Tape devices going invisible while group policy is updating

RajeshR


Hello All,

We have a long-running issue on the TSM server where the tape drives give continuous
ANR8311E An I/O error occurred while accessing drive errno= 3, rc = 2863
errors for all the tape drives that are mounted at the time of the group policy object update.

error=3 refers to path_notfound on the Windows platform, as per Microsoft.

TSM Server Host: Windows 2012 R2 x64
TSM server version 7.1.6.0

This issue only happens while group policy is updating; group policy event info below:
- Provider
[ Name] SceCli
- EventID 1704
[ Qualifiers] 16384
Level 4
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2017-10-16T10:56:13.000000000Z
EventRecordID 191166
Channel Application
Computer TSM-Server
Security

However, the rest of the time we don't have any issue with the tape drives.
We have the default refresh interval for updating group policy on the server, 16 hrs.
Every 16 hrs, whatever operations are running on the TSM server are affected by the group policy object update.

On the tape library/drives side we didn't find any issue.
On the SAN side no issues were reported except communication loss during the time of the GP update.
HBA/tape device drivers and drive/library firmware are updated to the latest.

Whenever I run the tsmdlst.exe command it shows the result within 3-4 seconds.
But if I run gpupdate /force and tsmdlst.exe both at the same time, the result takes 1:30 minutes to show output.
Certainly it's losing connection with the tape drives while group policy is updating.
We don't have anything in group policy to lose the connection; however, we created a different OU and moved the TSM server to the new OU, but the issue remains the same.

Kindly suggest.

Best Regards.
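
Added example (not part of the original post, and not IBM or Microsoft code): one way to check the correlation described above offline, by matching SceCli event 1704 timestamps against ANR8311E lines in an exported activity log. The log layout, volume and drive names, the second refresh time and the two-minute window are assumptions; only the first event timestamp comes from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. Only the first SceCli 1704 timestamp is taken from
# the post above; everything else is made up for illustration.
GPO_EVENTS = ["2017-10-16T10:56:13.000000000Z", "2017-10-17T02:56:20.000000000Z"]

# Assumed export layout: "MM/DD/YYYY HH:MM:SS MSGID text", already in UTC.
ACTLOG = """\
10/16/2017 10:40:02 ANR8337I LTO volume A00001L6 mounted in drive DRIVE1.
10/16/2017 10:55:10 ANR8311E An I/O error occurred while accessing drive DRIVE1, errno = 3, rc = 2863.
10/16/2017 10:55:41 ANR8311E An I/O error occurred while accessing drive DRIVE2, errno = 3, rc = 2863.
10/16/2017 18:12:09 ANR8311E An I/O error occurred while accessing drive DRIVE1, errno = 3, rc = 2863.
10/17/2017 02:55:30 ANR8311E An I/O error occurred while accessing drive DRIVE2, errno = 3, rc = 2863.
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (ANR\d{4}[EWIS]) (.*)$")

def parse_event_time(stamp):
    # Event Viewer prints nanoseconds; keep only whole seconds.
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")

def drive_errors(actlog, msgid="ANR8311E"):
    """Return (timestamp, text) for every activity-log line carrying msgid."""
    found = []
    for line in actlog.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == msgid:
            found.append((datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(3)))
    return found

def correlate(gpo_events, actlog, window=timedelta(minutes=2)):
    """Split drive errors into those near a policy refresh and the rest.

    Event 1704 is written once security policy has been applied, so errors
    can precede it; the window is therefore applied on both sides.
    """
    refreshes = [parse_event_time(e) for e in gpo_events]
    near, other = [], []
    for when, text in drive_errors(actlog):
        hit = next((r for r in refreshes if abs(when - r) <= window), None)
        (near if hit is not None else other).append((when, hit, text))
    return near, other

if __name__ == "__main__":
    near, other = correlate(GPO_EVENTS, ACTLOG)
    print(f"{len(near)} of {len(near) + len(other)} ANR8311E errors are within 2 min of a GPO refresh")
    for when, _, text in other:
        print("not explained by a refresh:", when, text)
```

Errors that land in the second list are the ones worth chasing on the SAN or drive side, since a policy refresh does not account for them.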
 

We did not have anything mentioned in group-policy to scan tape drives.
 

My understanding is that the default is scan ALL - meaning it will scan everything.

https://msdn.microsoft.com/en-us/library/bb530324.aspx

Is there any way to check this default value on my TSM server with local administrator access?
We do not have access to the domain controller.
We didn't have this issue before, and as per the MS AD admin no changes have been made in recent months.
Today they created a new OU and moved the TSM server to this new OU, but the issue still persists.
We also turned off TPM, since one PMR said a TPM policy caused another customer to get the same errors; so to give it a try we turned off TPM for now, but the issue still remains the same.
 

What type of tape drive and library do you have?
What device driver do you use for the library/drives?
 

What type of tape drive and library do you have?
What device driver do you use for the library/drives?
Library: IBM TS3310 (3576)
Drives: LTO6 Brand New tape drives with latest firmware.
IBM tape device drivers latest version 6.2.6.3
 

Did you use install_exclusive.exe? If not, that's probably why.
 

Can you remove the Spectrum Protect Server from the Group Policy?

Or better yet, remove it from the domain altogether as per the presentation on Top 10 Ways to Secure a Spectrum Protect environment:
[Attached image: upload_2017-10-16_16-16-10.png]
 

Can you remove the Spectrum Protect Server from the Group Policy?

Or better yet, remove it from the domain altogether as per the presentation on Top 10 Ways to Secure a Spectrum Protect environment:
[Attached image: attachment 1354]

Thanks for the update; I have gone through this before. Will try to remove the server from Microsoft AD. Need to dig into why all of a sudden it's happening.
Even if we remove it from group policy, local policy will still refresh, I think. If local policy has some issues, it may issue the same error again.
 

Thanks for the update; I have gone through this before. Will try to remove the server from Microsoft AD. Need to dig into why all of a sudden it's happening.
Even if we remove it from group policy, local policy will still refresh, I think. If local policy has some issues, it may issue the same error again.
You may need to engage Microsoft; Windows should not access devices and make them temporarily unavailable. Don't know if it still applies now; in the older days, we'd disable RSM.
 

You may need to engage Microsoft; Windows should not access devices and make them temporarily unavailable. Don't know if it still applies now; in the older days, we'd disable RSM.
Yeah, I have never seen RSM services on my machine; maybe they are not applicable for W2k12 R2.
 

Yeah, I have never seen RSM services on my machine; maybe they are not applicable for W2k12 R2.

RSM was removed, I believe, after Win 2008.

This is why I hate TSM on Windows, especially if you put this under AD. AD policies scan all and apply group policies related to security where they see fit. This is also one reason why I do not want TSM login credentials to be AD aware.
 

This is also one reason why I do not want TSM login credentials to be AD aware.
I'm mixed on that one. Windows machine not part of AD, server not published, but having the server use AD admin IDs is good especially in multi-server environments. One less password to remember, central user management, and possible to enforce stricter password policies. But we are getting off topic.
 

If we exclude the TSM server from group policy we do not get this issue, even if we run gpupdate /force while jobs are running. But our client systems were not able to contact the TSM server after removing the TSM server from group policy.
We are checking on this matter and will update.
 

If we exclude the TSM server from group policy we do not get this issue, even if we run gpupdate /force while jobs are running. But our client systems were not able to contact the TSM server after removing the TSM server from group policy.
We are checking on this matter and will update.

I am assuming you use DNS to resolve IP addresses from server names.

Removing the TSM server from AD breaks the DNS relationships that are bound to AD IF you have group policies that tell DNS to ignore non-AD defined systems.

If you have this, relax your AD policies.
 

After removing the TSM server from the default group policy there is no more issue. We found nothing in the default group policies to scan tape devices while updating group policy.
I think it's always better to keep the TSM server out of the default group policy.
Thanks to everyone.
 