Tuesday, September 29, 2009

552 552 Message exceeds fixed maximum message size

A client sent a 6MB email to one of my users and got the following message:
This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:


Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 552 552 Message exceeds fixed maximum message size (state 18).

Checking my Trend Micro IMSS log I couldn't find any reference to this email.
Now I know IMSS will not send a notification anyway even if the size limit exceeds my 10MB limit per message and it should log it. 2 points that sent me off track with this.
I asked the client to contact her email provider (she is using an Exchange based hosting solution) and they sent me the following response:
Title: NDR: Message rejected; too large
Created: 09/29/2009 12:03:36
Summary of issue(s): Receiving a NDR that states that the recipient is rejecting the message because of its size.

Steps taken: Had her send the message to our test account. It works. The email is about 6 MB. The limit of outgoing on our servers it around 52 MB's. It is an issue on the recipients end. She will get in contact with them.

At this point I asked her to forward the original email to a test GMAIL account I hold. From there I forwarded the email to my user and got a similar failure message.
Calling Trend Micro was the next step. I had a technician on the line in no time and he Webex'd my IMSS server to find no logs and tell me that it must be something before IMSS, maybe my firewall. The only way to prove him wrong was bypassing IMSS and forwarding all SMTP directly at my Domino server. yeah, exactly what I need...

Googling gave me nothing. It was all around Exchange 2007.
So I was thinking again about IMSS settings and started playing with the settings. When I doubled the message size limit from 10MB to 20MB I was able to receive the email and see it in the log.
I guess that is a bug in the IMSS software. Great product but it is the 2nd bug I found in it this year...
following Gmail's problems of last week I must share this comic from Rosscott.

Friday, September 25, 2009

HP Printers backorder

This is one of those unbelievable recession stories.
One of my users called in with a broken printer. His HP 2015P stopped rolling paper and since new printers cost just like a technician's visit (the printer is over a year old and its warranty already expired) we have a no fix policy for this type of printers.
I buy most of my equipment via CDW and when I placed the order for a new HP 2035 (HP2015 is not at the make any more) I was struck to see a shipping date for the end of September. That was late August.
Stunned by the obvious mistake I called my CDW sales rep and he told me that there is a national shortage of HP printers. They shutdown a line last summer because they expected reduced demand. Well, I would check their analysts...
CDW had a waiting list, a back order for this specific item for over 1500 pieces!!!

Thursday, September 24, 2009

Google fail. Again...

Google is aware that some people are experiencing an e-mail outage. This is becoming a quarterly or even bi-monthly event...

at 10:29AM this message was posted:
We're aware of a problem with Google Mail affecting a small subset of users. The affected users are unable to access Google Mail, but we've provided a workaround below. We will provide an update by September 24, 2009 11:29:00 AM UTC-4 detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change.
You can access Gmail via IMAP

at 12:58PM, after few additional messages they posted the following message:
The problem with Google Mail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support.

My users had problem with both Gmail contacts and Gtalk (or Gmail chat). At few points they couldn't log in or refresh their Gmail mailbox.
I had users both in NY & London complaining and I doudt it was just a "small subset of users" as Google claim.

Wednesday, September 23, 2009

Recovering a file from Backup

Earlier today I've received a call from one of my users asking to recover a file from backup. He explained that last week's power shutdown caused some files mess up in his home directory.
Blame it on the network, that's the way to go!

I wrote down the file name and exact path and loaded Backup Exec's Restore wizard. Looking at all my weekly full backups I found the Friday prior to the power shutdown and restored the file he was looking for. He wasn't happy.

The explanation I received was that "the system" saved a second copy of that file under a different name!
I had to insist it is not possible since systems do not save files or rename them and no other user has access to the home folder of that user.
More to the fire he claimed that the recovered file is older then the one he was looking for. At this point I had to ask him how does it relate to the power shutdown if whatever happened more then a week earlier???

Went back to Backup Exec and located the file from previous week where the creation date and modified date where exactly identical, similar to the date he created the file. That file also was "wrong".

At this point I innocently suggested that he might have saved it in a different location. 10 minutes and a long lecture on his methodical file organization system later he called again: He found the file under a different folder.

One technical tip I want to share from my experience this morning relate to the recovered file.
I did not want to recover the file to the original location (and by now you understand why). I usually recover files to the local disk at c:\BE_Recovery
When the recovered file come from a home folder the NTFS permissions are still in affect and you can't access it.
In order to see the files at \\Home\DomainName\Username, copy them to any other location or delete the folder and files when you're done, you have to do 2 things:
Add the domain admin with modify permissions
Allow permission inheritance to sub folders

Tuesday, September 22, 2009

Advanced Group Policy Management 4.0

Advanced Group Policy Management (AGPM) is coming out next month and it is time to take a first look at this new exciting tool.
It will be released as part of Microsoft Desktop Optimization Pack (MDOP) 2009 R2.
The new release include 3 main features you should know about:
Multi Forest/Multi Domain Support
AGPM 3.0 does not support multi-forest/multi-domain environments and requires to use import/export which essentially breaks the change management workflow. AGPM 4.0 allow moving GPOs from one environment to another. Even in my shop I have 2 forests and few domains.
Check mark for the SMB environment usability!

Windows 7/Windows Server 2008 R2 Support
The new version will add support for Windows 7 & Windows Server 2008 R2 settings reporting and editing.
Microsoft recommend that if you edit policy with Windows 7, make sure you run Windows Server 2008 R2 on the back end.
Another check mark for the SMB environment usability!

Search and Filtering
Well, don't get too excited. You still can't search for settings.
The search feature allow you to locate a policy by it's name or partial name.
While it is a nice improvement it is not really useful for the average SMB.

You can download the Microsoft guide for AGPM 4.0 here.

Wednesday, September 16, 2009

It’s 3 a.m. Who Do You Want Answering the Phone?

Last night, just before 3AM most of our floor lost power.
The first to take the hit where PCs as they do not have any power backups.
My servers and routers kept going for additional 90-110 minutes based on the UPS they connected to.
I have a bunch of APC UPS systems both from the 2200 & 3000 series.

An hour and a half later, just few minutes after most UPS died, the power came back. For most servers it was too late...

When I received that phone call I had to connect to my ASA and I was happy when it worked. Poking around I verified all the critical routers and switches are up and the Domain Controllers for all 3 domains are running.
One server didn't want to be cooperative, it did reply to ping but wouldn't allow and RPC based connection to the Windows environment. I had to reboot it but I was home in my pajamas and 45 precious minutes away.
iLO saved me! lucky me, this one server had a working, connected & configured iLO.
In few minutes I had this server restart itself and this time it did. what a relief!

In less then an hour I was able to start all the services, run all the programs and test all the network components. 1 hour - that is the time it would take me get dressed and commute to the office...

The aftermath:
Coming to the office I found that some PCs and few server where up all night. The meaning is that it was not some general building outage but a more specific one. I called the building electrician and he found out that the meter box, which is as old as our building got too hot and caused this power outage. We're going to replace all 3 meter boxes tonight after hours.

Preparing to such a major shutdown is very important. Few things to remember:
This is the time to check all your procedures and backups.
This is when you use the contact list you've collected all those years, calling all your vendors so they know your network will be down.
Make sure the users are aware of the shutdown.
Call your phone system support and make sure they know about it, you might need them.

Tuesday, September 15, 2009

Diskpart Command-Line Utility

I had to make some partitioning changes on few machines. The thought of doing it manually, one by one was depressing. So I spent some time reading and playing with DiskPart and saved myself precious time.

DiskPart is a text-mode command that enables you to manage objects (disks, partitions, or volumes) by using scripts or direct input at a command prompt.

DiskPart is present in XP, Vista and Windows 7. The XP version is more limited because it does not offer advanced features for resizing partitions.

It is a powerful tool that can be used in many ways. I'll go over some basics.
Before you can use DiskPart commands on a disk, partition, or volume, you must first list and then select the object to give it focus. When an object has focus, any DiskPart commands that you type act on that object.

To start the tool, all you have to do is type DiskPart in command line. You'll get a new prompt with the DISKPART> sign replacing c:\

The tool uses two types of commands:
1. Commands which specify the target of action: List, Help, Rem, Select, Exit
2. Commands that apply directly to the element: Active, Assign, Create, Extend, Shrink

You can resize partitions, add or remove them and generally speaking do most of the FDISK or Disk Partition utility functions

One big advantage for DiskPart is it's scripting power. You can use it in script for a range of tasks.
To initiate a Diskpart script, use the diskpart /s script.txt command. By default, Diskpart can quit command processing and return an error code if there is a problem in the script. To continue to run a script in this scenario, include the noerr parameter on the command.

Check the Microsoft Command-line page for DiskPart

DiskPart is a powerful tool. Make sure you're familiar with it and use it carefully

Monday, September 14, 2009

Wi-Fi 802.11n approved - do I care?

The technical blogosphere is buzzing. BBC, CNET, neowin and everyone else cover the approval of the 802.11n high-throughput wireless LAN standard by the IEEE.
It took almost 7 and we have a 6 time faster wireless connection. Most vendors already use it or require a firmware upgrade for the existing hardware.

As always, I try to look at the news in the OneManITShop eyes:
How would it change MY life?
Will it make a difference to MY Shop?

Networks that already use wireless will be better off upgrading to the new standard if hardware permit. But under the current economy I wouldn't invest in new hardware unless you work with huge files or video (but then, why are you on wireless?).
If you're just on the verge of installing a new wireless network or expand the current infrastructure you have to make sure 802.11n is supported. The problem is you 'll have hard time any piece of hardware that does not support it so it is a non issue.

The big difference would be for those who try to make a case for wireless. If you're one of those your case got 6 times stronger. Since most PCs come with a Gig NIC I see the network as the bottleneck and this is where you can make your case: Using 802.11n get you closer to the Gig NIC but with the flexibility of a laptop. You do not compromise that much on bandwidth as you had to with previous standards and you get to keep the wireless environment.
I see it as a big plus. With the right rap your management will too.

Friday, September 11, 2009

Domain Trust – part III

Part I covered the basic concept of Domain Trust.
Part II covered the different Trust types.
Now it’s time to go over Trust related troubleshooting skills

The first step is determining the type of Trust. There are few ways to complete this task:
Active Directory Domains and Trusts console - The Domain ‘Properties’ box has a Trusts tab with all available Trusts for the Domain

Active Directory Users and Computers console – For the Domain, the View menu has an ‘Advanced Features’ option. The ‘System’ container has a list of objects; we’re looking here at the ‘Trusted Domain’ type.

NLTEST - Resource kit tool that can display Trusts (among other data). The following command will show all trusted domain:
NLTEST /server:server name /trusted_domains

ADSI Edit – Another Resource kit tool that can do the job. Expanding the domain in question and browsing to the System class properties will give you the list of Trusted domains.

Each of these provides significant data on the Trusts and related problems. Make sure you’re familiar with each one of them and capable of using them if required.

WinNT presented a great tool that survived till this day: NLTEST
NLTEST test secure channels between domain controllers that trust other domains.
Though it is a WinNT document, this tool work great on every domain level and like the previous list, it is a very important tool that should be available and used by any domain admin.

“Restricted Groups” in Group Policy

Ever had to add users to a local admin group but had no access to the computer? Add a special user account in the Administrator group of every computer on the network for remote administrative functions?
Group Policy Restricted Groups enables you - as the administrator - to configure group memberships on the client computers or member servers. Cool. Useful!!!

The “Restricted Groups” option allow 2 types of settings:
Members Of

Members– This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

Member Of – This setting allows you to control which other groups the specified group has membership in. All groups that you configure in this interface must meet the approved group nesting rules. Therefore, you can’t configure a local group to have membership in another group, since local groups can’t be placed in Active Directory groups, nor placed in other local groups. If the list of groups in this section is left blank, it will not remove the specified group from any existing groups, it will just not place it in additional groups.

Simple yet an efficient time saver.

Derek Melber wrote a good security piece on restricted groups

Thursday, September 10, 2009

Well, this is embarrassing

After a long weekend and first day of school I walked in today and started my Firefox browser. After few seconds it crashed. up to this point, nothing much to tell about, happen every once in a while.
The story is the recovery process. When Firefox crashes it is coming up again and recovering all web pages so other then the irritating process, you do not have a real damage (though it is annoying). But this time I got a new message...

Thursday, September 3, 2009

Netsh.exe - DHCP backup and more

Early this morning I had a problem on one of my DHCP servers. One scope got messy and I wanted to get it fixed fast enough so ealy birds coming in will not notice the problem.
Lucky me i had a recent backup of my DHCP so all I had to do was restoring it to the server.

Netsh.exe utility is a functional tool that can be used for many tasks around your domain. my particular task here was importing the backup file I created as part of my DR plan.

Running the tool on the actual DHCP server those are the required commands:
dhcp server \\servername

export c:\backup\dhcpdb all (all=>backup ALL scopes)
export c:\temp\dhcpdb

import c:\backup\dhcpdb all (all=>import full config)
import c:\temp\dhcpdb

This is a very simple procedure that can save you time when DHCP fail.
You can use this tool for many more tasks, monitoring your system from command line.

Tuesday, September 1, 2009

How to change Drive Letter display

A simple request from a user made me work a bit before I found this neat solution:
Mapped drives at Windows Explorer are display by default as:
- (OneManITShop Data on FileServer\ShopData M:)
A much easier way to see it, and this users requrested just that is the other way around:
(M: OneManITShop Data on FileServer\ShopData)

An easy solution (I do not use 'the solution' since some other solution available out there) is a simple Registry change:
In regedit (type regedit in command line)look for the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
edit or create the DWORD value "ShowDriveLettersFirst" and set it to the desired value:

* 0 = Default display (drive letters after description)
* 1 = Network drive letters first, Local drive letters after
* 2 = Descriptions only, no drive letters displayed
* 4 = Drive letters before description

My user's request required option 4. Happy user at the end of the day :)