Software
Internet Explorer - Enable Integrated Windows Authentication
by admin on Feb.19, 2008, under Software, Systems
So I ran across something kind of interesting the other day. I was setting up Microsoft CRM 4.0. I got the server set up and the website configured, but when I went to the website it prompted me for my username and password. I would type it in and the authentication would fail. I tried it in Firefox and it would work using my correct logged-in credentials, which is what Integrated Windows Authentication is.
So I check out my IIS settings: I have anonymous access disabled and Integrated Windows Authentication is checked. Why would Integrated Windows Authentication work in Firefox but not in IE? I go into Internet Options on my browser and select the Advanced tab. There is an option “Enable Integrated Windows Authentication” and I have it enabled. I tried a couple more times to make sure I wasn’t fat fingering my login and still got 401 authentication errors.
Well I thought just for the heck of it I would try unchecking the “Enable Integrated Windows Authentication” box in IE. I restarted my browser and bang it works, doesn’t prompt for password or anything. So I uncheck use Integrated Authentication and the Integrated Authentication starts working. Now I am really scratching my head.
I start searching through user groups on the Internet and I finally find the answer. In IE 6 and IE 7 the browser will use Integrated Windows Authentication whether you have that checkbox enabled or disabled. The difference is the authentication type. With the box checked it will try Kerberos authentication first, then fall back on NTLM. If you uncheck the box then it will just use NTLM. Thank you Microsoft for mislabeling that feature. The really annoying thing is if both ends support Kerberos authentication, you have that Integrated Windows Authentication box checked, and Kerberos fails, it will not fail back to NTLM. The only way it will fail back to NTLM is if your website doesn’t support Kerberos.
What I ended up finding out was that Kerberos authentication was broken on my CRM server, quick workaround was to uncheck the box in IE. The problem with that is most features in CRM 4.0 don’t work on NTLM. I will post another time on how I fixed Kerberos on that server.
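One way to confirm which mechanism the browser actually sent is to decode the token in the Authorization header of a captured request. The following is an added example, not part of the original post: the function name and both sample headers are constructed for illustration, and the check is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OIDs.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OIDS = (
    bytes.fromhex("06092a864886f712010202"),               # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),               # 1.2.840.48018.1.2.2 (MS)
)

def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos' or 'unknown' for an Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # raw NTLM message, even under "Negotiate"
    if token[:1] == b"\x60":               # GSS-API initial context token
        if NTLMSSP_SIGNATURE in token:
            return "ntlm"                  # NTLM message wrapped in SPNEGO
        if any(oid in token for oid in KERBEROS_OIDS):
            return "kerberos"              # Kerberos offered as the mechanism
    return "unknown"

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample: NTLM type 1 (negotiate) message sent under the Negotiate scheme.
SAMPLE_NTLM = "Negotiate " + b64(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16))
# Constructed sample: start of a SPNEGO token listing Kerberos; ticket bytes zeroed.
SAMPLE_KERBEROS = "Negotiate " + b64(
    b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x82\x04\xf0\x30\x82\x04\xec"
    + b"\xa0\x18\x30\x16" + KERBEROS_OIDS[1] + KERBEROS_OIDS[0]
    + b"\xa2\x82\x04\xce" + bytes(32))

if __name__ == "__main__":
    for name, header in (("ntlm sample", SAMPLE_NTLM), ("kerberos sample", SAMPLE_KERBEROS)):
        print(name, "->", classify_authorization(header), "| token starts", header.split()[1][:12])
```

A token whose base64 begins with TlRMTVNTUAAB is NTLM, while one beginning with YII is a GSS-API token that normally carries Kerberos.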
Microsoft DFS Replication Rights
by admin on Feb.11, 2008, under Software, Systems
If you set up a folder to replicate using DFS and you want to lock down the folder rights on it, you might have issues. You have to be sure to give the System account on each server write and modify rights for the replication to work.
If you add the system account to the folder you should be able to lock the rights down as far as you want and the replication will still work.
Solarwinds Orion 8.5 Problems
by admin on Feb.01, 2008, under Software, Systems
So I am running Solarwinds Orion 8.5 on a Windows 2003 R2 server. I installed Microsoft .NET Framework 2.0 Service Pack 1 (KB110806) on the server and it broke Orion’s website. The website would come up, then when I tried to log in I would get the following error:
Orion Website Error
An error has occurred with the Orion website.
Additional Information
System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at ClassicSiteProxy.Login(HttpContext context, String username, String password)
   at Login.InitiateLogin()
   at Login.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
To fix it I did a repair on Orion, then I installed SP3 for Orion 8.5.
It is now working again.
Symantec Endpoint Protection 11 - Part II
by admin on Jan.31, 2008, under Software, Systems
I am still running Endpoint Protection on my laptop, only one issue so far. Endpoint Protection 11 breaks WPA and WPA2 authentication for your wireless network. From reading in some Symantec forums it is a known issue with this software. The easiest way around it is to disable Network Threat Protection while you are authenticating, then enable it once the connection is established.
I looked for more of a permanent solution but even when I disabled the HIPS rules and allowed all traffic to pass on my wireless card it still failed. I guess this is the case when the client is unmanaged, if you have a managed client which I don’t you can work around it by allowing EAPOL. I can’t test this because I don’t have the server and so it isn’t managed. Hopefully they come out with a workaround.
Microsoft Virtual Server 2005
by admin on Jan.30, 2008, under Software, Systems
If you are running Virtual Server 2005 on a server with multiple processors you should be aware that the virtual machines you run on the server can only use one processor. So if you have a four processor server and are running two Virtual Machines you will only be able to utilize two out of the four processors. To make things worse if you have hyper-threading enabled on your processors the Virtual Machines can only use one logical processor or half of the physical processor. This will slow down your Virtual Machines a lot.
It is always recommended that you disable hyper-threading to get the best performance out of your Virtual Machines. Dual core processors are fine because it is actually two full speed processors in one instead of cutting the processing power in half like hyper-threading does. That said Virtual Machines in Virtual Server 2005 can still only use one core on a dual core processor but it is the same as running one physical processor.
Also I am hearing that the new Microsoft Server 2008 Hyper-V server will be able to utilize multi-core processors in Virtual Machines. This will break the single processor restriction in the current 2005 server.
Find the Files that are Eating Your Drive Space
by admin on Jan.29, 2008, under Software, Systems
How often do you find that one of your servers has a drive that is full or overnight has doubled in space usage? If you are like me you don’t want to spend the time to look through Explorer to find out what the size of each folder is manually.
An easy free tool to tell you exactly what all the folder sizes are on any Windows drive is called TreeSize Free. You don’t even have to install it, just move over a folder with two files that are under a meg and you are up and running. It will make a quick scan of the drive of your choice and list the folders in order by size, you can then drill down in the folder structure to find what you need right away.
Symantec Endpoint Protection 11
by admin on Jan.25, 2008, under Software, Systems
I installed a trial of Symantec’s Endpoint Protection, which is the new version of Symantec’s Enterprise Antivirus. I have used Symantec in business all the way back to version 7 and have always liked it. Version 10 switched its server-to-client communication from UDP to TCP, which improved network stability. They also changed new virus definitions to be deltas instead of full definitions.
Well Symantec has taken it to the next level now with Endpoint Protection. Now the firewall package is built into all of their clients instead of just their SCS clients. They have also added a HIPS or Host Intrusion Protection Software into this client. This is the next step that a lot of companies have been trying to pull off but haven’t done well yet. IPS watches for known and unknown attacks by watching for activity that could be trying to do malicious things.
Firewalls are great because they block connections that aren’t specifically allowed, but that still allows all traffic on open ports; the IPS piece will analyze the traffic and watch for malicious activity. So far I have been very impressed with how well it is designed; I have not had to make any changes to allow things to work on my machine. I am on a domain and typically you have to allow a ton of stuff just for your machine to function, and I did not. The only change I made was to turn off the alerts when the firewall blocked something.
One more note that a lot of standards including PCI require you to run HIDS/HIPS on your machines.
Troubleshooting High CPU on SQL 2005
by admin on Jan.23, 2008, under Software, Systems
So I am not a DBA, I have never done much work on SQL servers other than back them up, patch them or install new copies of them. At my new job I have started to take on some of the tasks of a DBA including troubleshooting poor performing SQL boxes.
Don’t expect me to be adding in a ton of query statements or SQL traces because I try to stay out of most of that stuff at this point of the game. The first thing I did to aid me in maintaining and troubleshooting SQL was to install SQL Server Management Studio from the SQL 2005 install media. This allows you to connect to SQL instances without having to log in to the console of the box.
There are two places to look right away to see what is going on in that SQL instance. The first is under SQL Server Agent -> Job Activity Monitor. In here you will be able to see if any scheduled jobs are running, the history of the jobs, etc. The other place to look right away is under Management -> Activity Monitor. In here you will see what processes are currently running. You can see pretty much in real time what is using resources like disk, memory, and CPU. You can also see what processes might have locks.
Now getting back to high CPU on your SQL box: unless it is one job or one long running query that is using all the CPU, the Activity Monitor isn’t going to really help you. It could be that a short running query is running 100s or 1000s of times a minute and this is causing the CPU issues. One easy way to tell what is taking up the CPU is the built-in reports of SQL 2005. Right click on the instance name in Management Studio -> Reports -> Standard Reports -> “Performance - Top Queries by Total CPU”. This will give a breakdown of which queries being run against this instance are using the most CPU and are being run the most times. These stats are being taken all the time by SQL 2005, so you aren’t taking up more resources to monitor the instance.
This is just one place to start looking but it gives you a lot of good info.
Delage32 - A better way to cleanup
by admin on Oct.18, 2007, under Software, Systems
So we have a couple of down and dirty backup servers that run backup scripts and a free backup program called SyncBack. These methods of backups are cheap (free), easy and fast. One problem you run into is when replicating data to multiple locations that have different retention times you need a way to clean-up old files.
We are talking about over 1TB of backed up data and some individual files that are over 100GBs in size. What we have done in the past is use batch files to run clean-up jobs. Robocopy is used to move aged files from backup locations to another location and then the del command is used to empty the directory. The problem with this method is it takes quite some time to move the files and takes additional space as a queue before deletion. The del command doesn’t have age switches built in.
I found a freeware product called delage32 that adds the age functionality into the mix. Now, instead of my cleanup scripts moving the old files to a new directory and then running del on everything in that clean-up directory, it just deletes files of a certain age out of the backup directories. This is much more efficient.
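The same delete-in-place-by-age approach with a different retention time per backup location, as an added example that is not part of the original post and is not delage32 itself. The function names, directory names and retention values are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile
import time

def find_expired(root, max_age_days, now=None):
    """Yield regular files under root last modified more than max_age_days ago."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    for dirpath, _dirs, files in os.walk(root):   # does not descend into symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)                 # lstat: never act on a link target
            if stat.S_ISREG(info.st_mode) and info.st_mtime < cutoff:
                yield path

def cleanup(retention, dry_run=True, now=None):
    """retention maps directory -> days to keep. Returns [(path, size_bytes), ...]."""
    removed = []
    for root, days in retention.items():
        for path in list(find_expired(root, days, now)):
            size = os.lstat(path).st_size
            if not dry_run:
                os.remove(path)                   # deleted in place, no staging copy
            removed.append((path, size))
    return removed

if __name__ == "__main__":
    # Constructed sample: two backup locations with different retention times.
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        policy = {os.path.join(tmp, "offsite"): 7, os.path.join(tmp, "local"): 30}
        for root in policy:
            os.makedirs(root)
            for age in (1, 10, 100):
                path = os.path.join(root, "backup_%03d_days.bak" % age)
                with open(path, "wb") as handle:
                    handle.write(b"\0" * 1024)
                os.utime(path, (now - age * 86400,) * 2)
        plan = cleanup(policy, dry_run=True, now=now)
        for path, size in plan:
            print("would delete", os.path.relpath(path, tmp), size, "bytes")
        print("space to reclaim:", sum(size for _, size in plan), "bytes")
```

Run it with dry_run=True first and review the list before switching to dry_run=False.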
Switching DNS
by admin on Oct.04, 2007, under DNS, Software, Systems
Well I just got through switching some 700+ domains from VegaDNS to our new Simple DNS Plus platform. VegaDNS ran on Linux, and in a 99% Windows environment keeping Linux around just to run DNS was not viable. Simple DNS Plus runs on Windows 2003 and is a simple, easy to manage, but powerful DNS solution.
VegaDNS was a complicated DNS program. Most people who run DNS on Linux run on some version of BIND. VegaDNS did run on BIND but did not take the simple approach of BIND. Basically how Vega worked was you take BIND, run TinyDNS on top of it, then run VegaDNS on top of TinyDNS. VegaDNS adds a web front-end and a MySQL back-end onto the BIND framework. You could keep all of the DNS servers in sync off of that one MySQL database. It then kept local BIND files on the DNS server for serving up DNS. To maintain, back up and troubleshoot VegaDNS was complicated and annoying; to make things worse, we had two installs of VegaDNS on all of our DNS servers with two different databases. If any one piece broke the whole thing became a mess.
Now everything is running on one program. Simple DNS Plus has master and slave servers and keeps all DNS servers synced. It keeps all of the data in one folder on all DNS servers; you back up that folder and you can have your entire DNS infrastructure rebuilt in a matter of minutes. It can be managed with a Web front-end or a fat client, both are built-in. Import tools make migrations from other platforms easy. It has real-time DNS hit and cache stats as well as detailed logs if you want. It has built-in DoS mitigation and attack mitigation techniques like telnet disconnect, version masking, etc.
So far performance has been great and I would recommend it to anyone looking for a solid Windows based DNS platform. Did I also mention that it is inexpensive? Check it out!