Over the last year, many people from the support organization, as well as customers, have asked me about the importance of the NoDirectSDR registry entry for FlashBackup. The questions I come across most often include (but are not limited to):
- Why do I need to bother about it at all? What is it all about?
- My FlashBackup mapping is pretty slow; should I enable it?
- I don't see any improvement after enabling it; should I disable it?
- Do I lose any functionality if I disable it?
- How do I enable/disable it?
- etc.
I kept promising that one day (that day is now) I would explain it all in detail, and in the meantime just kept answering situation-specific questions. So here is the deal.
If you don't use a FlashBackup for Windows policy, you can skip this article; it doesn't apply to you. If you use VCB backup types 1 and 2, again it doesn't apply much to you, because you can't disable/enable this registry key. If you are using FlashBackup to back up your Windows hosts, read on. If you are using VCB backup types 0 and 3, continue. I would like to divide this article into 5 major parts.
- What are security descriptors in NTFS or similar file systems
- How and why FlashBackup uses them
- How to disable/enable it
- When you want to disable it, and troubleshooting steps
- Advanced reading suggestions
You may also find these articles/blogs of interest if you have landed in this space.
- What is so special about DirectRead Registry entry in Flashbackup.
- How to adjust the FlashBackup read buffer for clients.
- What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?
- Slow mapping with flashbackup? Look at your exclude file list !
This feature was introduced with NetBackup 6.5.1, and direct read, which the NoDirectSDR registry entry controls, is enabled by default. It was the outcome of a project to improve FlashBackup mapping performance through direct read of the NTFS Security Descriptor Database in VxMS. Let's first look at security descriptors in the NTFS file system.
1. What are security descriptors in NTFS or similar file systems
- Data structure used by Windows to control access to security objects like files, folders, Registry keys, Services, etc.
- Each security object has a security descriptor
- What security descriptors contain:
  - Owner SID - who created the object
  - Primary group SID for the owner
  - Discretionary Access Control List (DACL)
    - Defines who has been granted/denied access to the object
    - Owners and Administrators can make changes to the ACL
  - System Access Control List (SACL)
    - Defines users whose access or failure to access an object is monitored
More advanced details of this and of ACLs/ACEs can be found on MSDN.
SD Block-diagram contents:
• Header – Describes the contents of the security descriptor. It also contains a control structure that defines whether the object can inherit permissions from the security descriptor of its parent.
• Owner SID – Except for administrators, the owner of an object is the user who created it. Objects created by any member of the Administrators Built-in group are assigned the Administrators group as the owner.
• Primary group SID for the owner – This identification is used for POSIX and Macintosh support only.
• Discretionary access control list (DACL) – This list defines the security principals who have been granted access or denied access to the object. The "discretionary" in DACL means that owners and administrators can make changes to the list.
• System access control list (SACL) – This list defines users who will be logged by the auditing system when they access or fail to access an object. The ability to modify a SACL should be strictly controlled to prevent a bad guy from disabling auditing while he does dirty deeds.
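The parts listed above, decoded from raw bytes, as an added example that is not from the original article or from NetBackup/VxMS. It assumes the standard Windows self-relative security descriptor layout (20-byte header with control flags and four offsets), and the sample descriptor is constructed in `build_sample()`.

```python
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010
SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x1000, 0x8000  # PROTECTED = inheritance blocked

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-R-A-S1-S2... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6-byte big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_acl(buf, off):
    """Return [(ace_type, access_mask, sid)]; assumes plain allow/deny/audit ACEs."""
    _rev, _sbz, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ace_type, mask, parse_sid(buf, pos + 8)))
        pos += ace_size  # ACEs are variable length; step by the recorded size
    return aces

def parse_sd(buf):
    """Split a self-relative security descriptor into header, owner, group, DACL, SACL."""
    rev, _sbz, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "revision": rev,
        "inheritance_blocked": bool(control & SE_DACL_PROTECTED),
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
        "sacl_present": bool(control & SE_SACL_PRESENT and o_sacl),
    }

def build_sample():
    """Constructed SD: owner BUILTIN\\Administrators, group SYSTEM, one allow ACE."""
    admins = struct.pack("<BB", 1, 2) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
    system = struct.pack("<BB", 1, 1) + (5).to_bytes(6, "big") + struct.pack("<I", 18)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(admins), 0x001F01FF) + admins
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 20 + len(admins), 0, 20 + len(admins) + len(system))
    return header + admins + system + dacl

if __name__ == "__main__":
    print(parse_sd(build_sample()))
```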
2. How and why FlashBackup uses them
- Windows FlashBackup uses an internal algorithm to
  - Get extent mapping of files being backed up
  - Retrieve Security Descriptors of files being backed up
  - Restore file contents, attributes, Security Descriptors and so on…
- Security Descriptor retrieval methods
  - Either using the NTDLL API ZwQuerySecurityObject()
  - Or direct read of the NTFS $Secure (Security Descriptor Database) file
- Using the NTDLL API ZwQuerySecurityObject()
  - Needs a file handle for each file, hence slow
  - Retrieval fails if a file handle cannot be obtained
  - No parsing of $Secure involved
  - Available as the default method until NBU 6.5 and as a fallback in NBU 6.5.1
- Direct read of the NTFS $Secure file
  - No dependency on handle processing
  - Less failure-prone
  - Improves performance
  - Implemented as the default method in NBU 6.5.1
3. Enabling and Disabling Method
- Direct read of NTFS $Secure is enabled by default in NBU 6.5.1.
- It can be disabled by adding a registry entry.
  - NoDirectSDR registry key.
  - Path: \HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VxMS
- Note that without the above registry entry, or with the entry set to the value 0, direct read of SDs is enabled.
- A non-zero value disables direct read of SDs and falls back to using the NTDLL API ZwQuerySecurityObject().
4. When you want to disable it, and troubleshooting steps
The only reason I can think of is when it fails: your backups are not running successfully, and you see many errors in your backup like:
tar_base::V_vTarMsgW: INF - VxMS Error message 1 = xm_get_next_index: vfm_open_file_index XXXXX failed error 1
where XXXXX is any index (starting from 1 and, theoretically, going up without limit), and you see this error for all indexes in your backup. Your bpbkar log is filled with these errors.
How to find out whether that's the problem and whether you should even consider disabling it:
- Open your registry using regedit
- Go to \HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VxMS
- Find the installation directory
  - It will be similar to C:\Program Files\common files\Veritas\VxMS\
- You may find a logs folder inside the VxMS folder.
- See if you have any vxms_ntfs_9.txt files inside that folder. If yes, now is the time to call your local Symantec technical support and ask them whether disabling this registry entry will help or not. In most cases it will, but situations may vary from environment to environment.
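The checks from sections 3 and 4 combined into one triage routine, as an added example that is not part of the original article or of NetBackup. The log lines are constructed, the "no gaps from index 1" test is an assumed heuristic for "every index fails", and the registry value type is not stated in the article, so the value is simply converted with `int()`.

```python
import re

# Error text quoted in the article; the captured group is the file index.
ERR = re.compile(r"xm_get_next_index: vfm_open_file_index (\d+) failed error 1\b")

# Constructed sample of bpbkar log lines (timestamps and PIDs are made up).
SAMPLE_LOG = """\
10:02:11.104 [3312.4120] <2> tar_base::V_vTarMsgW: INF - VxMS Error message 1 = xm_get_next_index: vfm_open_file_index 1 failed error 1
10:02:11.106 [3312.4120] <2> tar_base::V_vTarMsgW: INF - VxMS Error message 1 = xm_get_next_index: vfm_open_file_index 2 failed error 1
10:02:11.107 [3312.4120] <2> tar_base::V_vTarMsgW: INF - some unrelated message
10:02:11.109 [3312.4120] <2> tar_base::V_vTarMsgW: INF - VxMS Error message 1 = xm_get_next_index: vfm_open_file_index 3 failed error 1
"""

def read_nodirectsdr():
    """Return the NoDirectSDR value from the VxMS key, or None if absent (Windows only)."""
    import winreg  # imported here so the rest of the module loads on any OS
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Veritas\VxMS") as key:
            return winreg.QueryValueEx(key, "NoDirectSDR")[0]
    except FileNotFoundError:
        return None

def direct_read_enabled(value):
    """Absent entry or 0 means direct read of $Secure; non-zero means the fallback."""
    return value is None or int(value) == 0

def failed_indexes(log_text):
    """Sorted, de-duplicated file indexes that hit the vfm_open_file_index error."""
    return sorted({int(m.group(1)) for m in ERR.finditer(log_text)})

def triage(log_text, nodirectsdr, vxms_log_names):
    """Combine registry state, bpbkar errors and VxMS log names into one verdict."""
    idx = failed_indexes(log_text)
    # Heuristic (assumption): "every index fails" = indexes run 1..max with no gaps.
    every_index = bool(idx) and idx == list(range(1, idx[-1] + 1))
    ntfs_log = any(n.lower() == "vxms_ntfs_9.txt" for n in vxms_log_names)
    enabled = direct_read_enabled(nodirectsdr)
    return {"direct_read_enabled": enabled, "failed": len(idx),
            "every_index_failed": every_index, "ntfs_log_present": ntfs_log,
            # All three signs from the article line up: raise it with support.
            "ask_support": enabled and every_index and ntfs_log}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, None, ["vxms_ntfs_9.txt"]))
```

On a client, pass the text of the bpbkar log, the result of `read_nodirectsdr()` and the file names found in the VxMS logs folder.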
5. Advanced reading suggestions