I.T. Support's questions

We had a 2 node NLB cluster running IIS websites on virtual machines. Both nodes were online, the balancer functioned exactly as expected, (if traffic is 50/50 balanced, and you stop or drainstop a node, all traffic routes seamlessles to the other node.)

But when I rebooted a node, even if I stopped it prior to reboot, the OTHER node which should be receiving production traffic during the reboot stopped accepting requests.

To my knowledge this was NOT how NLB is supposed to work. If I power down a node, the other nodes in the NLB cluster shouldn't care, and should continue to accept traffic according to their port rules while the offline node reboots.

None of my port rules employed affinity, so I knew that wasn't the issue.

So after agonizing over it a bit, I stumbled on the answer (see my posted answer)

We're trying to fulfill the PCI Compliance requirement for a Wireless Analyzer that detects the presence of rogue AP's on the internal LAN.

Questions:

• Are there a class of devices that will accomplish this requirement?
• How does such a device determine the difference between an AP that's nearby (say from a local coffee shop) and one that's actually getting it's internet/network access from a hard line on the corporate LAN (USB AP tethered off a workstation, AP plugged into a wall jack in an office, etc.)
• Our AP is a DLink DWL-3200AP, which has a "wireless analyzer" built into it, but it does not seem to be able to do much more than a wifi card will do, since it simply detects every single AP that's broadcasting it's SSID nearby, regardless of whether or not that AP is connected to our LAN

EDIT: We're in a windows environment...

Any help would be much appreciated...

We have a 2 node NLB cluster. I recently added more IP's to the cluster range, after which point, the NLB NIC's on both of my nodes ended up in a permanent "acquiring network address" state.

The cluster appears to be functioning despite this hang in acquiring an address.

We've also rebooted the machines, and these NIC's remain in this state "acquiring network address" even after reboot, which I find troubling.

Questions:

1. Does anyone know where I can find documentation on how NLB binds to a NIC? (are there dll's involved, drivers, etc.)
2. Does anyone know of any programs that have known incompatability issues with NLB?

We have an application server installed on these NLB nodes (AOL Server) that interacts with the NIC's as well, and I suspect that it might be causing this issue. Before I go directly to Microsoft, I want to gather as much information as possible about the issue.

Any help / guidance would be much appreciated...

I'm trying to apply a custom GPO to an OU with a specific account in it. Even though I enforce the GPO, the default domain policy is still overriding my custom GPO and settings are not being applied to the account.

Questions:

1. Is the Default Domain Policy not subject to Enforcement?
2. How do I get a custom GPO to override the default domain policy?

Is there a "Run" command for the built in windows service "Offer Remote Assitance"?

The only way I know is to open "Help and Support", and search for "Offer Remote", then click the link that comes up. But this only works on XP worksations so far as I can tell.

I know you can save it as a bookmark once you locate it the first time, but If you can't get the "Offer Remote" search result then you're dead in the water.

Thanks

We're creating a Security Policy for our company. I'm looking for examples I can use as a boiler plate for ours.

Thanks

We're trying to pass PCI compliance on a few of our websites. After an outside scan, we still have this vulnerability:

Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known USerIDs.

How do we remedy this in IIS?

Thanks

We have a power user that we suspect has a corrupted MB (missing emails, etc.). To troubleshoot the issue further, we want to delete this user's Exchange MB, create a new one, associate it with his AD account, then restore the mail from Backup Excec (we have the exchange component).

Questions:

1. Is there a standard way to do this (in terms of MS Exchange)?
2. Any "gotchas" we should be aware of?

Thanks

We're in the process of developing a SQL Server reporting model that integrates with the new Excel 2010.

Questions:

1. Has anyone used the new Power Pivot addon?
2. What's your experience been like with it?
3. How user friendly is it?
4. What additional support requirements has your department taken on as a result of the integration?

Thanks

I've already located this question on server fault:

Server Fault Question

But there is no answer. Does anyone have any advice on how to fix the issue? We're running 2003 Server R2 Ent, latest service pack is applied, IIS 6.0

Here's what the compliance company is saying:

Synopsis : This web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection. See also : http://support.microsoft.com/support/kb/ articles/Q218/1/80.ASP

Any ideas?

Thanks

We have a clustered SQL server (2k5 Std) that's currently being hosted on 1 of 2 subnets on the server. We'd like to retire the subnet the SQL cluster is on as we're experiencing default gateway issues with the servers being multi-homed.

My question is what is the best way to migrate the SQL cluster from one network to the other? It would reside in the same cluster, same name, just dependent on another subnet.

My instinct tells me to just reinstall sql into the cluster, specifying the other subnet on the install, then clean up the mess afterwards.

But I was wondering if maybe there was any other ways, perhaps a best practice that I'm not aware of.

Thanks

I have reviewed both related posts on this site:

How do I disable SSL 2.0 support on IIS?

How to disable SSL 2.0 on IIS 7.5?

The issue I am having is that I have implemented the registry change, rescanned my websites, and I am still being told that IIS 6 is allowing SSL 2.0 connections.

Here's the verbage from the scanning site:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

QUESTIONS:

• How do I test this myself so I can continue to troubleshoot the issue?
• Is there a tool out there that I can use to test?
• Would I need to disable other connection methods? [PCT 1.0 / TLS 1.0]

Thanks

Our Domain Controller's Forward Lookup Zone for our Active Directory domain just disappeared. Our backup Domain Controller had a copy of the zone, but since the primary server was accessible but had no records, the standard failover from primary to secondary did not occur, and RPC requests simply failed.

I restarted the primary, and the zone seemed to come back, but I have 2 questions:

1. How is it possible for the zone on our primary domain controller to disappear, when it's entirely local to that machine?
2. When the zone disappeared, the failover did not occur because the server itself was still reachable. Could we have added the secondary domain controller's IP address to the primary domain controller's forwarding list to prevent the failure from happening? (As I see it, when the primary queried for a record and couldn't find it, it would in theory forward the request to the secondary domain controller, which would have resolved the record, still having a copy of the forward lookup zone in tact)

Thanks...

I'm trying to crearte a DB user account that only has access to a specific database, and can't read or change other databases, and can't alter credentials for any other accounts.

I accidentally removed this user from the "public" server role while troubleshooting a connection issue, which hosed my access to the server from Management Studio for the account

The only way to get access is to add the user to the sysadmin role, which won't work because the user now has access to all the databases.

now when I try to add the user back to the public server role I get an error saying membership in the role can't be changed.

Curiously, when I right click the user and view properties, it claims the user is a member of the public role, and won't allow me to alter the membership.

Questions:

• So if public role membership can't be changed then how was I able to remove the user from the role in the first place?
• How do I add the user back in so I can regain acces to management studio for that user?

We're trying to get network access to a hard drive on a server running SCO Unix from Windows Servers. I beleive we need to add the role "SAMBA File Server" to the server so we can mount the drive as a network share that we can access from Windows.

Is it possible to add the SAMBA role to a SCO Unix operating system? Are there any gotchas or concerns?

Thanks

Is it a good idea to use NLB to load balance DNS requests to primary and secondary dns servers on port 53?

We need to reformat the SQL cluster disk in our SQL cluster. The drive contains the shared installation files for SQL as well as databases.

My concern is how SQL/The Cluster will react to after we wipe the disk resource.

Questions:

• Is there a defined procedure for this?
• How should we backup and restore the disk?
• After the reformat, how do we get the clustered SQL server back online?

Thanks

We're using WSFTP, which has an Active Directory Integration module. To populate the user accounts you need to provide a connection string akin to:

• OU=Users,DC=domain,DC=com
• CN=Domain Users,OU=Users,DC=domain,DC=com

Questions:

• Is there a Tool/Program/Script/Formula that allows me to decipher how these strings might look based on what I can see in Active Directory Users & Computers?
• Is there a proper/accepted name for these types of connection strings? I don't even know what to Google to get more information about how to format one properly
• How would I troubleshoot the connection string if I think it looks correctly formatted, but it isn't working?

Thanks!

This is difficult to explain, so bear with me.

We have 2 domain controllers, each multi-homed to straddle 2 internal subnets, (subnet A and subnet B) and provide dns, dhcp, and ldap authentication.

Both domain controllers each have 2 DNS entries. both entries have identical host names, but correspond to subnet A & subnet B respectively (example entries shown):

dc1 host 192.168.8.1

dc1 host 192.168.9.1

dc2 host 192.168.8.2

dc2 host 192.168.9.2

We also have a 3rd subnet for our dmz, (subnet C) which neither domain controller has an IP address on, but our firewall/routing tables provide access to subnet A from subnet C and vice versa, but don't allow access to subnet B from subnet C.

Here's my issue. How can I force/determine which dns entry is used when a server on subnet C queries either domain controller by host name? Right now it seems to randomly pick one of the two entries, swaps out the name for the IP address and that's that.

The problem is if it randomly selects the entry that corresponds to the 9.x subnet B (no access from subnet C), then the server fails to resolve. If it picks the entry for the 8.x subnet A then it resolves (firewall/routing tables defined for communication between these 2 subnets)

Here's what I'd like to know:

• What are Best Practices (if any) for dealing with DNS resolution on subnets that the DNS servers don't have a presence on?
• Can I control something akin to a metric value to force an order of DNS resolution when there are multiple entries for the same host name that correspond to different IP subnets?
• Should I even have 2 DNS HOST entries for the same name?

Here's what I'd like to avoid:

• Making edits to the HOSTS files of servers on subnet C to force DNS resolution of the hostname to the appropriate subnet
• Adding NIC's to the DC's to have them straddle the DMZ as well, thus obtaining a third DNS entry that corresponds to subnet C

Again, my apologies if this was too verbose / unclear.

Thanks!

We just bought a Dell PowerEdge r510 (12 drive bays) that will fill the role of an archive server. We have 6 drives (1TB each) installed.

The plan is to have all the drives in a single RAID array and carve out an OS partition and an Archive partition.

We intend to expand to all 12 drives, but need to preserve the main archive partition when we do (i.e. we'd like to add more drives and expand the space available on the archive partition, not create another array or another partition to allocate the additional space).

Questions:

• Is there a good way to do this (if at all)?
• What would the preferred RAID type be if it's possible (5, 1+0, etc.)?