• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Tape devices going invisible while group policy updating

RajeshR

ADSM.ORG Member
#1
Hello All,

We have a long time running issue on TSM server where the tape drives giving continuous
ANR8311E An I/O error occurred while accessing drive errno= 3, rc = 2863
for all the tape drives that are mounted during the time of group policy objects update.

error=3 refers to path_notfound on windows platform as per Microsoft.

TSM Server Host: Windows 2012 R2 x64
TSM server version 7.1.6.0

This issue is only happening while group policy updating, group policy event info below
- Provider
[ Name] SceCli
- EventID 1704
[ Qualifiers] 16384
Level 4
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2017-10-16T10:56:13.000000000Z
EventRecordID 191166
Channel Application
Computer TSM-Server
Security

However rest of the time we don't have any issue with tape drives.
we have default refresh interval for updating group policy on server for 16 hrs.
Every 16 hrs what ever the operations running on TSM server effecting with group policy object update.

Tape library/drives side didn't find any issue.
SAN side no issues reported except communication loss during the time of gp update.
HBA/tape device drivers/Drive/library firmware's updated to latest.

Whenever i run the tsmdlst.exe cmd it shows the result within 3-4 seconds.
But if i run the gpupdate /force and tsmdlst.exe both at a time the result taking 1:30 minutes to show output.
Certainly it's loosing connection with tape drives while group policy updating.
We don't have anything to lose connection for group policy, however we created a different OU and moved tsm server to new OU but the issue remain same.

Kindly suggest.

Best Regards.
 

RajeshR

ADSM.ORG Member
#5
My understanding is that the default is scan ALL - meaning it will scan everything.

https://msdn.microsoft.com/en-us/library/bb530324.aspx
is there any way to check this default value on my TSM server with local administrator access.
We do not have access to domain controller.
We don't have this issue before and as per MS AD admin no changes has made in recent months.
Today they created new OU and moved TSM server to this new OU but still issue persists.
We also Turned of TPM since one of pmr said TPM policy caused other customer to give same errors, so to give it a try we turned off TPM for now but still issue remain same.
 

marclant

ADSM.ORG Moderator
#11
Can you remove the Spectrum Protect Server from the Group Policy?

Or better yet, remove it from the domain altogether as per the presentation on Top 10 Ways to Secure a Spectrum Protect environment:
upload_2017-10-16_16-16-10.png

source:
 

RajeshR

ADSM.ORG Member
#12
Can you remove the Spectrum Protect Server from the Group Policy?

Or better yet, remove it from the domain altogether as per the presentation on Top 10 Ways to Secure a Spectrum Protect environment:
View attachment 1354

source:
Thanks for the update have gone through this before. Will try to remove the server from Microsoft AD. Need to dig into the issue why all of sudden it's happening.
Even of we remove from group policy local policy will still refresh I think. If local policy having some issues it may issue same error again.
 

marclant

ADSM.ORG Moderator
#13
Thanks for the update have gone through this before. Will try to remove the server from Microsoft AD. Need to dig into the issue why all of sudden it's happening.
Even of we remove from group policy local policy will still refresh I think. If local policy having some issues it may issue same error again.
You may need to engage Microsoft, Windows should not access devices and make them temporarily unavailable. Don't know if it still applies now, in the older days, we'd disable RSM.
 

RajeshR

ADSM.ORG Member
#14
You may need to engage Microsoft, Windows should not access devices and make them temporarily unavailable. Don't know if it still applies now, in the older days, we'd disable RSM.
Yeah i have never seen RSM services on my machine, may be they are not applicable for W2k12 R2.
 

moon-buddy

ADSM.ORG Moderator
#15
Yeah i have never seen RSM services on my machine, may be they are not applicable for W2k12 R2.
RSM was removed, I believe, after Win 2008.

This is why I hate TSM on Windows especially if you put this under AD. AD policies scans all and applies group policies related to security where it sees fit. This is also one reason why I do not want TSM login credentials to be AD aware.
 

marclant

ADSM.ORG Moderator
#16
This is also one reason why I do not want TSM login credentials to be AD aware.
I'm mixed on that one. Windows machine not part of AD, server not published, but having the server use AD admin IDs is good especially in multi-server environments. One less password to remember, central user management, and possible to enforce stricter password policies. But we are getting off topic.
 

RajeshR

ADSM.ORG Member
#17
If we exclude TSM server from group policy we are not getting this issue even if we update gpupdate /force while jobs running, But our client systems couldn't able to contact TSM server after removing TSM server from group policy.
We are checking on this matter will update.
 

moon-buddy

ADSM.ORG Moderator
#18
If we exclude TSM server from group policy we are not getting this issue even if we update gpupdate /force while jobs running, But our client systems couldn't able to contact TSM server after removing TSM server from group policy.
We are checking on this matter will update.
I am assuming you use DNS to resolve IP addresses from server names.

Removing the TSM server from AD breaks the DNS relationships that is bounded to AD IF you have group policies that tell DNS to ignore non-AD defined systems.

If you have this, relax your AD policies.
 

RajeshR

ADSM.ORG Member
#19
After removing TSM server from default group policy there is no more issue, We found nothing in default group policies to scan tape devices while updating group policy.
I think it's always better to keep TSM server from default group policy.
Thanks to everyone.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 9 18.0%
  • Keep using TSM for Spectrum Protect.

    Votes: 29 58.0%
  • Let's be formal and just say Spectrum Protect

    Votes: 8 16.0%
  • Other (please comement)

    Votes: 4 8.0%

Forum statistics

Threads
31,118
Messages
132,497
Members
21,308
Latest member
mujahikh
Top