Pages

10/24/2008

Windows::DNS Alias

DisableStrictNameChecking
This is a known issue with 2000 and 2003 servers.

When a client computer connects to a Windows 2000 or 2003 server using an alias, the client receives:
System error 52 has occurred.
A duplicate name exists on the network.
This error occurs when you attempt to connect to the server by using a CNAME alias that is created in the DNS zone:
net view \\alias.<domain name.com>
where alias is a CNAME record that is created for the server in the <domain name.com> zone. Because the server is not listening on the alias, it does not accept connections to that name.


Start – Run - Regedt32
Create the following DWORD Key manually.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"DisableStrictNameChecking"=dword:00000001

Shutdown and restart the server.now alias should work again.

Outlook::Calendar Items



It seems like a couple times a month we get somebody with a wierd issue related to Outlook Appointments.
This Tech Support Article illustrates the many things that can go wrong with Outlook Calendar appointments and some of the solutions.

http://support.microsoft.com/kb/899704/en-us

10/14/2008

10/13/2008

Cisco::SNMP::IP Accounting


Gathering IP accounting information from a router via SNMP.
Cisco document with details about SNMP calls to gather MAC table and IP accounting tables from routers via SNMP.

Perl script to do this:



#!/usr/bin/perl
use SNMP_util;

$host = $ARGV[0];
chomp($host);
if ($host eq "") {
print "Host address (return = $defaultHost) ? ";
$host = <stdin>;
chomp($host);
}
if ($host eq "") { die "Usage: ipac [host address]\n"; }


print "Gathering data from $host . . .\n";

@accounting = snmpwalk ("public\@$host",".1.3.6.1.4.1.9.2.4.9");

my @src, @dest, $pkts, $bytes;

foreach $line (@accounting) {
($pre, $data) = split (/\:/, $line);
@mib = split(/\./, $pre);
if ($mib[1] eq "1") { push (@src, $data);}
elsif ($mib[1] eq "2") { push (@dest, $data);}
elsif ($mib[1] eq "3") { push (@pkts, $data);}
elsif ($mib[1] eq "4") { push (@bytes, $data);}
elsif ($mib[1] eq "5") { last;}
else { print "unrecognized data\n";}
}

my $index = 1;


open (OUT, ">", "output.html");
open (CSV, ">", "output.csv");

print OUT "<html><head><link rel=\"stylesheet\" type=\"text/css\" href=\"styles.css\" /></head><body><table border=\"1\" bordercolor=\"black\">";
print OUT "<h2>$host IP Accounting</h2><a href=\"output\.csv\" target=\"_blank\">Open in Excel</a>";
print CSV "$host IP Accounting\n";
print OUT "<tr><th>Source</th><th>Destination</th><th>Bytes</th><th>Packets</th></tr>\n";
print CSV "Source,Destination,Bytes,Packets\n";

foreach $from (@src) {
print OUT "<tr><td>$src[$index]</td><td>$dest[$index]</td><td>$bytes[$index]</td><td>$pkts[$index]</td></tr>\n";
print CSV "$src[$index],$dest[$index],$bytes[$index],$pkts[$index]\n";
$index++;
}

print OUT "</table></body></html>\n";

close OUT;
close CSV;

`output.html`
#
#

10/02/2008

Exchange2007::Outlook XP::Delivery Status Notification Issue

I have just installed Exchange 2007 and I am receiving delivery reports in some form of chinese text in outlook 2002;
格浴㹬਍䠼慥㹤⼼敨摡㰾潢祤ാ㰊㹰戼㰾潦瑮挠汯牯∽〣〰㘰∶猠穩㵥㌢•慦散∽牁慩≬䐾汥癩牥⁹獩搠汥祡摥琠桴獥⁥敲楣楰湥獴漠⁲楤瑳楲畢楴湯氠獩獴㰺是湯㹴⼼㹢⼼
 
It looks correct in OWA, if it's printed, forwarded, etc.
 

The exchange hub transport server sends the DSN messages in HTML format by default.

Changing it to send DSN's in text format will fix this issue.

 

powershell change this:

Get-TransportServer | Set-TransportServer –InternalDsnSendHtml $False

 

 


9/30/2008

Disable activesync for all mailboxes:
 
get-Mailbox | set-CASMailbox -ActiveSyncEnabled:$False
 


9/29/2008

Outlook::Freeware::Shutdown


I have a shutdown issue with Outlook from time to time. Cache mode file corruption can be problematic when Outlook Add-In's interfere with shutdown.
Outlook Shutdown Add-in

9/10/2008

How much data do I have?


Thanks to: e-discovery team blog

CD = 650 MB = 50,000 pages.
DVD = 4.7 GB = 350,000 pages.
DLT Tape = 40/80 GB = 3 to 6 Million pages.
Super DLT Tape = 60/120 GB = 4 to 9 Million pages.
***************************
Page Estimates:
1 MB is about 75 pages;
1 GB is about 75,000 pages (pick-up truck full of documents).

Aver. pgs. per email: 1.5 (100,099 pages per GB).
Aver. pgs. per word document: 8 (64,782 pages per GB).
Aver. pgs. per spreadsheet: 50 (165,791 pages per GB).
Aver. pgs. per power point: 14 (17,552 pages per GB).

***************************
For the average .PST or .NSF Email File:
100 MB .PST file is 900 emails and 300 attachments.
400 MB .PST file is 3,500 emails and 1,200 attachments.
600 MB .PST file is 5,500 emails and 1,600 attachments.
A 1.00 GB .NSF file is 9,000 emails and 3,000 attachments.
A 1.5 GB .NSF file is 13,500 emails and 4,500 attachments.

*************************** Note: Many variables will affect ALL of the actual numbers above, including especially large image and video files, and recursive files.

*************************** Bits and Bytes Sizes:
•8 bits are equal to 1 byte (one or two words),
•1,024 bytes are equal to 1 kilobyte (KB).
•1,024 kilobytes (KB) are equal to 1 megabyte (MB or Meg).
•1,024 megabytes are equal to 1 gigabyte (GB or Gig) (truck full of paper).
•1,024 gigabytes are equal to 1 terabyte (TB) (50,000 trees of paper).
•1,024 terabytes are equal to 1 petabyte (PB) (250 Billion Pgs. of Text).
•1,024 petabytes are equal to 1 exabytes (EB) (1 000 000 000 000 000 000 bytes).

9/09/2008

Security::VPN::Alphabet Soup



Integrity: AH = Authentication Header or ESP = Encapsulating Security Payload

Encryption: DES = Data Encryption Standard, 3DES = 3 DES keys used, AES = newer standard

Hash: SHA = Secure Hash Algorithm, MD5 = Message-Digest. SHA is newer/more secure. Vista uses SHA

9/02/2008

Protocol Analysis::TCP::TCP State Descriptions


Thanks to: http://www.tcpipguide.com



Table 151: TCP Finite State Machine (FSM) States, Events and Transitions

State

State
Description

Event
and Transition

CLOSED

This is the default
state that each connection starts in before the process of establishing
it begins. The state is called “fictional” in the standard.
The reason is that this state represents the situation where there is
no connection between devices—it either hasn't been created yet,
or has just been destroyed. If that makes sense.
J

Passive Open: A server
begins the process of connection setup by doing a passive open on a
TCP port. At the same time, it sets up the data structure (
transmission
control block or TCB
) needed to manage
the connection. It then transitions to the LISTEN state.

Active Open,
Send SYN:
A client begins connection setup by sending a SYN
message, and also sets up a TCB for this connection. It then transitions
to the SYN-SENT state.

LISTEN

A device (normally a server)
is waiting to receive a synchronize (SYN) message from
a client. It has not yet sent its own SYN message.

Receive Client SYN,Send SYN+ACK: The server device receives a SYN from
a client. It sends back a message that contains its own SYN and
also acknowledges the one it received. The server moves to the SYN-RECEIVED
state.

SYN-SENT

The
device (normally a client) has sent a synchronize (SYN)
message and is waiting for a matching SYN from the other device
(usually a server).

Receive SYN, Send ACK: If the device that has sent its SYN message receives a SYN from the other device but not an ACK for its own SYN, it acknowledges the SYN it receives and
then transitions to SYN-RECEIVED to wait for the acknowledgment to its SYN.

Receive SYN+ACK, Send ACK: If the device that sent the SYN receives both an acknowledgment to its SYN and also a SYN from the other device, it acknowledges the SYN received and then moves straight to the ESTABLISHED state.

SYN-RECEIVED

The device has both received a SYN (connection request) from its partner and sent its own SYN. It is now waiting for an ACK to
its SYN to finish connection setup.

Receive ACK: When the device receives the ACK to the SYN it sent, it transitions to the ESTABLISHED state.

ESTABLISHED

The “steady state” of an open TCP connection. Data can be exchanged freely once both devices in the connection enter this state. This will continue until the connection is closed for one reason or another.

Close, Send FIN: A device can close the connection by sending a message with the FIN(finish) bit sent and transition to the FIN-WAIT-1 state.

Receive FIN: A device may receive a FIN message from its connection partner asking that the connection be closed. It will acknowledge this message and transition to the CLOSE-WAIT state.

CLOSE-WAIT

The device has received a close request (FIN) from the other device. It must now wait for the application on the local device to acknowledge this request and generate a matching request.

Close, Send FIN:The application using TCP, having been informed the other process wants to shut down, sends a close request to the TCP layer on the machine upon which it is running. TCP then sends a FIN to the remote device that already asked to terminate the connection. This device now
transitions to LAST-ACK.

LAST-ACK

A device that has already received a close request and acknowledged it, has sent its own FIN and is waiting for an ACK to this request.

Receive ACK for FIN: The device receives an acknowledgment for its close request. We have now sent our FIN and had it acknowledged, and received the other device's FIN and acknowledged it, so we
go straight to the CLOSED state.

FIN-WAIT-1

A device in this state is waiting for an ACK for a FIN it has sent, or is waiting for a connection termination request from the other device.

Receive ACK for FIN:The device receives an acknowledgment for its close request. It transitions to the FIN-WAIT-2 state.

Receive FIN, Send ACK: The device does not receive an ACKfor its own FIN, but receives a FIN from the other device. It acknowledges it, and moves to the CLOSING state.

FIN-WAIT-2

A device in this state has received
an ACK for its request to terminate the connection and is now waiting
for a matching FIN from the other device.

Receive FIN, Send ACK:
The device receives a FIN from the other device. It acknowledges
it and moves to the TIME-WAIT state.

CLOSING

The device has received a FIN from the other device and sent an ACK for it, but not yet received an ACK for its own FIN message.

ReceiveACK for FIN: The device receives an acknowledgment for its close request. It transitions to the TIME-WAIT state.

TIME-WAIT

The device has now received aFIN from the other device and acknowledged it, and sent its ownFIN and received an ACK for it. We are done, except for waiting to ensure the ACK is received and prevent potential overlap with new connections.

Timer Expiration: After a designated wait period, device transitions to the CLOSED state.

Exchange::IIS::Redirect HTTP to HTTPS page for Outlook Web Access



The following KB article details customizing the error message for the 403.3 error (SSL required.)
MS KB 839357
I'm not an ASP programmer, but I couldn't get their sample code to work. Instead I used the more elegant HTML below:

<HTML>
<HEAD>
<TITLE>WebMail</TITLE>
<meta HTTP-EQUIV="REFRESH" content="0; url=https://email.COMPANY.com/exchange">
</HEAD>
<p>
Redirecting to: <a href="https://email.COMPANY.com/exchange" target="_blank">https://email.COMPANY.com</a>
</p>
</BODY>
</HTML>

5/12/2008

Exchange::Mailbox Cleanup Agent



Thanks to: MS Exchange Team Blog

Exchange 2000/2003 Mailbox Manager and msExchMailboxManagerAgeLimit.
In Exchange 2000/2003 mailbox manager policies may not process items as some administrators might expect. For example, if you set up a mailbox manager policy to delete messages from the inbox after 30 days, you may find that some of the messages are not deleted after the 30 day window has passed.

In Exchange 2000/2003, in order for a message to be processed by a policy, the age of the message must pass 3 criteria:

Delivery: (PR_MESSAGE_DELIVERY_TIME),

Sent: (PR_CLIENT_SUBMIT_TIME),

and Last Modified: (PR_LAST_MODIFICATION_TIME).

If any of these flags are less than the age specified on the mailbox manager policy settings, that message will not be processed. In other words, if you have a policy set to 30 days and at 29 days a user reads a message that falls under this policy (and hence sets the last modified flag back to 0 days) the message will not be processed after the 30th day because it will fail on 1 of the 3 criteria. It will not be processed until all the criteria are met (in this scenario after 30 more days)

This behavior is different than in Exchange 5.5. In Exchange 5.5, if the delivery time flag is present on a message then no other criteria will be checked. So in the above scenario, 30 days after receiving the message it would be purged.

The design was changed in Exchange 2000/2003 to better accommodate certain workflow programs, journaling and non-ipm.note message classes that would look at different message properties for cleanup.

However, in certain environments you might want to have Exchange 2000/2003 behave the same as Exchange 5.5. This can be done in Exchange 2000 with the post SP3 roll-up or with Exchange 2003 RTM by setting the msExchMailboxManagerAgeLimit attribute on the mailbox manager policy to a hex value of "0x3".

There are three values you can set this to depending on your needs:

0x1: The Last modification time will not prevent the deletion of a message. If the last modified modified date is greater than the limit, the item may be deleted.

0x2: The time that the message was submitted will not prevent the deletion of a message. If the submission time is greater than the limit, the item may be deleted.

0x3: This value sets both bits 0x1 and 0x2, and mimics the behavior from Exchange 5.5.

Note that Mailbox Manager does not ever delete recurring appointments or tasks, regardless of age. You cannot turn off evaluation of delivery time.

More information on setting this is in the following article: KB 326397

4/15/2008

HP Servers::iLo


Reset iLo Administrator Password

Thanks NetNerds !

1. Installed SNMP because it was a preprequesite
2. Download and Install the HP Insight Management Agents.
3. Download HP Lights-Out Online Configuration Utility.
4. Download HP Lights-Out XML Scripting Sample for Windows


reset.xml
<ribcl VERSION="2.0">
<login USER_LOGIN="Administrator" PASSWORD="boguspassword">
  <user_INFO MODE="write">
   <mod_USER USER_LOGIN="Administrator">
    <password value="newpass"/>
   </mod_USER>
  </user_INFO>
</login>
</ribcl>

hponfig.exe /f reset.xml

3/28/2008

HTML::Style Sheet::Page Breaks


This is a wonderful thing:

<STYLE TYPE="text/css">
HR {page-break-before: always}
</STYLE>

2/29/2008

Windows::Exchange 2007::Power Shell


Cryptic result from Get-StorageGroupCopyStatus
Get-StorageGroupCopyStatus ExchMbx01ccr\TestStg01 -StandbyMachine ExchDR
Resulted in SummaryCopyStatus = "not configured"
Documentation on TechNet did not even list "not configured" as a possible value.

It turns out that the server name was incorrect.

Get-StorageGroupCopyStatus ExchMbx01ccr\TestStg01 -StandbyMachine ExchDR01
Results in SummaryCopyStatus = "Healthy"

1/30/2008

SMTP::From Address Spoofing


Sender Policy Framework
The Problem: Sender Address Forgery
Today, nearly all abusive e-mail messages carry fake sender addresses. The victims whose addresses are being abused often suffer from the consequences, because their reputation gets diminished and they have to disclaim liability for the abuse, or waste their time sorting out misdirected bounce messages.

The Solution: SPF
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages. See the box on the right for a quick explanation of the different types of sender addresses in e-mails.

1/24/2008

Storage::Alphabet Soup


JBOD = "Just a Bunch Of Disks"
SBOD = "Switched Bunch Of Disks"

Switched = Better ;)

Article

1/17/2008

Data Center::Fire Suppression


FM200
Interesting information gleaned from overview from vendor:
- This system puts out a fire by quickly lowering the temperature of the room by 20 degrees or more. This also creates a vaccum in the room which, in addition to lower temp, puts out the fire. This change in pressure can displace ceiling tiles and stir up dust from the floor. Very shortly after the gas is deployed the room warms back up and the pressure in the room returns to normal.
- The gas is inert and not toxic to breath.
- The gas disperses sideways from a nosel that looks like a sprinkler head.
At our site this will be integrated with the same control system as our pre-action system.
So...it will work as follows:
- smoke alarm in the data center => the preaction system will release water control valve making water available to the system. The pipes remain pressurized so pipes still have only air in them until the heat from a fire causes a sprinkler to open.
- multiple smoke alarms in the data center => FM200 system will alarm, 30 second delay, the gas will be released. temp will go way down, ceiling tiles will be sucked down into the room--some will fall out, "hurricane" wind may blow more dust up from the floors, A/C system will be shut down to prevent air flow that would further feed fire. A few seconds later the room will warm up and the pressure will become normal. No cleanup procedure required. (just dust things off...)
Other interesting info from Q&A
- It is required to have a 4 foot square of ceiling around our sprinkler heads to allow for proper operation. If the sprinkler head is not at the top of the ceiling it will not heat up at the same rate as the rest of the room and not kick in soon enough.
- Sprinkler heads - bottom plate will melt off at 135 degrees F. That exposes an element that will melt at about 155 degrees F.
- in some cases locality may allow water fire suppression systems to be removed. This would likely require a backup system. Many times this is not allowed however either by the local statutes and/or building management.

Windows::Server Performance::Troubleshooting::Citrix


Troubleshooting Server Performance
The discussion of a specific issue below is perhaps useful in a more general sense for troubleshooting and performance monitoring topics.

Problem: After upgrading to Citrix Presentation Server 4.5 a higher average cpu utilization is observed as well as a high rate of context switches. Previously we have often received warnings in Citrix Performance Monitor for %interrupt -- this issue continues and is perhaps seen more often in 4.5 servers as well.

Background: Running PS4.5 using published applications and desktops on a Microsoft Windows 2003 SP2 server on a physical machine. Running several "high maintenance" accounting applications on two PS4.5 as published applications on virtual machines on VMWare Virtual Infrastructure 3.0 cluster. These all exhibit the symtoms above just since the upgrade to 4.5. Also, we are still running 4.0 on several other servers in the same Citrix Farm and various versions of PNA are in use by client machines (predominantly 8.x)

Investigation regarding context switches
A lot of good resources turned up:
Intel: Using Windows Performance Monitor
Sysinternals
www.thomaskoetzing.de
MSDN-Context Switches
Analyzing Processor Activity
Since this issue occurs on both physical and virtual servers it is not a VM problem, but will investigate this avenue as well to ensure correct and optimal configuration.
VMware: improving scalability for Citrix PS
http://redmondmag.com/features/article.asp?editorialsid=718


- definition: CPU's share their time between all threads according to priority. When the CPU stops working on one thread and starts working on another that is a context switch.
- monitoring: A ballpark rule of thumb is "normally" there should be no more than 28000 context switches per CPU on a system.
- What to look for
- Page file - too small, or is allowed to dynamically grow - recommendation: set to larger fixed size.
- Consider write cache on RAID controller
- insufficient hardware
- poorly designed device drivers or applications

Tools
- PerfMon - system/context switches
- SysInternals - Process Explorer - View > select columns > Process Performance > context switches, context switch delta
- pstat.exe (windows resource kit or support tools

VMWare
Some asides that came up during this investigation explained some issues we have had with virtualizing citrix servers. We needed to keep 2 cpu's in the VM after we converted them. That is the opposite of the VMWare recommendations we have seen.
- The multiprocessor HAL had not been downgraded to single processor HAL.
- Hidden devices in device manager had not all been removed.
1. Click Start, click Run, type cmd.exe, and then press ENTER.
2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
3. Type Start DEVMGMT.MSC, and then press ENTER.
4. Click View, and then click Show Hidden Devices.
5. Expand the Network Adapters tree.
6. Right-click the dimmed network adapter, and then click Uninstall
uninstall any other physical devices not needed


Investigation
- Interesting - on the VM servers when looking at Task Manager the %cpu listed individually for all the processes for all users did not appear to add up to what was showing up on the Performance tab (at least 50% discrepency.) This was not observed on the physical server
- For both VM's and physical servers: Citrix Performance Monitor was showing warnings and intermittent error conditions on %cpu, %interrupt, context switches/sec.
- The VM's cpu utilization on the host machine is extremely high. On the server with the greatest number of users it maxed out the host cpu for much of the time I watched it.
- Watching performance monitor a few minutes showed context switches/sec to be in the hundreds of thousands.
- Opened Process Explorer and set view to show context switches and context switch deltas. I observed that at times it reported up to 50% cpu was due to hardware interrupts (this was not as dramatic when I checked it on the physical machine so I wonder if this is a reporting issue related to vmware's magic behind the scenes.) Also, the highest context switch delta was for hardware interrupts so Process Explorer was no help to further isolate it.
- To isolate what driver or program might be causing this issue, I piped the output of pstat.exe to a file and looked for the highest count of context switches. I took the memory address of that thread and looked it up in the bottom section to find what address range it fell in. In this case it was CDM.SYS
- google search of CDM.SYS turned up multiple articles about Citrix servers. I think CDM stands for Client Data Mapper. Of greatest interest is an article about a hotfix for PS4.5:
http://support.citrix.com/article/CTX114121 (and I see a lot of other post FR1 hotfixes out there too.)
The issue resolved in this hotfix is:
"Winlogon.exe shows higher than average CPU consumption on the server. The issue occurs because the server refreshes the smart card reader state more frequently than necessary. This occurs even if smart cards are not being used. With this fix, the reader state is refreshed only once per noticeable event."