Clustering with Access-Based Enumeration (Part 2)

davidr — Thu, 31 May 2007 11:24:00 GMT

In Part 1 of this article we wrote a short script to re-enable Access-Based Enumeration on a clustered file share. In part 2, we'll dissect the script and make some improvements to the code so that the status of ABE can be checked. This will allow the Cluster Administrator console to show the true current state of Access-Based Enumeration to administrative users.

Here's the original script:

Function Online( )
  on error resume next
  ' Call the ABECMD.EXE /Enable command for each share
  Set oShell = CreateObject("WScript.Shell")
  oShell.Run "H:\ABECMD.EXE /enable ABEShare", 1, true
  if (Err.Number <> 0) then
    Online = 1
  end if
  Online = 0
End Function

Function LooksAlive( )
  LooksAlive = True
End Function

Function IsAlive( )
  IsAlive = True
End Function

The script is divided into 3 separate functions.

The Online() Function

The Online() function is called when the cluster resource monitor attempts to bring the Generic Script resource online. This function is responsible for taking any action that enables the required functionality for the script. In our case, we want to use the ABE command line utility ABECMD.EXE to enable ABE on the clustered share. It's important to note the return values from the Online() function; if it returns zero (0) the function was successful and the resource is placed online. Other values will cause repeated attempts to bring the resource online, possibly followed by a failover.

The LooksAlive() Function

The LooksAlive() function is called at intervals determined by the cluster resource configuration. Microsoft says the following about the LooksAlive() function:

Perform one or more very fast, cursory checks of the specified instance with the emphasis on detecting potential problems rather than verifying operational status. IsAlive will determine whether the instance is really operational. Take no more than 300 milliseconds to return a value. Resource Monitor calls LooksAlive repeatedly at a specified time interval (for example, once every five seconds).

The default time interval for LooksAlive calls is 5 seconds but it is configurable by the administrator.

We return True in this function to tell the Resource Monitor that ABE is probably active.

The IsAlive() Function

The IsAlive() function is called at intervals determined by the cluster resource configuration. Microsoft says the following about the IsAlive() function:

Perform a complete check of the resource to see if it is functioning properly. The set of procedures you need to use depends on your resource. For example, a database resource should check to see that the database can write to the disk and perform queries and updates to the disk. If the resource has definitely failed, return FALSE. The Resource Monitor immediately sets the status of the resource to "ClusterResourceFailed" and calls the Terminate entry point function. Resource Monitor calls IsAlive repeatedly at a specified time interval (for example, once every sixty seconds).

The default time interval for IsAlive calls is 60 seconds but it is configurable by the Administrator.

We return True in this function to tell the Resource Monitor that ABE is definitely active.

Improving the IsAlive() function

In part 1 we noted that we're not really telling the truth about the ABE resource. We're telling Resource Monitor that ABE is enabled, but we're not checking it. So we change the IsAlive() function as follows:

Function IsAlive( )
  Set oShell = CreateObject("WScript.Shell")
  set wshRun = oShell.Exec ("H:\ABECMD.EXE ABEShare")
  if (Err.Number <> 0) or (wshRun.Status <> 0) then
    IsAlive = False
    Exit Function
  else
    sABEOutput = wshRun.StdOut.ReadAll()
    if InStr(sABEOutput, "enabled") then
      IsAlive = True
      Exit Function
    end if
    IsAlive = False
  end if
End Function

Now we're really checking that ABE is enabled for the share. If an administrator comes along and disables ABE, the cluster Resource Monitor will know about it and we can take corrective action.

Clustering with Access-Based Enumeration (Part 1)

davidr — Wed, 30 May 2007 05:24:00 GMT

Access-Based Enumeration is a rather cool add-on to Windows Server 2003 that allows an administrator to restrict what users can see on a file share. If Access-Based Enumeration is enabled for a share, a user can see only the files and folders to which they have access. This can help reduce support calls from users, eg "Why do I get this Access Denied error on the Finance folder?" and make it simpler for users to access the data they need.

For example, here's the view of an ABE-enabled share for an Administrator. A finance user on the other hand will see a different view, and a normal user will see an even more restricted view.

Now that all works fine on a single server without any further effort on the administrator's part.

When you enable ABE on a clustered file share, it will all appear to work just fine until the file share is failed over to another node. When this happens the file share will no longer be ABE-enabled, and the share will revert to the standard Windows 2003 behaviour. To get around this, we write a VBScript application and register it as a cluster resource within the appropriate cluster group.

Here's a script that does exactly this - note that it assumes ABECMD.EXE is available on the cluster drive (in this case, H:\) and that the share is called ABEShare:

Function Online( )
  on error resume next
  ' Call the ABECMD.EXE /Enable command for each share
  Set oShell = CreateObject("WScript.Shell")
  oShell.Run "H:\ABECMD.EXE /enable ABEShare", 1, true
  if (Err.Number <> 0) then
    Online = 1
  end if
  Online = 0
End Function

Function LooksAlive( )
  LooksAlive = True
End Function

Function IsAlive( )
  IsAlive = True
End Function

The version 1 script above is sufficient to re-establish Access-Based Enumeration on a clustered file share after failover. Microsoft recommends not placing the script files on the cluster disk, but for this type of script I think placing it on the cluster disk is acceptable. You may choose to store the script in the same location on each cluster node; but I'm not entirely convinced that the stated benefits outweigh the disadvantages in managing the script (replication etc). YMMV.

Implementing is simple. Add a new resource to the cluster group of type Generic Script. Your Possible Owners for the new resource should include all nodes on which the ABE share must be available. Set the script to be dependent on the File Share resource, and set the Script filepath to be the full path (H:\ABEShare.VBS) to the VBS file. When you being the resource online, the share will become ABE-enabled.

The script above has some limitations, the most glaring of which is that if an Administrator disables ABE (either using the command-line tools, or the Windows Explorer interface) the cluster will not know about it.

In part 2 I'll expand on the VBScript above and describe some improvements that allow the script to report the true status back to the cluster Resource Monitor.

Deliberations from Dave : Windows 2003, Clustering

Clustering with Access-Based Enumeration (Part 2)

Clustering with Access-Based Enumeration (Part 1)