VMware Cloud Community
rickardnobel
Champion
Champion

Windows disk signatures destroying datastores?

I have heard somewhere that certain versions of Windows aggresively signed all disks it detected, which could cause severe problems in a SAN enviroment. As if a LUN carrying a VMFS datastore was not masked away correctly from a physical Windows server it could destroy it by writing a disk signature in the MBR.

Can anyone confirm if this has been a problem?

And what versions of Windows server that has this behavior? I do not belive they do this anymore, but from what version? 2000/2003?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
26 Replies
AntonVZhbankov
Immortal
Immortal

You can disable such behavior for Windows. Run "diskpart"

>DISKPART> automount disable

>DISKPART> automount scrub

>DISKPART> exit

And reboot Windows. From this moment this particular Windows machine won't touch VMFS unless you manually do that.


---

MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
rickardnobel
Champion
Champion

Thank you for you reply.

Do you know which versions of Windows Server that actually does auto mounting and signing?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
AntonVZhbankov
Immortal
Immortal

2003 does for sure, this is from VCB installation guide (Windows 2003 required).

But it is not really wise to give access all-to-everything on SAN. I'd say more - it is really unwise. Right way is to use zoning:

>Allow Host 1 to LUN 1

>Allow Host 2 to LUN 2

>Deny All to All


---

MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
Reply
0 Kudos
rickardnobel
Champion
Champion

2003 does for sure, this is from VCB installation guide (Windows 2003 required).

I have some memory of this behavior is different between Win2003 Standard and Enterprise Edition. Strange, but perhaps that Enterprise should be more "SAN aware"..?

But it is not really wise to give access all-to-everything on SAN. I'd say more - it is really unwise. Right way is to use zoning:

Of course you are right about this. I just want to know what happens if that is being done.

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
AntonVZhbankov
Immortal
Immortal

It is SAN aware, but it is not really cluster-aware. NTFS is FS with exclusive access, and since LUN from SAN is just another disk for Windows this kind of behavior is expected.


---

MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
Reply
0 Kudos
rickardnobel
Champion
Champion

It is SAN aware, but it is not really cluster-aware. NTFS is FS with exclusive access, and since LUN from SAN is just another disk for Windows this kind of behavior is expected.

I meant the "SAN awareness" as it should have a better understanding that unknown disks it sees may be on a SAN and should not be auto mounted and signed without an administrator is confirming it. I have heard that Windows 2003 Enterprise Edition should do this, but for some reason not Standard Edition.

Could anyone confirm or deny this?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
a_p_
Leadership
Leadership

Yes, for the Enterprise edition the settings Anton mentioned in his first reply are set by default. This may be the case because the Enterprise edition is mainly used for MSCS where the SAN disks are presented to multiple nodes, but only should be accessed by one node (MSCS is a so called "Shared Nothing" cluster) at a time.

As Anton mentioned, setting "automount disable" using diskpart changes the behavior.

André

rickardnobel
Champion
Champion

Thanks a.p. for your reply. The MSCS point of view seems very reasonable and could explain the difference between Standard and Enterprise.

Do you (or anyone) know the behavior for Windows 2008 and the different editions?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
a_p_
Leadership
Leadership

AFAIK the defaults are the same for Windows 2003 and Windows 2008. Automount is disabled only for Enterprise and Datacenter editions.

For Hyper-V Servers this is different, see http://support.microsoft.com/kb/973834/en-us

André

Reply
0 Kudos
rickardnobel
Champion
Champion

Thanks for your answer and the link to MS KB!

AFAIK the defaults are the same for Windows 2003 and Windows 2008. Automount is disabled only for Enterprise and Datacenter editions.

Yes, that seems to be so, as the following is found in KB article:

"On Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, the default SAN policy is VDS_SP_OFFLINE_SHARED. On all other Windows Server 2008 editions, the default SAN policy is VDS_SP_ONLINE."

"Online" here means auto-mount. The only question is if this automounting also includes a new disk signature, which would break a VMFS datastore?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
a_p_
Leadership
Leadership

The only question is if this automounting also includes a new disk signature, which would break a VMFS datastore?

Yes, disk signaturing is the default behavior in Windows, when a new disk is detected and automount is enabled.

See http://www.yellow-bricks.com/2008/02/11/vcb-i-forgot-all-about-automount-disable-what-now/ on how to recover an "automounted" VMFS volume.

André

Reply
0 Kudos
joergriether
Hot Shot
Hot Shot

Guys,

on newly installed 2008r2x64 enterprise servers in our farm i HAVE TO disable automount. So i`d recommend with high importance to ALWAYS check diskpart, automount status and correct it to disabled if necessary.

best regards,

Joerg

Reply
0 Kudos
rickardnobel
Champion
Champion

on newly installed 2008r2x64 enterprise servers in our farm i HAVE TO disable automount. So i`d recommend with high importance to ALWAYS check diskpart, automount status and correct it to disabled if necessary.

Thanks for your input! You will have to do it on the Enterprise Editions too? From the link (MS KB) it says it will not be necessary on Windows 2008 Enterprise. Could it be changed again on 2008 R2 to a more aggressive automounting?

Does anyone know if you by diskpart or other tool can check the actual status of this setting?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
a_p_
Leadership
Leadership

Not sure if this is the same for all Windows version, but I think so.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount

value 1: Disabled.

value 0: Enabled.

André

Reply
0 Kudos
rickardnobel
Champion
Champion

Not sure if this is the same for all Windows version, but I think so.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount

value 1: Disabled.

value 0: Enabled.

Good, I shall do some checks as soon as I find a Win2008 and R2 and watch the defaults for this. Crazy if it is enabled...

Or does anyone has any 2008/R2 at hands to do a quick look at those registry values?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
joergriether
Hot Shot
Hot Shot

You could also just open a dosbox and type diskpart automount and see what it tells you then.

Best regards,

Joerg

Reply
0 Kudos
rickardnobel
Champion
Champion

I did a test now with Windows 2008 R2 Enterprise. From the command line:

DISKPART> automount

Automatic mounting of new volumes enabled.

The registry key mentioned earlier did not exist on the 2008 R2. However, I exposed the R2 server to a LUN which had a VMFS store on it, and it showed up in Disk Manager, but with the disk in offline mode. It continued to work for the ESXi host that had created it.

This means that 2008-R2 Enterprise does not autosign disks, however it says it will do AUTOMOUNTING, but that must mean something else?

My VMware blog: www.rickardnobel.se
Reply
0 Kudos
jcwuerfl
Hot Shot
Hot Shot

This is one of the big reasons why VMware is getting rid of VCB and going with there new VMware vStorage APIs. If you are still using VCB check with your backup vendor to see if they support the new VMware vStorage APIs so you can get rid of VCB as that is going away with the next version of VMware.

Reply
0 Kudos
joergriether
Hot Shot
Hot Shot

Just FYI: Even with Vstorage APIs in SAN Mode you have to expose your LUNs to a Windows Machine, matches for all major backup products using vStorage APIs. This can only be avoided with Network or hotadd mode. All modes have their advantages and disadvantages. The only disadvantage in SAN Mode is you HAVE to be careful what windows can do with your exposed LUNs. So it is ALWAYS a very good idea to strictly check the automount status in diskpart and disable it.

Reply
0 Kudos