I'm Back 

After a long time of this site being messed up... I'm back online.

I will be re-posting some of my old blog posts I think are still worthwhile.

Posted by Brian 08/25/2013

Test Mail Server for Inbound TLS 

Here's how to test whether a mail server supports TLS using a Windows PC:

  1. nslookup
    > set q=mx
    > google.com
  2. The results:
    google.com   MX preference = 100, mail exchanger = google.com.s9a1.psmtp.com
    google.com   MX preference = 300, mail exchanger = google.com.s9b1.psmtp.com
    google.com   MX preference = 200, mail exchanger = google.com.s9a2.psmtp.com
    google.com   MX preference = 400, mail exchanger = google.com.s9b2.psmtp.com
  3. > exit
  4. telnet google.com.s9a1.psmtp.com 25
  5. Once connected, type:
    ehlo google.com
  6. If you see this in the output, the mail server supports inbound TLS communication:
    250-STARTTLS
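
The check in step 6, as an added example in Python (not code from the original post): it parses an EHLO reply and reports whether STARTTLS is advertised, including the case where STARTTLS is the last extension and is printed as `250 STARTTLS` rather than `250-STARTTLS`. The sample replies and the names `mx.example.test` and `client.example` are constructed, and `probe` is a hypothetical helper that repeats the test against a live server with `smtplib`.

```python
import smtplib

# Constructed EHLO replies (not captured from a real server).
SAMPLE_MID = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE_LAST = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 STARTTLS\r\n"
SAMPLE_NONE = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: parameters}.

    Continuation lines are '250-KEYWORD ...'; the final line uses a space
    ('250 KEYWORD ...'), so STARTTLS can appear in either form.
    """
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln.strip()]
    extensions = {}
    for line in lines[1:]:  # line 0 is the server greeting, not an extension
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(reply):
    """True if the EHLO reply lists STARTTLS, on any line after the greeting."""
    return "STARTTLS" in ehlo_extensions(reply)


def probe(host, port=25, helo_name="client.example", timeout=10):
    """Live version of steps 4-6 (hypothetical helper; needs network access).

    Goes one step further than reading the banner: it attempts the upgrade,
    so a server that advertises STARTTLS but fails the handshake raises here.
    This confirms the upgrade completes; it is not a certificate check.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return False
        code, _ = smtp.starttls()
        return code == 220


if __name__ == "__main__":
    for name, reply in [("mid", SAMPLE_MID), ("last", SAMPLE_LAST), ("none", SAMPLE_NONE)]:
        print(name, advertises_starttls(reply))
```
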
Posted by Brian 09/10/2010 Categories: Diagnostic SMTP System Administration TLS

The Virtual Storage Filter Driver is disabled through the registry. 

While looking through our new Windows 2008 SP2 server event logs, I noticed this unusual error:

Log Name: System
Source: storflt
Event ID: 5
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.

After a little research, I found a knowledgebase article 951007 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me….

If Windows Server 2008 is not running on a Hyper-V Server, this issue will not affect the performance of the operating system. Therefore, you can safely ignore this event.

Basically it’s another Warning message filling my event logs for not using a feature of the product!

Posted by Brian 03/24/2010 Categories: Hyper-V Windows

Event 29: Kerberos Key Distribution Center 

While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

After a little research, I found a knowledgebase article 967623 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me….

This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.

Basically, in a nutshell, if you are not using a CA, you can ignore this error message.

Posted by Brian 11/09/2009 Categories: Support System Administration Windows

DCdiag fails for NCSecDesc test on Windows 2008 Domain Controllers 

Ran into this error this morning while running DCdiag on one of our Windows 2008 Domain Controllers.

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        ......................... Contoso-DC1 failed test NCSecDesc

After a little research (967482, Known Issues for Installing and Removing AD DS & Ravindra Pamidi's Blog) I found the cause of this issue is:

If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

So here’s Microsoft’s resolution to the issue:

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

So here we are again… another warning message because I’m not using a “feature” of the product!

Additional Note:

This bug applies to any Windows Server 2008 domain controller with Active Directory installed in Windows 2003 mode, i.e., a default Windows 2008 domain.

That could be a single Windows 2008 Server domain, a Windows 2008-only domain, or a mix of Windows 2008/2003.

Posted by Brian 11/07/2009 Categories: Support System Administration Windows

Understanding the “Nines of Availability” 

If you’ve spent any amount of time in the tech field you’ve probably heard of the “Nines of Availability”. Availability is usually expressed as a percentage of uptime in a given year. The following table shows the downtime that will be allowed for a particular percentage of availability, presuming that the system is required to operate continuously.

| Availability % | Downtime per year | Downtime per month | Downtime per week |
|---|---|---|---|
| 90% | 36.5 days | 72 hours | 16.8 hours |
| 99% | 3.65 days | 7.20 hours | 1.68 hours |
| 99.9% ("three nines") | 8.76 hours | 43.2 minutes | 10.1 minutes |
| 99.99% ("four nines") | 52.6 minutes | 4.32 minutes | 1.01 minutes |
| 99.999% ("five nines") | 5.26 minutes | 25.9 seconds | 6.05 seconds |
| 99.9999% ("six nines") | 31.5 seconds | 2.59 seconds | 0.605 seconds |

Posted by Brian 11/05/2009 Categories: High Availability

Windows Server 2008 x64 – Issue installing 32bit printer drivers 

I ran into this little issue today while migrating our network printers to our new Windows Server 2008 x64 print server.

While installing 32 bit drivers for a Color LaserJet 3800, I received this error message:
“The specified location does not contain the driver for the requested processor architecture.”

After some quick research I found this little kicker…
The 32bit and 64bit driver names must match. HP Color LaserJet 3800 PCL6 driver is not the same driver as HP Color LaserJet 3800 PCL 6.

Note:
You might not be able to extract some printer drivers without installing them. If this is the case, log on to a client computer that uses the same processor architecture as the printer drivers that you want to add to the print server, and install those printer drivers. Then use Print Management from the client computer to connect to the print server, and add the additional drivers from the Additional Drivers dialog box. Windows automatically uploads the drivers from the client computer to the print server.

Posted by Brian 11/04/2009 Categories: System Administration

How to ask for help! 

During my career I have run into support issues where I needed additional help and I had difficulty asking for that help. Soon I realized that most successful people know how and when to ask for help. And most people are inclined to offer help when asked (research backs this up.)

Based on these experiences, I’ve developed some guidelines for how I ask for help:

Identify the problem. This might sound simple, but it’s not.

Learn as much as you can on your own.  Do your own research! Some support issues are so common a simple Internet search can yield a resolution.

Make it easy. Based on the research, perform some preliminary diagnostics which can yield a resolution.

Be clear. If the preliminary diagnostics do not yield a resolution, it's time to ask for help. During your conversation with the helper, be clear and describe in great detail your issue, research, and the preliminary diagnostics performed.

Posted by Brian 08/04/2009 Categories: Education Support