Over the last year, many people from the support organization and many customers have asked me about the importance of the NoDirectSDR registry entry for FlashBackup. The frequent questions I come across include (but are not limited to):
• Why do I need to bother about it at all? What is it all about?
• My FlashBackup mapping is pretty slow; should I enable it?
• I don’t see any improvement after enabling it; should I disable it?
• Do I miss any functionality if I disable it?
• How do I enable/disable it?
I kept promising that one day (that day is now) I would explain it all in detail, and meanwhile just kept answering situation-specific questions. So here is the deal.
If you don’t use a FlashBackup policy for Windows, you can skip this article; it doesn’t apply to you. If you use VCB backup type 1 & 2, again it doesn’t apply much to you, because you can’t disable/enable this registry key. If you are using FlashBackup to back up your Windows hosts, read on. If you are using VCB backup type 0 and 3, continue. I would like to divide this article into 5 major parts.
1. What are security descriptors in NTFS or similar file systems
2. How and why FlashBackup uses them
3. How to disable/enable it
4. When you want to disable it, and troubleshooting steps
5. Advanced reading suggestions
This feature was introduced with NetBackup 6.5.1, and the NoDirectSDR registry entry is enabled by default. It was the outcome of a project to improve FlashBackup mapping performance through direct read of the NTFS Security Descriptor Database in VxMS. Let’s first look at security descriptors in the NTFS file system.
1. What are security descriptors in NTFS or similar file systems
A security descriptor is the data structure Windows uses to control access to securable objects such as files, folders, registry keys, services, etc.
Each securable object has a security descriptor.
What security descriptors contain:
• Owner SID - who created the object
• Primary group SID for the owner
• Discretionary Access Control List (DACL)
  • Defines who has been granted/denied access to the object
  • Owners and Administrators can make changes to the ACL
• System Access Control List (SACL)
  • Defines users whose access or failure to access an object is monitored
More advanced details on this and on ACLs/ACEs can be found on MSDN.
SD block-diagram contents:
• Header – Describes the contents of the security descriptor. It also contains a control structure that defines whether the object can inherit permissions from the security descriptor of its parent.
• Owner SID – Except for administrators, the owner of an object is the user who created it. Objects created by any member of the Administrators Built-in group are assigned the Administrators group as the owner.
• Primary group SID for the owner – This identification is used for POSIX and Macintosh support only.
• Discretionary access control list (DACL) – This list defines the security principals who have been granted access or denied access to the object. The "discretionary" in DACL means that owners and administrators can make changes to the list.
• System access control list (SACL) – This list defines users who will be logged by the auditing system when they access or fail to access an object. The ability to modify a SACL should be strictly controlled to prevent a bad guy from disabling auditing while he does dirty deeds.
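The layout listed above, as an added example that is not part of the original article and is not NetBackup or VxMS code: a small Python parser for a self-relative security descriptor, run over a constructed sample. The field layout follows the Windows SDK structure definitions; the sample bytes and the helper names are made up for illustration.

```python
import struct

# Control bits of the SD header (values from winnt.h).
CONTROL_FLAGS = {0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT",
                 0x1000: "SE_DACL_PROTECTED", 0x8000: "SE_SELF_RELATIVE"}
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}  # basic ACE layouts only

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... string form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_acl(buf, off):
    """Return [(type, access_mask, sid), ...] for the ACL at buf[off:]."""
    ace_count = struct.unpack_from("<BBHHH", buf, off)[3]
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        # Object/callback ACE types carry extra fields, so skip their SID.
        sid = parse_sid(buf, pos + 8) if ace_type in ACE_TYPES else None
        aces.append((ACE_TYPES.get(ace_type, ace_type), mask, sid))
        pos += ace_size
    return aces

def parse_security_descriptor(buf):
    """Parse a self-relative SD; an offset of 0 means that part is absent."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf)
    if not control & 0x8000:
        raise ValueError("not a self-relative security descriptor")
    return {"revision": rev,
            "control": [n for bit, n in CONTROL_FLAGS.items() if control & bit],
            "owner": parse_sid(buf, o_owner) if o_owner else None,
            "group": parse_sid(buf, o_group) if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if o_dacl else None,
            "sacl": parse_acl(buf, o_sacl) if o_sacl else None}

def _sid(*subs):  # constructed sample data: SID under authority 5 (NT AUTHORITY)
    return struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def _ace(mask, sid):  # constructed sample data: access-allowed ACE
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid

_acl_body = _ace(0x001F01FF, _sid(32, 544)) + _ace(0x001200A9, _sid(32, 545))
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 48)  # 20-byte header
             + _sid(32, 544) + _sid(18)                             # owner, primary group
             + struct.pack("<BBHHH", 2, 0, 8 + len(_acl_body), 2, 0) + _acl_body)  # DACL

if __name__ == "__main__":
    print(parse_security_descriptor(SAMPLE_SD))
```

The sample has no SACL, so its offset in the header is 0 and the parser reports it as absent.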
2. How and why FlashBackup uses them
Windows FlashBackup uses an internal algorithm to:
• Get the extent mapping of files being backed up
• Retrieve the security descriptors of files being backed up
• Restore file contents, attributes, security descriptors and so on…
Security descriptor retrieval methods:
• Either using the NTDLL API ZwQuerySecurityObject()
• Or direct read of the NTFS $Secure (Security Descriptor Database) file
Using the NTDLL API ZwQuerySecurityObject():
• Needs a file handle for each file, hence slow
• Retrieval fails if a file handle cannot be obtained
• No parsing of $Secure involved
• Available as the default method until NBU 6.5 and as a fallback in NBU 6.5.1
Direct read of the NTFS $Secure file:
• No dependency on handle processing
• Implemented as the default method in NBU 6.5.1
3. Enabling and Disabling Method
Direct read of NTFS $Secure is enabled by default in NBU 6.5.1.
It can be disabled by adding a registry entry:
• NoDirectSDR registry key
• Path: \HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VxMS
Note that without the above registry entry, or with the entry set to value 0, direct read of SDs is enabled.
A non-zero value disables direct read of SDs and falls back to using the NTDLL API ZwQuerySecurityObject().
4. When you want to disable it, and troubleshooting steps
The only reason I can think of is when it fails: your backups are not running successfully, and you see many errors in your backup like:
tar_base::V_vTarMsgW: INF - VxMS Error message 1 = xm_get_next_index: vfm_open_file_index XXXXX failed error 1
where XXXXX is any index (it starts from 1 and theoretically goes up to infinity) and you see this error for all indexes in your backup. Your bpbkar log is filled with these errors.
How to find out whether that’s the problem and whether you should even consider disabling it:
• Open your registry using regedit.
• Go to \HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VxMS
• Find out the installation directory. It will be similar to C:\Program Files\common files\Veritas\VxMS\
• You may find a folder named logs inside the VxMS folder.
• See if you have any vxms_ntfs_9.txt files inside that folder. If yes, now is the time to call your local Symantec technical support and ask them whether disabling this registry entry will help. In most cases it will, but situations may vary from environment to environment.
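The checks from sections 3 and 4 as a Python triage sketch, added here as an example and not taken from NetBackup or from the original article. It assumes NoDirectSDR is a named value under the VxMS key (the article does not state its type); the sample log lines are constructed from the message format quoted above.

```python
import re

# Message quoted in section 4; only the index and the error code vary.
VXMS_ERR = re.compile(r"xm_get_next_index: vfm_open_file_index (\d+) failed error (\d+)")

def sd_retrieval_method(no_direct_sdr):
    """Map the NoDirectSDR value (None = entry absent) to the method in use."""
    if no_direct_sdr is None or int(no_direct_sdr) == 0:
        return "direct read of $Secure"
    return "ZwQuerySecurityObject() fallback"

def read_no_direct_sdr():
    """Windows only. Assumption: NoDirectSDR is a value under the VxMS key."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Veritas\VxMS") as key:
            return winreg.QueryValueEx(key, "NoDirectSDR")[0]
    except FileNotFoundError:
        return None  # entry absent: direct read stays enabled (the default)

def summarize_index_failures(lines):
    """Collect the file indexes that hit the VxMS open error in a bpbkar log."""
    failed = set()
    for line in lines:
        m = VXMS_ERR.search(line)
        if m and m.group(2) == "1":
            failed.add(int(m.group(1)))
    highest = max(failed, default=0)
    # True when every index from 1 up to the highest one failed, which is
    # the "error for all indexes" symptom described in the text.
    every = bool(failed) and failed == set(range(1, highest + 1))
    return {"failed": len(failed), "highest_index": highest, "every_index_failed": every}

def should_call_support(lines, vxms_log_files):
    """Both signs from the text: all indexes fail and vxms_ntfs_9.txt exists."""
    has_ntfs_log = any(name.lower() == "vxms_ntfs_9.txt" for name in vxms_log_files)
    return summarize_index_failures(lines)["every_index_failed"] and has_ntfs_log

# Constructed sample log: indexes 1-4 fail, plus one unrelated line.
_MSG = ("tar_base::V_vTarMsgW: INF - VxMS Error message 1 = "
        "xm_get_next_index: vfm_open_file_index %d failed error 1")
SAMPLE_LOG = [_MSG % i for i in range(1, 5)] + ["tar_base::V_vTarMsgW: INF - unrelated line"]

if __name__ == "__main__":
    print(summarize_index_failures(SAMPLE_LOG))
    print(should_call_support(SAMPLE_LOG, ["vxms_ntfs_9.txt"]))
```

On the backup client, pass the result of `read_no_direct_sdr()` to `sd_retrieval_method()` and the file names from the VxMS logs folder to `should_call_support()`.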