
Author Archive for Eriq – Page 3

Apr 23

Eriq Presenting to SMBTN Fresno Group Meeting

by Eriq


Tonight I’ll be presenting to the Fresno chapter of SMBTN during their monthly meeting. Susan Bradley has blogged the meeting info, including the LiveMeeting access information, so the meeting is open to any who wish to attend. See Susan’s post for the LiveMeeting information. 

In the first hour of the meeting, I’ll be talking about my anti-virus of choice, Sophos. I’ll demo the management console, discuss how the product itself works, and talk about the business side of being a Sophos reseller as well. Stop by if you’re able!

Categories : EBS, User Group

Apr 22

SSL Certificate Validation

by Eriq

I put up a post this morning regarding SSL certificate request validation over on the Third Tier web site. If you’ve been wondering how SSL certificates work in SBS 2008 or if you’re about to renew an SSL certificate on an SBS 2003 box, you might want to check out that post.

Categories : Eriq Neale, SBS 2008

Apr 20

Troubleshooting Tale: Remote Access Loss on Server

by Eriq

You can almost always count on interesting things happening during Update Weekend. Sometimes a patch will yield unexpected results, sometimes you lose access to the server after initiating a restart (and yet the server doesn’t actually restart), and so on. This past weekend was no different, but the type of issue encountered was.

As such, I’m going to start a new series of posts showing how troubleshooting was approached in a particular situation, to help others identify other possible troubleshooting steps or avenues when they encounter problems. We’ll start with a rather typical symptom (restarted a server remotely and could not get access back to the server when it should have come up) that had a very unusual root cause.

As mentioned, this started when I lost access to the server in question following a remote restart request. When doing updates, we always do a clean restart of the system prior to installing updates to make sure the server will come up cleanly, so if there are problems, we know they’re NOT related to the updates. Anyway, I restarted this server in question Saturday morning at 8:30am, and by 9:00am I knew it wasn’t coming back. Not only could I not connect via RDP, but telnet to port 25 to check SMTP was also failing, so the server was pretty clearly not coming back.

I was able to reach a contact for this customer and got someone on site to take a look. Maybe it received a shutdown command instead of a restart, maybe they lost power, whatever. The on-site contact was able to log into the server, but it was running really slowly. We checked the basics. Did it have a valid IP address? It did. Was the server able to ping the default gateway? It could. Was the server able to ping www.google.com? It could not. Hm. Sounds like a DNS issue. I asked the on-site person to open the Services control panel, and it took about 5 minutes to open. Not good. At that point, I arranged for an on-site visit myself.

When I arrived, the server was running very sluggishly. I confirmed the tests we had already done: ipconfig is correct, basic networking is working (can ping the gateway and other internal resources by IP), but DNS was failing. I tried an nslookup and the DNS server timed out. OK, sounds like the DNS service isn’t running. Looked in the open Services console, and sure enough the DNS Server Service is in a Starting, but not Started, state. That’s when I noticed that a number of Automatic services were not started, including (but not limited to) DHCP server, Event Log, Terminal Services, SMTP, WINS Server, and a few others.

OK, so that explains why the server can’t get out to the Internet, and why I couldn’t remotely access the server. Now what? Let’s try to start some of the services and see if it’s just a startup glitch that kept them from launching at boot. I started with DHCP simply so we could get workstations back up if needed. DHCP Server wouldn’t start because one of its service dependencies didn’t start. OK, that’s another step towards the solution. Let’s look at the dependencies for the DHCP Server service and the other services that didn’t start and find a common service.

After looking at the dependencies for most of the services, the common thread is the EventLog service. So if we can get the EventLog service running, we’ll probably get several of the others started. Next step, let’s try to reboot into Safe Mode and see if that alters the behavior. So, we restart the server in Safe Mode with Networking, and have the same problems. EventLog and other services that should start in Safe Mode are not starting. At this point we reboot back into normal mode and troubleshoot from there.

So it’s possible that a corrupt event log file might be keeping the service from starting. I went into C:\WINDOWS\system32\config, moved the event log files (*.evt) to a different directory, and tried to start the EventLog service. It still failed to come up, but only 4 log files got re-created, and I had moved 8 or 9 out of the folder. Hm. What’s the last log that was created? The DNS log. Let’s take a look in the Event Viewer and see which log file might be causing the problem.

Boom, that’s when I found the issue. Even though the Event Viewer couldn’t display the contents of the log files (since the service wasn’t started), I could see all the logs it wanted to display, and that’s when I found the errant log entry. One of the log files had a name that started with FSSCRM and looked more like an error message than a legitimate event log title. Since the event log service loads its component logs from the registry, I opened regedit and browsed to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. Sure enough, there was a key with the unusual name in there, and when I looked at the values in that key, they pointed to places on the server that don’t exist. I exported the key to a registry file (just in case), deleted the key, and closed the Registry Editor. When I attempted to launch the EventLog service again, it fired right up, as did all of the related services. Of course, we did another full reboot of the system to make sure all services started as expected, and sure enough they did.

While I still have no idea how this key got into the registry, or if it was a valid key that somehow got corrupted, we got the server back online and the system running, giving me time to do some research to see what service might have been associated with that erroneous log setting. But it also serves as a lesson that just because something looks like a networking problem doesn’t mean that it’s truly a networking problem at the core. And also another good reason why you shouldn’t go mucking around in the registry without good reason. One small incorrectly-formatted registry value effectively brought down this server, at least from the business owner’s perspective.
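The two checks that post walks through by hand (find the dependency the stopped services share, then look for an Eventlog registry entry whose file path points nowhere) can be scripted. The following is an added example, not code from the original post: it assumes PowerShell 3.0 or later run from an elevated prompt on the server being examined, and it only reports, never deletes anything.

```powershell
# Added example (not from the original post): report automatic services that are
# not running, the dependency they have in common, and Eventlog registry entries
# whose log file location does not exist. Assumes PowerShell 3.0+, run elevated.

function Get-StoppedAutoService {
    # Services configured to start automatically that are not currently running
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State
}

function Get-SharedDependency {
    param([string[]]$ServiceName)
    # Count how many of the stopped services depend on each other service.
    # A dependency shared by most of them (EventLog in the post) is where to start.
    $counts = @{}
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        foreach ($dep in $svc.ServicesDependedOn) {
            $counts[$dep.Name] = 1 + [int]$counts[$dep.Name]
        }
    }
    foreach ($entry in $counts.GetEnumerator() | Sort-Object Value -Descending) {
        $depSvc = Get-Service -Name $entry.Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Dependency        = $entry.Key
            StoppedDependents = $entry.Value
            State             = if ($depSvc) { $depSvc.Status } else { 'not found' }
        }
    }
}

function Test-EventlogRegistry {
    # Each subkey under Services\Eventlog is one log; its File value names the .evt
    # file. A log with no File value, or whose directory does not exist, is the
    # kind of broken entry that kept the EventLog service from starting.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
    foreach ($log in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $file = (Get-ItemProperty -Path $log.PSPath).File   # REG_EXPAND_SZ, expanded on read
        $problem = $null
        if (-not $file) {
            $problem = 'no File value'
        } else {
            $dir = Split-Path -Path ([Environment]::ExpandEnvironmentVariables($file)) -Parent
            if (-not (Test-Path -LiteralPath $dir)) { $problem = "directory missing: $dir" }
        }
        [pscustomobject]@{ Log = $log.PSChildName; File = $file; Problem = $problem }
    }
}

$stopped = Get-StoppedAutoService
'Automatic services not running:'
$stopped | Format-Table -AutoSize
'Dependencies shared by those services:'
Get-SharedDependency -ServiceName $stopped.Name | Format-Table -AutoSize
'Event log registry entries with problems:'
Test-EventlogRegistry | Where-Object { $_.Problem } | Format-Table -AutoSize
# Keep a copy before removing a bad key, as the post did, e.g.
#   reg export "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<BadLogName>" C:\badlog.reg
```

The registry check flags the failure mode in the post (values pointing at locations that do not exist) without touching the key; exporting and deleting it stays a deliberate manual step.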

Categories : Eriq Neale

Apr 16

SSL Webinar Available for Download

by Eriq


The recording of today’s SSL on SBS 2008 webinar is now available for download from the Store. If you weren’t able to join the session, you can watch the recording to catch up on how to manage SSL with SBS 2008 with live demos of the entire process.

If you’ve missed any of the other webinars, those are also available for download from the Store at http://www.thirdtier.net/store.

Categories : Eriq Neale, SBS 2008, Webinar

Apr 16

Q&A from the SSL Webinar

by Eriq


Here is the Q&A from the just-completed SSL on SBS 2008 webinar. Not many questions, so we either did a good job of covering the material in the webcast, or we had a lot of sleepy attendees!

Question: What is the URL for that blog post?
Answer: http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
Question: This is great. We get to see reality.
Private Answer: Welcome to the real world :-)
Question: Yup
Answer: Sometimes you’re the windshield.
Question: I had a customer order an SSL cert from GoDaddy for their SBS box. Then they wanted to install an SSL cert on their Calyptix network/firewall box, which does not support the intermediate cert. Are there any problems with going to a different cert provider to get a second, different SSL cert for the same public domain name?
Answer: For devices without the ability to add additional intermediate certs, it would be best to go with another trusted provider like Verisign.
Question: Can I move a cert from an SBS 2003 that I am decommissioning?
Answer: If the certificate provider allows you to re-key the certificate to your new server, then yes.
Question: Are there any recommended vendors for the SSL certs that people have used and feel they did a good job for the price?
Answer: We’ve used Dotster, which issues a Thawte cert (so no intermediate cert needed). The only issue with them is making sure your domain registration is correct (no ex-employees as admin or technical contact), but that’s the same with any SSL certificate provider.
Question: The certificate renewal process… how much effort is required each year on an annual renewal? Can it be disruptive to business?
Answer: You will need to load the certificate into any devices that required manual installation the first time around.
Question: We use two static IPs for autofailover. SSL certs work well. We use DynDNS now, used to use DNS Made Easy. We use our domain name. Our GoDaddy cert works fine without the intermediate cert, since GoDaddy is not a top level cert auth.
Answer: Good info. Any issues with Windows Mobile devices?
Question: Even with a paid cert, don’t I still have an issue using DynDNS? Since my cert is for domainname.net and using DynDNS makes it domainname.dyndns.org.
Answer: The certificate has to be assigned to your domain, not to dyndns.org. There’s an additional service you need to purchase from them to make that happen.
Question: eNom has a very good cert for SBS.
Answer: Good to know.
Question: Yes, I know I need to go with a different provider. But when you request a cert, it asks if you are using IIS or Apache. So we already have the GoDaddy cert for IIS, and now we want to get a cert for an Apache (Calyptix box) with the same public domain name.
Answer: Yes, you can do that.
Question: I notice that this presentation is #6. Are the previous presentations available to be viewed? If so, where?
Answer: http://www.thirdtier.net/store
Question: No with Win Mobile 6. No old stuff.
Answer: Thanks for that! :-)
Question: Is it difficult to add an SSL cert to a website in SBS 2008 that isn’t part of the “package” SBS install?
Answer: Amy is answering this live.
Question: How do I get on the other session?
Answer: http://www.thirdtier.net/store/
Question: Thanks
Answer: np :-)
Question: One cert per IP address, right?
Answer: Yes
Question: Great info, thanks
Answer: Thanks for attending!

Categories : Eriq Neale, Q&A, SBS 2008, Webinar

Apr 15

Remotely Installing This Month’s ISA Update

by Eriq

Just a heads-up for those of you who remotely install security updates for your customers. This month includes an update for ISA, and if you don’t know about it beforehand, you could end up in a bit of a jam.

As expected, when installing the ISA update, access to the Internet through the server is interrupted. Unlike some previous updates, however, when the installation of this update completes, Internet access is NOT restored. You don’t get Internet back until you restart the server.

So if you don’t have some mechanism in place for restarting the server automatically after updates install, you could find yourself, and your customer, in a rather unexpected place.

Categories : Eriq Neale

Apr 15

Excel Security Update Applies to Mac Office, Too

by Eriq

Microsoft released a couple of updates for their Excel spreadsheet product in the slate of monthly updates for April 2009. The security issues addressed in the update also apply to the Mac version of Excel. As such, Microsoft has released updates for both Office 2004 and Office 2008 for the Mac. The files can be downloaded from http://www.microsoft.com/mac/downloads.mspx. Because of the nature of the update, all Mac Office users are encouraged to install this update as soon as possible.

Categories : Eriq Neale, Security

Apr 9

Troubleshooting Delayed Message Delivery in Exchange

by Eriq

As more and more anti-spam solutions start doing “interesting” things with SMTP and mail delivery, there is an increased chance of users reporting that mail messages to certain domains are delayed. Unlike a full non-delivery report (NDR) which will list the SMTP error codes for easy identification of the reason for the rejection, a delayed delivery report could be the result of an Internet connection issue, spam filter, offline server, or any number of other causes. The remainder of this post details how to track down possible causes for Internet delivery issues.

First, start with Exchange System Manager. After you open Exchange System Manager, expand Servers, expand the server, then select Queues.

(Screenshot: Viewing the SMTP queues in ESM)

Look for the connector with the domain that you are having trouble sending to. In the image above, it’s the last queue in the list. We can tell from ESM that there is a problem with this queue because it shows to be in a Retry status under the State column. And when you select the queue, look under Additional Queue Information at the bottom of the screen and you’ll see the result of the last connection attempt. In this case, we can see that the connection was dropped by the remote host. So, in this case, we were able to connect to the remote mail host, which rules out internet connectivity issues, and now we need to see why the remote host is dropping the connection. Before we can do that, we need a couple of other pieces of information.

If you double-click on the connector for the problematic domain, you will get the Find Messages window to open. Click on the Find Now button to see all the messages that are stuck in the queue:

(Screenshot: Using Find Messages to view the hung messages in the queue)

In this example, we can see two messages that have been sent by the Administrator account are waiting in a Retry state in the queue. Now, we need one more piece of information, so double-click one of the messages.

(Screenshot: Looking for the recipient in the hung message)

If you look in the Recipients block, you can see the e-mail address of the recipient for this message. Remember that for later.

Next, we want to look in the SMTP logs to see if the remote server sent a valid SMTP code before it dropped the connection. Usually, when a remote host drops a connection, the SMTP service on the Exchange server does not log the code sent by the remote host before the connection is dropped, but we might get lucky. So, let’s open the LogFiles folder and see what the SMTP logs have to say. Open the Start menu and enter the path to the LogFiles folder, usually C:\WINDOWS\system32\LogFiles.

(Screenshot: Opening the LogFiles folder)

Now, if SMTP logging has been enabled on your server, you will have an SMTPSVC1 or similarly-named folder inside of the LogFiles folder.

(Screenshot: SMTPSVC1 folder missing from LogFiles)

In this example, we can see that the SMTP service has not had logging enabled. No worries, we can quickly and easily enable logging for our testing. Go back into ESM, expand Protocols under the server, expand SMTP, right-click on the Default SMTP Virtual Server, and select Properties.

(Screenshot: Opening the properties of the Default SMTP Virtual Server)

Once you open the Properties, turn on the Enable Logging checkbox, then select Microsoft IIS Log File Format from the Active Log Format drop-down menu.

(Screenshot: Enable the Microsoft IIS Log format logging)

Close the Properties window and stop and restart the SMTP service on the server. You will probably need to force the connection again after you restart the SMTP service to ensure that SMTP makes another delivery attempt on the messages. Back in the Queues node, right-click on the problematic SMTP connector and select Force Connection.

(Screenshot: Forcing the SMTP connector to retry a connection)

After the connection attempts and fails, you can go into the SMTPSVC1 folder that now appears under the LogFiles folder and open the log file to review the connection. If you already had logging enabled, you can force the connection attempt and then open the most recent SMTP log file to look for the connection data.

Here is the pertinent information from the log file in this example:

71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 31, 0, 117, 0, 0, -, -, 220 xx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 31, 0, 4, 0, 0, EHLO, -, yy.com,
71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 62, 0, 45, 0, 0, -, -, 250-xx.com Hello [70.n.n.n.n],
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 62, 0, 4, 0, 0, MAIL, -, FROM:<Administrator@yy.com>,
71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 78, 0, 59, 0, 0, -, -, 250 2.1.0 Administrator@yy.com....Sender OK,
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 78, 0, 4, 0, 0, RCPT, -, TO:<mm@xx.com>,
71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 15, 0, 117, 0, 0, -, -, 220 xx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 15, 0, 4, 0, 0, EHLO, -, yy.com,
71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 47, 0, 45, 0, 0, -, -, 250-xx.com Hello [70.n.n.n.n],
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 47, 0, 4, 0, 0, MAIL, -, FROM:<Administrator@yy.com>,
71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 78, 0, 59, 0, 0, -, -, 250 2.1.0 Administrator@yy.com....Sender OK,
71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 78, 0, 4, 0, 0, RCPT, -, TO:<mm@xx.com>,

As suspected, the dropped connection from the remote site does not give us a complete SMTP transaction log on our Exchange server. We see the initial connection attempt, the EHLO command our server sends, the MAIL command our server sends, and the RCPT command our server sends. After that, the connection is reset by the other end, and the SMTP process on our server does not capture the information. Not to worry, we can still get that information. How? Telnet.

Open a command prompt on your server. Run the nslookup command. At the nslookup prompt, enter set type=mx and press Enter. Then enter the domain name of the site you are trying to send to and press Enter. You’ll get a response similar to:

(Screenshot: Reading the results from the nslookup command)

The key piece of information needed is the mail exchanger, which will be the last item listed in the response. Make note of that server name. Now, in the same command prompt, type telnet mailserver 25, where mailserver is the name of the server you identified from the nslookup command. When the connection is made, type ehlo and press return. You should get a response similar to:

 

(Screenshot: Connecting to the remote mail server)

Now, type the following commands and press Enter after each one. You will use the FROM address that you got from the Find Now search in the ESM Queues, and you will use the TO address that you got earlier as well.

mail from: sender@domain.com
rcpt to: recipient@domain.com

In our case, we get our answer as soon as we provide the recipient’s address:

(Screenshot: Responses from the remote SMTP server)

The remote mail server responds to the rcpt command with a 550 5.7.1 response, indicating that it will not accept the message. In this case, the remote host is using Trend Micro’s Email Reputation service, and that service, for whatever reason, has denied access for the sender to send mail to that recipient.

Unfortunately, because the remote server issues the response and then immediately drops the connection, the sending server never has an opportunity to log the response. The message goes into a retry state, and the server keeps trying to deliver it until the timeout value is reached (72 hours by default in Exchange), at which point the sender gets an NDR saying the message could not be delivered within the timeout window. That NDR doesn’t tell the sender that their message was blocked by a spam filter, so without our troubleshooting their only real recourse is to contact the recipient some other way and let the recipient know that the sender had problems getting an e-mail through.

I’m afraid that this type of SMTP behavior is only going to become more prominent, meaning that we will likely get called into action to try to figure out why a message never got delivered. So long as we have access to the sending mail server, it’s not that hard to figure out. Just follow these steps to find the SMTP code returned by the receiving mail server, and you can then continue troubleshooting from there.
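The log review and the manual SMTP conversation above can both be done from PowerShell rather than Notepad and telnet. The following is an added example and not code from the original post: the log parser runs over a constructed sample built from the log excerpt above (wrapped lines joined), the probe repeats the banner/EHLO/MAIL/RCPT dialogue and stops at the first non-2xx reply without ever sending DATA, and Get-PrimaryMx assumes Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 and later). Host names and addresses in the live-check lines are placeholders.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0+; the MX lookup
# needs the DnsClient module. Domains and addresses below are placeholders.

function Get-UnansweredSmtpCommand {
    param([string[]]$LogLine)
    # Walk IIS-format SMTP log lines in order. A command followed by a fresh 220
    # banner, or by the end of the log, instead of a reply is the command the
    # remote host answered by dropping the connection.
    $unanswered = New-Object System.Collections.Generic.List[object]
    $pending = $null
    foreach ($line in $LogLine) {
        $f = $line -split ',\s*'
        if ($f.Count -lt 15) { continue }
        $kind = $f[1]; $time = $f[3]; $command = $f[12]
        $text = ($f[14..($f.Count - 1)] -join ', ').TrimEnd(', ')
        if ($kind -eq 'OutboundConnectionCommand') {
            $pending = [pscustomobject]@{ Time = $time; Command = $command; Argument = $text }
        } elseif ($kind -eq 'OutboundConnectionResponse') {
            if ($pending -and $text.StartsWith('220')) { $unanswered.Add($pending) }
            $pending = $null
        }
    }
    if ($pending) { $unanswered.Add($pending) }
    return ,$unanswered
}

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Collect one reply; a '-' after the code means more lines follow (250-xx.com Hello ...)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }        # remote end dropped the connection
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpRecipient {
    param([string]$MailHost, [string]$From, [string]$To, [string]$HeloName = 'probe.example.com')
    # Same dialogue as the telnet session in the post. Stops at the first non-2xx
    # reply (e.g. 550 5.7.1 on RCPT) and never sends DATA, so no message is sent.
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000
    $client.Connect($MailHost, 25)
    $reader = New-Object System.IO.StreamReader($client.GetStream())
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $dialog = New-Object System.Collections.Generic.List[string]
    $steps = @(
        @{ Name = 'Banner'; Send = $null },
        @{ Name = 'EHLO';   Send = "EHLO $HeloName" },
        @{ Name = 'MAIL';   Send = "MAIL FROM:<$From>" },
        @{ Name = 'RCPT';   Send = "RCPT TO:<$To>" }
    )
    $code = 'dropped'; $last = 'Banner'
    try {
        foreach ($step in $steps) {
            if ($step.Send) { $writer.WriteLine($step.Send); $dialog.Add("C: $($step.Send)") }
            $reply = @(Read-SmtpReply $reader)
            foreach ($r in $reply) { $dialog.Add("S: $r") }
            $code = if ($reply.Count -gt 0 -and $reply[-1].Length -ge 3) { $reply[-1].Substring(0, 3) } else { 'dropped' }
            $last = $step.Name
            if ($code -notmatch '^2') { break }
        }
        try { $writer.WriteLine('QUIT') } catch { }
    } finally { $client.Close() }
    [pscustomobject]@{ Step = $last; Code = $code; Dialog = ($dialog -join "`n") }
}

function Get-PrimaryMx([string]$Domain) {
    # Lowest-preference MX record, the same answer nslookup's "set type=mx" gives
    Resolve-DnsName -Name $Domain -Type MX | Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference | Select-Object -First 1 -ExpandProperty NameExchange
}

# Constructed sample: one delivery attempt from the post's log, then the next banner
$sampleLog = @(
    '71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 31, 0, 117, 0, 0, -, -, 220 xx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959',
    '71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 31, 0, 4, 0, 0, EHLO, -, yy.com,',
    '71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 62, 0, 45, 0, 0, -, -, 250-xx.com Hello [70.n.n.n.n],',
    '71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 62, 0, 4, 0, 0, MAIL, -, FROM:<Administrator@yy.com>,',
    '71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 78, 0, 59, 0, 0, -, -, 250 2.1.0 Administrator@yy.com....Sender OK,',
    '71.n.n.n, OutboundConnectionCommand, z/z/2009, 17:34:33, SMTPSVC1, SERVER, -, 78, 0, 4, 0, 0, RCPT, -, TO:<mm@xx.com>,',
    '71.n.n.n, OutboundConnectionResponse, z/z/2009, 17:34:44, SMTPSVC1, SERVER, -, 15, 0, 117, 0, 0, -, -, 220 xx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959'
)
Get-UnansweredSmtpCommand -LogLine $sampleLog | Format-Table -AutoSize
# One entry: RCPT TO:<mm@xx.com> at 17:34:33, the command the remote host never answered

# Live check against the recipient's domain (placeholders; fill in before running):
# $mx = Get-PrimaryMx -Domain 'xx.com'
# Test-SmtpRecipient -MailHost $mx -From 'Administrator@yy.com' -To 'mm@xx.com'
```

The probe returns the step at which the remote server refused (Step) together with the three-digit code and the full dialogue, which is exactly the information the Exchange log could not capture; because it stops before DATA, it leaves nothing in the recipient's mail system.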

Categories : Eriq Neale

Mar 28

Restoring SBS 2008 to Different Hardware

by Eriq

While doing some testing on the restore capabilities of SBS 2008 using the native Server 2008 backup and restore tools, I ran across an interesting tidbit regarding the restore process. Once I thought about it, it made sense, but not having tested a full system restore yet, I hadn’t run across it just yet.

When doing a bare metal restore of SBS 2008 using the native Windows Backup tools, your restore system must match the disk configuration of the source server as closely as possible. Specifically, if you have your backup from a server with two partitions on a single volume, you must restore to a single volume whose size is at least as large as the source volume. You cannot restore the two partitions from the original backup to a system with two volumes and expect that one partition would restore to one volume and the second partition would restore to the second volume. If your backup came from a system with a single volume and two partitions, you must restore to a system with a single volume so the backup can put two partitions on it.

I’m assuming that the reverse is true (if you have two volumes as the source for the backup, you must have two volumes for the restore) but have not had the ability to test this yet.

Again, this holds for a bare metal restore using the recovery method available when booting from the SBS 2008 installation CD. Using the native tools when SBS 2008 is running, you have the option to restore to alternate locations.

Categories : Eriq Neale, SBS 2008

Feb 19

SBS 2008 and Companyweb Offline

by Eriq

Over the last couple of weeks, I’ve seen reports of companyweb not displaying on some SBS 2008 servers. Same when trying to load the SharePoint 3.0 Central Administration site. Poking through the event logs, we’re seeing errors and warnings like:

Error, Source: Windows SharePoint Services 3, Event ID: 3760, Category: Database

SQL Database ‘ShareWebDb’ on SQL Server instance ‘np:\\.\pipe\MSSQL$Microsoft##SSEE\sql\query’ not found. Additional error information from SQL Server is included below.

Cannot open database "ShareWebDb" requested by the login. The login failed.
Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’.

Restarting the Windows Internal Database (Microsoft##SSEE) service restores access, at least temporarily.

Thus far, I’ve been unable to identify any commonality that might be triggering this behavior. If you have encountered this issue, especially if all you’ve had to do is restart the Windows Internal Database service to recover access, please post a comment back so we can try to collect additional information and see what might be triggering this issue.

Categories : Eriq Neale, SBS 2008

Third Tier
Copyright © 2012 All Rights Reserved