Tag Archive: SAN


Reference: https://blogs.technet.microsoft.com/askds/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious/

https://www.microsoft.com/en-US/download/details.aspx?id=53314

How Domain and Forest trusts work: https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx

EMC ISILON SID translation errors: https://community.emc.com/thread/177333?tstart=0

 

Actions to do:

Check Trust relationships

Check Firewall logs and use portqry to test ports required. Also use nltest; netdom command lines.

Check GPO: Network access: Allow anonymous SID/Name translation

and  The following groups have the “Access this Computer from the Network” permission on domain controllers by default:

Administrators
Authenticated Users
Everyone

Introduction: How to migrate a SQL cluster to a new SAN ?

Environment: Server 2008 r2 (failover cluster – aka MSCS) and SQL 2008 sp3

Reference about Failover clustering:

http://technet.microsoft.com/en-us/library/cc753362(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/ff182338(v=ws.10).aspx

 

I selected for your this article  – how to move a SQL 2008 cluster to a new SAN:

https://gallery.technet.microsoft.com/SAN-Migration-step-for-SQL-d66dea19

 

Notes from the field:

http://blogs.technet.com/b/hugofe/archive/2012/07/04/windows-2008-2008-r2-san-migration.aspx

 

Note regarding the Quorum:

The Cluster service recognizes and identifies disks by their disk signatures (stored on the Quorum). Disk signatures are stored on the physical disk in the master boot record (MBR)

http://support.microsoft.com/kb/280425/en-us

Failover Clustering error codes: http://technet.microsoft.com/en-us/library/cc756229(v=WS.10).aspx

 

Note regarding Disk Signatures:

http://blogs.technet.com/b/markrussinovich/archive/2011/11/08/3463572.aspx
 
Disk Signatures
 
A disk signature is four-byte identifier offset 0x1B8 in a disk’s Master Boot Record, which is written to the first sector of a disk. This screenshot of a disk editor shows that the signature of my development system’s disk is 0xE9EB3AA5 (the value is stored in little-endian format, so the bytes are stored in reverse order).
 
Windows uses disk signatures internally to map objects like volumes to their underlying disks and starting with Windows Vista, Windows uses disk signatures in its Boot Configuration Database (BCD), which is where it stores the information the boot process uses to find boot files and settings.
Disk Signature Collisions
 
Windows requires the signatures to be unique, so when you attach a disk that has a signature equal to one already attached, Windows keeps the disk in “offline” mode and doesn’t read its partition table or mount its volumes. This screenshot shows how the Windows Disk Management administrative utility presents an offline disk that I caused when I attached the VHD Disk2vhd created for my development system to that system:
 
If you right-click on the disk, the utility offers an “Online” command that will cause Windows to analyze the disk’s partition table and mount its volumes:
 
When you chose the Online menu option, Windows will without warning generate a new random disk signature and assign it to the disk by writing it to the MBR. It will then be able to process the MBR and mount the volumes present, but when Windows updates the disk signature, the BCD entries become orphaned, linked with the previous disk signature, not the new one.
 
 
http://support.microsoft.com/kb/937251
 
The BIOS may or may not enumerate disks in a specific order. There is no direct relationship between the BIOS order, and the order in which Windows numbers the disks. During startup, Windows switches from using the BIOS INT13 support to native Windows drivers to access disks. Windows waits for several seconds for the system disk to enumerate through Plug and Play. When there is a match within the time-out period, normal startup will proceed. Otherwise, the system will trigger a bug check with Stop error code of 0x7B. Windows uses other mechanisms to differentiate disks, as Windows has no control over the disk-numbering process before startup. Windows has no information about any changes to hardware when the computer is turned off. Therefore, Windows initiates its own query for device enumeration.  
 
The disk numbers that are assigned by Windows after it switches to native Windows storage controller drivers during startup are dependent solely on the order in which the disks are enumerated and processed by Plug and Play. Windows will enumerate available fixed disks, followed by removable disks, assuming that the correct native Windows drivers are already present and installed on the system. Various uncontrollable timing factors may affect the enumeration order.
 

If you want to use Subject Alternative Names on internal SSL certificates issued by Active Directory Certificate Services you have to configure CA (Certificate Authority)
to accept SAN attribute from a certificate request.

By default (for security reasones) the AD CS CA does not issue certificates with SAN attribute.

Ability to connect without certificate issues (warning) to internal web server using a CNAME alias, FQDN or NetBios is one example where this becomes useful.

Run the following commands to configure CA:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc

net start certsvc

 

To add Subject Alternative Name to certificate add following to it’s attributes:

san:dns=dns_name

where dns_name is required Subject Alternative Name.

You can specify more names by separating them with an ampersand (&).

san:dns=dns_name1&dns=dns_name2

AD CS will accept the request and issue a certificate with Subject Alternative Names in it.

Remember to edit https bindings after installing certificate on your internal server (IIS).

Follow this reference guide from Technet: How to Request a Certificate With a Custom Subject Alternative Name: http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx#BKMK_Security

Another interesting web article with configuration sample: http://www.ldap389.info/en/2011/04/29/powershell-enterprise-ca-pki-create-san-certificate-iis-7-server-we/