Author Archives: will

bad apples

Posted on by
2

So in my free time (HA!) I do some IT consulting work for a few small businesses.  Last month I ran into an interesting problem one of my clients was experiencing.  Felice emailed to report they could not send email from a particular account they have.  This account is set up to receive certain infrequent inquires from the company’s web site.  They then check the inbox via Outlook, yes infrequently, and may choose to bestow a courteous reply upon the sender.  I was somewhat surprised to hear that she had called Microsoft about this problem sending email and was supposedly told the computer had a virus.  This makes a modicum of sense when you consider Microsoft does offer free consumer support for…. wait for it….. virus problems.  At any rate they did not actually help in any way whatsoever.

applesI replied with the standard line of interrogation.  Do you have the password for the account?  Do you have access to webmail?  Are the messages sitting in the outbox?  Did you try a reboot?

Felice: no, no, yes, yes of course.

So no way to check easily via another method and no password…… hmm this may complicate things.  I could have tried to obtain an error message, but I happened to be busy working my day job at the time and decided responsibly to table this for the evening.

I took a drive over the Tappan Zee Bridge depicted so beautifully at the top of this page, which incidentally is not AS beautiful during the day when you can see all the rust and wear and tear and doubly not AS beautiful when you’re sitting in traffic.  It IS being replaced.  And luckily I do have my entertaining podcasts to get me through commuting nightmares (yay This American Life!)…. but I digress.

I reached my destination before dusk and got right to business.  Well not RIGHT to business; I always chat with my clients.  I’m not particularly outgoing or skilled in small talk, but I’ve developed just enough rudimentary social graces to “get by”.  So after catching up with Felice I got RIGHT to business.  I checked the send/receive error in Outlook and the error indicated that the outgoing mail server was refusing the connection.  I saw the hostname of the server and it had the word “Barracuda” in it.  My familiarity with the Barracuda SPAM firewall is evidenced by my earlier post on the love/hate relationship of our Barracuda and mail server as well as my collection of black EAT SPAM t-shirts.  I wish all our hardware vendors packaged clothing with their products.  I’d never have to go to the mall again!

Now, I neglected to mention one crucial detail.  While chatting with Felice, she revealed that they’ve had this issue for a week or so before calling me (wow).  More significantly, the emergence of the problem immediately followed a long power outage.  Now this is a small business with a Verizon FiOS internet connection and a dynamic IP address.  So when I hear power outage I immediately think “new IP address”.  So now getting back to the Barracuda, I found the web page to check Barracuda’s SPAM blacklist.  I entered their current IP address and sure enough POSITIVE HIT.  So that seals it.  Another FiOS customer, who had this IP in the past, somehow got themselves on a SPAM blacklist.  Now poor Felice ended up with it by chance and inherited its ugly reputation.

Thinking back a bit, I do have to give Microsoft some credit.  They may have indeed asked Felice for the error and surmised that HER computer was infected, zombified and spewing out SPAM.  This would be a logical line of deduction.  But A) why didn’t they help her remove the infection?, B) they were wrong anyway and C) i’m giving Microsoft too much credit.  Oh and D) suck it Microsoft, computers under my care do not become SPAM zombies.

So I could either try to get their email / web host to whitelist their IP in the Barracuda or get them a new IP.  Seeing as their email host is a mom and pop shop with no after-hours support, I opted for the latter option.  I rebooted the FiOS router, checked WhatIsMyIP.com, and same damn IP.  I got Verizon FiOS support on the horn and the technician had me turn the router off and on several times while he “tried something”.  No dice.  After succumbing to the reality that he lacked the power to do something so simple as get us a new IP address, we settled on the cop out of leaving the router turned off overnight.  Surely after 12 hours it would receive a different address.  And it did.  Problem solved.

The sad part about all of this IS……. what if Felice and her small business didn’t have an IT genius like myself?  She wasn’t even clear on who their email provider was and could not find a bill.  Microsoft blamed her.  And there’s no way Verizon would have helped if she simply explained she couldn’t send email.  They would have tested her internet connection and told her to talk to her email provider, after trying to sell her on some unnecessary “business services” including “advanced email hosting” or some such useless crap.  This type of thing should not just happen to people.  They’re just trying to run a business like good Americans, and they innocently inherit a tainted IP address from some porn addict who can’t stop from clicking everything bouncing around the screen.  Anyway I feel sorry for the next customer to get that IP.  Maybe I should track them down and send them a business card……..

collaborating across organizational borders

Posted on by
2

As of late we’ve been working on initiatives related to collaboration with a partner organization.  We have a high bandwidth metro-ethernet line to facilitate network communications and an AD forest trust so that we may grant permission to resources between our forests.

Last week I was tasked with working with my counterpart in the partner company to provide access to files on one of their servers to some of our people.  He granted the proper permissions to the designated security group in our domain and provided me the path to the shared folder:  \\Storage.PartnerCo.local\documents.  I added my user account to the security group for testing.  I found I was able to ping the server name but could not access the share.  I got the dreaded “network path not found” error.  I googled the error code but did not turn up anything helpful.

Adding confusion to the issue, my company has two servers stood up in this partner’s data center.  These servers are on our domain.  I was able to access the share just fine with my credentials from both of these servers.  Huh?  Is it a firewall problem?  Nope, firewalls are wide open on both sides between our networks.  Telnetting to SMB/CIFS ports works fine.  So what exactly is going on here?

After emailing back and forth with PartnerCo’s Systems Engineer, I was made aware that Storage was just a DNS name.  I was provided the host name and IP of the actual server hosting the share.  I was then able to enumerate the share using the actual server name.  I checked the properties of the share and found this.

File_Share

Aha!  A DFS tab.  And check out the path in the referral list.  Notice it’s not a fully qualified domain name.  So here’s how this goes…. Storage.PartnerCo.local is the DFS root name.  When accessing the Documents share that way, the user is directed, behind the scenes, to the path \\Server02\Documents.  For some reason Server02 is the only server with a referral.  The problem here is the lack of FQDN in the path.  My computer could not resolve it.  No computer in my office could.  However our two servers in PartnerCo’s data center COULD resolve it via NetBIOS!  Wow.

It turns out they were are running DFS in Windows 2000 mode.  Use of DNS names in referrals can only be turned on through a registry edit and existing shares must be RECREATED.  Since clients will automatically try to append their own domain name to non-FQDN names to query DNS, I simply added a CNAME pointing Storage.MyCompany.local to Storage.PartnerCo.local and that worked right around this pesky problem.

Now can I have those two hours of my life back please?

the reluctant print server

Posted on by
1

I’m not a big fan of printing and working with paper.  I like to keep my desk and drawers free of clutter.  A number of years ago I worked for a municipal government.  I’ll never forget the first time I laid eyes on the desk of one of our building inspectors.  It was entirely covered in a disorganized blob of papers several inches tall.  Whatever was on the bottom of that mess is likely still there.  Obviously the experience stuck with me.

A few weeks ago I was VERY surprised to find out one of our print servers decided, in spite of its nature, that my way is the better way, the way of the future.  It respectfully refused to honor the requests of our staff to use consumables and contribute to deforestation.  While the print server earned my respect and admiration for its idealistic stand, I had to dash its dreams.  For it is the sysadmin’s responsibility to keep the toner and paper fusing as it were.

I was first informed of the issue by the IT Support team late one afternoon.  People were reporting that their printers had disappeared in Citrix.  I took a look at their print server (called PS01) which is used by around 1,500 people.  When I first terminal’d in the spooler was running.  But upon inspection of the server logs I could see that the spooler was crashing every 1 to 5 minutes.  After each crash our monitoring software would dutifully detect the failure and restart the spooler.  Then it would again crash.  Windows Event Viewer unfortunately did not provide any specifics regarding the cause.

My first instinct was to clear all files out of the spool folder (C:\Windows\System32\spool\PRINTERS).  Often these repeated spooler crashes are caused by a print job which bugs out the driver.  Not this time.  My next move was to reach out to Support to see if anyone installed a new printer that day and to reboot the server.  The spooler continued to crash after reboot.  But I got a response back from one of the Support Analysts who installed a printer earlier in the afternoon.  I had noticed in Event Viewer that she had logged onto the server a few hours earlier.  I deleted the printer she had installed, but again no joy.  By this time it was well after 5:00.  I turned on logging of all print events including informational events in the print server properties.  I figured I could then check the logs to see which print job crashed the spooler.  I soon came to the realization that the spooler would crash regardless of print activity.  It would crash every few minutes even if no jobs were being processed.

At this point I got desperate and resorted to attaching a debugger to the spoolsv.exe (print spooler) process.  I used adplus from the Windows Debugging Tools as described in this article.  I waited a couple minutes for the spooler to crash and then examined the log file file.  Unfortunately the file made no reference to a print driver or any cause of the crash.  The adplus tool also left a bunch of dump (.dmp) files behind.  I fed some of these into Windbg.  No cause identified.  I repeated this process again with another crash.  The resulting log files were similarly unhelpful.  This is getting ridiculous, I thought to myself.

I had taken a break to drive home and eat dinner.  So now it was quite late in the evening.  I decided to call and open a ticket with Microsoft and continue to work on the problem while waiting for a callback from an engineer.  After getting off the phone I finally turned to my #1 favorite Windows diagnostic tool….. Process Monitor.  This tool was developed by Mark Russinovich and the Sysinternals team.  They were acquired by Microsoft a couple years ago.  Process Monitor captures all file system, registry, network and process activity on a system.  I ran it until the spooler crashed.  I then filtered to only show output which includes the spoolsv.exe process.  I scrolled to the time of the crash and here’s what I saw.

image

You can see here where the process is exiting.  Now all I had to do was scroll up and see what it was doing just prior to the crash.  Lo and behold I observed MANY lines referencing a particular printer and driver.

image

I saw hundreds of lines just prior to the crash which referenced a particular HP LaserJet 2030 series printer.  In Server Manager I sorted the printer list by driver and observed that this was the only printer on the server using this particular driver.  So I assume someone installed this printer earlier in the day and loaded the new driver.  I tried to look at the properties of the printer, but the window would freeze when I tried to bring the properties up.  So I deleted the printer and removed the driver through the Print Server Properties.  The crashes ceased.

Apparently the print spooler is very active in the background.  It seems to cycle through the registry looking for printers and it re-enumerates the printers on the machine.  Every time it hit this particular printer, CRASH!!!  In hindsight I should have thought to use Process Monitor before going through the trouble of attaching a debugger.  But hey it was an educational experience.  Needless to say this incident DID NOT improve my relationship with printers.  One of these days I will write a post about our myriad issues surrounding printing in Citrix……

working around IT

Posted on by
Reply

I recently had the opportunity to visit one of our “branch” office locations.  I put branch in quotes because it is these locations where the actual revenue-generating operations take place.  I work in the corporate office where the organization’s shared services operate.  We play the supporting roles for the branches.

But I digress.  This was the first opportunity for me in my current role to visit one of our branches.  For the most part it was what I expected.  But in one respect it was enlightening to me.  People were finding workarounds to overcome deficiencies in IT support and infrastructure.

First I encountered a gentleman who was using a laptop which I did not recognize.  I could tell right away it wasn’t one of the standard issue HP notebooks we provision.  Much to my dismay it was in fact the man’s personal laptop.  When I asked him about the situation he pointed me at his company desktop computer.  It was virus-ridden and unusable.  He had opened a Help Desk ticket months ago.  So I looked up the ticket.  It was closed because this gentleman failed to respond to email inquiries from the Support technician.  Why?  He had no reasonable way to access his email.  So he brought in his personal laptop, gave out his personal email address for correspondence, and was able to basically function at his job.  He did not need access to internal corporate data so he could get by with access to the public wifi.  I felt for this man.  And what made me feel worse was how delightful he was with me.  It turns out he was a computer programmer many moons ago in the early days of the software business.  We chatted about many things from the rise of the microprocessor to the information revolution of today to a possible future where no data is private and the possible implications on business and government.  Needless to say I apologized about the computer and re-opened the ticket.

Another example to IT workaround was a home router someone had purchased and connected to the network in order to get more network ports.  There is a reason why these devices are strictly forbidden.  Not only because we don’t know about themThe home router I found, but they have a built-in DHCP server.  And of course the patch cable from the wall was connected to the Internet port.  So the two computers and printer connected to the switch ports were firewalled off from the rest of the network.  When I asked about it no one could give me a good answer.  If they had made a request from IT we would have had new lines run or sent them a small switch.  I assume the people in this department were so disillusioned with IT, they didn’t want to waste time waiting on us.  People want to do the right thing.  They want to follow the rules.  But if you need to wait a week for a response and several weeks for a resolution, you won’t involve IT unless you HAVE to.

The third and final example was a workaround for an infrastructure problem.  We’ve been battling issues lately with printing through Citrix XenApp.  We have many different models of HP printers in the offices.  For use in XenApp we usually just use the tried and true LaserJet III driver.  Recently we started using a new software application in XenApp.  People have had all sorts of printing problems using the non-native LaserJet III driver.  When printing reports the text will go off the end of the page or will be scaled incorrectly, etc.  We started installing the proper drivers for the actual models of printers.  And things blew up.  Print spooler crashes, printers failing to map into XenApp sessions, utter chaos.  We have come up with partial workarounds and things are getting better.  But in the meantime the poor people out in our offices have needed to come up with all sorts of creative ways to print reports.  From emailing to themselves, to printing locally to who knows what.  There are probably people copying and pasting data into spreadsheets!

So there you have it.  People need to get their work done.  They literally cannot afford to always wait for IT.  What can we as an IT department do to fix this dysfunctional situation?

1)      First we can add some staff.  I won’t go into detail, but we got ourselves into a situation where we simply did not have enough staff to support the numbers of employees, devices and applications we offer.  I’m happy to report we very recently have brought on a couple new people.

2)      Now that we have (presumably) enough staff, we must focus on customer service.  Even with better service levels it will take time to change people’s perceptions of IT, to undo the damage we’ve done.

3)      Show our faces in the branch offices more often.  This demonstrates that we care and humanizes IT.  We’re no longer an unknown number of nameless faceless geeks who don’t give a damn about real people.

What else should we be doing to improve our customer service and our image presented to the organization?

relationship problems: barracuda and exchange have “communication issues”

Posted on by
Reply

I considered for a moment whether to ascribe gender roles to the enterprise tech involved in the spat.  I decided it might make this short story more entertaining.  And let’s face it, people just love anthropomorphizing their technology.  Forgive me for the clichéd gender stereotypes.

Meet the couple

The Barracuda stands guard and provides security so we’ll make him the dude (Arthur).  The Exchange server is far more complex and does the bulk of the work.  Definitely the chick (Anna).  Anna and Arthur have been together for a little over a year.  The relationship has been going well.  But they work together, so that can be trouble.

The fight

It’s hard to know how this particular fight started.  Anna and Arthur would tell completely different stories.  Like most tiffs between young lovers it probably started over something silly.  Anna forgot to lock the door in the morning or Arthur drunk-posted something stupid to facebook.  I was made aware of the trouble by my boss.  He informed me that people were reporting to him that they were not receiving emails they’d been expecting.  As the tech relationship counselor of the office I sprung into action.

My preconceptions were incorrect

I immediately expected Arthur was to blame.  He’d been acting erratically as of late.  Translation: We have a 2-node Barracuda cluster and the first node has been flaky.  It’s getting old and needs to be replaced.  I have the replacement sitting in my office, but I need to plan a trip to the datacenter to install it.  Given this knowledge I accessed the management interface of Barracuda 1 (B1) and right away saw something disturbing on the Status page.  The status of the energize updates and instant replacement subscriptions had a red error code with a message to contact Barracuda support.  Uh oh!  It also had ~500 messages queued up for delivery to our Exchange server.  I rebooted B1.  While it was rebooting I accessed B2.  It had no errors but it DID have ~500 messages queued up just like B1.  So the errors on B1 are a red herring!  Yes B1 is screwed up in general.  But Arthur may not be to blame after all.

Back pressure

My boss had mentioned to me something about “insufficient resources” messages in the Barracuda logs.  Indeed messages were being rejected by our Exchange CAS array with an SMTP code indicating this.  I checked our two Exchange CAS / Hub Transport servers.  I looked through Event Viewer on CAS1.  All clean.  CAS2 was a different story.  I found two events which indicated Exchange was refusing to accept incoming SMTP messages.  This was triggered by a feature called Back Pressure.  Exchange 2010 tracks a bunch of system metrics to determine whether or not it is at risk of serious impairment.  When it detects a dangerous state it backs off on its processing load.  In this case CAS2 decided it was getting too low on disk space on the drive containing its log files.  Never mind there were a few GB free.  Exchange feels that’s not enough.  So it stopped accepting incoming SMTP messages.  The services keep running.  It just writes 2 events to the Application log and sits there silently.  Anna decided to give Arthur the cold shoulder.  So mail was still being delivered by CAS1.  But any mail which happened to hit CAS2 would be rejected.  And the Barracudas would queue it up for a later redelivery attempt.  Since these are virtual machines I simply expanded the disk and restarted the Exchange Transport service.  CAS2 resumed service.

Not ready to make up

I checked the queues on the Barracudas.  They were starting to go down.  Then I witnessed them bump back up.  Wth?  Back to Event Viewer on the CAS boxes.  Lo and behold they are both dropping connection attempts from both Barracudas.  The reason is that the Barracudas are trying to establish more simultaneous connections than the Receive Connectors will allow.  Argh!  I didn’t find any obvious way to limit the SMTP sessions on the Barracudas.  So I increased the maximum number of sessions allowed on the CAS servers.  The default is 20.  I changed it to 50, which seemed like a reasonable number to me.  This got the couple communicating again.

Lessons learned

Keep plenty of free space on Exchange drives containing DBs or log files.  OR tweak the back pressure disk space thresholds as described at the bottom of the page here.  It involves some simple edits to the EdgeTransport.exe.config file.  Microsoft doesn’t recommend it.  But I don’t trust them anyway (see my previous post involving Network Load Balancing).

I’ll very soon be replacing Barracuda 1, which means Anna will be getting a new boyfriend.  I really hope he’s not a jerk.  But at least in this relationship there’s always Instant Replacement!

why you shouldn’t decommission exchange 2003 in the middle of the day

Posted on by
1

After reading the post title I know what you’re thinking.  I won’t try to justify the ill-advised nature of this decision.  Suffice to say if I only scheduled production changes for after-hours I’d either fall hopelessly behind or never sleep.

We have these two old Exchange 2003 servers configured in a cluster.  Let’s call the hostname for this cluster OldMailServer.bruteforce.local.  We already migrated all mailboxes to our 2010 cluster (NewMailServer.bruteforce.local) many months ago.  We were fully aware that many network devices, including scanners, were still pointing to OldMailServer.bruteforce.local or its IP address (2003 IP).  I decided on the following steps to complete the decommission of Exchange 2003.

The plan:

  1. Re-point OldMailServer.bruteforce.local  in DNS to 2010 IP.
  2. Assign a new temporary IP address to the 2003 cluster
  3. Since devices are still sending mail to 2003 IP, we assign this as a secondary IP on the 2010 CAS array.
  4. We must add a static ARP table entry in our data center switches for 2003 IP since it is being shared by two CAS servers in a Windows NLB cluster.
  5. Stop the 2003 cluster group (basically shut down exchange services).
  6. Wait a week and then uninstall Exchange 2003.

How did this blow up in our faces?

We completed the first 5 steps and the calls started hitting our homicidal Help Desk.  There were two problems being reported:

  1. Many users were getting username / password prompts from outlook purporting to be from OldMailServer.bruteforce.local!!  Yes the server that is OFF.  The only place that host name exists now is in DNS.
  2. No devices configured to send mail to 2003 IP are able to hit it.

Here we go.  It took a couple hours but we eventually got this ironed out.

So what went wrong with our poor innocent coworkers?

The cause of the username / password prompts from OldMailServer was some sort of reverse DNS function of Outlook.  When I pointed OldMailServer.bruteforce.local to 2010 IP I foolishly allowed it to update the PTR record.  So now 2010 IP has two PTR records.  So if one were to be conversing with NewMailServer, and one was so inclined to do a reverse DNS lookup on its IP, in reply one might get NewMailServer and one might get OldMailServer.  I’m not exactly sure what Outlook was doing here.  But the solution was to kill the PTR record pointing to OldMailServer.  Can someone explain this to me?

So what went wrong with the scanners?

Now why was nothing able to hit NewMailServer using the 2003 IP you ask?  If you remember we had configured this as a secondary IP on the 2010 CAS array.  The CAS array is configured to listen and accept traffic on all IPs.  Ok great.  The problem was with step 4 in our plan.  The dreaded static ARP entry.  I noticed that when I added the secondary IP in Windows Network Load Balancing Manager, it created a new MAC address for it (MAC 2).  I asked our Network Engineer to edit the static ARP entry for 2003 IP to point to MAC 2.  This had the effect of making 2003 IP virtually unreachable.

Why I now hate Windows Network Load Balancing (more than before)

I found a server in the data center which could successfully ping 2003 IP.  I checked its ARP table and observed that 2003 IP was associated with MAC 1.  This is the MAC address of 2010 IP, the first IP configured in NLB.  Huh?  Ok lets change the static ARP entry in the switches to point 2003 IP to MAC 1.  Now both 2003 IP and 2010 IP have static ARP entries pointing to MAC 1.  Guess what?  It works.  Thank you Microsoft.  I should send a handwritten letter to the Windows Server product manager to thank him for this useless new MAC address created for NO REASON.

What did I learn?

Two things really

  1. If you add additional IPs to Windows NLB, they just use the original MAC.  The new MAC addresses created for them are meaningless.  Software Developers call this a bug.
  2. Don’t turn off your old Exchange server in the middle of the day.Strike that second one.  I looked at my calendar and you wouldn’t believe what I’ve scheduled for this week.