data and should be deleted when no longer necessary.
To increase the amount of logging information set VERBOSE=2 in /usr/openv/netbackup/bp.conf (default is VERBOSE=1)
Processes
ltid
acsd
vmd
Useful Commands
bpcllist - list classes
bpclinfo <class> -L --> displays info about a class
vmpool - volume pools
vmpool -listall
vmpool -listscratch
bplabel -ev <media id> -d hcart
bpbackup db --> backs up the catalog
bpclclients <policy> --> lists the clients for a particular policy (class)
Troubleshooting
bperror -statuscode <-- displays information about the netbackup error.
No Backups are running:
- Check system log file for error messages
- Stop and restart all the netbackup processes
- Look for a downed drive
- /usr/openv/volmgr/bin/vmoprcmd -d
- /usr/openv/volmgr/bin/vmoprcmd -up 0 --> this will bring up drive 0 if its control shows as down
- Look for pending requests
- /usr/openv/volmgr/bin/vmoprcmd -d or GUI --> Device Management
- If there is a pending request either re-assign it to a drive, or deny the request
Downed drive does not come back up or does not stay up
- Check for a hardware problem by looking for messages on the tape library
- Make sure there is not a tape stuck in the drive
- Use robtest (described above) to look at the drives
- If there is a tape stuck in the drive, try to remove it using robtest
- If robtest fails, then you must manually remove it.
Verify the Client is communicating properly:
- bpclntcmd -ip <ip address> --> from both client and server
- bpclntcmd -hn <hostname> --> from both client and server
- bpclntcmd -pn --> from client only
Device Actions
Device Management --> info about tape drives
- 8mm
- hcart (LTO)
Netbackup Client
To check things out do this. It could be a couple of things, mostly DNS, bp.conf, or something stupid. On the client run these commands:
/usr/openv/netbackup/bin/bpclntcmd -pn
/usr/openv/netbackup/bin/bpclntcmd -server "server name"
/usr/openv/netbackup/bin/bpclntcmd -ip "ip_address"
One of these usually fails and you're able to fix it right off. A typical check sequence from a real session:
./bpclntcmd -hn corpbu1
./bpclntcmd -ip 10.194.1.129
ping 10.194.1.129
./bpclntcmd -hn corpldv1
./bpclntcmd -hn corpbu1.corporate.vox.net
ping corpldv1
./bpclntcmd -ip 10.194.1.120
Names and addresses must resolve correctly (forward and reverse) from both the master server and the client or it will not work!!!
Netapp Putty and RemoteShare
pavsan01 Filer view
pavsan01> vol options evs08_vmp3
nosnap=on, nosnapdir=off, minra=off, no_atime_update=on, nvfail=off, ignore_inconsistent=off, snapmirrored=off, create_ucode=on, convert_ucode=on, maxdirsize=167690, schedsnapname=ordinal, fs_size_fixed=off, guarantee=volume, svo_enable=off, svo_checksum=off, svo_allow_rman=off, svo_reject_errors=off, no_i2p=off, fractional_reserve=100, extent=off, try_first=volume_grow
pavsan01> vol options evs_cluster2_vol1 no_atime_update on
remote share (rmtshare, from the Windows Resource Kit)
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01
Share name            Resource                              Remark
----------------------------------------------------------------------
IPC$                                                        Remote IPC
ETC$                  C:\etc                                Remote Administration
HOME                  C:\vol\vol0\home                      Default Share
C$                    C:\                                   Remote Administration
vol0$                 C:\vol\vol0                           Remote Administration
vol0bu$               C:\vol\vol0                           Backup Administrative Share
evs01_log_vol1$       C:\vol\evs01_log_vol1                 MS Exchange Logs
evs02_log_vol1$       C:\vol\evs02_log_vol1                 MS Exchange Logs
evs01_log_qtree1$     C:\vol\evs01_log_vol1\evs01_...       MS Exchange Logs
paveasp1_ea_vol1$     C:\vol\paveasp1_ea_vol1               MS EMail Archive
paveasp1_ea_qtree1$   C:\vol\paveasp1_ea_vol1\pave...       MS EMail Archive
pavmvs01$             C:\vol\pavmvs01                       pavMVS01 Test LUN
pavmvs01_disk$        C:\vol\pavmvs01\pavmvs01_disk         pavMVS01 Test LUN
pavmvs01_qtree$       C:\vol\pavmvs01\pavmvs01_qtree        pavMVS01 Test LUN
evs03_log_vol1$       C:\vol\evs03_log_vol1                 MS Exchange Logs
evs02_log_qtree1$     C:\vol\evs02_log_vol1\evs02_...       MS Exchange Logs
evs03_log_qtree1$     C:\vol\evs03_log_vol1\evs03_...       MS Exchange Logs
evs01_db_vol1$        C:\vol\evs01_db_vol1                  MS Exchange Storage Group 1
evs01_db_qtree1$      C:\vol\evs01_db_vol1\evs01_d...       MS Exchange Storage Group 1
evs03_db_vol1$        C:\vol\evs03_db_vol1                  MS Exchange Storage Group 3
evs03_db_qtree1$      C:\vol\evs03_db_vol1\evs03_d...       MS Exchange Storage Group 3
evs06_vmp$            C:\vol\evs06_vmp3                     Exchange EVS06 Transaction Log ...
evs08_vmp$            C:\vol\evs08_vmp3                     Exchange EVS08 Transaction Log ...
evs07_vmp$            C:\vol\evs07_vmp3                     Exchange EVS07 Transaction Log ...
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp$
Share name       \\pavsan01\evs06_vmp$
Path             C:\vol\evs06_vmp3
Remark           Exchange EVS06 Transaction Log Volume
Maximum users    No limit
Users            0
Permissions:
Everyone : FULL CONTROL
The command completed successfully.
Note the share permission: Everyone with FULL CONTROL on a volume holding Exchange transaction logs means any account that can reach the filer over CIFS can read or delete those logs. When the shares are re-created below, grant access only to the Exchange cluster service account(s) (rmtshare accepts /grant user:perm), or restrict it on the filer with cifs access.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp$ /d
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp3$=C:\vol\evs06_vmp3 /remark:"Exchange EVS06 Transaction Log Volume"
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs07_vmp$ /d
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs08_vmp$ /d
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs07_vmp3$=C:\vol\evs07_vmp3 /remark:"Exchange EVS07 Transaction Log Volume"
The command completed successfully.
C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs08_vmp3$=C:\vol\evs08_vmp3 /remark:"Exchange EVS08 Transaction Log Volume"
The command completed successfully.
C:\Documents and Settings\msxgdt>
############################################################
Trend Scanmail 7.0 Install for Clusters
1. Steps
Log into the cluster node that owns the Quorum to install Scanmail.
1. From Cluster Admin stop the System Attendant on each virtual server – the install will "see" all nodes for any node that is part of the cluster
2. Stop the IIS Admin Service on all servers!
3. Run setup.exe and click Yes to the warning prompt
a. Select Next
b. Select Install/Upgrade
c. Select Accept
d. SMEX 7.0
i. SM-6AHJ-PBPXG-JQEX9-XKHGF-8FD8T-N3F4D
e. Type in the server names instead of browsing, i.e. PAVMSGPP06, PAVMSGPP07, PAVMSGPP08, PAVMSGPP09, PAVEVS06, PAVEVS07, and PAVEVS08
f. Use the Pvalentino\msxgdt account, change the default installation location to E:\Trend Micro\SMEX and leave the share as C$
g. Leave the default of enable SMTP scanning
h. Leave the default IIS selected
i. Change the web server information to
i. Virtual Web Site – and the Port will go to 8080
j. Leave it selected on
i. Specify an Existing Active Directory account
k. Use msxgdt for the web console admin account (don't use the domain)
l. Uncheck "use proxy server to connect to Internet" (the server is already behind a firewall)
m. Select "No, I don't want to participate"
n. Leave the defaults checked.
o. Verify that all active, passive and virtual servers are listed and checked as available to install; if not, services must still be running on individual nodes or the IP and network name resources are not running for the virtual servers
p. Scanmail will then install – watch progress and use the details button
4. Move to Trend CM Installation
Trend CM Installation - (This must be done on each individual node)
1. Copy the public key E2EPublic.dat from
\PAVnas05srvappsmediaServerTrendmicroScanmailv70SmexSMEXUpdatePublic Folder Key to e:\trend micro\smex\Public Folder Key
2. Run setup under \PAVnas05srvappsmediaservertrendmicroscanmailv70smexsmexupdateCMAgent_1057
3. Each step is a screen.
a. Select Next
b. Enter trendcm
c. Leave defaults
d. Click Import and select the location of the public folder key, e:\trend micro\smex\Public Folder Key\<keyfilename>
4. The TrendCM Agent will install
5. Move to the next server in the cluster (active nodes can be done live without affecting Exchange)
6. Move to Patch4 Install
Patch4 Install for cluster
This install is done only on a passive node, take offline and move all resources hosted on server to another node before installing the patch
1. Stop Exchange System Attendant from cluster admin
2. Pause Node
3. exit cluster admin
4. stop iis admin
5. stop cluster service
6. run patch4 update from:
c. \PAVnas05srvappsmediaServerTrendmicroScanmailv70SmexPatch 4 cluster
d. The file will cluster at the end
7. Watch the patch4 install progress bar for any errors
8. IIS Admin Service will restart on its own
9. Resume the Node in cluadmin
10. Cluster service will restart on its own
11. Bring all resources online and move to correct servers.
We will Re-create the EVS SMEX Resource: see the Screen Capture below as Reference.
Points to Look at from the capture:
1. When creating the EVS SMEX Resource, choose the root drive letter F: or G: as one of the dependencies. Also add Exchange IS and Network Name as dependencies.
2. Then for the Scanmail data path, specify only evsXX_smtp_vmp\SMEX and uncheck "Affect the group" on the properties Advanced tab
On the IIS:
1. For the SMEX website, make sure the report-<EVSName> virtual directory is pointing to the correct SMEX path (<evs06_smtp_vmp>\SMEX\data\report).
2. Make sure all the nodes have the correct path.
3. Restart the IIS and Scanmail services and delete the SMEX folder from the root drive F: or G:
4. Once the SMEX Master Service has started, make sure that in F:\evs06_smtp_vmp\SMEX\data you have a pairing of
Conf.mdb and Conf.ldb
Log.mdb and Log.ldb
After reboot:
1. Verify 3 Scanmail services are running
2. Unpause the node from cluadmin
3. failover a Exchange virtual server to the node
4. Log into the Scanmail Management Console from a workstation – NOT THE SERVER (Web based – use msxgdt) by going to http://PAVevs08:8080/smex
5. Verify engine and dat files are up to date, if not run update
6. Verify realtime scan window is showing mail flow
Start the process again from the patch4 point for each node in the cluster as it becomes the passive node
Exchange 2003 Cluster Installation
1. Configure operating System
Make sure the OS is configured properly and all necessary OS patches are installed.
Perform Windows Update for Critical updates only (IE7 was deselected, 2/15/07).
Boot.ini: add /3GB /userva=3030 to the end of the line.
In Windows Explorer, navigate to the system partition. This is the partition that holds hardware-specific Windows files such as Boot.ini and NTLDR.
If you cannot see the Boot.ini file, it could be because the folder options are set to hide protected operating system files. If this is the case, in the Explorer window, click Tools, Folder Options, and then click View. Clear the "Hide protected operating system files (Recommended)" check box. When prompted, click Yes.
Right-click the Boot.ini file, select Properties and clear the Read Only checkbox.
After the Boot.ini file is visible in Explorer, right-click the file, click Open With, and then click Notepad to open the file.
Add the /3GB and /userva=3030 switches to the end of the line starting with "multi" under the [Operating Systems] section.
Save the changes and close Notepad.
Change the boot.ini timeout values for system startup: set one node to 10 seconds and all other nodes to 90 seconds.
At the command prompt, type: bootcfg /timeout # where # specifies the time in seconds after which the default operating system will be loaded.
If disks are not already partitioned as below go to Computer Management > Disk Management > and create partitions
C: 12GB - Under Properties verify it is named Boot
D: 40.32GB - Under Properties verify it is named Exchanged
E: 16384MB or 16G – Under Properties verify that it is named Pagefile, Trend, Temp
Adjust Pagefile by right clicking My Computer – selecting properties > Advanced > Performance > Settings button – go to Advanced Tab > Virtual Memory > Change button and set C: 512 min 512 max Pagefile on E: 4096 min 4096 max for 4GB
Application Event log increased to 40MB or 40960KB by going to Computer Management > Event Viewer > right-click Application > select Properties and update Maximum Log Size value.
Set Security and System Event Log to Maximum Log Size of 16384KB
Install Windows 2003 sp1 Resource Kit and Support Tools
2. Install SnapDrive 4.1
Install Emulex storport driver 1.20a3 if required
First check Start > Programs > Emulex – if it does not exist then install driver below
Run the distribution file netappstorportminiportkit_1.-20a3-1g.exe (2007.1.23.1139 or newer), then extract to c:\program files\emulex.
Run AutoPilot Installer at conclusion of distribution file extraction
Select correct version number as the driver to upgrade to
Click Next and installation begins
When complete, go to Device Manager – SCSI and RAID Controllers and check if HBA is now at the correct version
Reboot if prompted
Install new FCP HAK 3.0
Double-click ntap_windows_fcp_3.0_setup_x86.exe file
Click Next and accept all defaults
Install directory should be c:\program files\netapp\wak
Select Complete Installation method
Select Install to begin installation
Install Snapdrive 4.1
Double-click snapdrive4.1.exe file
Select all default options
Snap Drive
SDR-MPIO
VYZMIQINJVBTEE
SDR-WIN LUN
JMOFBEWOJFHEYA
SME2K3
EQZKPWA
User Account
msxpv
If SnapDrive must be uninstalled for any reason ALWAYS use snapdrive4.1.exe to do so and select the option to remove the MPIO drivers when prompted.
If you cannot see the initiators when trying to create a LUN do the following:
Stop the SnapDrive service from services.msc (DO NOT USE Computer Management\Services)
Remove or rename the old HBAAPI.dll (version 2.2.1.0) in the SnapDrive directory (by default, C:\Program Files\NetApp\SnapDrive), then start the SnapDrive service
Install Snapdrive 4.2.1
Install Data ONTAP DSM 3.0 for Windows
Double-click ntap_win_mpio_3.0_setup_i386.exe
Select Single Instance Image Mode (cfmode=single_image)
Snap Drive
SDR-MPIO
DZFUPANSZYHXCF
Double-click snapdrive4.2.1 exe
Select all default options
Snap Drive
SDR-WIN
VKCOHUMRBFAAAA
SME2K3
HTFNBGOGJNDCMA
User Account
msxpv
If you cannot see the initiators when trying to create a LUN, apply the same HBAAPI.dll fix described under the SnapDrive 4.1 install above (stop the SnapDrive service from services.msc, remove or rename the old HBAAPI.dll, start the service again).
3. Create the Cluster
See section 5 for LUN and drive letter details (PUT IN SCREEN SHOTS)
Create the quorum LUN first, on node 1 (pvmsgpp06) only, according to the table below:
LUN | Size (MB)
evs_cluster_vol1/evs_cluster_qtree1/evs_quorum.lun | 500
If you cannot see the initiators when trying to create a LUN see the end of section 2 above.
Create the evs_quorum.lun LUN (under evs_cluster_qtree1 on pvsanpp02; the full UNC path is given in the "Connect Quorum Drive" step below) for the Quorum on node 1
DO NOT PERFORM THESE STEPS ON SUBSEQUENT NODES
Setup Cluster Services
Verify that the NICs have been assigned the appropriate IPs on all nodes:
Production NIC (class C: SM=255.255.255.0, GW=132.189.91.254, DNS=132.189.91.10 and 132.189.8.28)
pvmsgpp02 = 132.189.91.102
pvmsgpp03 = 132.189.91.103
pvmsgpp04 = 132.189.91.104
Heartbeat NIC (SM=255.255.255.192, no gateway)
pvMSGPP02 = 10.0.36.2
pvMSGPP03 = 10.0.36.3
pvMSGPP04 = 10.0.36.4
Cluster IP 132.189.91.121 SM=255.255.255.0
MSDTC 132.189.91.122 SM=255.255.255.0
EVS02 132.189.91.123
EVS03 132.189.91.124
Rename the network connections Production Network Port (1) and Cluster Heartbeat Port (1)
Right click the cluster Heartbeat Port connection properties, select TCP/IP, click properties, click Advanced, click DNS tab.
Remove the checkbox “Register this connection’s address in DNS”
Click WINS tab and select “Disable NETBIOS over TCP/IP”
Open Network Connections, on the Advanced menu, click Advanced settings.
On the “Adapter and Bindings” move the production network port to the top.
On the “Provider” tab move the “Microsoft Windows Network” to the top.
Run cluadmin on first node evs01
Select File > Create new cluster (FIRST NODE ONLY)
Enter the IP address for the cluster
Make sure Q: is the quorum
If there are any issues with the cluster you can remove and clean up by evicting the nodes, running cluster node pvmsgpp02 /forcecleanup (on each node), and starting over with the Create New Cluster option
Verify that console:i:1 is added to first line of RDP connection shortcut via Wordpad (required to see QUORUM on nodes 2 and 3) or use mstsc /console
Connect Quorum Drive on subsequent nodes pvMSGPP03 and 04 in Cluster
In SnapDrive right-click Disks and select connect
Enter the full path to the Quorum LUN: \\pvsanpp02\evs_cluster_vol1$\evs_cluster_qtree1\evs_quorum.lun
Add subsequent nodes to cluster – in cluadmin go to File > New > Node
Click Add, then select Advanced, choose minimal configuration, continue selecting Next through all warnings, and finish
Finish the wizard.
After node is added do a move group command and verify that Q: is available from Windows Explorer
Move Group back to the passive node
Perform steps k – r on the remaining nodes
Open the cluster administrator and right click on the cluster name (pvMSGC1) properties, click Network Priority tab and move the cluster heartbeat port up. Click properties of the cluster heartbeat port and select “Internal cluster communications only”
Create the MSDTC
Create MSDTC Drive on pvMSGPP04 in Cluster
In SnapDrive right-click Disks and select create
Enter the full path to the MSDTC LUN: \\pvsanpp02\evs_cluster_vol1$\evs_cluster_qtree1\evs_MSDTC.lun
Click Next, select Shared (Microsoft Cluster Services Only)
Select each server and add the initiators and click Next
Create a new group for MSDTC and click Next
Click Finish.
Open cluster Administrator and go to MSDTC group.
Add the IP Address, Network Name and Distributed Transaction Coordinator resources to the group (click Add New Resource for each).
Right-click the IP Address resource and bring it online.
Right-click the Network Name resource and bring it online.
Right-click the MSDTC resource and bring it online.
Remove “Affect Group” from the DTC advanced properties.
4. Create the Volume Mount Point
Create the Volume Mount Point Root LUNS
First create VMP root LUNs according to table below.
In SnapDrive right-click on disks and select Create Disk
Enter the virtual disk path: \\pvsanpp01\evs_cluster_vmp_roots$\evs_cluster_vmp_roots_qtree1
Enter a lun name. evs01_root_f.lun
Select “No under snapshot”
Size 32MB
Select Shared
Create a Cluster Services Group, VMP-Roots
Finish the wizard
Repeat steps a through i to create the remaining root LUNs, based on the pv_exchange_NetApp_config.xls spreadsheet.
Create the database LUNs
In SnapDrive right-click on disks and select Create Disk
Enter Virtual disk path.
\\pvsanpp01\evs01_vmp1$\evs01_sg1_db1_qtree1
Enter a lun name. evs01_sg1_db1.lun
Select “Yes under snapshot”
Size 65700 MB
Select Shared
Select Use Volume Mount Point and enter a name, e.g. F:\evs01_sg1_db1_vmp in this example
Finish the wizard
Repeat steps a through h to create the other database LUNs, changing the highlighted values. See the table below for the LUN names and mount points (the virtual disk path column did not survive in this copy of the table).
Database Virtual Disk Path | Database LUN | Mount Point (65700 MB each) |
| evs01_sg1_db1.lun | F:\evs01_sg1_db1_vmp |
| evs01_sg1_db2.lun | F:\evs01_sg1_db2_vmp |
| evs01_sg1_db3.lun | F:\evs01_sg1_db3_vmp |
| evs01_sg1_db4.lun | F:\evs01_sg1_db4_vmp |
| evs01_sg2_db1.lun | F:\evs01_sg2_db1_vmp |
| evs01_sg2_db2.lun | F:\evs01_sg2_db2_vmp |
| evs01_sg2_db3.lun | F:\evs01_sg2_db3_vmp |
| evs01_sg2_db4.lun | F:\evs01_sg2_db4_vmp |
| evs01_sg3_db1.lun | F:\evs01_sg3_db1_vmp |
| evs01_sg3_db2.lun | F:\evs01_sg3_db2_vmp |
| evs01_sg3_db3.lun | F:\evs01_sg3_db3_vmp |
| evs01_sg3_db4.lun | F:\evs01_sg3_db4_vmp |
| evs01_sg4_db1.lun | F:\evs01_sg4_db1_vmp |
| evs01_sg4_db2.lun | F:\evs01_sg4_db2_vmp |
| evs01_sg4_db3.lun | F:\evs01_sg4_db3_vmp |
| evs01_sg4_db4.lun | F:\evs01_sg4_db4_vmp |
| evs02_sg1_db1.lun | G:\evs02_sg1_db1_vmp |
| evs02_sg1_db2.lun | G:\evs02_sg1_db2_vmp |
| evs02_sg1_db3.lun | G:\evs02_sg1_db3_vmp |
| evs02_sg1_db4.lun | G:\evs02_sg1_db4_vmp |
| evs02_sg2_db1.lun | G:\evs02_sg2_db1_vmp |
| evs02_sg2_db2.lun | G:\evs02_sg2_db2_vmp |
| evs02_sg2_db3.lun | G:\evs02_sg2_db3_vmp |
| evs02_sg2_db4.lun | G:\evs02_sg2_db4_vmp |
| evs02_sg3_db1.lun | G:\evs02_sg3_db1_vmp |
| evs02_sg3_db2.lun | G:\evs02_sg3_db2_vmp |
| evs02_sg3_db3.lun | G:\evs02_sg3_db3_vmp |
| evs02_sg3_db4.lun | G:\evs02_sg3_db4_vmp |
| evs02_sg4_db1.lun | G:\evs02_sg4_db1_vmp |
| evs02_sg4_db2.lun | G:\evs02_sg4_db2_vmp |
| evs02_sg4_db3.lun | G:\evs02_sg4_db3_vmp |
| evs02_sg4_db4.lun | G:\evs02_sg4_db4_vmp |
Create the Transaction Log LUNs
In SnapDrive right-click on disks and select Create Disk
Enter Virtual disk path.
\\pvsanpp01\evs01_vmp3$\evs01_sg1_tl_qtree1
Enter a lun name. evs01_sg1_tl.lun
Select “Yes under snapshot”
Size 23760 MB
Select Shared
Select Use Volume Mount Point and enter a name, e.g. T:\evs01_sg1_tl_vmp in this example
Finish the wizard
Repeat steps a through i to create the other transaction log LUNs, changing the highlighted values. See the table below for the LUN names and mount points (the virtual disk path column did not survive in this copy of the table).
TL Virtual Disk Path | TL LUN | Mount Point (23760 MB each) |
| evs01_sg1_tl.lun | F:\evs01_sg1_tl_vmp |
| evs01_sg2_tl.lun | F:\evs01_sg2_tl_vmp |
| evs01_sg3_tl.lun | F:\evs01_sg3_tl_vmp |
| evs01_sg4_tl.lun | F:\evs01_sg4_tl_vmp |
| evs02_sg1_tl.lun | G:\evs02_sg1_tl_vmp |
| evs02_sg2_tl.lun | G:\evs02_sg2_tl_vmp |
| evs02_sg3_tl.lun | G:\evs02_sg3_tl_vmp |
| evs02_sg4_tl.lun | G:\evs02_sg4_tl_vmp |
Create the SMTP LUNs
In SnapDrive right-click on disks and select Create Disk
Enter Virtual disk path.
\\pvsanpp01\evs01_vmp3$\evs01_smtp_qtree1
Enter a lun name. evs01_smtp.lun
Select “No under snapshot”
Size 4096 MB
Select Shared
Select Use Volume Mount Point and enter a name, e.g. S:\evs01_smtp_vmp in this example
Finish the wizard
Repeat steps a through i to create the other SMTP LUN, changing the highlighted values. See the table below for the LUN names and mount points (the virtual disk path column did not survive in this copy of the table).
SMTP Virtual Disk Path | SMTP LUN | Mount Point (4 GB each) |
| evs01_smtp.lun | F:\evs01_smtp_vmp |
| evs02_smtp.lun | G:\evs02_smtp_vmp |
Maintenance LUN on SAN01 aggregate 1
evs_cluster_mnt_vol2/evs_cluster_mnt_qtree1/evs_cluster_mnt1.lun
Size 400000 MB
5. Install Exchange Server 2003 on Each Node
Installing and Enabling Required Windows Services
Exchange Server 2003 Setup requires that the following components and services be installed
and enabled on the server:
.NET Framework
ASP.NET - verify that this is set to Auto Start
Internet Information Services (IIS)
World Wide Web Publishing Service
Simple Mail Transfer Protocol (SMTP) service
Network News Transfer Protocol (NNTP) service
Install Exchange Server 2003 on all cluster nodes
Make sure that the Cluster service is running on each node.
Install and enable the required Windows services.
Install Microsoft Distributed Transaction Coordinator (MSDTC).
Run Exchange Server 2003 Enterprise Setup.
Ignore the error stating that there is a compatibility issue with this version of Windows.
Create D:\Exchsrvr on all nodes.
Change the installation path to D:\Exchsrvr and choose Typical install on all nodes.
Install SP2 on all nodes
Run Windows Update on all nodes
Post-deployment steps – Tuning Parameters
Set SystemPages to 0 (DWORD):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\SystemPages = 0
Set HeapDeCommitFreeBlockThreshold to 262144 (decimal) (DWORD):
HKLM\System\CurrentControlSet\Control\Session Manager\HeapDeCommitFreeBlockThreshold = 262144 (decimal)
Set Guid-Replid Caching to 0 (DWORD) under the key for each private database:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<server name>\<each private database>
Set MinUserDC to the number of GCs minus the PDC emulator (6 in the current environment) (DWORD, decimal):
HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\MinUserDC
Set the msExchESEParamLogBuffers
Go to ADSIEDIT.msc and set the value to 9000
Start ADSI Edit.
Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.
Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, and then expand CN=Servers.
Expand CN=<ServerName>, expand CN=InformationStore, right-click CN=<StorageGroupName>, and then click Properties.
In the Attribute Editor, click the msExchESEParamLogBuffers attribute, and then click Edit.
In the Edit Attribute box, set the value to 512 for Exchange 2000 Server or 9000 for Exchange Server 2003 (the value used in this build).
Click Apply, and then click OK.
Close ADSI Edit and then restart the Microsoft Exchange Information Store service for the change to take effect.
2) PagedPoolSize = DWORD value of FFFFFFFF
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
3) DynamicMemory = add DWORD value of 1
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
4) PoolUsageMaximum = add DWORD value of 40
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
5) msExchAgingKeepTime = value of 345600 (unconfirmed; may not be needed; the default is 40 days)
set at each DB in ADSIEdit
6) msExchMaxCachedViews = value of 20 (default is 11)
set at each DB in ADSIEdit
http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/2c732be4-eb00-4cde-8c90-f5f1427575eb.mspx?mfr=true
7) SkipWildcardSearchInGC = value of 1
HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion
8) QuerySender = value of 0
HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan
9) ScanningThreads = twice the number of processors plus one
HKLM\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
10) MaxMessageCount = value of 500
HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion
11) MaxScanningThreadCount = value of 25
HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption
12) ScanningThreadPoolCount = value of 25
HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption
13) TempFileThreshld = value of 102400 (or the maximum message size)
HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption
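The Windows-side registry values from the tuning list above (SystemPages, PagedPoolSize, DynamicMemory, PoolUsageMaximum, HeapDeCommitFreeBlockThreshold and MinUserDC) applied and audited from one script, so every node ends up identical and drift can be reported later with -DryRun. This is an added example, not the runbook's own script. The AD attributes set through ADSI Edit and the Trend Micro keys are not covered; the MinUserDC default of 6 is this environment's figure from the list above and is a parameter here.

```powershell
# Added example (not from the runbook): apply or audit the registry tuning values.
# Run elevated on each node after Exchange setup (the DSAccess key exists only then).
# -DryRun reports drift without changing anything; the exit code is the number of
# values that differ from the expected settings.
param([int]$MinUserDC = 6, [switch]$DryRun)

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ds = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default'

# Key, value name, expected REG_DWORD content. PowerShell reads a DWORD back as a
# signed Int32, so 0xFFFFFFFF (PagedPoolSize) is written and compared as -1.
$settings = @(
    @{ Key = $mm; Name = 'SystemPages';                    Value = 0 },
    @{ Key = $mm; Name = 'PagedPoolSize';                  Value = -1 },
    @{ Key = $mm; Name = 'DynamicMemory';                  Value = 1 },
    @{ Key = $mm; Name = 'PoolUsageMaximum';               Value = 40 },
    @{ Key = $sm; Name = 'HeapDeCommitFreeBlockThreshold'; Value = 262144 },
    @{ Key = $ds; Name = 'MinUserDC';                      Value = $MinUserDC }
)

$drift = 0
foreach ($s in $settings) {
    $label = "{0}\{1}" -f $s.Key, $s.Name
    $current = $null
    if (Test-Path $s.Key) {
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
    }
    if ($current -eq $s.Value) { "OK     $label = $current"; continue }

    $drift++
    if ($DryRun) { "DRIFT  $label is '$current', expected $($s.Value)"; continue }

    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    # -Type DWord forces REG_DWORD; Set-ItemProperty creates the value if it is absent
    Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
    $readback = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
    if ($readback -eq $s.Value) { "SET    $label = $readback" }
    else { Write-Error "$label read back as '$readback', expected $($s.Value)" }
}

if ($drift -gt 0 -and -not $DryRun) {
    "Reboot the node for the Memory Management values to take effect."
}
exit $drift
```

Running it with -DryRun on all nodes after the build is a cheap way to confirm the cluster nodes really have the same memory settings before putting load on them.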
6. Creating the Exchange Virtual Servers
Create the IP Address and Network Name resources for all Virtual Servers EVS01 and 02
Create System Attendant Resource
Make sure you select the LUN where you want the SMTP/MTA data to reside. Exchange will create a mailbox store and a public folder store on the same LUN. Move the mailbox store and delete the public folder store.
If an error occurs, move the computer account from the Computers OU to the Saint Paul\Servers OU in AD. Make sure the computers are in the correct OU.
Remove the “affect the group” setting on all resources except the Network Name, IP Address, Information Store and System Attendant resources on each virtual server.
On the Advanced tab of the Information Store and System Attendant resources of every virtual server, change Threshold to 1 and Period to 120.
Disable event log replication between the nodes (a cluster-wide property, set once):
cluster /prop EnableEventLogReplication=0
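The restart-policy steps above done with cluster.exe rather than by clicking through each resource, plus an audit that lists any resource in an Exchange group that could still fail the whole group over. This is an added example, not the runbook's own script. It assumes the Exchange group names match the virtual server names (EVS01, EVS02), uses the resource type names Exchange 2003 registers, and reads the resource list from the root\MSCluster WMI provider that ships with Windows Server 2003. The GUI "Period" is in seconds while the RestartPeriod property is in milliseconds, so 120 becomes 120000; check one resource with cluster res "<name>" /prop after applying.

```powershell
# Added example (not from the runbook). Run on any node as a cluster administrator.
# GUI control                         -> cluster.exe property
#   "Affect the group" checkbox       -> RestartAction (2 = restart and fail the group over,
#                                                       1 = restart this resource only)
#   Advanced tab "Threshold"          -> RestartThreshold
#   Advanced tab "Period" (seconds)   -> RestartPeriod (milliseconds)
param([string[]]$Groups = @('EVS01', 'EVS02'), [switch]$DryRun)

$keepAffectGroup = @('IP Address', 'Network Name',
                     'Microsoft Exchange Information Store',
                     'Microsoft Exchange System Attendant')
$exchangeCore    = @('Microsoft Exchange Information Store',
                     'Microsoft Exchange System Attendant')

function Set-ResProp([string]$Resource, [string]$Assignment) {
    if ($DryRun) { "cluster res `"$Resource`" /prop $Assignment"; return }
    & cluster.exe res $Resource /prop $Assignment | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Error "cluster res '$Resource' /prop $Assignment failed ($LASTEXITCODE)" }
}

$resources = Get-WmiObject -Namespace root\MSCluster -Class MSCluster_Resource
foreach ($res in $resources) {
    if ($Groups -notcontains $res.OwnerGroup) { continue }
    if ($keepAffectGroup -notcontains $res.Type) {
        Set-ResProp $res.Name 'RestartAction=1'        # clear "Affect the group"
    }
    if ($exchangeCore -contains $res.Type) {
        Set-ResProp $res.Name 'RestartThreshold=1'
        Set-ResProp $res.Name 'RestartPeriod=120000'   # 120 seconds
    }
}

# Cluster-wide: stop replicating event logs between nodes.
if ($DryRun) { 'cluster /prop EnableEventLogReplication=0' }
else { & cluster.exe /prop 'EnableEventLogReplication=0' | Out-Null }

# Audit: re-read and report anything in an Exchange group that can still take the
# group down on failure but is not one of the four resource types allowed to.
Get-WmiObject -Namespace root\MSCluster -Class MSCluster_Resource |
    Where-Object { $Groups -contains $_.OwnerGroup -and $_.RestartAction -eq 2 -and $keepAffectGroup -notcontains $_.Type } |
    ForEach-Object { Write-Warning ("{0} ({1}) still affects group {2}" -f $_.Name, $_.Type, $_.OwnerGroup) }
```

Run with -DryRun first; it prints the exact cluster.exe commands so they can be reviewed before anything changes on a production cluster.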
Add the MsgHandleThreshold registry key on all the nodes.
http://technet.microsoft.com/en-us/library/aa998105.aspx
Disable the MTA service on all nodes and set the following registry keys to disable MTA events for each database
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Gateway In Threads = 0 (DWORD)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Gateway Out Threads = 0 (DWORD)
Securing Clusters
http://technet.microsoft.com/en-us/library/bb123629.aspx
http://technet.microsoft.com/en-us/library/bb124140.aspx
7. Create Storage groups and databases.
Each Exchange virtual server has 4 storage groups and 4 databases. The first two databases are journaled in each storage group. None of the servers will contain any public folder stores. Delete any default public folder stores using the following steps.
Start ADSI Edit.
Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.
Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, expand CN=Servers, expand CN=<ServerName>, expand CN = InformationStore, and then expand CN=<Storage Group Name>
Right-click CN=<Public Folder Store Name> and then click Delete.
Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.
Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, expand CN= Folder Hierarchies
Right-click CN=<Public Folders> and then click Properties.
In the Attribute Editor, click the msExchOwningPFTreeBL attribute, and then click Edit.
In the Edit Attribute box, make sure the public folder store is not listed
Click Apply, and then click OK.
Close ADSI Edit and then restart the Microsoft Exchange Information Store service for the change to take effect.
Install and Configure Snap Manager for Exchange 3.2
Permissions for Blackberry Enterprise Server
Set the required permissions in Exchange for the BES service accounts on the new mail servers that will host BlackBerry-enabled accounts.
These permissions must be applied at the Storage Group or Server level!
The required permissions are:
Administer Information Store
View Information Store
Receive As
Send As (probably no longer a requirement because of how permissions are evaluated, but it keeps us consistent with the other servers)
I would recommend adding all BES service accounts for now, then removing the old management accounts at a later date, once all migrations have been completed.