Saturday, August 23, 2014

Custom PowerShell PRTG sensor script

PRTG only runs the 32-bit PowerShell, so if a custom sensor fails with "response not well formed" and the detail "<script> cannot be loaded because the execution of scripts is disabled on this system", the execution policy you need to lower to "RemoteSigned" is the one of the 32-bit PowerShell, which is stored separately from the 64-bit one. To do so navigate to C:\Windows\SysWOW64\WindowsPowerShell\v1.0 (SysWOW64 is where 64-bit Windows keeps its 32-bit binaries), run PowerShell.exe from there and then run the Set-ExecutionPolicy cmdlet. RemoteSigned is enough for locally written sensor scripts; there is no need to go to Unrestricted.
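As an added example (not code from the original post), here is a minimal custom EXE/Script sensor that reports a service's state in the "value:message" format PRTG expects, together with the commands to confirm which execution policy each PowerShell bitness sees. The service name is a made-up placeholder.

```powershell
# Hypothetical PRTG "EXE/Script" sensor (added example, not from the post).
# PRTG reads one stdout line of the form "<value>:<message>" and maps the exit
# code as 0 = OK, 1 = warning, 2 = system error, 3 = protocol error, 4 = content error.
# PRTG launches the 32-bit powershell.exe, so the execution policy that matters
# is the one reported by that binary, not by the 64-bit console you usually use.
param(
    [string]$ServiceName = 'MSExchangeServiceHost'   # placeholder; pass any service name
)

# Report which PowerShell was launched and the policy it applies, so the sensor
# message itself tells you whether you fixed the right bitness.
$bits   = if ([IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }
$policy = Get-ExecutionPolicy

try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -eq 'Running') {
        Write-Output ("1:{0} is running ({1} PowerShell, policy {2})" -f $ServiceName, $bits, $policy)
        exit 0
    }
    Write-Output ("0:{0} is {1}" -f $ServiceName, $svc.Status)
    exit 2
} catch {
    Write-Output ("0:{0}" -f $_.Exception.Message)
    exit 2
}

# One-off checks from an elevated 64-bit console. The first line is what PRTG sees;
# the second is the policy of the 64-bit host. Run Set-ExecutionPolicy RemoteSigned
# inside the 32-bit binary (the first path) if the two disagree. From a 32-bit
# process the 64-bit binary is reachable via $env:windir\Sysnative instead of System32.
#   & "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-ExecutionPolicy
#   & "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-ExecutionPolicy
```

The exit code, not the numeric value, is what turns the sensor red, so a stopped service exits with 2 and a short message rather than just reporting 0.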

MS Exchange ActiveSync high CPU

If you're running Exchange 2010 with Symantec Enterprise Vault, an archiving run can greatly elevate the CPU utilization of the ActiveSync application pool on your CAS server while EV is removing the archived emails from Exchange. It goes back to normal once the removal finishes. CPU utilization on the relevant mailbox servers goes up as well.

CPU spiking on Microsoft Exchange Activesync

We had the MS Exchange ActiveSync application pool (a W3WP.exe process in Task Manager) spiking to 99% CPU and staying there. Recycling the ActiveSync pool only fixed it temporarily. It turned out that the HTTP redirect we had configured for OWA had been inherited by all virtual directories, including the ActiveSync one. Due to a bug this can happen even if you choose not to apply the redirect to all sub-directories. Once we removed the redirect from the ActiveSync virtual directory things started working again.
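To find out where an inherited redirect ended up before recycling anything, the WebAdministration module can list the httpRedirect setting of every application under the site and clear it where it was never meant to apply. This is an added example, not code from the original post; it assumes the default Exchange 2010 CAS site name, the standard virtual directory name Microsoft-Server-ActiveSync and the MSExchangeSyncAppPool application pool, and must be run in an elevated PowerShell on the CAS.

```powershell
# Added example (not from the post): audit httpRedirect across a site, then clear
# it on the ActiveSync virtual directory. Assumed names: 'Default Web Site',
# 'Microsoft-Server-ActiveSync' and 'MSExchangeSyncAppPool'.
Import-Module WebAdministration

$site = 'Default Web Site'

# 1. Audit: which applications carry a redirect, explicit or inherited?
Get-WebApplication -Site $site | ForEach-Object {
    $psPath = "IIS:\Sites\$site$($_.path)"
    $r = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $psPath
    New-Object PSObject -Property @{
        Application = $_.path
        Enabled     = $r.enabled
        ChildOnly   = $r.childOnly
        Destination = $r.destination
    }
} | Format-Table Application, Enabled, ChildOnly, Destination -AutoSize

# 2. Fix: disable the redirect on the ActiveSync vdir only. Writing the property at
#    this level overrides whatever was inherited from the site root.
Set-WebConfigurationProperty -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false `
    -PSPath "IIS:\Sites\$site\Microsoft-Server-ActiveSync"

# 3. Recycle the ActiveSync pool so the worker process picks up the change now.
Restart-WebAppPool -Name 'MSExchangeSyncAppPool'
```

Any row in the audit table with Enabled set to True and ChildOnly set to False is a candidate for the same inheritance problem; /owa is the only one that should normally redirect.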

Thursday, August 7, 2014

Error 6003 in Exchange 2010

We demoted one of our old domain controllers and our Exchange 2010 mailbox server started logging a 6003 error every 5 minutes:

SACL Watcher servicelet encountered an error while monitoring SACL change.
Got error 1722 opening group policy on system <old DC> in domain <domain name>.


The only thing which ended up clearing it was restarting the server.

Monday, July 28, 2014

Local audit policy keeps changing back to "not configured"

The local audit policy on one of our servers wouldn't stick and kept reverting to "not configured". We finally figured out that "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Security Options needs to be disabled for the legacy category settings to take effect. When it is enabled, the per-subcategory settings (Advanced Audit Policy Configuration, or auditpol.exe) win and the nine category-level settings are ignored. Disabling it gives up that finer-grained control, so on 2008 R2 and later the better fix is usually to leave it enabled and manage the subcategories instead.

http://support.microsoft.com/kb/921468/en-us
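The option above is backed by the SCENoApplyLegacyAuditPolicy registry value described in the KB article. As an added example (not from the original post), this snippet shows how to read it, what is actually in effect regardless of which UI was used, and both ways of resolving the conflict. The subcategory names in the auditpol lines are real ones; which ones you enable is an assumption for illustration.

```powershell
# Added example (not from the post): inspect the override setting and the
# effective audit policy, then choose one of two fixes.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

if ($val -eq 1) {
    'Subcategory override ENABLED: legacy category settings (Local Security Policy > Audit Policy) are ignored'
} else {
    'Subcategory override disabled (or value absent): legacy category settings apply'
}

# The policy the LSA actually enforces, one line per subcategory:
auditpol /get /category:*

# Option A (what the post does): turn the override off so the category settings stick.
#   Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 0 -Type DWord

# Option B (keeps granular control): leave the override on and set the subcategories
# you care about directly. Example subcategories, chosen for illustration:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
```

If the value is absent the default behaviour on 2008 R2 is the same as enabled, so do not read a missing value as "the category settings will apply".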

Tuesday, March 25, 2014

WMI event 10 on Windows 2008 R2

Windows Server 2008 R2 (once SP1 is installed) logs WMI error event 10 at startup. This is a known issue (Microsoft KB 2545227): the service pack installer leaves behind a permanent WMI event filter with the query shown below, and the filter can no longer be activated after the install. Microsoft provides a script that removes the leftover filter so the error stops appearing in the event log, but it can also simply be safely ignored.

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          3/25/2014 4:49:35 AM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC3.hq.donohoe
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
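The event names the filter's query but not where it lives. Permanent event subscriptions sit in the root\subscription namespace, and listing them is the same check used to hunt for WMI-based persistence, so it is worth knowing what a clean server looks like. The following is an added example, not the Microsoft script or code from the post; it identifies the filter by the query text quoted above rather than by name, and leaves the removal commented out.

```powershell
# Added example (not from the post): enumerate permanent WMI event subscriptions
# and locate the filter whose query is quoted in event 10 above.
$ns = 'root\subscription'

'== Event filters =='
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, Query | Format-List

'== Consumers (all derived classes of __EventConsumer) =='
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Select-Object __CLASS, Name | Format-Table -AutoSize

'== Filter-to-consumer bindings =='
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# Match the leftover filter on its query text, which is what the event reports.
$cpuFilter = Get-WmiObject -Namespace $ns -Class __EventFilter |
    Where-Object { $_.Query -like '*Win32_Processor*LoadPercentage > 99*' }

if ($cpuFilter) {
    "Leftover filter from the event: $($cpuFilter.Name)"
    # Removing the binding and then the filter stops the event. Uncomment to apply:
    # Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    #     Where-Object { $_.Filter -like "*$($cpuFilter.Name)*" } |
    #     Remove-WmiObject
    # $cpuFilter | Remove-WmiObject
} else {
    'No filter with that query found'
}
```

On a server you did not build yourself, look at every filter, consumer and binding this prints, not just the one that matches: a CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter you cannot account for deserves a closer look.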

VSS event 8193 after installing DHCP on Windows 2008 R2

It turns out that installing the DHCP Server role changes the permissions on the VSS registry key. The DHCP Server service runs as NETWORK SERVICE and brings its own VSS writer, so after installing it you'll get the following VSS error in the event log when that writer cannot open the Diag subkey:

Log Name:      Application
Source:        VSS
Date:          3/25/2014 4:35:05 AM
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC3.hq.donohoe
Description:
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.

The fix is pretty easy. Open Regedit (on 2008 R2 regedt32 just launches it), go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS and give NETWORK SERVICE Full Control on it, applied to the key and its subkeys so the Diag subkey named in the error picks it up. If you prefer to grant as little as possible, the key the error actually fails on is VSS\Diag, so the grant can be scoped to that subkey instead.
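The same change done from an elevated PowerShell, as an added example that is not part of the original post. It prints the current ACL first so you can see what the DHCP install changed, adds the rule with inheritance to subkeys, and then verifies with the VSS writer list; set $key to the Diag subkey to scope the grant more tightly.

```powershell
# Added example (not from the post): grant NETWORK SERVICE access to the VSS key.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS'   # or '...\VSS\Diag' for least privilege
$account = 'NT AUTHORITY\NETWORK SERVICE'

# Before: who can do what on the key right now?
(Get-Acl -Path $key).Access |
    Format-Table IdentityReference, RegistryRights, IsInherited, InheritanceFlags -AutoSize

# Build an Allow rule for FullControl that applies to this key and its subkeys.
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $account, 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# After: confirm the rule is present and that the DHCP writer is now healthy.
(Get-Acl -Path $key).Access | Where-Object { $_.IdentityReference -eq $account }
vssadmin list writers
```

In the vssadmin output the entry to look for is "Dhcp Jet Writer"; it should list with a stable state and no error once the service can open the key.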

Monday, March 10, 2014

Deleting user in AD

Sometimes when we try to delete a user in AD it'll give us the message:

Object <name> contains other objects. Are you sure you want to delete object "name" and all of the objects it contains?

This is usually caused by a mobile phone which is syncing with the account: each ActiveSync partnership is stored as a child object (an msExchActiveSyncDevice object under an ExchangeActiveSyncDevices container) beneath the user in AD. To fix this we go to the user's mailbox in the Exchange 2010 EMC, right-click the mailbox and choose Manage Mobile Devices. Then we delete every partnership listed. Once that's done we can delete the user without the annoying message.
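The same clean-up from the Exchange Management Shell, as an added example that is not code from the original post. It first lists whatever child objects the prompt is referring to (so you notice if it is something other than a phone), then removes the ActiveSync partnerships with the Exchange 2010 SP1 cmdlets and deletes the user. The account name is made up, and the script assumes both the ActiveDirectory module and the Exchange 2010 SP1 (or later) shell are available.

```powershell
# Added example (not from the post): see what is under the user, then remove
# ActiveSync partnerships before deleting the account. 'jdoe' is a placeholder.
Import-Module ActiveDirectory
$user = 'jdoe'
$dn   = (Get-ADUser -Identity $user).DistinguishedName

# 1. What does "contains other objects" actually refer to?
Get-ADObject -SearchBase $dn -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -ne $dn } |
    Select-Object ObjectClass, Name

# 2. The partnerships themselves, as Exchange sees them.
Get-ActiveSyncDevice -Mailbox $user |
    Select-Object DeviceType, DeviceModel, DeviceId, FirstSyncTime

# 3. Remove every partnership (drop -Confirm:$false to be asked per device).
Get-ActiveSyncDevice -Mailbox $user | Remove-ActiveSyncDevice -Confirm:$false

# 4. Delete the user. -Recursive also takes the now-empty device container
#    with it if Exchange has not cleaned it up yet.
Remove-ADObject -Identity $dn -Recursive -Confirm:$false
```

If step 1 shows anything other than msExchActiveSyncDevices / msExchActiveSyncDevice objects, stop and find out what it is before deleting recursively.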

Wednesday, February 26, 2014

Remove additional mailboxes from Outlook

Once you add an additional mailbox to Outlook (by being granted Full Access to it), you might find you can't remove it again. Outlook shows the message:
"This group of folders is associated with an e-mail account. To remove the account, on the Tools menu, click Account Settings, select the account, and then click Remove."

However, the account isn't listed there, so you're unable to remove it. This is Exchange 2010 SP1 auto-mapping: when Full Access is granted, Exchange adds your account to the msExchDelegateListLink attribute of the mailbox owner's AD object and Outlook opens the mailbox automatically; the entry can linger after the access itself has gone. To really remove the mailbox you need to open ADSIEdit and drill down to the user account whose mailbox you're trying to remove in Outlook, open the properties of their object, find the attribute called msExchDelegateListLink and remove your account's distinguished name from it. Restart Outlook and after a couple of minutes the mailbox will disappear.
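The ADSIEdit step scripted with the ActiveDirectory module, as an added example that is not part of the original post. It removes only the one delegate entry and leaves other delegates alone, then verifies from the delegate's side through the back-link attribute. Both account names are made up; the last, optional line needs the Exchange Management Shell.

```powershell
# Added example (not from the post): remove one delegate from the owner's
# msExchDelegateListLink attribute. 'ceo' and 'jdoe' are placeholders.
Import-Module ActiveDirectory
$mailboxOwner = 'ceo'    # the mailbox that keeps showing up in Outlook
$delegate     = 'jdoe'   # the user who wants it gone

$delegateDn = (Get-ADUser -Identity $delegate).DistinguishedName

# Who is auto-mapped into this mailbox? The attribute holds delegate DNs.
$owner = Get-ADUser -Identity $mailboxOwner -Properties msExchDelegateListLink
'Current delegates:'
$owner.msExchDelegateListLink

# Remove only our own entry.
if ($owner.msExchDelegateListLink -contains $delegateDn) {
    Set-ADUser -Identity $mailboxOwner -Remove @{ msExchDelegateListLink = $delegateDn }
    "Removed $delegateDn"
} else {
    "$delegate is not listed on $mailboxOwner"
}

# Verify from the delegate's side: the back-link should no longer name the owner.
(Get-ADUser -Identity $delegate -Properties msExchDelegateListBL).msExchDelegateListBL

# Optional, Exchange Management Shell: drop the Full Access permission as well,
# otherwise the mailbox can still be opened manually.
# Remove-MailboxPermission -Identity $mailboxOwner -User $delegate -AccessRights FullAccess -Confirm:$false
```

Editing the attribute only stops the automatic mapping; it does not revoke access, which is why the permission removal is listed separately.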

Disabling computer password change

Windows 2003 and newer member servers regularly change their AD computer account password (every 30 days by default). This can be troublesome if you ever have to restore a server from backup: the restored server still has the old password while AD has the new one, and the server can no longer authenticate to the domain. While there are ways to fix it after the fact (netdom resetpwd, or Test-ComputerSecureChannel -Repair, reset the machine password in place), the only foolproof way is removing the server from the domain and adding it back in, something which can cause all sorts of other problems.

Personally, unless there is a compelling security reason not to, I disable computer password changes on my servers. It can keep a stressful situation (restoring a server) from becoming even more stressful. The security reason to weigh against that convenience is that a machine account whose password never rotates stays a valid credential indefinitely if it is ever captured. To disable the changes, open the registry, navigate to the key below and set DisablePasswordChange to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
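As an added example (not from the original post), this shows the Netlogon values involved, the registry change the post describes, and the in-place repair you can run after a restore instead of disabling rotation. The domain, admin account and DC name in the comments are placeholders.

```powershell
# Added example (not from the post): inspect and set machine password rotation,
# and repair the secure channel after a restore. Run elevated on the member server.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Current state. DisablePasswordChange 0 or absent = rotate every MaximumPasswordAge
# days (30 by default); 1 = never change the machine password.
Get-ItemProperty -Path $netlogon | Select-Object DisablePasswordChange, MaximumPasswordAge

# The post's approach: stop this server from ever changing its password.
# Trade-off: a captured machine account password then stays valid indefinitely.
Set-ItemProperty -Path $netlogon -Name DisablePasswordChange -Value 1 -Type DWord

# The alternative after restoring an older backup: test the trust and fix it in place.
# $false here means the server's password no longer matches the computer account in AD.
Test-ComputerSecureChannel

# Repair without leaving the domain. Needs an account allowed to reset the computer's
# password in AD. PowerShell 3.0 and later accept -Credential; on 2008 R2 use netdom.
# Placeholders: DOMAIN\admin, dc1.example.com.
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'DOMAIN\admin')
#   netdom resetpwd /server:dc1.example.com /userd:DOMAIN\admin /passwordd:*
```

Either repair command rewrites the computer account password on both sides, which is exactly what the domain rejoin achieves without touching group memberships, SPNs or certificates tied to the account.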

Monday, January 13, 2014

NetFlow on Cisco ASA 5510

Getting NetFlow working on our Cisco ASA 5510 was a little more difficult than anticipated. It turns out you not only need to designate the IP and port to send the NetFlow (NSEL) records to, but you also need a flow-export action in the service policy, since the ASA only exports records for traffic matched by a class in the policy map. The access list in the class-map below selects which traffic generates flow records (here, all of it); it is not what permits the export itself. The global_policy is applied with "service-policy global_policy global" on a default configuration, so check that line is still present if nothing arrives at the collector.

(config)# flow-export destination inside <IP address> <port>
(config)# logging flow-export-syslogs disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination <IP address>

What's nice is that PRTG can accept NetFlow traffic from an ASA and give you some nice data from it, including top talkers. As an aside, PRTG is great software and an incredible value. For monitoring, PRTG does just about everything and does it really well.