How To Add A New Load-Sharing Mirror on NetApp Cluster Mode using PowerShell

To protect the Storage Virtual Machine (SVM) namespace root volume, you can create a load-sharing mirror volume on every node in the cluster, including the node in which the root volume is located. Then you create a mirror relationship to each load-sharing mirror volume and initialize the set of load-sharing mirror volumes. As you add new nodes to the cluster, you may choose to add a new load-sharing mirror to a set of existing load-sharing mirrors.

New-NcVol
PS>New-NcVol -Name root_vs01_m3  -Aggregate sas_aggr1 -JunctionPath $null -Type dp -Size 1g -VserverContext vs01

Name          State       TotalSize  Used  Available Dedupe Aggregate   Vserver  
----          -----       ---------  ----  --------- ------ ---------   -------
root_vs01_m3  online      1.0 GB     0%    1023.9 MB False  sas_aggr1   vs01

 

Create the destination load-sharing mirror volume by using the New-NcVol cmdlet with the -type parameter set to DP (data-protection volume). The destination volume that you create must be the same size or greater than the SVM root volume.

New-NcSnapmirror
PS>New-NcSnapmirror  //vs01/root_vs01_m3 //vs01/root_vs01 -Type ls 

SourceLocation               DestinationLocation             Status       MirrorState  
--------------               -------------------             ------       -----------
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m3 idle         uninitialized

 

Use the New-NcSnapmirror cmdlet with the -type LS parameter to create a load-sharing mirror relationship between the source volume and a destination volume.

Note: The -Schedule parameter does not need to be used, because Data ONTAP automatically applies the same schedule to the set of all load-sharing mirrors that share the same source volume.

Get-NcSnapmirror
PS>Get-NcSnapmirror | Select sourcelocation, destinationlocation, relationshipstatus, relationshipType, ishealthy, schedule | ft -a

SourceLocation               DestinationLocation              RelationshipStatus RelationshipType IsHealthy Schedule  
--------------               -------------------              ------------------ ---------------- --------- --------
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m1  idle               load_sharing          True 5min  
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m2  idle               load_sharing          True 5min  
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m3                     load_sharing               5min

 

Use the Get-NcSnapmirror cmdlet with the parameters listed to confirm the relationship has been created, as well as the health of the relationship.

Invoke-NcSnapmirrorInitialize
PS>  Invoke-NcSnapmirrorInitialize -DestinationVolume root_vs01_m3 -DestinationVserver vs01 | Get-NcJob

JobId JobName                        JobPriority JobState   JobVserver           JobCompletion  
----- -------                        ----------- --------   ----------           -------------
70    SnapMirror initialize          exclusive   queued     vs01


PS>  Get-NcJob 70

JobId JobName                        JobPriority JobState   JobVserver           JobCompletion  
----- -------                        ----------- --------   ----------           -------------
70    SnapMirror initialize          exclusive   success    vs01       SnapMirror: done  

 

Use the Invoke-NcSnapmirrorInitialize cmdlet specifying the DestinationVolume and DestinationVserver to perform the initial update of a SnapMirror relationship.

Note: Do not use the Invoke-NcSnapmirrorLsInitialize cmdlet. The Invoke-NcSnapmirrorLsInitialize cmdlet is for initializing volumes for an entire set of load-sharing mirrors, not for initializing an individual volume.

Invoke-NcSnapmirrorLsUpdate
PS>  Invoke-NcSnapmirrorLsUpdate ntap-clus01://vs01/root_vs01 | Get-NcJob

JobId JobName                        JobPriority JobState   JobVserver           JobCompletion  
----- -------                        ----------- --------   ----------           -------------
87    SnapMirror Loadshare update    exclusive   queued     vs01

PS>  Get-NcJob 87

JobId JobName                        JobPriority JobState   JobVserver           JobCompletion  
----- -------                        ----------- --------   ----------           -------------
87    SnapMirror Loadshare update    exclusive   success    vs01                 SnapMirror: done  

 

Upon job completion, update the LS set by using the Invoke-NcSnapmirrorLsUpdate cmdlet specifying the source endpoint to update destination volumes of the set of load-sharing mirrors. The cmdlet makes destination volumes in the group of load-sharing mirrors up-to-date mirrors of the source volume. Separate SnapMirror transfers are performed from the source volume to each of the up-to-date destination volumes in the set of load-sharing mirrors.

Use the Get-NcSnapmirror cmdlet once more to confirm the health of the relationship.

PS>  Get-NcSnapmirror | Select sourcelocation, destinationlocation, relationshipstatus, relationshipType, ishealthy, schedule | ft -a

SourceLocation               DestinationLocation              RelationshipStatus RelationshipType IsHealthy Schedule  
--------------               -------------------              ------------------ ---------------- --------- --------
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m1  idle               load_sharing          True 5min  
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m2  idle               load_sharing          True 5min  
ntap-clus01://vs01/root_vs01 ntap-clus01://vs01/root_vs01_m3  idle               load_sharing          True 5min  
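
The steps above chained into one script, as an added example that is not part of the original post. It uses only the cmdlets and properties shown in the walkthrough; `Wait-NcJobSuccess` is a hypothetical helper, and the parameter defaults are the walkthrough's sample names.

```powershell
#requires -Version 3
# Added example, not from the original post. Assumes Connect-NcController has already been run.
param(
    [string] $Cluster    = 'ntap-clus01',   # defaults are the names used in the walkthrough
    [string] $Vserver    = 'vs01',
    [string] $RootVol    = 'root_vs01',
    [string] $MirrorVol  = 'root_vs01_m3',
    [string] $Aggregate  = 'sas_aggr1',
    [string] $Size       = '1g',            # must be at least the size of the SVM root volume
    [int]    $TimeoutSec = 300
)

function Wait-NcJobSuccess                  # hypothetical helper, not a toolkit cmdlet
{
    param($Job, [int] $TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-NcJob $Job.JobId).JobState -ne 'success')
    {
        if ((Get-Date) -gt $deadline)
        {
            throw "Job $($Job.JobId) ($($Job.JobName)) not in state 'success' after $TimeoutSec s"
        }
        Start-Sleep -Seconds 5
    }
}

$source = "${Cluster}://$Vserver/$RootVol"

# 1. Data-protection destination volume with no junction path
$null = New-NcVol -Name $MirrorVol -Aggregate $Aggregate -JunctionPath $null -Type dp -Size $Size -VserverContext $Vserver

# 2. LS relationship; positional order is destination, then source, as in the walkthrough
$null = New-NcSnapmirror "//$Vserver/$MirrorVol" "//$Vserver/$RootVol" -Type ls

# 3. Initialize only the new member (Invoke-NcSnapmirrorLsInitialize targets the whole set)
$job = Invoke-NcSnapmirrorInitialize -DestinationVolume $MirrorVol -DestinationVserver $Vserver | Get-NcJob
Wait-NcJobSuccess -Job $job -TimeoutSec $TimeoutSec

# 4. Bring every member of the LS set up to date
$job = Invoke-NcSnapmirrorLsUpdate $source | Get-NcJob
Wait-NcJobSuccess -Job $job -TimeoutSec $TimeoutSec

# 5. Show the set and stop with an error if any member is not reported healthy
$set = Get-NcSnapmirror | Where-Object { $_.SourceLocation -eq $source }
$set | Select-Object SourceLocation, DestinationLocation, RelationshipStatus, IsHealthy, Schedule | Format-Table -AutoSize
if ($set | Where-Object { $_.IsHealthy -ne $true })
{
    throw "One or more load-sharing mirrors of $source are not healthy"
}
```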

 

Further reading:

  1. Adding a load-sharing mirror to a set of load-sharing mirrors
  2. Initializing an individual load-sharing mirror

Configure FPolicy for Varonis on NetApp Cluster Mode using PowerShell

To enable the Varonis Metadata Framework to connect to a NetApp file server operating in cluster mode, you must configure an FPolicy for it.

This PowerShell script, which I based off of Technical Report TR-4429 (referenced below for further reading), will automate:

  • Creating the FPolicy Event Object
  • Creating the FPolicy External Engine
  • Creating the FPolicy Object
  • Creating the FPolicy Scope Object
  • Configuring the Login Method for DatAdvantage
  • Configuring the Varonis service account as CIFS superuser (To enable the Management Console to correctly detect NetApp cluster shares, the Varonis service account must be a member of the Domain Administrators group, or added as a CIFS superuser.)
  • Enabling the FPolicy

#requires -Version 2 -Modules DataONTAP
param (  
  $vservs = ('VSERVER_NAME'),
  $varcollectserver = 'VARONIS PROBE/COLLECTOR IP',
  $varsvcactdomain = 'DOMAIN',
  $varsvcactuser = 'USER'
)

Import-Module -Name DataONTAP

$FASName = Read-Host -Prompt 'Enter the FQDN of your NetApp array'
If ($FASName -eq '')  
{
  Write-Host -Object 'No selection made, script now exiting.' 
  exit
}

Connect-NcController -Name $FASName -Credential (Get-Credential)

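foreach ($vserv in $vservs)
{
  # Event: the CIFS file operations that are reported to the FPolicy server
  New-NcFpolicyEvent -Name fp_event_varonis_cifs -Protocol cifs -FileOperation create, create_dir, delete, delete_dir, read, write, rename, rename_dir, setattr -Filter first_read, first_write -VserverContext $vserv

  # External engine: the Varonis collector on port 2002.
  # no_auth = no SSL authentication on this connection; -Asynchronous = ONTAP does not wait for a reply
  New-NcFpolicyExternalEngine -Name fp_ex_eng -PrimaryServer $varcollectserver -Port 2002 -SslOption no_auth -Asynchronous -VserverContext $vserv

  # Policy: ties the event to the engine; -NonMandatory keeps file access working if the server is unreachable
  New-NcFpolicyPolicy -Name Varonis -Event fp_event_varonis_cifs -EngineName fp_ex_eng -NonMandatory -VserverContext $vserv

  # Scope: every volume and every export policy on this SVM
  New-NcFpolicyScope -PolicyName Varonis -VolumesToInclude '*'  -ExportPoliciesToInclude '*' -VserverContext $vserv

  # ONTAPI login for the service account (DOMAIN\USER) with the vsadmin role
  New-NcUser -UserName ($varsvcactdomain + '\' + $varsvcactuser) -Vserver $vserv -Application ontapi -AuthMethod domain -Role vsadmin

  # Add the service account as CIFS superuser, then list the superusers to confirm
  Invoke-NcSsh -Command "set -privilege advanced;vserver cifs superuser create -domain $varsvcactdomain -accountname $varsvcactuser -vserver $vserv;vserver cifs superuser show -vserver $vserv"

  Enable-NcFpolicyPolicy -Name Varonis -SequenceNumber 1 -VserverContext $vserv
}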

Further reading:

  1. FPolicy Solution Guide for Clustered Data ONTAP: Varonis DatAdvantage
  2. How FPolicy on clustered Data ONTAP works with external FPolicy servers

Remote session was disconnected because no Remote Desktop client access licenses available

Received this error today trying to RDP into a server:


Solution was to delete the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing

In Windows PowerShell (Run as Admin):
Remove-Item HKLM:\SOFTWARE\Microsoft\MSLicensing

You’ll be prompted to confirm the deletion:

Confirm

The item at HKLM:\SOFTWARE\Microsoft\MSLicensing has children and the Recurse parameter was not specified. If you continue, all
children will be removed with the item. Are you sure you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”):

After this, you need to re-run the Remote Desktop Connection (Run as Admin) to recreate the key.

Use PowerShell to get Active Directory Office Phone Number

Happy Friday Everyone. I am horrible with remembering phone numbers so this is a good little one-liner to know.

Obviously, this relies on (1) OfficePhone being populated in AD (2) knowing the last name of the person you are trying to call. But it’s faster than several mouse clicks in Outlook Address Book, if you’re already in PowerShell, which I tend to be.

Get-ADUser -filter 'Surname -like "Lastname"' -Properties Officephone | Select Name, Officephone  

Disable SSLv2 and SSLv3 in Data ONTAP 7-mode for CVE-2016-0800 and CVE-2014-3566

NetApp KB1015015 provides information and procedures for disabling SSLv2 and SSLv3 in Data ONTAP operating in 7-Mode and clustered Data ONTAP versions 8.1 through 8.3 for CVE-2016-0800 and CVE-2014-3566.

The procedure has two steps: (1) enable TLS (disabled by default; it must be enabled before SSL is disabled) and (2) disable SSLv2 and SSLv3.

The following simple PowerShell script automates this procedure across multiple 7-mode systems.

It relies on either specifying a filer name or providing a .csv list of filer names it can authenticate against.

The .csv file should be formatted as:

name
filer1
filer2

#requires -Version 2 -Modules dataontap
<#  
        .SYNOPSIS           
        Simple script which automates disabling SSLv2 and SSLv3 in Data ONTAP 7-Mode for CVE-2016-0800 and CVE-2014-3566.

        .DESCRIPTION
        Uses Set-NaOption to enable tls and disable SSLv2 and v3.

        .PARAMETER filer
        Specifies the name of the NetApp filer. Optional.

        .NOTES
        (1) Script will prompt for credentials. Uses same cred for multiple filers.
        (2) If no parameter is specified it will prompt for .csv list of filers. 
        .CSV should be formatted as:
        name
        filer1
        filer2

        .EXAMPLE
        C:\PS> netapp-disable-ssl-7mode.ps1

        .EXAMPLE
        C:\PS> netapp-disable-ssl-7mode.ps1 filer1

        Author: David Maldonado
        Date: 09/01/2016
        Version: 1.0 - Initial Script - for 7mode
#>

param( [string[]] $filerinput)  
If ($filerinput -eq $NULL)  
{ 
    function Get-FileName($initialDirectory)
    {   
        $NULL = [System.Reflection.Assembly]::LoadWithPartialName('System.windows.forms')

        $OpenFileDialog = New-Object -TypeName System.Windows.Forms.OpenFileDialog
        $OpenFileDialog.initialDirectory = $initialDirectory
        $OpenFileDialog.filter = 'All files (*.*)| *.*'
        $NULL = $OpenFileDialog.ShowDialog()
        $OpenFileDialog.filename
    } 
    Write-Host -Object 'No controller specified, please provide source .csv file.' -BackgroundColor Yellow -ForegroundColor Blue 
    $filers = Import-Csv (Get-FileName -initialDirectory 'c:\')
}
Else  
{
    $filers = $filerinput 

    $filerresults = @() 
    $filerhash = foreach ($filer in $filers)
    {
        $filerresult  = New-Object -TypeName PSObject
        $filerresult  | Add-Member -MemberType NoteProperty -Name 'name' -Value $filer
        $filerresults += $filerresult
    }

    $filers = $filerresults | Select-Object -Property *
}

Import-Module -Name DataONTAP
# Prompt once; the same credential is used for every filer
$mycreds = (Get-Credential)
function Disable-7MSSL
{
    param($filer)

    Connect-NaController -Name $filer.name -Credential $mycreds

    # TLS must be enabled before SSL is disabled
    Set-NaOption -OptionName tls.enable -OptionValue on
    # Disable SSLv2 and SSLv3 only once TLS is confirmed to be on
    if (((Get-NaOption -OptionNames tls.enable).value) -eq 'on')
    {
        Set-NaOption -OptionName ssl.v2.enable -OptionValue off
        Set-NaOption -OptionName ssl.v3.enable -OptionValue off
    }
}

Foreach ($filer in $filers)
{
    Disable-7MSSL -filer $filer
}
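
A follow-up check for the procedure above, as an added example that is not part of the original script: it reads back the three options the script sets and reports any that differ from the intended end state. The function names and the sample values are constructed for illustration; only `Connect-NaController` and `Get-NaOption` come from the script above.

```powershell
#requires -Version 3
# Added example, not from the original post.
$expected = [ordered]@{                 # end state the procedure above is meant to reach
    'tls.enable'    = 'on'
    'ssl.v2.enable' = 'off'
    'ssl.v3.enable' = 'off'
}

function Test-SslOptionState            # hypothetical helper: pure comparison, no filer needed
{
    param([hashtable] $Actual, [string] $Filer)
    foreach ($name in $expected.Keys)
    {
        New-Object -TypeName PSObject -Property @{
            Filer     = $Filer
            Option    = $name
            Value     = $Actual[$name]
            Compliant = ($Actual[$name] -eq $expected[$name])
        }
    }
}

function Get-SslOptionState             # hypothetical helper: reads the options from a live filer
{
    param([string] $Filer, [pscredential] $Credential)
    Import-Module -Name DataONTAP
    $null = Connect-NaController -Name $Filer -Credential $Credential -ErrorAction Stop
    $actual = @{}
    foreach ($name in $expected.Keys)
    {
        $actual[$name] = (Get-NaOption -OptionNames $name).value
    }
    Test-SslOptionState -Actual $actual -Filer $Filer
}

# Constructed sample: TLS is on, but SSLv3 was left enabled on this filer
$sample = @{ 'tls.enable' = 'on'; 'ssl.v2.enable' = 'off'; 'ssl.v3.enable' = 'on' }
Test-SslOptionState -Actual $sample -Filer 'filer1' |
    Where-Object { -not $_.Compliant } |
    Select-Object Filer, Option, Value

# Live use (requires reachable filers and valid credentials):
# $cred = Get-Credential
# 'filer1', 'filer2' | ForEach-Object { Get-SslOptionState -Filer $_ -Credential $cred } |
#     Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```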