ikon

Forum Replies Created

Viewing 30 posts - 61 through 90 (of 91 total)
    ikon
    Member
    in reply to: AD FSMO role Seizure #354231

    Re: AD FSMO role Seizure

    Usually what happens is the non-FSMO role holder DCs still get a full replication of AD etc., so as long as the new DC had a recent update it will have all AD information up to date, and it must be acting as the FSMO role holder.

    The problem is you haven't had a smooth seize or transfer of the roles, and AD is not in a clean state.

    So you must first check DNS to see where all clients and servers, including the DC itself, are looking for AD services; these are the SRV records in DNS.

    Before you start to mess with anything, what is your disaster recovery plan, if any at all?

    in reply to: AD FSMO role Seizure #354230

    Re: AD FSMO role Seizure

    Yes, you need to be a lot more clear on what you did.

    Did you always have 2 DCs in your domain?

    It's important that the second DC had a full replication before you seized the roles.

    Run this command on the DC: "netdom query fsmo"

    Does it list all roles?

    You might be lucky and the problem might just be DNS, and all you need to do is delete the SRV records for the old DC and make sure you have SRV records for the new role holder.
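    The two replies above boil down to two checks: confirm which DC actually holds the roles now, and confirm the DC locator SRV records in DNS point only at DCs that still exist. The PowerShell below does both. It is an added example, not code from the original thread; it assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later), domain admin rights, and the default DNS zone layout for the _msdcs records.

```powershell
# Added example, not code from the original thread. Assumes the RSAT
# ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later),
# run with domain admin rights against the domain in question.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = Get-ADForest
$addom  = Get-ADDomain

# 1. Current role holders; the same answer 'netdom query fsmo' gives.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $addom.PDCEmulator
    RIDMaster            = $addom.RIDMaster
    InfrastructureMaster = $addom.InfrastructureMaster
} | Format-List

# 2. DCs that the directory itself still knows about.
$liveDcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() }

# 3. The DC locator SRV records clients and DCs query (LDAP, Kerberos, GC).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_gc._tcp.$domain"
)

$stale = foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            $target = $_.NameTarget.ToLower().TrimEnd('.')
            if ($liveDcs -notcontains $target) {
                [pscustomobject]@{ Record = $name; Target = $target; Port = $_.Port }
            }
        }
}

if ($stale) {
    "SRV records that still point at a host which is no longer a DC:"
    $stale | Format-Table -AutoSize
    # Delete these (DNS console, or Remove-DnsServerResourceRecord on the DNS
    # server) only once the old DC is confirmed gone for good; a DC whose roles
    # were seized must not come back online with its old copy of the directory.
} else {
    "All DC locator SRV records resolve to current domain controllers."
}
```

    Run it from the new role holder first, then from a client, because a client whose resolver still caches the old DC's records will behave differently from the DC itself until the cache is flushed.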

    in reply to: Tidying up AD #354229

    Re: Tidying up AD

    You need to flush both the server and your client cache, unless you are running a ping -a or nslookup from the DNS server itself.

    in reply to: Objects not displaying in AD #354228

    Re: Objects not displaying in AD

    When you created the object, did it show up on the server you created it on?

    Are you using the console to do this, or support tools from a workstation?

    in reply to: Active Directory Not Working #354226

    Re: Active Directory Not Working

    Run the following commands.

    Secedit /configure /cfg C:\Windows\repair\secsetup.inf /db secsetup.sdb

    Secedit /configure /cfg C:\Windows\repair\secdc.inf /db secdc.sdb

    Thanks

    in reply to: add PC in the domain controller #354225

    Re: add PC in the domain controller

    If you absolutely insist on having this PC on a non-existent domain, then you can use scripts to map drives using credentials Domain\user "password".

    You can also script the remote shutdown to provide credentials; I have some scripts if you ask me nicely.

    Thanks
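    The post above suggests scripting the drive mapping (and the remote shutdown) with a username and password from a PC that is not a domain member. As an added example, not the poster's scripts, this is the same thing done without writing the password into the script: store the credential once in Credential Manager with cmdkey and let the SMB client pick it up. The server, share and account names are placeholders.

```powershell
# Added example; fileserver01, the 'data' share and CORP\svc-maps are placeholders.
# Store the credential once on the non-domain PC. '/pass' with no value prompts
# for the password, so it never appears in the script or in a process listing.
cmdkey /add:fileserver01 /user:CORP\svc-maps /pass

# Map the drive; the SMB client uses the stored credential for fileserver01.
net use Z: \\fileserver01\data /persistent:yes

# Remote shutdown the same way: open the IPC$ session first so the shutdown RPC
# runs under the stored credential, then issue the shutdown.
net use \\fileserver01\ipc$
shutdown /s /m \\fileserver01 /t 60 /c "Scheduled maintenance"

# What to avoid: a password on the command line is readable by anyone who can
# list processes on the PC or read the script, e.g.
#   net use Z: \\fileserver01\data /user:CORP\svc-maps "P@ssw0rd"
```

    The stored credential is still on that PC, so anyone who logs on as that Windows user can use it; the point is only that it does not sit in clear text in a script or a logon batch file that gets copied around.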

    in reply to: Domain controller authentication #354224

    Re: Domain controller authentication

    You need to change the replication topology in Sites and Services.

    You can add or remove DCs' replication partners. Be aware that the DCs in the new VLAN must replicate with at least the DC in your main office (main VLAN), and the remote sites can replicate with M in the main office; I don't see a problem with that..

    Unless anyone else can.

    in reply to: Cisco Pix 515e Version 8.04 – IPsec Site to Site #354223

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    So far so good!

    Connected for 2 hours 16 mins.

    Thanks

    in reply to: Cisco Pix 515e Version 8.04 – IPsec Site to Site #354222

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    Everything is the same as far as the IKE negotiations go, and the IPsec SAs are the same.

    However, I did notice I had Perfect Forward Secrecy enabled on the Vigor and on the PIX it was not enabled. I have disabled it for now to see how it goes; I will enable PFS after, as I prefer it for security.

    But as for Phase 2 negotiations, both IKE and IPsec settings were identical; PFS must have caused the issue. We will see in a few minutes.

    Thanks

    in reply to: Cisco Pix 515e Version 8.04 – IPsec Site to Site #354221

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    OK, I changed my

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0

    and the Vigor router config has the remote network set to 0.0.0.0 0.0.0.0.

    The VPN has come up and traffic is flowing nicely; however, it seems very unstable. It disconnects sometime after a few minutes and I get errors like
    [CODE]

    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Error: Unable to remove PeerTblEntry

    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch

    Oct 01 12:25:50 10.0.0.5 :Oct 01 12:25:50 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)

    Oct 01 12:25:55 10.0.0.5 :Oct 01 12:25:55 GMT/BDT: %PIX–4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3194

    Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown

    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Freeing previously allocated memory for authorization-dn-attributes
    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)

    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-ids-4-400010: IDS:2000 ICMP echo reply from 87.127.88.145 to 87.127.88.147 on interface outside
    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)!

    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-1-713900: Group = 84.45.153.53, IP = 84.45.153.53, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

    Oct 01 12:26:05 10.0.0.5 :Oct 01 12:26:05 GMT/BDT: %PIX–4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3242
    [/CODE]

    Then the VPN comes back up and all is well. Using my old crypto map ACL to just allow 10.0.0.0 255.255.255.0 to 10.0.1.0 255.255.255.0 to be protected, the VPN is very stable.

    Any ideas on this, or advice on how to set this up better?

    Thanks
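    The lines above are what the PIX logs when the IKE session drops; the reason string in the %PIX-auth-4-113019 message ("Phase 2 Mismatch") is the one to watch, because it means quick mode could not agree on the proxy identities (the crypto map ACL on the PIX versus the remote network the Vigor offers) or on PFS. As an added example, not part of the original post, the following PowerShell pulls those disconnect events out of a syslog file and groups them by peer and reason, so repeated Phase 2 mismatches stand out from ordinary rekeys. The sample lines embedded in it are a constructed subset of the ones quoted above.

```powershell
# Added example, not from the original post. Sample lines are a constructed
# subset of the PIX syslog quoted in the thread; message ID 113019 carries the
# IKE disconnect reason we want.
$sampleLog = @'
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Error: Unable to remove PeerTblEntry
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch
Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)!
'@

function Get-IkeDisconnect {
    # Emits one object per %PIX-auth-4-113019 line: when, which peer, how long
    # the session lived, and why the PIX says it ended.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '%PIX-auth-4-113019:.*IP = (?<ip>[\d.]+),.*Duration: (?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s,.*Reason: (?<reason>.+)$') {
            [pscustomobject]@{
                Time    = ($line -split ' ')[0..2] -join ' '
                Peer    = $Matches['ip']
                Seconds = [int]$Matches['h'] * 3600 + [int]$Matches['m'] * 60 + [int]$Matches['s']
                Reason  = $Matches['reason'].Trim()
            }
        }
    }
}

$drops = Get-IkeDisconnect -Lines ($sampleLog -split "`r?`n")
$drops | Format-Table -AutoSize

# Drops per peer and reason. 'Phase 2 Mismatch' after a multi-minute session
# points at the quick-mode proxy IDs or PFS, not at Phase 1 / pre-shared keys.
$drops | Group-Object Peer, Reason |
    Select-Object @{ n = 'Peer, Reason'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Against a real capture instead of the sample:
#   Get-Content .\pix-syslog.txt | Get-IkeDisconnect | Group-Object Reason
```

    With the ACL in the post there are two entries in the crypto map ACL (10.0.0.0/8 and any) against a single 0.0.0.0/0 remote network on the Vigor, so the two ends offer different proxy identities for the same traffic; the single /24-to-/24 entry the poster reports as stable is the case where both ends describe exactly the same pair of networks.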

    in reply to: modifying ad user phone numbers #354220

    Re: modifying ad user phone numbers

    All the information you require is here:

    http://www.computerperformance.co.uk/Logon/Logon_CSVDE.htm

    in reply to: Single Vs Multiple Forests #354219

    Re: Single Vs Multiple Forests

    It is quite possible to use 1 Active Directory forest and domain and utilize sites.

    In fact, if I remember rightly, sites are the preferred way to manage remote locations. Sites are manageable using Group Policies.

    You can also delegate control over the OUs for each site to certain admins.

    You could implement DFS and some sort of encryption. Cryptainer is very good software for managing encrypted volumes; you can create an encrypted volume within a share. The downside is you need a small client on each desktop/laptop to mount the volume.

    The decision to use more than 1 forest/domain is a tough one in your case. I would certainly stay away from trust relationships; you just need to decide how much you're going to lock things down. 1 domain/forest can be complicated managing large geographical areas with policies etc.


    Re: Users cannot log in to restored exchange 2003 mailbox store

    Have you run the Mailbox Cleanup tool? After doing so you may need to map the mailbox back to the user in AD.

    in reply to: Addional DC questions… #354217

    Re: Addional DC questions…

    I agree, there is no rule of thumb..

    Especially when using sites, there is link costing to consider; you don't want all sites updating from 1 main site. Distance also plays a factor...

    The main purpose of the Infrastructure Master is to detect out-of-date data (if you like) between GCs and non-GCs, and making all servers GCs is not always the best case (rule of thumb). There are so many factors to consider, and the bigger your AD is and the more sites you have, the more you have to consider; playing with costing is one way to combat replication.

    Some sites will need 1 or maybe more GCs to handle the load if there are multiple Exchange servers etc.

    The fact is my remote office with a 512Mbps DSL line has 4 users with 1 DC; why would I want unnecessary replication from GCs?

    In a 1-site small business with 1 Exchange server and 50 users, yeah, make all DCs GCs, why not...

    ms-ad-expert;179166 wrote:
    Thumb Rule: Either all DCs need to have a GC or only one DC should be the GC. There are issues if the GC and the Infrastructure Master role-holding DC are the same when there are multiple DCs in the same domain.

    There is only an issue with this case if all DCs are not GCs and you have the Infrastructure Master on a GC. The reason being, when the Infrastructure Master tries to check topology/replication or user/group information it will always be up to date, as it's checking itself and, because it's a GC, it has a full up-to-date copy of AD; therefore any misinformation/problems with replication cannot be detected on non-GCs.
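    The reply above states the placement rule: the Infrastructure Master may sit on a GC only if every DC in the domain is a GC (if none of them are, or all of them are, there is nothing for it to get wrong). As an added check, not from the original post, the PowerShell below reports where the role sits and whether the domain satisfies that rule; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $dcs = Get-ADDomainController -Filter *
    $im  = (Get-ADDomain).InfrastructureMaster

    # Is the role holder itself a GC, and are all DCs in the domain GCs?
    $imIsGc   = [bool]($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allAreGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        InfrastructureMaster = $im
        ImIsGlobalCatalog    = $imIsGc
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        AllDcsAreGc          = $allAreGc
        # Cross-domain phantom cleanup only works when the IM is not a GC,
        # or when every DC is a GC (so there are no non-GCs to fall behind).
        PlacementOk          = (-not $imIsGc) -or $allAreGc
    }
}

Test-InfrastructureMasterPlacement | Format-List
```

    PlacementOk false means the role should be moved to a non-GC DC, or the remaining DCs promoted to GC; in a single-domain forest the check is moot, since there are no cross-domain references to keep current.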

    in reply to: Delegation Control #354216

    Re: Delegation Control

    In ADUC go to "View" and click "Advanced Features", then right-click the OU and go to the "Security" tab; you will see the users with permissions to that OU.
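    The same view from PowerShell, as an added example that is not from the original post: the OU distinguished name is a placeholder and the ActiveDirectory module (which provides the AD: drive) is assumed. Filtering out inherited entries leaves only what was delegated on this OU itself, which is what a delegation review normally wants to see.

```powershell
# Added example, not from the original post. OU path is a placeholder.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param([string]$OuDn)
    # The AD: PSDrive exposes directory ACLs to Get-Acl; IsInherited separates
    # what was set on this OU from what flows down from the domain head.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType |
        Sort-Object IdentityReference
}

Get-OuDelegation -OuDn "OU=Sales,DC=corp,DC=example" | Format-Table -AutoSize
```

    ObjectType is the schema GUID of the attribute or class an entry is scoped to (all zeros means it applies to the whole object); resolve it against the schema when an entry looks broader than the delegation wizard would have produced.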

    in reply to: NT4 to 2008 external trusts – Are they possible? #354215

    Re: NT4 to 2008 external trusts – Are they possible?

    What is your 2008 domain/forest functional level?


    Re: Network connectivity on windows server 2008 is working only one way (From server

    Do you have another product key?

    in reply to: FTP restrictions #354213

    Re: FTP restrictions

    Disable anonymous Auth?

    in reply to: Active Directory shutsdown after 12 hours #354212

    Re: Active Directory shutsdown after 12 hours

    Firstly, I assume you have available disk space?

    If so, have you implemented any disk quotas? This may be the problem.

    in reply to: Windows 2000 DC with Windows 2003 member server #354211

    Re: Windows 2000 DC with Windows 2003 member server

    Try using GPMC, or run gpedit on the local machine to check that the policy is correct.

    It definitely sounds like a policy issue; run GPMC on the Win 2000 server and set up the policy.

    Then run gpupdate /force on both machines.

    in reply to: IIS website for file sharing extention handling #354210

    Re: IIS website for file sharing extention handling

    Are you using WebDAV or FTP, or has your friend created a page with links to the software?

    in reply to: 1gbps between 2 Windows Servers #354209

    Re: 1gbps between 2 Windows Servers

    OK, I removed the Z and V options from xcopy and can now get 220Mbps, which is the same as another machine I have tried with 0 load.

    So, without further tweaking of things like "TCP window size", I will assume this is normal for now.

    Thanks for all of your help.

    in reply to: 1gbps between 2 Windows Servers #354208

    Re: 1gbps between 2 Windows Servers

    Avg Disk Queue Length of 10, bearing in mind that there are 16 SAS 15k rpm drives.

    in reply to: 1gbps between 2 Windows Servers #354207

    Re: 1gbps between 2 Windows Servers

    Thanks i will give that a try now.

    in reply to: 1gbps between 2 Windows Servers #354206

    Re: 1gbps between 2 Windows Servers

    I did not do any calculations, I just assumed something in between, but I was pretty sure it was going to be more than 140Mbps.

    The TCP window size is dynamic in Windows Server 2003, although I can set it.

    Using the correct formula for a 100Mbit connection:

    100 Mbits/s and a round trip time of 5 msec: the TCP window should be 100×10^6 times 5×10^-3 (65 kilobytes).

    I'm using 1000Mbits and the round trip is 1 msec:
    1000×10^6 times 1×10^-3 (1000 kilobytes)

    Throughput calc:

    RCV buffer size / RTT = Max TCP throughput = ? bps (buffer size is normally 64Kbps)
    e.g. (64Kbyte x 8bit) / 0.17 = 3011764 bps = 3Mbps (RTT=170ms)

    In my case 1000Kb / .001 = 1000000000 bps = 1000Mbps

    8)

    So you're saying I must manually set my TCP window size to this.

    I will try this reluctantly, as Windows is supposed to calculate this all for me.

    EDIT..

    I will try without the option in xcopy; the files I am copying are all large (>1GB), one file is actually 65GB in size.

    I have recently just tried a drag-and-drop copy of some 1GB files on another server to the same Ethernet disk, this time at 220Mbps, so I am thinking that without those xcopy options it will provide better throughput. I would just like to know what to expect throughput-wise, copying data using 1Gbps Ethernet cards.
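    The bandwidth-delay arithmetic in the post above, carried through with the units made explicit, as an added worked example that is not from the original post: link speed times RTT gives a number of bits in flight, while the receive window is quoted in bytes, so the two only compare after dividing by 8. The 170 ms / 64 KB case the post quotes is included so the numbers can be checked against it.

```powershell
# Added example, not from the original post: bandwidth-delay product and the
# throughput ceiling a fixed receive window imposes, with units spelled out.
function Get-BandwidthDelayProduct {
    param(
        [double]$LinkMbps,   # link speed in megabits per second
        [double]$RttMs       # round-trip time in milliseconds
    )
    $bits = $LinkMbps * 1e6 * ($RttMs / 1000)   # bits that must be in flight to fill the pipe
    [pscustomobject]@{
        LinkMbps    = $LinkMbps
        RttMs       = $RttMs
        WindowBits  = $bits
        WindowBytes = $bits / 8                  # what a TCP window is measured in
        WindowKiB   = [math]::Round($bits / 8 / 1024, 1)
    }
}

function Get-MaxTcpThroughputMbps {
    param(
        [double]$WindowBytes,   # receive window in bytes
        [double]$RttMs
    )
    # throughput (bit/s) = window (bits) / RTT (s); the link speed does not appear,
    # it only caps the result from above.
    [math]::Round(($WindowBytes * 8) / ($RttMs / 1000) / 1e6, 1)
}

# Window needed to fill the link at the two RTTs quoted in the thread.
Get-BandwidthDelayProduct -LinkMbps 100  -RttMs 5 | Format-List   # 500,000 bit = 62,500 B = 61.0 KiB
Get-BandwidthDelayProduct -LinkMbps 1000 -RttMs 1 | Format-List   # 1,000,000 bit = 125,000 B = 122.1 KiB

# Ceiling imposed by a 64 KB (65535-byte) window at several RTTs,
# including the 170 ms case from the post (3.1 Mbps).
foreach ($rtt in 0.1, 1, 5, 170) {
    [pscustomobject]@{
        RttMs   = $rtt
        MaxMbps = Get-MaxTcpThroughputMbps -WindowBytes 65535 -RttMs $rtt
    }
} | Format-Table -AutoSize
```

    At 1 ms RTT a 64 KB window caps a single TCP stream at roughly 524 Mbps, which is above the 140-220 Mbps the thread is seeing; that is the reason to look at the disk queue and the xcopy options before the window size.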

    in reply to: 1gbps between 2 Windows Servers #354205

    Re: 1gbps between 2 Windows Servers

    OK, I have tried both but no joy.

    Here is a screenshot after a reboot.

    Still get 140Mbps.. Frustrating; I will recheck the cable connected between the 2 machines.

    screenshot.jpg

    in reply to: Promoting & Depromoting DCs #354204

    Re: Promoting & Depromoting DCs

    As long as you have transferred and NOT seized the Domain Naming Master, RID Master, and Schema Master, you can safely demote the Windows 2003 server; if you seized those roles you must not bring the original server back online.

    in reply to: 1gbps between 2 Windows Servers #354203

    Re: 1gbps between 2 Windows Servers

    Dumber;152148 wrote:
    bites or bytes?

    Bits per second, not bytes.

    It is a Cat5e cable between 2 devices, both with 1Gbps network cards.

    Thanks, I'll check those links.

    I've done some searching, and it seems like this is very similar to my problem; I will also try this from the following link:

    http://forums.techarena.in/server-networking/922765.htm

    I will let you know the outcome, thanks for the help so far.

    Cheers

    in reply to: 1gbps between 2 Windows Servers #354202

    Re: 1gbps between 2 Windows Servers

    Hi

    Thanks for taking the time to look that up.

    Yes, I have tried disabling and uninstalling Sophos; there is no firewall on at the moment.

    The script is running at the moment @ 95Mbps. The only thing I can think of is that the host machine that is running 4 virtual machines is the server that is copying the images; they are on right now and being accessed, so maybe I will try an out-of-hours copy.

    But I'm not totally convinced.
