Beruflich Dokumente
Kultur Dokumente
Abstract
This paper provides an overview of the VNX Home Directory
feature. VNX gives system administrators the ability to configure
powerful rules that automate the process of creating and
assigning home directories to users. Whether an organization
has hundreds of users or tens of thousands, this feature helps
relieve the management burden of providing CIFS home
directories for the organizations users.
March 2015
Table of Contents
Executive summary.................................................................................................. 4
Introduction ............................................................................................................ 5
Audience ............................................................................................................................ 5
Terminology ....................................................................................................................... 6
Conclusion ............................................................................................................ 33
Executive summary
Data is vital to the operation of todays businesses: Even small data files generated
every day by individual users can have costly repercussions if they are lost or
damaged. Yet, by failing to provide a protected storage location on the network for
this data, many companies effectively mandate that users store data on faultsensitive disks in laptop or desktop computers.
CIFS home directories can be combined with fault-tolerant storage (such as VNX) to
provide safe, secure, network-accessible storage for this user-level data.
Management of these home directories can be burdensome to the storage
administrators, so EMC VNX provides an integrated Home Directory feature that
significantly reduces administrative burden by shifting the directory and share
management to VNX.
In the typical business environment, user home directories are not shared; each
home directory is intended for only one specific user. Consequently, the system or
domain administrator must:
1. Determine where the users home directory will exist.
2. Create a directory on the file server to act as the users home directory.
3. Create a CIFS share to give the user access to the home directory.
4. Secure the CIFS share.
5. Set the home directory field of the users profile on the domain controller to
reflect the appropriate home directory location.
VNXs Home Directory feature eliminates the need for three of these steps. Further, it
eases the burden of the last step because the contents of the home directory field in
the user profile can be the same for all users.
When using VNXs Home Directory feature, you initially set up rules that govern home
directory behavior. To add a user home directory, you then follow this less
burdensome sequence of steps:
1. Determine where the users home directory will exist.
2. Set the home directory field of the users profile on the domain controller to
reflect the appropriate home directory location.
The Home Directory feature also has important benefits for disaster recovery (DR) and
migration. VNXs CIFS configurations can be replicated to remote sites for DR
purposes, and the home directory database is a replicated configuration component.
Should disaster strike, end users need only to reconnect to the home directory,
eliminating the need to change the Universal Naming Convention (UNC) path.
In migration scenarios, the home directory database and user file systems can be
migrated to the new VNX Data Mover with minimal downtime. Once the home
directory database has been migrated, users can simply be referred to the new VNX
Data Mover where each user will see his home directory as it was on the old VNX Data
Mover. This simplicity contrasts with the need to manually migrate a CIFS home
directory configuration that includes hundreds or thousands of individual CIFS shares
(one per user). As a companys home directory storage needs grow, migrating to
newer or larger VNX cabinets requires less work than it would otherwise.
VNX for File Operating Environment (OE) 8.1.3.72 introduces a parameter that allows
users to connect to their Home Directory using a \\server\username[$] path while still
being able to use the traditional \\server\HOME path. This new syntax is helpful to
users who are migrating their home directories from another vendors arrays to a VNX.
By supporting the \\server\username[$] path, manual changes from a
\\server\username[$] path to a \\server\HOME path is eliminated. See Migrating
Home Directory configurations from another vendors array to VNX for more
information.
In summary, the VNX Home Directorys benefits are:
Simpler, more reliable home directory migrations to VNX or between VNX Data
Movers (intra- and extra-cabinet)
Introduction
This papers goal is to communicate the business case for VNX Home Directory, as
well as high-level implementation and design considerations of the feature. Specific
implementation details are documented in the VNX Home Directory Management Help
Files and are not be covered here.
To achieve that goal, this paper answers these questions:
How can I take Home Directory beyond its basic functionality and use it in
advanced ways?
Audience
EMC customers, those considering the purchase of EMC VNX storage, and EMC field
personnel are the intended recipients of this paper.
This audience expected to have a basic understanding of VNX concepts and the
administration of users within a Microsoft Windows Active Directory domain. A basic
understanding of VNX CIFS technology is assumed, although this paper should also
be accessible to those who understand Microsoft CIFS concepts but lack deep
understanding of VNXs CIFS implementation.
Terminology
Common Internet File System (CIFS) A file sharing technology for IP networks that is
the primary file sharing technology for Microsoft Windows operating systems and that
has gained traction with other operating systems. CIFS is based on the Server
Message Block (SMB) protocol.
Disaster recovery (DR) The recovery of business IT operations after the primary data
site is lost to a disaster. Such disasters may include power outages, natural disasters
such as wind damage or flooding, terrorist attacks, and so forth.
Home Directory A dedicated, network-attached (CIFS) file storage resource; typically
one per user and mapped as a network drive at login.
Microsoft Management Console (MMC) An extensible Microsoft application
(mmc.exe) that provides the ability to create a custom system management
dashboard (or view). Many Microsoft Windows features are managed via the MMC;
for example, Computer Management (compmgmt.msc) is an MMC application.
MMC Snap-in A plug-in to the Microsoft Management Console. These plug-ins can
be arbitrarily grouped into a single, customized MMC view by using the mmc.exe
/console command. Microsoft provides many such plug-ins, but third-party vendors
such as EMC may also provide plug-ins to manage their own products. EMC VNX File
CIFS Management is an example of an MMC Snap-in that is provided by EMC.
Virtual Data Mover (VDM) A virtual container of VNX file systems and CIFS servers. A
VDM is treated as a unit, and it can be moved between Data Movers within a VNX
cabinet and replicated to other Data Movers for disaster recovery.
VNX File CIFS ManagementAn EMC MMC snap-in that provides management
functions for Home Directory, as well as for some other VNX features. (Previously
called Celerra CIFS Management.)
Joanna Smith
MARKETING\jsmith
Mark Fodor
MARKETING\mfodor
Rue Prada
FINANCE\rprada
This example uses a CIFS server called ATLANTA3, assumed to be joined to the
MARKETING domain. Also assume that the MARKETING domain has a bidirectional
trust relationship with the FINANCE domain so that members of both domains can
authenticate with ATLANTA3.
Shared drive
One common implementation for CIFS home directories is the shared drive
implementation, shown in Figure 1. This implementation is simple both conceptually
and in practice: One large shared drive (CIFS share) is created and shared by many
users. Each user has a folder/directory on the shared drive that is used as the users
home directory. The advantage of this approach is that it can be extremely easy to
implement if security is not a concern. Some challenges with this approach are:
The user must navigate into a subdirectory of the share to find his own home
directory.
This problem can be prevented by specifying the full path to a users home
directory in his Windows profile. For example, in Figure 1 mfodors profile
would contain the path \\atlanta3\shared\mfodor in his home directory
settings.
Figure 1. All users map the same CIFS share in the shared drive approach
Unique shares
The unique shares approach is another common implementation for CIFS home
directories (shown in Figure 2). In this approach, a unique CIFS share is created for
each users home directory. Only the user who owns the home directory is permitted
to map the share. This approach is more secure than the shared drive
implementation, but it suffers from being much more difficult to implement. Its
drawbacks include:
Figure 2. A CIFS share is created for each user in the unique shares approach
VNX Home Directory uses CIFS login information and a database to provide a unique,
secure home directory view to each user. The home directory view users see is
defined by rules stored in the Home Directory database. A VNX administrator
configures the database to meet the specific needs of the organization.
VNX Home Directory eases home directory administration in two key ways:
It enables users to see their unique home directory views while logging into
the same CIFS share.
For a given CIFS server, each user of the CIFS server connects to
\\[cifs-server]\HOME to access his/her home directory. In other words, all users
connect to the same CIFS share, as depicted in Figure 3.
All users connect to \\atlanta3\HOME, the location of their home directory. Note that
any shared-drive CIFS solution can provide this functionality, but only if all three
users are allowed to see the same files and directories when connected to
\\atlanta3\HOME. For example, in Figure 3 all three users would see the same
directory listing of \\atlanta3\HOME if a shared drive implementation were used:
$ dir \\atlanta3\HOME
aapple
jsmith
mfodor
rprada
For example, Joanna Smith could access the contents of Mark Fodors home directory
if the ACLs allow. Yet this behavior is not typically desirable. The alternative unique
shares approach giving each user a dedicated share to map (\\atlanta3\jsmith,
\\atlanta3\mfodor, \\atlanta3\rprada) is also undesirable because it greatly
increases the administrative burden of providing the user home directories.
Changing the requirements extends the example case. A column could be added to
the user table to specify not only the users logon information, but also the file path
that should be exported to the user when connected to the home directory CIFS share.
In other words, the table that specifies that each user should have a unique view
when connected to \\atlanta3\HOME\ is augmented.
Table 2. Users, logon names, and home directory paths
Full name
/marketing/jsmith
Mark Fodor
MARKETING\mfodor
/marketing/mfodor
Rue Prada
FINANCE\rprada
/finance/rprada
This latest requirement changes the example significantly. All users are connecting to
the same share \\atlanta3\HOME yet each user sees a different set of files and
folders when connected. VNX Home Directory enables exactly this capability, shown
in Figure 4.
10
Figure 4. Logical view built when a user connects to Data Mover with VNX Home
Directory
VNX Home Directorys secure single share model in which all users connect to the
same share yet see unique, private file system views provides noteworthy value
when configuring user profiles in the Active Directory. The Setting the Home Directory
path in AD User Profile section on page 22 offers more information.
Stored mappings
VNX Home Directory uses a database to store mappings between users and file
system paths. Each Data Mover or Virtual Data Mover has a database table where a
row in the table takes this general form:
Table 3. Database table form
Match criterion
Path
Options
A match criterion consists of two patterns: One pattern specifies a domain name and
the other pattern specifies a username.
Table 4. Match criterion table form
Match criterion
domain name
Path
Options
username
When a user like Joanna Smith logs into the CIFS server called atlanta3, the Data
Mover extracts Joannas domain (MARKETING) and username (jsmith) from her login
credentials. The Data Mover uses this information to search the home directory
database; it compares Joannas domain and usernames with the various match
criteria stored in database table. If the Data Mover finds a match, then the specified
11
path will be associated with Joannas CIFS session. If no match is found, then
Joannas CIFS session fails and she is denied login.
In the following sections look more closely at how this process works.
username
path
options
domain name
username
path
options
domain name
username
path
options
At the most basic level, the Data Mover consults the database and looks for a match
based on domain name and username. If it finds such a match, then it looks for the
path specified by the matching entry. If it fails to that path, then the Data Mover will
look for the next matching database entry. Since the search algorithm is slightly more
complex than this description allows, it is worth taking a deeper look at the database
search.
Home Directory database search: In detail
Finding a match in the database is not as simple as the first match algorithm.
Rather, the Data Mover searches the entire database top to bottom when looking for a
match, and no single match is used until all matches have been identified.
When the Data Mover finds multiple matches in the database, it will attempt to use
(try) the most recently found match first. Note that the most recently found
matching entry is the one found farthest down the database table. Should the Data
Mover be unable to locate the path specified by that matching entry, it will take the
next most recently found match and try it, and so on.
12
This section uses Joanna as an example to look at the match process. For this
example, Joanna maps \\atlanta3\HOME, and the Home Directory database looks like
the following:
Matching entry
MARKETING
*smith
/home/special/msmith options
/guests
options
MARKETING
jsmith
/marketing/jsmith
options
The Data Mover will look at Matching Entry #1 first, so it will search for the path
/home/special/msmith. Assuming that the path /home/special does not exist on the
Data Mover, Matching Entry #1 will be discarded because the home directory
/home/special/msmith does not exist. Matching Entry #2 (/guests) will be processed
next, and the path /guests does exist. Joanna will be allowed to map
\\atlanta3\HOME and her working directory for that session will be /guests.
Recall that this result is not desired; Joannas working directory was to be
/marketing/jsmith. That goal can be achieved by simply changing the order of the
Home Directory database table entries so that the desired entry to apply is found last
and processed first:
13
User
Path
Options
FINANCE
/finance
options
MARKETING
h*
/marketing-h
options
/guests
options
MARKETING
*smith
/home/special/msmith options
MARKETING
jsmith
/marketing/jsmith
options
In practice, it is best to ensure that only one database table entry/row will match each
user, unless the goal is to spread users across multiple file systems. This white paper
discusses how to spread users across multiple file systems in a subsequent section.
If multiple matches are necessary to implement the home directory rules required for
the organization, then the best practice is to put the more general criteria toward the
top of the database table and more specific criteria toward the bottom of it. This
arrangement allows more specific database entries to be found last and processed
first.
Path syntax
This white paper has established that Home Directory database entries are matched
to a users login credentials based on the value of the domain name and username.
However, the actual database key is not <domain,user> but <domain,user,path>.
Including the path in the key provides the flexibility to specify multiple matching
entries in the database so that users can be spread across multiple file systems.
Spreading users across multiple file systems is discussed below; it is only mentioned
here to emphasize the reason the path field is part of the key in the Home Directory
database.
A path has the following general syntax:
It may contain two special strings that are substituted by the Data Mover upon
processing the database entry:
o <u>: Substituted with the username of the user who is connecting to the
HOME share
o <d>: Substituted with the domain name of the user who is connecting to
the HOME share
It must be specified relative to the root of the Data Mover or Virtual Data
Mover.
The substitution strings provide enormous flexibility when defining database entries.
Consider the following example:
14
User
Path
Options
a*
/home/<d>/a-c/<u>
options
b*
/home/<d>/a-c/<u>
options
c*
/home/<d>/a-c/<u>
options
d*
/home/<d>/d-f/<u>
options
e*
/home/<d>/d-f/<u>
options
z*
/home/<d>/y-z/<u>
options
FINANCE
/finance/<u>
options
MARKETING
/marketing/<u>
options
20 more
The first 26 entries in this table (only six are shown here) are catch all entries; users
of all domains other than FINANCE and MARKETING match to one of these entries, and
their home directories are arranged into alphabetical buckets (a-c, d-f, etc.) according
to their domain and usernames. For example, if ENGINEERING\ecartman logs in, the
Data Mover will process the database and determine that the home directory is
/home/engineering/d-f/ecartman.
The last two entries in the table catch all users in the MARKETING and FINANCE
domains, associating those users with directories under /marketing and /finance,
respectively.
Substitution strings provide the ability to avoid having to specify one Home Directory
database entry per user. Instead, you can specify a generic path that contains
substitution strings; the path will then become customized for each user based on
login credentials.
Regular expressions
When defining Home Directory database entries using only alphanumeric characters
and the two supported wild cards (* and .), it can be difficult to encode the
necessary patterns. This challenge might result in an excessive number of database
entries to achieve a goal that should have been relatively simple. VNX Home Directory
solves this problem by leveraging the enormous flexibility of regular expressions to
specify the domain name and username of a database entry.
Consider a scenario where the goal is to divide users alphabetically among different
file systems such that groups of four adjacent letters are on the same file system (a-d,
e-h, and so on). Without regular expressions, this goal can be accomplished only by
creating 26 separate database table entries, one for each letter of the alphabet.
15
User
Path
Options
a*
/homeA-D/<d>/<u>
options
b*
/homeA-D/<d>/<u>
options
c*
/homeA-D/<d>/<u>
options
d*
/homeA-D/<d>/<u>
options
e*
/homeE-H/<d>/<u>
options
18 more
x*
/homeU-X/<d>/<u>
options
y*
/homeY-Z/<d>/<u>
options
z*
/homeY-Z/<d>/<u>
options
Using regular expressions, this set of 26 entries can be consolidated into a set of only
seven and shows how powerful it is to use regular expressions:
Table 10. Example entries using regular expressions
Domain
User
Path
Options
.*
[a-d].*
/homeA-D/<d>/<u>
regexp=Yes
.*
[e-h].*
/homeE-H/<d>/<u>
regexp=Yes
.*
[i-l].*
/homeI-L/<d>/<u>
regexp=Yes
.*
[m-p].*
/homeM-P/<d>/<u>
regexp=Yes
.*
[q-t].*
/homeQ-T/<d>/<u>
regexp=Yes
.*
[u-x].*
/homeU-X/<d>/<u>
regexp=Yes
.*
[y-z].*
/homeY-Z/<d>/<u>
regexp=Yes
Table 11 shows other examples of how regular expressions can be used in the Home
Directory database to simplify Home Directory management:
16
Table 11. Examples of regular expression use in the Home Directory database
Domain name
Username
Matches
[ENGINEERING|FINANCE]
.*
.*
[wdc|moc].*
Users whose
names are not
prefixed with one
of the two
designations
.*
.* [2] [0-9]
{3}.*
Users whose
names do not
have the required
sequence of
digits
While regular expressions can simplify Home Directory management, they should be
used with care. Be sure that the regular expression you use does not unintentionally
match users other than those it is designed to match.
Auto-create
While the combination of regular expressions with Home Directorys single share
model is powerful, its usefulness is diminished if each users home directory must be
manually created. VNX Home Directorys auto-create feature can ensure that home
directories are created automatically as needed by the VNX1.
Auto-create is an option set on the Home Directory database table entry. It tells the
Data Mover to create the users home directory if such a directory does not already
exist. There are several choices for the security applied to these auto-created
directories; see the Security considerations section on page 19 for details. Only the
lowest level token in the home directory path will be created. If the parent container
of the lowest-level token not exist, then the home directory entry will be treated as if it
does not match the login credentials.
17
/homeI-L/
marketing/
jsmith/
The EMC VNX File CIFS Management MMC Snap-in is available on EMC Online Support.
18
19
another Data Movers Home Directory database you can copy the file3 /.etc/homedir
from one Data Mover to another.
Security considerations
In the most common and secure configuration, the VNX Home Directory allows each
user to access only his/her own home directory, as defined by the rules configured in
each home directory database on each Data Mover. You should take special care to
ensure that the rules defined by system administrators do not allow unintended
access violations. The default behavior is the most secure and does not need to be
changed if the owner-only access model is desired.
The VNX Home Directory gives you greater control over who can access automaticallycreated home directories. This higher degree of control is accomplished using Access
Control Lists (ACLs) that are applied to these directories. Specifically, a registry flag
offers two security options for automatically-created home directories:
1. Restrict ACL to the owner. (This is the default value.)
2. Set ACL based upon inherited values.
With both settings, if the parent ACL is set up correctly, the inheritance model ensures
that the owner of the new home directory is the Windows user rather than UNIX root.
When using inheritance, you must be careful when building the inherited ACL to
ensure that you achieve the desired result.
A third setting is also available. This setting places the UNIX root user as the owner of
each Home Directory folder and the EVERYONE group is given full control. This third
setting applies only to new auto-created home directories. It does not apply to
manually created or existing home directories.
This security feature is controlled through a registry entry belonging to the CIFS
Server:
HKEY_LOCAL_MACHINE\Software\EMC\Homedir\Flags
The server_file Control Station command can be used to retrieve and upload this file.
20
0x0 (default) This setting disallows ACL inheritance from the parent folder and
creates the new home directory with the user as the owner (as opposed to root).
Only the user/owner has full privileges. No other privileges are set, which
effectively locks out every other user from the directory. To access the users home
directory, an administrator or user with take ownership privileges must take
ownership of the home directory and modify the ACL as required.
0x1 This setting creates the new home directory with the current user as the
owner (as opposed to root) and gives that user full privileges. Inheritance from
the parent folder is allowed and dictates any further permissions applied on the
home directory folder. This setting may revert to the 0x0 behavior if the ACL
inheritance from the parent folder has not been configured. Using inheritance
requires care in building the inherited ACL so that the desired result is achieved.
21
0x2 Any new home directory folder is created with root as the owner and
allows full privileges to the EVERYONE access control entry (ACE).
NOTE: When using the setting 0x1, you should exercise special care. Understand fully
the implications of permissions and ACL inheritance. In particular, the inheritance of
the CREATOR OWNER ACL limits permissions to newly created files and folders
inside a users home directory folder to the user who created the file or folder. For
example, a file created by the Domain Administrator (assuming the permission to do
so exists in the ACL) in another users home directory will be owned by the Domain
Administrator. It will not be accessible to the user who owns the home directory. This
is because there is no ACL in the home directories ACL that specifically grants
permission to that user (instead, it is the CREATOR OWNER ACL).
If the home directory field is set in the AD User Profile, then Windows will take the following actions when the user logs in to a
domain member computer:
Map the home directory and assign it to the specified network drive
Set the HOMEDRIVE, HOMEPATH, and HOMESHARE user environment variables
4
22
Performance In large domains or under heavy I/O conditions, splitting the home
directory users between two or more file systems may yield better performance.
23
Billing/chargeback Spreading users across two or more file systems can help
track the capacity used by each set of users. Tracking use can be helpful when
parts of an organization are billed internally for their users file system usage, or
for ISVs that are providing storage hosting services for external customers.
VNX Home Directory makes it relatively easy to spread users across two or more file
systems. Recall the discussions in Process for matching user credentials against
database entries on page 12 and Path syntax on page 14 that say regarding the
database key. The database key for the Home Directory database is <domain, user,
path> and in the case of multiple entries that match on <domain, user> the
matches are searched backward until an entry with a viable/matching path is found.
This behavior enables users to be spread among multiple file systems.
Two options are available for spreading users among multiple file systems:
1. Create two or more entries where <domain, user> are identical between
database entries, but <path> is different. This option requires caution when
using the auto-create functionality.
2. Create two or more entries where only <domain> is identical between database
entries, but <user> and <path> both differ between database entries. This option
enables unrestricted use of the auto-create functionality.
To understand spreading users further, consider examples using the two MARKETING
domain users from this papers examples. In this case, Joanna Smith and Mark Fodor
will be on different file systems.
Table 12. Spreading users on different file systems
Full name
Joanna Smith
MARKETING\jsmith
/marketing1/jsmith
Mark Fodor
MARKETING\mfodor
/marketing2/mfodor
24
User
Path
Options
MARKETING
/marketing2/<u>
auto-create=no
MARKETING
/marketing1/<u>
auto-create=no
A user would manually create the following directories in the marketing1 and
marketing2 VNX file systems:
/marketing1/jsmith
/marketing2/mfodor
When Joanna Smith maps \\atlanta3\HOME, both entries will match her user domain
and username. Recall that the Data Mover database search takes the last match and
attempts to find the specified path. In this case, the last match has the
path=/marketing1/<u>. Since /marketing1/jsmith exists, no further search is needed.
Joannas home directory will be /marketing1/jsmith.
When Mark Fodor maps \\atlanta3\HOME, both entries will match his user domain
and username. The Data Mover will take the last match and try to find the specified
path. In this case, the last match is the one with path=/marketing1/<u>. Since
/marketing1/mfodor does not exist, the Data Mover will look at the next-to-last
match: path=/marketing2/<u>. Since /marketing2/mfodor exists, no further search is
needed. Marks home directory will be /marketing2/mfodor.
Given this description, it is not difficult to predict what would happen if auto-create
were enabled on these database entries. The last match (the one with
path=/marketing1/<u>) is the first examined and with auto-create enabled the Data
Mover would simply create a /marketing1/mfodor directory for Mark rather than
processing the second-to-last match. This behavior would effectively put all users on
the same file system (/marketing1), which is undesirable.
With that caution in mind, the creation of a third directory can be beneficial.
Table 14. Example directory structure to account for users without Home Directories
Domain
User
Path
Options
MARKETING
/marketing3/<u>
auto-create=yes
MARKETING
/marketing2/<u>
auto-create=no
MARKETING
/marketing1/<u>
auto-create=no
In this case, all users who do not have home directories pre-created on /marketing1
or /marketing2 will fall through to the third-to-last match. Home directories will
automatically be created for them on /marketing3 if they do not already exist.
25
This approach is often the least convenient from an administrative perspective, but it
is necessary when usernames lack specific string attributes that would allow them to
be grouped into well-defined sets. Because this approach is perhaps the most
difficult to understand, the experience of a real-world VNX customer is helpful:
Situation
A school has two sets of users: teachers and students. Both teachers and students
log into the same Windows domain. Teachers receive much larger quota allocations
than students, so their home directories are stored in a different path from the path
for student home directories. There is no mechanism by which a teacher can be
distinguished from a student when examining the username. What would the
recommended home directory configuration look like?
Analysis
Perhaps the most important piece of information in the description of this customers
situation is that there is no mechanism by which the username or domain can
distinguish a student from a teacher. In other words, the <domain,username> portion
of the Home Directory entry will be identical if multiple entries are required.
It is also clear that the user base must be distributed as groups across multiple file
systems or across multiple paths within the same file system. As a result, multiple
Home Directory entries are required, one for each distinct path.
Like most schools, the student-teacher ratio is fairly large at this school, 20 students
for every one teacher (20:1). The following Home Directory configuration would
perhaps be the most efficient configuration possible.
Table 15. Home Directory configuration for school example
Domain
User
Path
Options
SCHOOL
/homedirs/students/<u> auto-create=yes
SCHOOL
/homedirs/teachers/<u>
auto-create=no
Note that this configuration requires the administrator to manually create teacher
home directories in the path /homedirs/teachers/. When a teacher logs in, her
directory will be found by the first matching entry under the path
/homedirs/teachers/.
When a student logs in, his directory will be not be found by the first matching entry
(/homedirs/teachers/<u>) because it does not exist there. Home Directory then will
look at the second matching entry and will find the students home directory in the
path /homedirs/students. If the student does not already have a home directory
under /homedirs/students, then one will be created automatically because autocreate is enabled on the second matching entry. Thus, the administrator does not
have to manually create home directories for students.
26
Since the student-teacher ratio is 20:1, the administrator needs only to manually
create home directories for approximately 1/21 of the user base (the teachers).
Should he forget to create a teachers home directory then the teacher will
automatically be given a home directory in /homedirs/students. The administrator
can later rectify the situation by simply moving that home directory to
/homedirs/teachers.
When only <domain> is identical between database entries
Looking at an alternative approach reveals that, using the auto-create feature, it is
possible to avoid manually creating home directories.
Assume that half of the users in the MARKETING domain have usernames beginning
with one of the letters from the alphabetical set of letters a through k. The rest of
the usernames begin with l through z. This fact would allow an administrator to
put half of the users on /marketing1 and the other half on /marketing2 while also
taking advantage of the auto-create functionality.
Such a home directory database might look like:
Table 16. Example auto-create for home directory database
Domain
User
Path
Options
MARKETING
[l-z].*
/marketing2/<u>
MARKETING
[a-k].*
/marketing1/<u>
auto-create=yes,
regexp=yes
auto-create=yes,
regexp=yes
When Joanna Smith maps \\atlanta3\HOME, only the last of these entries will match
her user domain and username. If this is her first time mapping the share, then the
Data Mover will see that /marketing1/jsmith does not exist and will create it to use as
Joannas home directory.
When Mark Fodor maps \\atlanta3\HOME, only the second to last of these entries will
match his user domain and username. If this is his first time mapping the share, then
the Data Mover will see that /marketing2/mfodor does not exist and will create it to
use as Marks home directory.
This approach is often the most convenient, and it works best when the login names
that comprise the user base have specific string attributes that allow them to be
grouped into distinct sets. In this example, that attribute is the value of the first
character of the username. Regular expressions can then be used to specify match
criteria based upon these attributes.
27
Performance In domains with a large number of users or with heavy I/O loads,
putting all home directory users on the same Data Mover may not be feasible from
a performance standpoint. In this case, the I/O load can be spread across Data
Movers by spreading the user base across those Data Movers.
Capacity In environments where the individual user home directories are very
large, it may be necessary to spread users across multiple backend storage
systems that are connected to different VNX cabinets.
Billing/chargeback Spreading users across two or more Data Movers may help
to manage billing/chargeback. For example, if each department in the
organization is charged internally for one Data Mover, it can be helpful to put the
users of each department on the Data Mover it pays for.
Figure 10. Users can be spread across Data Movers by connecting them to different
CIFS servers
Because each Data Mover and Virtual Data Mover has its own Home Directory
database, the task of spreading users across two or more Data Movers is easy. Simply
direct users to the correct Data Mover (via a CIFS server) when they attempt to map
their home directory. This direction requires preparation to decide which Data Mover
28
each user should use and to ensure the users profile reflects the UNC path to that
Data Mover.
Ensure that the mount path of all replicated Home Directory user file systems is
the same on both the source and destination Virtual Data Movers. If the mount
path is different on the destination Virtual Data Mover, then the paths in the Home
Directory database may be incorrect after failover.
Ensure that the CIFS server names used on the destination Virtual Data Mover are
identical to those used on the source Virtual Data Mover.
Ensure that the network interface names used on the destination Virtual Data
Mover are identical to those used on the source Virtual Data Mover. IP addresses
can be different on the destination Data Mover.
EMC advises the testing of Home Directory replication plan prior to implementing it on production data.
29
EMC advises you to test your Home Directory migration plan prior to implementing it on production data.
30
This capability is especially helpful in the case where the users have local
applications, such as built in synchronization and embedded links. Those
applications will not have to be manually updated on each individual users account
after the migration. This capability is the same for shared network devices, such as
scanners, printers, and fax devices.
Without this path mapping, manual remediation would be needed to modify each
users configuration to a \\server\HOME path. Users will still be able to map to the
traditional \\server\HOME path, though. As seen in Figure 12, users can connect to
either \\server\HOME or \\server\username[$] to get to their home directory since
both paths point to the same place.
31
Figure 13. Setting registry setting for username support on home directories
The following is a description of the two options that are available for the
UsernameSupported registry:
32
Conclusion
VNX Home Directory feature can significantly ease the administrative pain of
providing home directories for CIFS users. It eliminates the need to manually create
and manage CIFS home directory shares, and it can also eliminate the need to
manually create each user home directory.
Home Directory provides sufficient flexibility for you to implement highly customized
rules based on regular expressions, and it may require only a few rules to spread all
of your domain users over a single file system or several file systems. This flexibility
makes it simple to scale your Home Directory implementation from hundreds to
thousands or even tens of thousands of CIFS users.
Further, when Home Directory is combined with VDM Replication, a Home Directory
environment can be seamlessly replicated to a remote site for disaster recovery.
When combined with VNX File System Migration or other migration technologies,
Home Directory environments can easily be migrated to other VNX cabinets.
With an understanding of the Home Directory concepts that were outlined in this
white paper, you can create an efficient and effective home directory solution for your
organization.
33