Sunday, June 28, 2009

72 Hours of Barracuda

Before I left the office for the weekend, I installed a Barracuda Spam Firewall on the network. We've had nagging, random upticks in the amount of spam that was making it past the Antigen software running on our Exchange Server - even with filter updates multiple times a day. The Outlook filters were catching a lot of the additional UCE that was delivered to users, but it's not an ideal solution. For those of us who have mobile devices, that spam was getting delivered to those devices regardless of how the desktop client handled it later.

I just checked on how the Barracuda was doing and it had blocked over 11,000 messages since Friday evening. Antigen didn't have the most exciting reporting features without exporting things to a spreadsheet and playing around with pivot tables, so I can't say for sure how it compares, but I was impressed. I'll have to export some of the logs from Antigen at some point and make an official comparison.

It also allowed nearly 300 messages through, many of which were bulk mail that was tagged as such. So I'll have to tweak that a bit tomorrow. It was just nice to have a weekend where I didn't get spam passed through to my BlackBerry.

Hopefully people in the office will be impressed as well. I'll let this run for another week or so and then look into turning on the end-user quarantines.

Friday, June 26, 2009

Windows 7 Pre-Order Offer

With the Windows 7 release date scheduled for October 22, now is the time to take advantage of Microsoft's offer to save at least half off your upgrade from Vista or XP. Check out the details!

Also, if you are still running the Beta version of Windows 7 or want to try out Windows 7 RC for the first time, the last day to download the RC is August 15th.

Friday, June 19, 2009

NTDS Error 2103

This week one of my domain controllers developed a curious problem. I don't like curious problems, especially ones that rear their heads after the server reboots.


The error was an NTDS General event 2103, which indicates that the AD database "was restored using an unsupported procedure and Net Logon service has been paused". Research and KB Article 875495 lists event 2103 and 3 other events related to a condition known as USN Rollback.


This DC is running Windows 2003 SP2, so based on the article, I should be seeing at least the more serious NTDS Replication 2095 event as well, due to a hotfix in SP1 that made the error logging somewhat more verbose. But I'm not. This makes it more curious. Am I in a rollback state or not?

KB 875495 also lists some possible causes of this state, some of which are possible in a virtual environment - the case for this DC. It points me to another KB Article 888794 which lists out a bunch of considerations for hosting DCs as VMs. However our environment met all the requirements, including one related to write caching on disks, as our host machine has battery backed disk caching. So I rule out that we actively caused a potential rollback.

Repadmin has a switch (/showutdvec) that can be used to determine USN status by displaying the up-to-dateness vector USN for all DCs that replicate a common naming context. If the direct replication partners have a higher USN for the DC in question than that DC has for itself, that's considered evidence of a USN rollback. My DC did not have this problem, as it had a USN higher than its partners. So at this point I couldn't confirm or deny a true USN rollback issue, however it seemed that the DC "thought" it was having this problem. Maybe I could figure out why the DC was in this limbo.
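The comparison described above, as an added example that is not part of the original post: it parses saved `repadmin /showutdvec` output from each DC and reports any partner that holds a higher USN for the suspect DC than that DC holds for itself. The host names, site name and USN values are constructed, and the line layout is an assumption about how repadmin prints the vector.

```python
import re

# Assumed layout of each data line in `repadmin /showutdvec` output:
#   <Site>\<Server> @ USN <number> @ Time <timestamp>
UTD_LINE = re.compile(
    r"^[ \t]*(?:[^\\@\n]+\\)?(?P<dc>[^\\@\n]+?)[ \t]+@[ \t]+USN[ \t]+(?P<usn>\d+)[ \t]+@[ \t]+Time",
    re.MULTILINE,
)

def parse_utdvec(text):
    """Return {DC name: USN} from one DC's saved /showutdvec output."""
    return {m["dc"].upper(): int(m["usn"]) for m in UTD_LINE.finditer(text)}

def rollback_evidence(suspect, outputs):
    """outputs maps DC name -> /showutdvec text captured on that DC.

    Returns (partner, usn_partner_holds, usn_suspect_holds) for every partner
    whose vector records a higher USN for the suspect than the suspect's own.
    """
    suspect = suspect.upper()
    vectors = {dc.upper(): parse_utdvec(text) for dc, text in outputs.items()}
    if suspect not in vectors.get(suspect, {}):
        raise ValueError(f"no self entry for {suspect}; cannot compare")
    own = vectors[suspect][suspect]
    return [
        (partner, vec[suspect], own)
        for partner, vec in sorted(vectors.items())
        if partner != suspect and vec.get(suspect, 0) > own
    ]

def sample(dc1_on_dc1, dc1_on_dc2):
    """Constructed output for two DCs; only CHILD-DC1's USN varies."""
    def dump(usn_dc1, usn_dc2):
        return ("Caching GUIDs.\n..\n"
                f"Site1\\CHILD-DC1 @ USN {usn_dc1} @ Time 2009-06-19 08:14:02\n"
                f"Site1\\CHILD-DC2 @ USN {usn_dc2} @ Time 2009-06-19 08:10:45\n")
    return {"CHILD-DC1": dump(dc1_on_dc1, 31007), "CHILD-DC2": dump(dc1_on_dc2, 31020)}

# The post's situation: the DC's own USN is higher than its partner's copy.
HEALTHY = sample(dc1_on_dc1=48211, dc1_on_dc2=48190)
# Rollback pattern: the partner remembers a higher USN than the DC now reports.
ROLLED_BACK = sample(dc1_on_dc1=41000, dc1_on_dc2=48190)

if __name__ == "__main__":
    print(rollback_evidence("child-dc1", HEALTHY))
    print(rollback_evidence("child-dc1", ROLLED_BACK))
```

An empty result only means the vectors show no rollback; as in the post, the DC can still log event 2103 and pause Net Logon.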

So I returned to the original article to look for specific causes. One line reads, "Starting an AD domain controller whose AD database file was restored (copied) into place by using an imaging program such as Norton Ghost."

Thinking back, the conversion of this DC from physical to virtual did not go as smoothly as I would have hoped. I remembered I had to resolve some issue where I was getting an error in the logs related to the directory database file not being where the OS expected it, even though the path on the server hadn't changed during the conversion. It was odd at the time, but the posted fix seemed to clear the issue and I'd moved on.

I'm guessing that perhaps that was the start of my issues - maybe the P2V process made the OS think the database was a different copy even though it wasn't. The result was that the server thought it was rolled back, but the USNs never reflected a problem. So I decided it was better to be safe than sorry and assume this "limbo" condition was not how I wanted to leave things.

The resolution for USN rollback is a forced removal of the domain controller from AD. Since this is a DC in a child domain that's being phased out, very few changes happen to that domain so I wasn't concerned about possibly losing changes that may have been made on that DC. It was only the FSMO holder for one role which was easily seized by the other DC.

My decision now is to decide between bringing up a replacement DC for this domain next week or just running one DC for the time being and trying to speed up the remaining tasks that need to be done before we can remove the child domain altogether.

But that's for another day!









Thursday, June 11, 2009

Event Log Auditing

My company has had a policy for checking all server event logs at least weekly for as long as I can remember. Honestly I'm happy to review server logs on a regular basis, as I've caught a variety of small problems before they've become big problems by doing it. The bigger issue is creating a trail of some sort that proved that it was done to make our auditors happy.

Last fall I went looking for some software that would help with the whole process. We'd settled on NetPro's LogAdmin because we were purchasing some of their other products and LogAdmin seemed like it would do the trick. A combination of factors led to us not getting it installed properly or in a timely manner - my time being pulled by a variety of "more pressing" projects, the purchase of NetPro by Quest Software, my lack of experience with SQL installations, misinformation about what IIS requirements were needed to support the software, and then the subsequent "end of life" announcement for LogAdmin by Quest.

I feel like I spent a lifetime on the phone and sending emails, but we got our LogAdmin licenses converted to the equivalent Quest product, InTrust. So finally after 2 days of scheduled phone support, some growing pains of installing SQL 2005 on Server 2008 and the software requirement of disabling UAC, the InTrust product is installed and I've had some basic training on configuration.

Since we didn't originally look at this product, I feel like I've been flying blind. The support tech I was working with was great but concentrated his demos on the security logs, where I need reports and alerts for ALL the logs in Windows. I'm hoping I'll have some time next week to RTFM and concentrate on setting up the agent, filters and reports on a server or two to get more comfortable.


Wednesday, June 3, 2009

Windows 7 RC on my Samsung NC10

Finally got around to installing Windows 7 on my Samsung NC10 netbook - not that I haven't been dying to since TechEd in Los Angeles, I just hadn't the time until the other night. It probably helped that PacITPros was having a Windows 7 Loadfest meeting and I wanted to have it ready to go.

The install was pretty quick and although I had backed up all my personal files, it was great that everything that was on XP was conveniently backed up to the "windows.old" folder. (It made reinstalling iTunes extra fast since I didn't have to reload my music from backup DVDs.)

I love the way it looks and it didn't have any trouble finding drivers for all the basics - wireless network card, Bluetooth mouse, built-in video. Had to use some Vista drivers from the manufacturer for some of the Samsung specific things, like the special function keys, battery manager, etc. Found a great blog article by Ade Miller about installing Windows 7 on the Samsung, which was really helpful in the driver search.

The biggest issue so far has been with the free version of AVG anti-virus, which was severely slowing down the boot. I'm trying out the free version of Avast and that seems to be working well so far. Now I need to actually start using it to do my regular work.
