Blog

We recently experienced a very strange issue with Exchange 2007 CCR. We had the MNS cluster w/file share witness running and the CCR mailbox servers were all replicating nicely. However, at very random intervals, replication would just stop happening from the primary to the secondary node. During these times, I could not RDP to the server, but I could ping it and log on locally so it wasn’t frozen in the literal sense. File share FROM the machine worked, but file share TO the machine didn’t. Rebooting the passive node would fix the issue. After about 4 days of troubleshooting (2 of those with Microsoft), I think the mystery may be solved. It goes something like this…

In Windows Server 2003 SP2, Microsoft introduced a new set of features collectively known as the “Scalable Networking Pack”. This package includes a TCP Chimney Offload (TOE) feature, a Receive-side Scaling feature, and a NetDMA feature. Basically, this allows network card driver developers to implement offload features on the NICs so that a certain portion of the network stack can be offloaded to the NIC's processor. It is a great idea, but unfortunately, the driver manufacturers haven’t implemented the technology correctly, partly because the feature set is buggy and partly because the NIC drivers are not thoroughly tested. One of the worst instances of this situation is with Broadcom NICs (yes, both HP and Dell use Broadcom chipsets). Generally, what happens is that the server starts exhibiting very strange RPC-related issues. RDP may not work, management via WMI may be broken, event log viewing will be VERY slow, etc. In my case, Exchange 2007 replication stopped working. So, if you notice these types of behaviors or experience any type of issue where RPC just doesn’t seem to be working correctly, set the following registry values to 0.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA

Then reboot the server. This basically turns off any offloading features at the OS level.


 

On February 12, Microsoft plans to make an updated Internet Explorer 7 installation package available via Windows Server Update Services (WSUS). The installation will be released as an Update Rollup package. Customers that require IE6 and have WSUS configured to auto-approve critical updates will need to disable the auto-approval feature before February 12 to ensure the rollup package is not released to clients.

Once the Update Rollup package for IE7 has synchronized with the WSUS server, the auto-approval feature can be turned back on and installation of the IE7 update can be managed manually.

Please note that if you have previously deployed the Blocker Toolkit to restrict automatic installation of IE7, Microsoft has not yet announced whether this will continue to prevent the installation of the new IE7 update.

For more information about the Blocker Toolkit, refer to the following link:
http://go.microsoft.com/fwlink/?linkid=65788

If you need help planning for and testing Internet Explorer 7, please contact us.

For more information regarding automatic delivery of Internet Explorer 7, please visit:
http://technet.microsoft.com/en-us/updatemanagement/bb226738.aspx


 

The shredding of printed information is an important part of information security. It's important to use a cross-cut paper shredder as opposed to a strip-cut shredder, but most of all it's important to verify that all your printed information is being shredded before it's thrown away.

During a recent audit we had a client tell us that they collect all their paper to be shredded, lock it up daily, and then send it to one of their main branches for shredding on a weekly basis.  It's our standard procedure to check the dumpsters behind our customers during our audits and in this case we found a few trash bags of non-shredded paper containing customer information. A trash bag full of paper with customer information appears to be regular trash to the untrained janitorial staff.  In this case proper labeling and more training could have helped avoid this problem.  Taking the time periodically to ensure that your paper shredding procedures are being followed could prevent exposing your confidential information.


 

A word of caution when upgrading the hard drive on a ThinkPad T43, R52, X41, or X41 Tablet.  These systems contain an IDE to Serial ATA bridge that allows IDE hard drives to be used with the Serial ATA controller.  This configuration can cause programs to function incorrectly and/or slowly when using a hard drive/firmware version that is not approved by Lenovo.  An unapproved hard drive/firmware version will generate a POST Error 2010 at system startup.

The Lenovo website on this issue: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-60169

List of approved hard drives/firmware versions: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-62282#harddrives

In addition, some Hitachi hard drives purchased on the retail market come pre-installed with a firmware version that generates the Error 2010, but also appears to be up-to-date to Lenovo’s firmware update utility.  Specifically, I ran into this issue with the Hitachi TravelStar HTS7210xxG9AT00.   In order to load a firmware version that will not generate the error, you must update the firmware manually.  Instructions can be found here:  http://forum.thinkpads.com/viewtopic.php?t=20858

Another good reference site for this issue: http://www.thinkwiki.org/wiki/Problem_with_non-ThinkPad_hard_disks


 
 

The Symantec Mail Security Appliance software uses passive mode for ftp when backing up the configuration. Since this device is usually installed in the DMZ, an ISA server publishing rule needs to be created to publish your internal ftp server.  This rule needs to be edited to support passive mode with a port range to be used.

When backing up the configuration, a path is required and it puts a / in front of the path specified.  Specifying "." for the path works, but it drops the file name and creates a file named ".".  I found the best solution is to specify "./" for the path and then it will transfer the backup file into the ftp server's user's default directory.


 

When using the Advanced Open File Option with Backup Exec, make sure you check the Job Log to see if it is actually getting used correctly. I wanted to use it to back up VMware Server virtual machines at CITBA. The job was running successfully, so I thought it was working correctly. We started getting calls that VMs running on that server could not be reached by users trying to RDP to them. Once the OSE connected to them via the VMware Server console, the app would show an "access denied" error (only once) and then go away and stuff would start working. After research, it was discovered that Backup Exec was actually using standard backup (not AOFO) to back up the VM vmdk files, thus causing a file lock issue with VMware Server. Note the very inconspicuous log below.

You can find this in the "Job History" tab of the job log. The reason was that no AOFO licenses were installed. So, the moral of the story is Backup Exec will let you select the AOFO option in a backup job and let you deploy the Backup Exec agent with the AOFO option even if you don't have the license installed, thus making you think AOFO will actually work. But don’t be fooled. It doesn't.


 

Here are a couple Symantec Mail Security for Exchange tips concerning scanning.

  • Be careful when selecting the “…force rescan before allowing access to information store” option. This forces a rescan of the entire information store every time virus definitions are updated. Depending on how big the information store is, this could take days to complete. And since Symantec usually releases updates at noon, this kicks off on the Exchange server right in the middle of the day.

  • If you are going to schedule scans of the information store, be sure to monitor the start and completion times so you can make sure you are not causing performance issues. The logs will report the start of the scan and the end with the following logs.

 

Notice here it took over a week for the scan to finish. This is an extreme case with a large information store, but even a medium size store could take a couple days to finish.

 

Those of us that use Vista have learned to use VPNs sparingly due to the new TCP/IP stack.  In Vista, shortly after establishing a VPN using the Windows client (not the Cisco VPN client), you will lose authentication to your local domain resources, particularly file shares (including the DFS).  The only consistent workaround I’ve been able to find for this problem is to delete my VPN credentials right after I bring up the VPN (before my local authentication goes away).  Just open a command prompt once your VPN is established and type:

cmdkey /delete /ras

This will remove your VPN authentication and preserve access to local shared resources.  If you need to browse to something over the VPN, you will be prompted for credentials on the remote system.


 

We had a customer that was seeing logon failures on their domain controller (Event ID 680) generated from their Exchange server.  The usernames requested were completely outlandish, and were determined to be simply coming from a dictionary attack.  The only service the bank had exposed was its SMTP service (Exchange server exposed directly to Internet via SMTP PAT).  We did some research and found that the failures were related to the SMTP "Auth Login" command.  The SMTP service was configured to allow Basic and Integrated authentication.  It appears that someone was using some type of dictionary attack from the Internet to try to guess valid user accounts and passwords via the SMTP service.  We disabled authentication support for the SMTP service so “Auth Login” is not available.
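
The pattern described above (Event ID 680 failures for many nonexistent account names, all sourced from one server) can be checked for mechanically. The following is an added example, not part of the original post; the record layout, the host names EXCH01 and TELLER07, and the threshold of five names are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

NO_SUCH_USER = 0xC0000064    # STATUS_NO_SUCH_USER: the account name does not exist
WRONG_PASSWORD = 0xC000006A  # STATUS_WRONG_PASSWORD: real account, bad password

# Field layout of the event 680 description text (assumed export format).
FIELDS = re.compile(
    r"Logon account:\s*(?P<account>\S+)\s+"
    r"Source Workstation:\s*(?P<source>\S+)\s+"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)")

# Constructed sample records; EXCH01 and TELLER07 are hypothetical host names.
SAMPLE_EVENTS = [
    "Logon account: aaron Source Workstation: EXCH01 Error Code: 0xC0000064",
    "Logon account: abby Source Workstation: EXCH01 Error Code: 0xC0000064",
    "Logon account: admin Source Workstation: EXCH01 Error Code: 0xC0000064",
    "Logon account: administrator Source Workstation: EXCH01 Error Code: 0xC000006A",
    "Logon account: backup Source Workstation: EXCH01 Error Code: 0xC0000064",
    "Logon account: zelda Source Workstation: EXCH01 Error Code: 0xC0000064",
    "Logon account: jsmith Source Workstation: TELLER07 Error Code: 0xC000006A",
    "Logon account: jsmith Source Workstation: TELLER07 Error Code: 0x0",
]

def suspected_guessing(lines, min_unknown=5):
    """Return source workstations that tried many nonexistent account names."""
    stats = defaultdict(lambda: {"unknown": set(), "real": set(), "failures": 0})
    for line in lines:
        m = FIELDS.search(line)
        if not m or int(m["code"], 16) == 0:
            continue  # unparsable line or successful validation
        code, s = int(m["code"], 16), stats[m["source"].upper()]
        s["failures"] += 1
        if code == NO_SUCH_USER:
            s["unknown"].add(m["account"].lower())
        elif code == WRONG_PASSWORD:
            s["real"].add(m["account"].lower())
    # Many distinct unknown names from one source is the dictionary pattern;
    # "real" lists existing accounts that also took password guesses.
    return {src: {"unknown_names": len(s["unknown"]),
                  "real_accounts_hit": sorted(s["real"]),
                  "failures": s["failures"]}
            for src, s in stats.items() if len(s["unknown"]) >= min_unknown}

if __name__ == "__main__":
    print(suspected_guessing(SAMPLE_EVENTS))
```

The accounts listed under real_accounts_hit exist in the domain and received password guesses, so they are the ones to review for lockouts or a later successful logon.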