Richard Gadsden's questions

I've migrated my Active Directory Certificate services Enterprise CA to a new server (and from Windows 2003 R2 x86 to Windows 2008 R2 x64). I have been having problems with checking the Certificate Revocation Lists, but I've republished the revocation lists from the Root CA and when I run certutil -urlfetch -verify I don't get any errors any more:

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

But I still get the same errors when I try to start the CA. I get the following pop-up:

Microsoft Active Directory Certificate Services
---------------------------
The system cannot find the file specified. 0x2 (WIN32: 2)

The policy module for a CA is missing or incorrectly registered. To view or change
policy module settings, right-click on the CA, click Properties, and then click the
Policy Module tab.
---------------------------
OK   

and I get the following error in the log:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          26/06/2012 15:59:45
Event ID:      100
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      SRV112.cobbsch.cobbetts.co.uk
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Cobbetts LLP Enterprise CA The system cannot find the file specified. 0x80070002 (WIN32: 2).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
    <EventID Qualifiers="49754">100</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-26T14:59:45.000000000Z" />
    <EventRecordID>852</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>SRV112.cobbsch.cobbetts.co.uk</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_E_CA_CERT_INVALID">
    <Data Name="CACommonName">Cobbetts LLP Enterprise CA</Data>
    <Data Name="ErrorCode">The system cannot find the file specified. 0x80070002 (WIN32: 2)</Data>
  </EventData>
</Event>

Microsoft have documentation for this error: http://technet.microsoft.com/en-us/library/cc774550(v=ws.10).aspx

But the documentation just talks about the CA chain not verifying, which it now is.

I was wondering if it was some sort of a cached failure, or a cached copy of an incorrect CRL (I migrated the root CA earlier on and had to republish the CRL before certutil would verify properly), so I tried a reboot to flush out the caches.

That didn't change anything.

I've also tried running Certutil as SYSTEM to see if there was a permissions issue and that didn't solve the problem either.

[To run as system: run psexec -i -s cmd.exe from an elevated command prompt and it will launch a command prompt as system. You can run whoami to check.]

I'm trying to rebuild a clustered index on a SQL Server 2005 table, and I keep getting the error:

Cannot create a row of size 8078 which is greater than the allowable maximum of 8060.

The command is just a standard ALTER INDEX <name> ON <table> REBUILD.

I have no idea how I've managed to get 8078 bytes into a single row - from my understanding of SQL, that shouldn't be possible.

If I do a query to check how much data there is in the rows (ie Datalength(col1)+datalength(col2) ...) then the largest row in the table appears to be 6389 bytes, which is fine in relation to the 8060 limit.

I've tried copying the table (using Import Export Wizard) to another database or another server and I get the same errors about an 8078-byte row.

I've tried googling this, but I can't get anywhere near an answer, and this is the only place I can imagine getting one.

If I do whois twitter.com, then I get a really odd response. If it's advertising, then it's the oddest place I've ever seen for an advert.

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: TWITTER.COM.ZEN.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM
   IP Address: 209.126.190.70
   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

   Server Name: TWITTER.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
   IP Address: 209.126.190.71
   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

Does anyone have a clue what is going on here, and why on earth unimundi.com and fatuch.com are running adverts in twitter's whois?

I'm updating root hints on a Windows 2003 server, and I push "Copy from server" and type in the IP address of a known root server, e.g. 198.41.0.4 (a.root-servers.net).

When I do this, a number of servers get an address in 32.1.. in addition to their real address. What is happening?

I get:

32.1.5.0 for h.root-servers.net
32.1.7.254 for i.root-servers.net
32.1.5.3 for j.root-servers.net
32.1.7.253 for k.root-servers.net
32.1.13.195 for m.root-servers.net.

Spamhaus and other well-known DNSBLs don't yet support IPv6, and I'm not sure they ever will. What alternatives are there for spam filtering on IPv6?

One approach is to rely entirely on content-based filtering which requires that the MTA receive the whole content of the email before deciding whether to accept or reject it - which will significantly increase the inbound bandwidth requirements for a public MTA.

Another possible approach is to require SPF for inbound email and combine it with a blacklist of sending domains (as distinct from sending MTAs, as at present with DNSBLs). This would require all mail-forwarders to rewrite the envelope-sender, which is the underlying reason why SPF doesn't really work. DKIM works fine, but doesn't get the advantage of dropping the connection before DATA is reached in the SMTP/ESMTP session.

OK, so are there solutions for spam-filtering in IPv6 that allow for dropping a large fraction of spam connections to the recipient MTA before the content is transferred?

Under IPv4, I often use nmap to scan my entire IP range to identify newly-connected devices and update my documentation, track down and shut off things that don't belong on the network, etc. I even have tools that do this automatically, for instance my AV software scans a defined IP range and then installs AV software on anything it can see in that range.

That's going to be infeasible under IPv6, as I will go from scanning a few thousand IP addresses to many quntillions.

What will the alternative be? Will routers/switches be able to report what IPv6 addresses they've seen lately so I can port scan everything on the network? That's the only approach I can see, but I expect that SF will have more and better ideas.

I'm running Windows 7 (Enterprise, x64 if it makes any difference)

My account has admin privileges on this PC, but is a regular user on the domain.

I have another user account that is a member of Domain Admins. Generally, I can run admin tools as that user, and the fact that they are sometimes not elevated locally doesn't matter - they have full privileges on the domain, and that's what usually counts.

But occasionally, I need to do things like copy a file I've downloaded into a folder on a server that I need admin privileges to access. My admin account, when non-elevated, doesn't have access to my own account's private data on the PC.

I can launch a command prompt elevated under my own account, or I can launch a command prompt non-elevated under my admin account. But, short of using switch user, I can't come up with a way to launch a command prompt elevated as another user.

Anyone got any brilliant ideas?

I was wondering what CPE (customer-premises equipment) had proper IPv6 support. I'm in the process of getting an AS and some IPv4 addressing (yes, I'm depleting IPv4. Sorry, folks) and I was intending to future-proof a bit by getting a /48 and getting IPv6 working properly.

If I were to set it up at our end, what CPE could I recommend to my users so they could use IPv6 end-to-end. Ideally, I'd be looking at a router with 802.11n support, that does DHCPv6 and/or NDP/SLAAC and also has a firewall with the default configuration being allow from the secured network to the insecure network and deny in the opposite direction (ie the equivalent of the usual IPv4 configuration, but with the NAT taken out). Also, it should probably also be able to terminate a 6to4 tunnel to SixXS or Hurricane Electric and be easy for a relative novice to set up.

I hear that the Apple AirPort Extreme is a good IPv6 option. Is that correct? What other manufacturers have something available now?

I've got an IIS server that is running a bit low on diskspace on the C: drive; I've moved the W3SVC logs from c:\windows\system32\LogFiles to another drive, but there is also a big HTTPERR folder there that I'd like to move somewhere else. How do I do it?

I know this is really basic, but I can't find the answer in Google or SF, so I thought I'd better just ask.

If I run SQL Server 2008 R2 Management Studio on my PC, can I manage a SQL Server 2000 database server?

I know I can do it from SQL Server 2008 (non-R2) Management Studio, though I need a legacy component to manage Data Transformation Services. I can cope fine without that component - all my DTS has been migrated to SSIS on a SQL 2005 / 2008 Servers, but I still have a legacy 2000 server and I'd like to be able to admin everything from one console.

Does anyone know where Acrobat Reader stores the setting to disable JavaScript?

I'd like to centrally apply an update (through a policy, or a startup script, or a login script) on every machine on our network rather than sending everyone an email telling them to do it.

Ref: How To Geek has a way of doing this (and an explanation why) through the UI, but I want to do it centrally for 700 users.

I've just installed this patch on a Live Communications Server 2005 server and LCS is refusing to start.

I'm getting a wonderful event log claiming that the LCS instance is an expired evaluation (!)

Looks like there's an incompatibility between this patch and LCS.

OCS people might want to check for their version too.

I'll detail my exact setup below, but general recommendations for a better web-browsing experience will be useful. A nice checklist of things to try would be great!

I have 600 users on a single site with an 8MB leased line. I get a lot of moans about the performance of "the internet" (ie web-browsing). What recommendations do the community have for speeding things up without just throwing more bandwidth at it? I expect I will end up buying some more, but good management tips are always valuable.

My setup is this: Cisco PIX (515E) firewall on the edge of the network. It's just doing some basic NAT, and opening up a handful of ports to various bastion hosts (aka DMZ servers).

The DMZ is just a switch that the servers are plugged into.

ISA 2006 Enterprise array (two servers) connecting DMZ to the internal LAN, with WebSense Web Security filtering HTTP traffic so users can't look at porn or waste bandwidth on YouTube during working hours.

I've done a few things - I've just switched my internal DNS over to use root hints, which halved DNS query latency from 500ms to 250ms. Well worth doing.

I'm trying to cache more aggressively, but so much more of the internet is AJAXy and doesn't cache very well as compared to five years ago. Plus the 70GB of cache which felt like a lot a few years ago really isn't any more. I'm getting about 45% cache hits by number of requests, but only about 22% by size, ie larger objects are less likely to be cached.

Latency seems to be part of the problem. Is that attributable to the bandwidth problem, or are there things I can look at to try to reduce latency even on heavily-loaded bandwidth?

I'm well aware of the widespread recommendation that any disk system that is holding a database should not be RAID-5 because of the poor write performance on RAID-5. You can look at BAARF's website to see the arguments over RAID-5 and the problems with it for databases.

I'm building an IDOL indexing server - our first - and I was wondering if people who have experience with IDOL know what the read/write balance is. RAID-5 is faster for read-heavy systems; RAID-10 for write-heavy systems (if more than about 5-10% of your disk accesses are writes, you're better off with RAID-10). I would expect that IDOL does enough writes to justify RAID-10, but I don't actually know and I was hoping someone else here does.

... so the question is: Is an IDOL indexing server likely to perform enough writes to justify RAID-10 over RAID-5?

Does anyone know of a good tool for managing updates to Acrobat Reader?

I've just noticed that there is yet another security update, and I'd love to find something as good as WSUS to manage it.

Do the third-party tools like Shavlik do the trick?

I'm trying to copy a database from one server to another by backup and restore.

I've created steps in an agent job to backup the database to file and to xcopy the file over to the other server.

I'm trying to do the restore now, and it's not working. The servers are linked, and the job is running on the source server.

I tried to do RESTORE DATABASE, but it doesn't seem to do two-part naming (server and database) when doing a restore.

I've also tried using OPENQUERY but that doesn't work either, I think because RESTORE DATABASE has neither inputs or outputs.

Possible Duplicate:
Can you help me with my software licensing question?

I think most of us have to buy Microsoft licences. I suspect all of us have got confused by Microsoft's licensing system before now - I know I have.

Can anyone explain it in straightforward terms?

I suggest making one answer for one bit (e.g. Desktop Windows; e.g. Software Assurance; e.g. SQL Server; e.g. Enterprise Agreement vs Select Agreement) and explaining that in detail so we can collect a wiki with a complete set of answers.

Possible Duplicate:
Can you help me with my software licensing question?

There are lots of tools in the Microsoft Desktop Optimization Pack (MDOP) that would be really useful.

However, the licensing on it is amazingly unclear. I thought I understood Microsoft licensing until I saw MDOP.

Can anyone explain how MDOP is licensed?

For instance, can I install a DEM server if I only have one (well five's the minimum, I guess) PC on Software Assurance, or does every PC I connect to DEM have to have SA on the OS?

In my workplace (c. 750 desks) we have standardised on Windows XP for non-technical users.

Technical users can use any OS they like as long as they support it themselves and they sort out the licensing. Quite a few tried Vista, but I think they're all back on XP now.

We find that there are a bunch of advantages in standardising and very few disadvantages, but perhaps I'm missing something and we'd be better off with a large number of Macs and Linux users and four or five Windows versions.

If you are standardised, what OS have you standardised on - and how big are you; I expect that the experience of a 10,000 desk organisation on NT4 will be very different from a 20 desk organisation on Mac OS X 10.5.

Are everyone else's server rooms noisy?

Do you have continuous sound metering, do you put meters in from time to time, or do you just put up with it?

Does anyone wear ear protectors in a server room?