
Archiving

Archiving allows you to create a copy of selected data on another storage device, whether it be an exacqVision S-series storage server, a user provided storage server, exacqVision Cloud Drive, an Amazon S3 account, or Wasabi S3 account.

This video explains how to create a new archiving profile, establish the archiving task, then schedule the specific data you wish to archive.

For additional, detailed information on setting up Cloud Drive archiving, please refer to our separate Cloud Drive videos as well.

Chapters:
00:00 Intro
00:27 Archiving vs. Extended Storage
00:58 Creating an Archiving Profile
03:45 Scheduling the Archiving Task
05:10 Selecting the Data to Archive


Edge Plus Archive Options

exacqVision Edge Plus Archiving currently supports SMB archiving targets.

Edge Plus does not currently support Cloud Drive or Amazon S3 archiving.


How multiple adapters on the same network are expected to behave

Summary

If you configure a Windows-based computer that has more than one network adapter on the same physical network and protocol subnet, you may experience unexpected results. This article describes the expected behavior of this kind of nonstandard configuration. 

More Information

Consider the following scenario:

  • You have a working computer that has Windows installed.
  • Two network adapters are connected to the same physical network or hub.
  • TCP/IP is installed as the network protocol.
  • The adapter addresses on the same subnet are 192.168.0.1 and 192.168.0.2.
  • A client on the network uses the address 192.168.0.119.

In this scenario, you may expect the two adapters on the same physical network and protocol subnet to perform load balancing. However, by definition, only one adapter may communicate on the network at a time in the Ethernet network topology. Therefore, both adapters cannot be transmitting at the same time and must wait if another device on the network is transmitting. Additionally, broadcast messages must be handled by each adapter because both are listening on the same network. This configuration requires significant overhead, excluding any protocol-related issues. This configuration does not offer a good method for providing a redundant network adapter for the same network. 

Note Windows Server 2012 includes a new feature called SMB Multichannel. SMB Multichannel is part of the SMB 3.0 protocol and lets servers use multiple network connections at the same time. For more information about SMB Multichannel, visit The basics of SMB Multichannel, a feature of Windows Server 2012 and SMB 3.0.

Note Windows Server 2012 servers cannot use multiple network connections at the same time if the network is configured by using CSMA/CD.

Assume that the server has to send a packet by using the TCP/IP protocol to a client whose address is 192.168.0.119. This address is located on the local subnet. Therefore, a gateway does not have to be used to reach the client. The protocol stack uses the first route that it finds in the local routing table. Typically, this is the first adapter that was installed. In this case, that adapter is 192.168.0.1. If the transmission fails, later retries may use the same adapter according to the entry that is found in the routing table. 

If the network cable for the 192.168.0.1 adapter fails, this does not necessarily cause the route to be removed from the routing table. Therefore, the second adapter still may not be used. 

Another thing to consider is that some network applications bind to specific adapters in the system. If a network application were to bind to the second adapter specifically, application-related traffic that was received from clients on the first adapter might be ignored by the application. This might be caused by NetBIOS name registration on the network. Additionally, if the adapter to which the application is bound fails, the application may fail if it does not use the other adapter.  

Usually, unless applications specifically demand it, this kind of configuration is not helpful. Some manufacturers make fault-tolerant network adapters to guard against a single point of failure. These adapters enable two adapters to be included on the same server but enable only one adapter to be used at a time. If the primary adapter fails, the driver deactivates the first card and enables the second by using the same address configuration. The result is a fairly seamless transition to the alternative adapter. This is the preferred method to guard against a single network adapter as a single point of failure.

Microsoft article link

https://support.microsoft.com/en-us/topic/how-multiple-adapters-on-the-same-network-are-expected-to-behave-e21cb201-2ae1-462a-1f47-1f2307a4d47a


Archiving continually says “Disconnected” on Linux systems 12.04 and Older

When connecting an NVR running Ubuntu 12.04 or older to a newer S-Series, it may fail to connect and display the “Disconnected” message on the archiving page, even though everything is correct. Systems running Ubuntu 14.04 or newer do NOT have this issue.

When you search the logs, you will see a message stating it failed to connect.

There is a combination of configuration defaults that prevents an Ubuntu 12.04 (or older) server from establishing an SMB connection to an Ubuntu 18.04+ (S-Series) server.

Samba changed their “allow ntlm” default from yes to no in version 4.5.0. The version of Samba available for Ubuntu 16.04 is 4.3.11 (still allows ntlm, no connection issue), and for Ubuntu 18.04 it is 4.7.6 (does not allow ntlm by default, so can’t connect).

The workaround used at the customer is to re-allow ntlm on the S-Series by adding ntlm auth = yes to /etc/samba/smb.conf on the S-Series server and restarting the smbd service.

You will need to either be at the S-Series itself or SSH in to it.

Run the following command in a terminal on the S-Series:

sudo nano /etc/samba/smb.conf

Add the following line right above domains…..:

ntlm auth = yes

Make sure you save the file when finished.

Next, restart the SMB service. From the terminal, type the following:

sudo /etc/init.d/samba restart

Now go back to Exacq Client > Archiving, disable archiving, then re-enable it, and it should connect.

Trac#22991


System watchdogs while archiving when SMB network share connection is lost

Affected platforms

exacqVision 7.1.23 to 7.2.0 running on Ubuntu Linux


Symptom

If the recorder is archiving and cannot reach an SMB archive target, the recorder will become unresponsive and watchdog reset.


Workaround

Downgrade to a version prior to 7.1.23


Resolution

Upgrade server to 7.2.1 or newer to address proper timeout detection and erroneous watchdog behavior. However, LDAP, e-mail notifications, drive/RAID monitoring and other operations involving external executable utilities will cease to function until the archive connection is restored. Refer to https://crm.exacq.com/kb/?crc=1151 for more details on how to subsequently resolve the archiving connection issue.


SMB server signing and encryption for Archiving

exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB Shares on non-Exacq built systems is outside the scope of Exacq Support.

There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.


Versions

Discussing versions quickly becomes a tangled web, which we will try to unravel here.

When capturing the network traffic between two devices using applications such as Wireshark, the protocol will be listed as SMB2, which supports many dialects, including 2.1, 3.0 and 3.1. This can cause some confusion, as many people refer to dialects as versions. We will use the term dialect for these here.

Introduced in 2015, dialect 3.1.1 is the latest release of SMB at the moment. While SMB is the protocol used, it is implemented on Linux systems by an application named Samba. Samba provides support for SMB as well as other protocols, so it has its own version numbering, separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.

How to check the version of Samba installed on your S-series or other Linux system:

  1. Open a Terminal window, by pressing CTRL+ALT+T
  2. Type samba --version, and press Enter.


Server Signing

Server signing is a security method used by SMB. When signing is enabled, every SMB message includes a signature key and a hash of the entire message is included in the message header.

How does signing help protect data? In addition to verifying the identities of the sending and receiving devices, the nature of hashing means that if an attacker changes the message between the NVR and the archive share, the hash will no longer match.


Encryption

SMB version 2.0 provides encryption, but uses HMAC-SHA256 encryption. SMB 3.0 updated the encryption used to AES-CMAC and AES-CCM. SMB 3.1.1 then updated to support AES-128-GCM and AES-128-CCM, as well as other security enhancements.

| SMB Dialect | Encryption Method |
|---|---|
| 2.0 | HMAC-SHA256 |
| 3.0 | AES-CMAC and AES-CCM |
| 3.1.1 | AES-128-GCM and AES-128-CCM |


Manual Enforcement

As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the version and dialect they will use.

The client first advertises to the server which versions and dialects it supports. The server replies with the highest version and dialect it supports so they can agree. In the case of exacqVision’s Archiving, the client is the recording NVR system and the server is the S-Series system.

IMPORTANT: Because the protocol automatically selects the highest version both devices support, and because SMB signing and encryption are mature technologies, there is usually no need to manually configure settings. It is recommended only in situations where specific network requirements must be enforced to function properly.


To manually configure SMB:

  1. On the S-Series server, open a Terminal window by pressing CTRL+ALT+T
  2. Use sudo permissions to edit /etc/samba/smb.conf
  3. Locate the [global] settings section.
  4. Beneath the [global] tag, add the following lines:
    server signing = mandatory
    server min protocol = SMB3_11
    server max protocol = SMB3_11
  5. Save your changes, then exit the file.
  6. Restart Samba by entering
    sudo /etc/init.d/samba restart

The entries given for Step 4 above enforce server signing as well as SMB dialect 3.1.1. Attempts to connect with anything else would fail. A list of possible options for these three entries is given below.

server signing = [default, auto, mandatory, disabled]

server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

Note: ‘server min protocol’ should be the same or lower than ‘server max protocol’. If these are different values the client and server must support a dialect in between these values. If these are the same value, they must support that specific dialect.

IMPORTANT: If these fields are left out of the smb.conf file entirely, the default behavior is the same as entering the following:
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
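
Added example (not exacqVision or Samba project code): a shell audit of the [global] section of an smb.conf file that flags the ntlm auth = yes workaround from the “Disconnected” article and any drift from the Step 4 settings above. The function names and the sample file are constructed for illustration; ntlmv1-permitted is the long spelling of yes in newer Samba releases.

```bash
# Effective value of a [global] parameter (last assignment wins). Samba matches
# parameter names case-insensitively and ignores the spaces inside them.
smb_global_get() {  # usage: smb_global_get FILE "param name"
  awk -v want="$2" '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                    # comment line
    /^[ \t]*\[/ {                             # section header
      sec = tolower($0); sub(/^[ \t]*\[[ \t]*/, "", sec)
      sub(/[ \t]*\].*$/, "", sec); next
    }
    sec == "global" && index($0, "=") {
      key = norm(substr($0, 1, index($0, "=") - 1))
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == norm(want)) found = val
    }
    END { print found }' "$1"
}

# Print one finding per line; the return status is the number of findings.
audit_smb_conf() {  # usage: audit_smb_conf FILE
  local n=0 ntlm sign min
  ntlm=$(smb_global_get "$1" "ntlm auth" | tr 'A-Z' 'a-z')
  sign=$(smb_global_get "$1" "server signing" | tr 'A-Z' 'a-z')
  min=$(smb_global_get "$1" "server min protocol" | tr 'a-z' 'A-Z')
  case $ntlm in yes|ntlmv1-permitted)
    echo "ntlm auth = $ntlm: NTLMv1 accepted (legacy-client workaround on)"; n=$((n+1)) ;;
  esac
  if [ "$sign" != mandatory ]; then
    echo "server signing = ${sign:-<unset>}: signing is not mandatory"; n=$((n+1))
  fi
  if [ "$min" != SMB3_11 ]; then
    echo "server min protocol = ${min:-<unset>}: not pinned to SMB3_11"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample: NTLM workaround applied, one Step 4 line under a share.
sample_conf() {
  cat <<'EOF'
[global]
   # ntlm auth = no
   NTLM Auth = yes
   server signing = auto
[archive]
   path = /mnt/archive
   server min protocol = SMB3_11
EOF
}
tmp=$(mktemp); sample_conf > "$tmp"; audit_smb_conf "$tmp" || echo "$? finding(s)"; rm -f "$tmp"
```

On the S-Series itself, pass /etc/samba/smb.conf as the file argument. The sample reports three findings because the min protocol line sits under a share section rather than [global].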


Configuring Samba (SMB) Shares on exacqVision S-Series Enterprise Could Fail After Repartitioning a Drive

If an exacqVision S-Series Enterprise system is configured for Samba (SMB) shares, and then the number of partitions on the drive is changed, configuring a Samba share on the new partitions could fail.


As a workaround, first configure the new partitions for extended storage to ensure that partitions are properly formatted.


Auto Export to a Network Share from Linux-based Exacq Server

To configure auto export from a Linux-based Exacq Server to a network share, complete the following steps: (Windows procedure here)

NOTE: For Linux-based systems, this procedure is available in exacqVision Server/Client version 6.6 and later.

  1. On the Archiving page in exacqVision Client, add a new archiving target with appropriate credentials and verify that it successfully connects. Do NOT configure an archiving task for this target.
  2. On the Auto Export page in exacqVision Client, click the Refresh Status button once to ensure that the configured target will be presented as an available auto export location.
  3. When you configure an Auto Export profile (or click the Auto Export Now! button), your network target will be available in the Export Path or Partition drop-down list.

To remove the network target, complete the following steps:

  1. On the Archiving page in exacqVision Client, delete the archive target.
  2. On the Auto Export page in exacqVision Client, click the Refresh Status button once. The target will no longer be available as an Auto Export location.


Auto Export to Windows Network Share from Windows-based Exacq Server

On a Windows system, exacqVision Server runs as a service. This is desirable because the service starts recording video without user interaction when the system is started. However, this creates an issue with the management of credentials for access to network storage, as the exacqVision Server does not run from a normal user account that requires credentials, but runs from the System account.

If you would like to use the Auto Export feature to export video to a network share in Windows, please follow the steps below. (Linux instructions here):

  1. On the Exacq NVR, log into the Windows operating system as an admin user.
  2. Download PsTools and extract PsExec.exe from the zip file.
  3. From the Start menu, select All Programs and then Accessories. Right-click on Command Prompt and select Run as Administrator.
  4. Change the directory to the location where you extracted PsExec.exe.
  5. At the prompt enter: psexec -i -s cmd.exe
    If necessary, agree to the SysInternals license agreement.
  6. In the new command window, type
    net use z: \\192.168.1.23\SHARE /persistent:yes
    The mapped drive letter (z: in this example) and the network share location (192.168.1.23\SHARE) can vary as needed for your installation. Replace SHARE with your own directory path.
    • If the above fails, you may need to provide credentials to connect to this share directory. These may be added to the command, like so:
      net use z: \\192.168.1.23\SHARE /persistent:yes /user:"USERNAME" "PASSWORD"
    • Additionally, in some environments you may need to provide the domain name:
      net use z: \\192.168.1.23\SHARE /persistent:yes /user:"DOMAIN\USERNAME" "PASSWORD"
      or in the case of a local user account:
      net use z: \\192.168.1.23\SHARE /persistent:yes /user:"local\USERNAME" "PASSWORD"
  7. If credentials are required to access this network share, you should be prompted. Enter the username and password.
  8. Once the command completes successfully, close both command prompt windows.
  9. In exacqVision Client, open the Auto Export page under Config. Click Refresh Status to display the newly configured drive in the Export Path drop-down list.

The network share mapped to the Z:\ drive is now available for use in an export profile for event-driven exports or for user-initiated Auto Export.

If you want to remove this share from the machine in the future, use a Command Prompt run as Administrator to run PsTools again:
psexec -i -s cmd.exe

At the new prompt, enter:
net use DRIVE: /delete
where DRIVE is replaced with the letter of the mapped drive to remove.