1. Please help support our sponsors by considering their products and services.
    Our sponsors enable us to maintain high-speed Internet connection and fast webservers.
    They support this free information and knowledge exchange forum service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions

Tape devices going invisible while group policy updating

Discussion in 'TSM Operation' started by RajeshR, Oct 16, 2017.

  1. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    Hello All,

    We have a long time running issue on TSM server where the tape drives giving continuous
    ANR8311E An I/O error occurred while accessing drive errno= 3, rc = 2863
    for all the tape drives that are mounted during the time of group policy objects update.

    error=3 refers to path_notfound on windows platform as per Microsoft.

    TSM Server Host: Windows 2012 R2 x64
    TSM server version 7.1.6.0

    This issue is only happening while group policy updating, group policy event info below
    - Provider
    [ Name] SceCli
    - EventID 1704
    [ Qualifiers] 16384
    Level 4
    Task 0
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2017-10-16T10:56:13.000000000Z
    EventRecordID 191166
    Channel Application
    Computer TSM-Server
    Security

    However rest of the time we don't have any issue with tape drives.
    we have default refresh interval for updating group policy on server for 16 hrs.
    Every 16 hrs what ever the operations running on TSM server effecting with group policy object update.

    Tape library/drives side didn't find any issue.
    SAN side no issues reported except communication loss during the time of gp update.
    HBA/tape device drivers/Drive/library firmware's updated to latest.

    Whenever i run the tsmdlst.exe cmd it shows the result within 3-4 seconds.
    But if i run the gpupdate /force and tsmdlst.exe both at a time the result taking 1:30 minutes to show output.
    Certainly it's loosing connection with tape drives while group policy updating.
    We don't have anything to lose connection for group policy, however we created a different OU and moved tsm server to new OU but the issue remain same.

    Kindly suggest.

    Best Regards.
     
  2.  
  3. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,860
    Likes Received:
    363
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Modify your group policy so it would not scan for tape devices or do a SCSI scan.
     
  4. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    We did not have anything mentioned in group-policy to scan tape drives.
     
  5. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,860
    Likes Received:
    363
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
  6. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    is there any way to check this default value on my TSM server with local administrator access.
    We do not have access to domain controller.
    We don't have this issue before and as per MS AD admin no changes has made in recent months.
    Today they created new OU and moved TSM server to this new OU but still issue persists.
    We also Turned of TPM since one of pmr said TPM policy caused other customer to give same errors, so to give it a try we turned off TPM for now but still issue remain same.
     
  7. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,641
    Likes Received:
    372
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    What type of tape drive and library do you have?
    What device driver do you use for the library/drives?
     
  8. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    Library:IBM TS3310 (3576)
    Drives: LTO6 Brand New tape drives with latest firmware.
    IBM tape device drivers latest version 6.2.6.3
     
  9. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    IBMTape.x64_w12_6263
     
  10. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,641
    Likes Received:
    372
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    Did you use install_exclusive.exe? If not, that's probably why.
     
  11. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    Yes we used install_exclusive to install tape device drivers.
     
  12. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,641
    Likes Received:
    372
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    Can you remove the Spectrum Protect Server from the Group Policy?

    Or better yet, remove it from the domain altogether as per the presentation on Top 10 Ways to Secure a Spectrum Protect environment:
    upload_2017-10-16_16-16-10.png

    source:
     
  13. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    Thanks for the update have gone through this before. Will try to remove the server from Microsoft AD. Need to dig into the issue why all of sudden it's happening.
    Even of we remove from group policy local policy will still refresh I think. If local policy having some issues it may issue same error again.
     
  14. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,641
    Likes Received:
    372
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    You may need to engage Microsoft, Windows should not access devices and make them temporarily unavailable. Don't know if it still applies now, in the older days, we'd disable RSM.
     
  15. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    Yeah i have never seen RSM services on my machine, may be they are not applicable for W2k12 R2.
     
  16. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,860
    Likes Received:
    363
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    RSM was removed, I believe, after Win 2008.

    This is why I hate TSM on Windows especially if you put this under AD. AD policies scans all and applies group policies related to security where it sees fit. This is also one reason why I do not want TSM login credentials to be AD aware.
     
  17. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,641
    Likes Received:
    372
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    I'm mixed on that one. Windows machine not part of AD, server not published, but having the server use AD admin IDs is good especially in multi-server environments. One less password to remember, central user management, and possible to enforce stricter password policies. But we are getting off topic.
     
  18. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    If we exclude TSM server from group policy we are not getting this issue even if we update gpupdate /force while jobs running, But our client systems couldn't able to contact TSM server after removing TSM server from group policy.
    We are checking on this matter will update.
     
  19. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,860
    Likes Received:
    363
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    I am assuming you use DNS to resolve IP addresses from server names.

    Removing the TSM server from AD breaks the DNS relationships that is bounded to AD IF you have group policies that tell DNS to ignore non-AD defined systems.

    If you have this, relax your AD policies.
     
  20. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    After removing TSM server from default group policy there is no more issue, We found nothing in default group policies to scan tape devices while updating group policy.
    I think it's always better to keep TSM server from default group policy.
    Thanks to everyone.
     
  21. RajeshR

    RajeshR ADSM.ORG Member

    Joined:
    May 11, 2016
    Messages:
    55
    Likes Received:
    1
    1. I think it's always better to keep TSM server away from default group policy.
    have finally had the technote to document this issue published - it is here:-

    http://www-01.ibm.com/support/docview.wss?uid=swg22009960
     

Share This Page