Friday, 23 December 2011

BES Express filling C drive on SBS 2003 server?

Here's one that's cropped up on a few of the SBS 2003 servers in Stevenage we support.

The fix was gathered from several locations, so thought I'd bring it all together here for anyone suffering the same issue.

If BlackBerry Express is filling up your C drive, the first thing to do is check the log directory, which by default is here: C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs

BlackBerry will keep a new set of log files every day in a dated directory, so any old logs you no longer need can be safely deleted. You can also change the log location to another volume through the BlackBerry server configuration if required, and it's safe to compress the folder for big space savings.

The next place to look is here:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\jboss\ejb\server\default\data\wsdl

You may find thousands of WSDL files within the subdirectories.

There is a conflict between DNS on SBS and the default ports the BES Administration Service (BAS) uses. This causes the BAS to constantly stop and restart, making new WSDL files in the process.

It is safe to delete the WSDL files:
source ( http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB26024 )

If you have tens of thousands, it's easiest to do it via the command prompt. Navigate to:
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\jboss\ejb\server\default\data\wsdl
and run:

del *.wsdl /s

The next step is to stop SBS using the ports that BlackBerry wants to use, to get the problem fixed permanently.

You may have already created the following registry key if you've suffered similar problems with SBS and the IAS or IPSEC services; if not, you may need to create it.

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Right-click ReservedPorts, and then click Modify.
4. Type the range of ports that you want to reserve.

You need to reserve the following ports:
48857-48858, 48855, 45588

Source ( http://support.microsoft.com/kb/956189 )

Once that's done, restart the DNS service, and then the BAS-AS service.

BlackBerry suggest enabling tcpping; we have not found that to be necessary once the port reservations are done.

source ( http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18366 )
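As an added example (not part of the original post or of either vendor's article): ReservedPorts is a multi-string value in which each line is one `start-end` range, with a single port written as the same number twice. The sketch below turns the port list from the post into entries in that form and appends them to whatever is already reserved rather than overwriting it. The function names and the `EXISTING` sample are assumptions made for illustration.

```python
# Added example: build ReservedPorts entries without losing existing ones.
# Function names and EXISTING are hypothetical, not from the original post.

def to_entry(spec):
    """Normalise '48855' or '48857-48858' to a 'start-end' entry."""
    start, _, end = spec.strip().partition("-")
    end = end or start                     # single port: same value twice
    lo, hi = int(start), int(end)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    return f"{lo}-{hi}"


def merge_reserved(existing, wanted):
    """Return the existing entries plus any wanted ranges not yet covered."""
    result = [to_entry(e) for e in existing if e.strip()]
    covered = [tuple(map(int, e.split("-"))) for e in result]
    for spec in wanted.split(","):
        entry = to_entry(spec)
        lo, hi = map(int, entry.split("-"))
        # Skip a range that an existing reservation already contains.
        if not any(c_lo <= lo and hi <= c_hi for c_lo, c_hi in covered):
            result.append(entry)
            covered.append((lo, hi))
    return result


BES_PORTS = "48857-48858, 48855, 45588"    # port list given in the post
EXISTING = ["1433-1434"]                   # constructed sample of a prior value

if __name__ == "__main__":
    # One entry per line, as typed into the regedit multi-string editor.
    print("\n".join(merge_reserved(EXISTING, BES_PORTS)))
```
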

Friday, 11 November 2011

Monitoring a file or folder for NTFS permissions changes

I recently had the need to monitor NTFS permission changes on a particular folder on a 2003 server, in more or less real-time.

My first thought was to do so with Windows auditing, but auditing a file or folder for change of permissions results in an event ID 560. This is a very common event, so to be alerted to this in real time, it seemed to be necessary to use an app which would look into the detail of the event, and notify only if necessary.

I tried a couple of apps, but running through the event log for specific detail seems quite processor intensive, and would lead to long cpu spikes.

I thought I'd take a different approach, using a batch file and BMAIL, which seems to work well enough, and is free.

If anyone finds this useful here was my approach:

Firstly create a folder to store your stuff.... we'll call it c:\myfolder
Download bmail from here: http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm
and stick the bmail.exe in c:\myfolder

We'll assume the folder to be monitored is c:\private

run:
CACLS c:\private>c:\myfolder\original.txt

This creates a snapshot text document containing the current permissions on that folder. (this will need to be redone if the permissions are changed purposely)

Next up create a batch file (mybat.bat) in your c:\myfolder

@echo off
REM If a comparison txt file exists, delete it silently
del c:\myfolder\new.txt /q 2>nul

REM Create a new file to compare to the original file
REM (same folder as the snapshot taken earlier: c:\private)
cacls c:\private>c:\myfolder\new.txt

REM Compare the original & comparison file
fc c:\myfolder\new.txt c:\myfolder\original.txt | FIND "FC: no dif" > nul

REM If it hasn't changed, skip the next section
IF NOT ERRORLEVEL 1 goto notchanged

REM If it has changed, call bmail and tell it to email me about it.
:changed
echo yup it changed
c:\myfolder\bmail -s my.emailserver.local -p 25 -t me@myemail.com -f alert@domain.com -a "Permissions changed - check event 560"
GOTO END

:notchanged
echo no it didnt
REM echo messages are just for testing purposes.

:END


The next step was just to schedule this to run every 5 minutes. The processor hit is negligible, and then (assuming you have turned on file auditing for that folder) you can look in event viewer to get the detail.
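The batch file above only reports that the two CACLS snapshots differ. As an added example (not the original author's code), this Python sketch parses both snapshots and names the entries that were added or removed, so the alert itself can say what changed. The account names and sample snapshots are constructed, and the parser assumes the usual CACLS layout of the path on the first line followed by one ACCOUNT:RIGHTS entry per line.

```python
# Added example: diff two CACLS snapshots and name the changed entries.
# BASELINE and CURRENT are constructed samples; account names are hypothetical.

def parse_cacls(text, path):
    """Parse CACLS output for `path` into a set of (account, rights) pairs."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The first line starts with the path, followed by the first entry.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
            if not line:
                continue
        account, sep, rights = line.partition(":")
        if sep:
            aces.append([account.strip(), rights.strip()])
        elif aces:
            # No colon: continuation line of a "(special access:)" entry.
            aces[-1][1] += " " + line
    return {(a, r) for a, r in aces}


def describe_change(baseline_text, current_text, path):
    """Return alert lines naming each removed (-) or added (+) entry."""
    old = parse_cacls(baseline_text, path)
    new = parse_cacls(current_text, path)
    lines = [f"- {a}:{r}" for a, r in sorted(old - new)]
    lines += [f"+ {a}:{r}" for a, r in sorted(new - old)]
    return lines


BASELINE = (
    "c:\\private BUILTIN\\Administrators:(OI)(CI)F\n"
    "           NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
    "           EXAMPLE\\Accounts:(OI)(CI)C\n"
)
CURRENT = (
    "c:\\private BUILTIN\\Administrators:(OI)(CI)F\n"
    "           NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
    "           EXAMPLE\\Accounts:(OI)(CI)F\n"
    "           Everyone:(OI)(CI)R\n"
)

if __name__ == "__main__":
    for line in describe_change(BASELINE, CURRENT, "c:\\private"):
        print(line)
```

An empty list means the permissions match the baseline. Keep original.txt somewhere only administrators can write, since anyone able to rewrite the baseline can hide a change.
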

Monday, 3 October 2011

BT Major service outage Mon 3rd Oct

For those of you suffering today's major service outage on BT's ADSL products, you may just have come back online to find your SMTP email (or any other service relying on a specific IP) no longer works.

Check your 'static' IP address; BT, in their hurry to fix things, seem to have allocated dynamic IP addresses from entirely different subnets.

We've worked round this for our clients, but I'm sure it's affecting a lot of people right now.


Tuesday, 6 September 2011

Excel 2003 file too big?

While providing IT support for a client in Stevenage, I was tasked with troubleshooting an Excel 2003 file which had for some reason grown beyond all reasonable size. It was a relatively simple 8 sheet workbook, with a few hundred lines on each sheet. It gets updated quite regularly and had grown to 18mb in size, taking ages to open.

I followed just about every link I could find on Google with suggestions to fix this, including several utilities, to no avail.

Copying & pasting it into a new workbook reduced the size, but messed up the formulas & formatting, which I didn't fancy going through manually to correct.

After a couple of hours of fiddling, the solution I found was to save the file in XML (2003) format, close Excel, re-open the XML file, and resave as 2003 format. This shrunk the file down to 334kb. This kept all formatting and formulas.

No idea what Microsoft were saving in there...

Friday, 22 April 2011

Barracuda link balancer 330 install

This week I've been spending a bit of time installing a Barracuda link balancer 330 for a client for whom RSCC provide IT support in Stevenage, so I thought I'd share a few thoughts on it, as there doesn't seem to be a lot in the way of real-world reviews on the web.

In this particular case the client's old Fatpipe Warp had finally given up the ghost, and as there was no need for the more advanced features of the Fatpipe (such as the mesh VPN), this solution ticked all the boxes at a far lesser cost.

The most important thing for any prospective purchasers to understand is exactly what the unit will do, and more importantly, what it won't.

The link balancer 330 will take any 3 ethernet inputs - such as routers, ethernet modems, ISDN modems etc, and can be configured to either load balance, or to use one or more routes as a backup for the main route.

It can perform both outbound load balancing over the links, and inbound load-balancing by using its internal DNS server. By delegating a domain to the 330, incoming requests to that domain can be routed to any of the 3 inputs.

In the UK, one of the greatest IT problems SMEs face is the limited upstream bandwidth permitted by ADSL connections. Leased lines or etherstream etc overcome this issue, but at a considerable cost. What is important to understand with the link balancer is that 3 * 1mbps upstream ADSL links does NOT EQUAL 3mbps upstream bandwidth (a common misconception). Any single session is limited to the speed of a single link. It can however improve things greatly, by ensuring the link used is not heavily loaded with other sessions.

Configuring the unit is pretty straightforward via the web interface, but it does require a bit of planning, a reasonable knowledge of IP & DNS and there are some gotchas to be aware of. In my case, we weren't using the built-in firewall to any great degree, as we use a Cisco ASA behind the unit, but it does contain a basic firewall if required. In this case, as the Cisco only supports one subnet on its external interface, it was necessary to use NAT on the Barracuda.

The unit can use PPPOE, DHCP or static IP to configure each link - however there are some gotchas. For the DNS to function it is necessary to use a static IP on each required link. Whilst PPPOE in the real world can be used with a static IP, the same doesn't apply in Barracuda world: if using PPPOE with a static IP (or range of IPs), the interface simply does not let you configure the DNS, so no inbound load balancing. This means I have a couple of Draytek 120's sitting on the shelf...
You'll probably want your routers or modems to operate in a no-NAT manner, which will rule out many cheaper routers. Currently we are using a couple of Draytek 2820's and an old Cisco 837 (which I'll replace when I get round to it, as the old firmwares are becoming a bit of a liability).

I came up against a bit of a glitch when installing. It seems under certain circumstances, inbound port forwards on the primary IP of the link interfaces can really mess up outbound traffic. For example, if port forwarding 25 from the 330 to an internal server, any OUTGOING requests to any IP on port 25 would be looped back to the internal server. This seemed to be an intermittent issue - sometimes correcting itself after a reboot, sometimes not.

Fortunately I had a /29 subnet on the ADSL connections to use, and assigning an additional IP from the range to the interface and using that for NAT/port forwarding worked fine. Surprisingly, support had not come across this issue before. We were fortunate to have this option - I'd certainly want an answer from Barracuda before attempting an install with only one IP for each link available.

Overall, once the unit is up & running it seems to work quite nicely. You can use policy routing to ensure certain protocols or destination IPs are routed out of certain lines; so far we haven't needed to use this, as it seems quite sensible in its routing choices - no problems with SSL websites which often had to be manually specified for routing on the old Fatpipe unit.

Costwise the unit comes in at around the 2k mark, though Barracuda like you to buy some add-ons. The first is the 'energiser' updates. This is compulsory for the first year and seems to be little more than an occasional firmware update. As the units do not do anti-spam or AV, there shouldn't really be much to update, so there's not really much there to justify the cost - bug fixes should be free. Barracuda would also like you to buy an 'instant replacement' warranty, which may be more valuable in a mission-critical situation.

Overall it seems to do a reasonable job, though I'd still prefer a 10mbps leased line. It does add considerable complexity to the network, and is not something I would recommend as a self install without a fair bit of networking knowledge.

I'll update this post once in a while if any more issues come to view.

Friday, 12 November 2010

COD 7 Black ops sucks. Yes it does.

Well, I know this isn't strictly IT, but as you may know, us techies need time off once in a while to play Xbox or watch Star Trek - and if I can't rant here, I'll only bore the folks down at the Commodore 64 club.

I generally only get round to blogging when I've been a bit annoyed by something, it's a good release, and today my target is the horribly overly hyped COD7 Black ops. It sucks. Really. Badly. Truly.

I really wanted to enjoy this game, I had it on pre-order for the princely sum of £42.00 and had eagerly been looking forward to it, having enjoyed the previous Modern Warfare 2. Modern Warfare had such an atmospheric campaign, interesting maps, and a really good multi-player. It was however let down a *lot* by the lack of attention paid by the developers in fixing the boosting issues, who understandably, but annoyingly, preferred to focus on selling new maps instead.

I was kind of hoping Black Ops would be a fixed version of MW2 with new maps & some of the excellent team-play features pinched from BFBC2. Unfortunately Activision sacked the previous developers for some reason, and apparently found some guys in a pub who played a game once, so used them instead.

If you're unfortunate enough to have parted with your money, the first thing to strike you will be the visuals - the graphics are horrible - brightly lit, lots of primary colours that invoke no war-like atmosphere at all. Once you've died a few times for actually trying to explore the terrain rather than following the arrow in front of you, you might try some fun stuff - like throwing grenades that drop like lead, or firing shotguns that sound like.. well, quite unlike shotguns really.

The single player campaign in MW2 was pretty epic - as well as the usual battles, there were some really edge-of-the-seat moments where you would sneak around in dim light or snowstorms to avoid alerting the enemy. COD 7 has discarded such subtleties in favour of gameplay not too far evolved from Duke Nukem. But with worse AI.

Delving into multiplayer is like a step back in time; a horrendous mixture of instantly-forgettable small maps and Halo-style rollerskate gameplay. There are a few saving graces in the leveling system, currency etc, but there's no hiding quite what a stinker of a run & gunner this is.

And Zombies? - well yes, quite fun, for a bit - but a suitable replacement for Special Ops? ...

Back to BFBC2 for me. Just roll on that Vietnam expansion.

Saturday, 11 September 2010

Cisco VPN Client not working with Vodafone 3g dongle?

We've recently been approached by a client to provide a remote access solution for travelling representatives. RSCC provide IT support for them in their office in Letchworth, but they needed to extend the reach of their network to travelling representatives. As they require access to a data-heavy database and had limited upstream bandwidth, VPN access itself wouldn't cut it, so we've put together a solution utilising laptops with mobile 3g cards, a Cisco VPN and a Windows 2008 terminal server.

I've just spent a few happy hours this morning trying to figure out why my test laptop wouldn't connect to the Cisco VPN when using the Vodafone dongle. It would connect and complete x-auth, but no data would pass.

The usual cause for Cisco/mobile card issues is NAT Traversal - this needs to be enabled on the firewall/router for the client to work over a mobile card, however after checking and double checking, this turned out not to be the cause in this case.

I decided to bypass my prime suspect - the Vodafone Connect software - by setting up a dial-up connection using the dongle as a modem (to do so, set the dial-up number to *99# and use the username/password: web/web). This instantly fixed the issue, allowing the VPN client to connect, and surprisingly snappy access to the terminal server.

A bit more research shows that the problem was not Vodafone connect, but actually Cisco's lack of support for the new NDIS 6.2 driver model used by Windows 7. Judging by how long we had to wait for a 64-bit IPSEC client, I'm not holding my breath for an update.

On the positive side, the Windows dial-up client takes only a second or two to connect, whereas the supremely bloated Vodafone client takes some 20-30 seconds to start up & connect. Unfortunately I'm going to have to find another way of monitoring the data usage as the Windows client does not do this.