
Identity Manager Data Governance Edition 9.1 - Deployment Guide


Data Governance agents cannot access NAS devices via SMB

After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2, you may encounter one or both of the following:

  1. The Data Governance agent cannot access EMC or NetApp shares. For example, you receive a "Windows cannot access" network error when you try to open a share on the NAS device in File Explorer from the agent machine.
  2. You cannot browse resources or set security index roots for an EMC or NetApp managed host. That is, after adding an EMC or NetApp managed host, the Data Status stays in a "Waiting for scanning to start" state and an error is recorded in the agent log.
Probable cause

Both of these issues are caused by known behavior of Windows Server 2012/2012 R2 and Windows 8 acting as SMB clients. Windows Server 2012 and later and Windows 8 and later ship with SMB 3.0 (originally known as SMB 2.2), and they negotiate that dialect with the file server by default.

  1. The first problem, where the agent cannot access EMC or NetApp shares, is most likely an incompatibility between the SMB implementation on the NAS device and the SMB 3.0 dialect the agent machine tries to negotiate.
  2. The second problem, where the agent cannot scan the NAS device, is caused by the "Secure Negotiate" feature that was added to SMB 3.0 in Windows Server 2012 and Windows 8. Secure Negotiate validates the negotiated dialect after the session is set up to protect against downgrade attacks, and a file server that does not implement the validation request causes the connection to fail.
Resolution
  1. To resolve the problem where the agent cannot access EMC or NetApp shares, upgrade the NAS device firmware (the FLARE code on EMC devices) to a release that supports SMB 3.0.

    WORKAROUND: If upgrading the firmware is not an option, disable SMB 2.0 on the agent machine running Windows Server 2012/2012 R2. Note that disabling SMB 2.0 on a Windows client disables SMB 2.x and 3.x together, so the agent machine falls back to SMB 1.0 for every share it connects to. SMB 1.0 is deprecated and provides no encryption and weaker signing; apply this change only to the agent host, not to other servers, and revert it once the NAS device supports SMB 3.0.

    See http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/ for more information on this known issue and how to disable SMB 2.0.

  2. To resolve the problem where the agent cannot scan the NAS device, use an alternate supported operating system to host the agent to scan the EMC or NetApp filer or contact the file server vendor for an update that enables the file server to support Windows Server 2012 and Windows 8 clients.

    WORKAROUND: Set "Secure Negotiate" to "enable if needed" by running the following PowerShell command in an elevated session on the agent machine running Windows Server 2012/2012 R2:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecureNegotiate -Value 2 -Type DWord -Force

    NOTE: With the "enable if needed" setting, the Windows Server 2012/2012 R2 agent machine uses Secure Negotiate when the remote file server supports it, and falls back to an unvalidated negotiation when the file server does not (as with the affected NetApp and EMC devices). The fallback means the agent machine no longer detects a man-in-the-middle forcing a lower SMB dialect on those connections, so scope the change to the agent host and revert it once the file server vendor provides an update.

    Disabling the Secure Negotiate feature entirely (value 0) is NOT recommended by Microsoft.

    See https://support.microsoft.com/en-us/kb/2686098 for more details on this known issue.

Additional information

To determine the SMB dialect negotiated with your file server

  1. From the agent machine, open a share on the remote file server (for example, in File Explorer) so that an SMB session exists, then run the following PowerShell command on the agent machine:

    Get-SmbConnection

  2. Look at the "Dialect" column for the row whose ServerName is the file server to see what version of SMB the client has negotiated with it.

    For example, if the entry is 3.0, both the client and the server support that version of the SMB protocol. Get-SmbConnection reports the sessions of the machine it runs on, so run it on the agent machine, not on the NAS device.
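The following script ties the two checks above together: it confirms the negotiated dialect for the filer from the agent machine and, only when asked, applies the "enable if needed" Secure Negotiate workaround with the previous value printed for rollback. It is an added example, not part of the One Identity guide or product; the host name and share are placeholders, and it assumes the agent host is rebooted afterward so the workstation service reads the new value.

```powershell
# Added example (not from the One Identity guide). Run in an elevated PowerShell
# session on the Data Governance agent host. Host name and share are placeholders.
param(
    [string]$Filer = 'nas01.corp.example',   # placeholder EMC/NetApp host name
    [string]$Share = 'data',                  # placeholder share on the filer
    [switch]$RelaxSecureNegotiate             # opt in to the registry change
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$regName = 'RequireSecureNegotiate'

# 1. Open the share so that an SMB session exists for Get-SmbConnection to report.
$unc = "\\$Filer\$Share"
$reachable = Test-Path -Path $unc
Write-Host "Share $unc reachable: $reachable"

# 2. Report dialect, signing and encryption for the session to this filer only.
$conn = Get-SmbConnection | Where-Object { $_.ServerName -ieq $Filer }
if (-not $conn) {
    Write-Warning "No SMB session to $Filer. The share could not be opened, so there is no dialect to report."
} else {
    $conn | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted | Format-Table -AutoSize
}

# 3. Show the current Secure Negotiate setting. A missing value means the OS default applies.
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($null -eq $current) {
    Write-Host "$regName is not set (OS default in effect)"
} else {
    Write-Host "$regName = $current"
}

# 4. Apply "enable if needed" (2) only on request. Never write 0 here: that turns the
#    downgrade protection off completely, which Microsoft does not recommend.
if ($RelaxSecureNegotiate) {
    Set-ItemProperty -Path $regPath -Name $regName -Value 2 -Type DWord -Force
    $after = (Get-ItemProperty -Path $regPath -Name $regName).$regName
    Write-Host "$regName is now $after (2 = enable if needed). Reboot the agent host before re-testing."
    if ($null -eq $current) {
        Write-Host "To revert: Remove-ItemProperty -Path '$regPath' -Name $regName"
    } else {
        Write-Host "To revert: Set-ItemProperty -Path '$regPath' -Name $regName -Value $current -Type DWord"
    }
}
```

Run it first without the switch to record the dialect and the current setting; only if the filer negotiates SMB 3.0 and the scan still stalls on "Waiting for scanning to start" is the `-RelaxSecureNegotiate` switch warranted, and the printed revert command should go into the change record so the setting is restored after the filer is updated.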


Agent leases expiring

Probable cause
  • The computer on which the agent is running has rebooted.
  • The agent service on the hosting computer has been stopped or disabled.
  • The Data Governance service has been restarted.
Resolution
  • Ensure the One Identity Manager Data Governance Edition Agent service is running on the hosting computer.
  • Under normal conditions, agent lease expired messages clear on their own once the agent renews its lease, which can take up to one renewal interval. By default, the lease renewal interval is five minutes.

Cannot add managed paths to my EMC server

Probable cause

When adding managed paths for an EMC server, you may receive the following error:
Resource: \\Server_Name\, Error Message: The network path was not found. NetAPI32 Error: 53.

This error means that Data Governance Edition could not resolve the EMC server or any of the shares of the server.

Resolution

Verify that the DNS settings are up to date and that the EMC server name resolves from the Data Governance server and the agent host, that you can ping the EMC server, and that the SMB port (TCP 445, plus TCP 139 if NetBIOS over TCP/IP is in use) is open between the agent host and the EMC server.

If the checks pass, reboot the agent host that reports the problem and try again.
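The checks above can be scripted so that the failing layer (name resolution, port 445 or share enumeration) is identified before anything is rebooted. This is an added example, not part of the One Identity guide or product; the host name is a placeholder, and it assumes Windows Server 2012 R2 or later on the machine running it (Test-NetConnection is not available on Windows Server 2012).

```powershell
# Added example (not from the One Identity guide). Run on the Data Governance server
# or on the agent host that reports "NetAPI32 Error: 53". The host name is a placeholder.
function Test-FilerReachability {
    param([Parameter(Mandatory)][string]$Filer)

    $result = [ordered]@{
        Filer    = $Filer
        Resolves = $false
        Address  = $null
        Pings    = $false
        Port445  = $false
        Shares   = @()
    }

    # 1. Name resolution. Error 53 (network path not found) is returned before any
    #    SMB traffic is sent if the name does not resolve.
    $dns = Resolve-DnsName -Name $Filer -ErrorAction SilentlyContinue
    if ($dns) {
        $result.Resolves = $true
        $result.Address  = ($dns | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    }

    # 2. ICMP and the SMB port. A filer may drop ICMP yet still serve SMB, so the
    #    TCP 445 test is the one that decides whether the agent can reach it.
    $result.Pings   = Test-Connection -ComputerName $Filer -Count 1 -Quiet -ErrorAction SilentlyContinue
    $result.Port445 = (Test-NetConnection -ComputerName $Filer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Share enumeration through net view, which uses the same NetAPI32 share
    #    enumeration call family that produced the error in the first place.
    if ($result.Port445) {
        $view = & net.exe view "\\$Filer" /all 2>&1
        if ($LASTEXITCODE -eq 0) {
            # Share lines look like "data        Disk   ..."; keep the share names.
            $result.Shares = @($view | Where-Object { $_ -match '^\S+\s+Disk' } | ForEach-Object { ($_ -split '\s+')[0] })
        } else {
            $result.NetViewError = ($view | Out-String).Trim()
        }
    }

    [pscustomobject]$result
}

Test-FilerReachability -Filer 'emc01.corp.example' | Format-List
```

Read the output top down: a false Resolves points at DNS, a false Port445 with a true Resolves points at a firewall or the filer's CIFS service, and a non-zero net view exit with shares missing points at permissions or the share configuration on the EMC side rather than at the network.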

No activity data

When you run a Resource Activity, Account Activity, or Perceived Owner report, you may not immediately see an action in the report that you know you have performed.

Probable cause
  • There is lag time between when an action occurs, such as a file read or write, and when the data is sent from the agent to the server. This delay is dependent upon the following:
    • The aggregation setting on the Resource Activity page of the Managed Host Settings dialog
    • The update schedule. By default, resource activity is synchronized into the One Identity Manager database, once a day, after the first initial synchronization. The initial synchronization happens a few minutes after resource activity collection is enabled. This update schedule is controlled by a Data Governance server configuration setting (PerceivedOwnershipCalcUpdateRefreshIntervalMinutes). See the One Identity Manager Data Governance Edition Technical Insight Guide for more information on this configuration file setting.
    • Various internal processes.
  • It is possible that you did not have resource activity collection enabled for that managed path during the time span covered in the report.
  • If you have enabled resource activity collection, it is possible you have excluded some accounts, files or folders where the activity occurred.
  • If Quest Change Auditor is installed and you are collecting resource activity directly from Change Auditor, Change Auditor may not be capturing the events you are expecting.
Resolution
  • Verify the managed host type. Resource activity collection is only available for local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts.
  • Use the Edit Host Settings task from the Managed hosts view to verify that the required paths are being managed:
    • Open the Managed Paths page of the Managed Host Settings dialog. Are the required managed paths listed?
  • Use the Edit Host Settings task from the Managed hosts view to verify that resource activity collection is enabled:
    • Open the Resource Activity page of the Managed Host Settings dialog.
      • Is the Collect and aggregate events option selected?
      • Are the required events selected?
  • Verify the accounts, files or folders that are being tracked:

    • Click the Resource Activity Exclusions button on the Resource Activity page of the Managed Host Settings dialog.
    • Check each tab to see what objects are being excluded.
  • Collaborate with the Change Auditor administrator to determine what data Change Auditor is collecting.