RE: Anyone else using OpenFiler in a production environment?

2008-12-13 Thread Joseph L. Casale
I didn't think so as IET does not support it and OF uses IET:

https://forums.openfiler.com/viewtopic.php?id=2102

jlc

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, December 13, 2008 2:24 PM
To: NT System Admin Issues
Subject: RE: Anyone else using OpenFiler in a production environment?

Open Filer supports Persistent Reservations now. That was a requirement for 
Win2k8 clustering support IIRC...

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Friday, 12 December 2008 11:40 PM
To: NT System Admin Issues
Subject: Re: Anyone else using OpenFiler in a production environment?

Thanks to all for the information, it confirmed my earlier assessment.  Looks 
like I'll be going with a storage on a stick solution.
On Thu, Dec 11, 2008 at 9:34 PM, Joseph L. Casale 
<mailto:jcas...@activenetwerx.com> wrote:

Yea, it always is based on the release cycle being much slower. I am not a fan 
of OF anyways.



As for IET being incomplete? It doesn't support persistent reservations and as 
far as HA on esx I have never done it but it supports multiple ini's pointed to 
the same target and it does work. Lots of guys do it. I have used it with esx 
(no vmotion) and windows/linux for a long time and it works _very_ well. I 
think the majority of issues you see "documented" are caused by improper setup, 
nothing is done for the user, so you must setup all required parameters 
yourself.



I had a CentOS box running 0.4.15 for 6 months with two windows ini's pointed 
at it writing a continuous 50-80 gig a day w/o stopping.



YMMV,

jlc



From: Michael B. Smith 
[mailto:mich...@theessentialexchange.com]
Sent: Thursday, December 11, 2008 7:06 PM

To: NT System Admin Issues
Subject: RE: Anyone else using OpenFiler in a production environment?



Eh?



Openfiler uses IET. The current release of openfiler, is in fact BEHIND on IET 
patches.



I don't know freenas.



Regards,



Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: 
http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php



From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Thursday, December 11, 2008 8:40 PM
To: NT System Admin Issues
Subject: Re: Anyone else using OpenFiler in a production environment?



The iscsi target on most distros has documented problems with VMWare, 
especially with regard to HA functions.  IIRC, IET is an incomplete 
implementation of iSCSI.




On Thu, Dec 11, 2008 at 5:26 PM, Greg Mulholland 
<mailto:g...@krystaltek.com> wrote:

Our storage requirements are pretty clear cut and needy so they were happy to 
pay to do it properly.



You don't need openfiler or freenas. Just enable the iscsi target on most linux 
distros (fedora etc); plenty of google reading on that.


Greg

From: Matthew W. Ross 
[mr...@ephrataschools.org]
Sent: Friday, 12 December 2008 9:09 AM

To: NT System Admin Issues
Subject: RE: Anyone else using OpenFiler in a production environment?

We use OpenFiler here, with good results.

Basically, it boils down to: If you want something you support yourself for 
cheap (this is our case), use OpenFiler or FreeNAS.

If you want something with paid support, especially for the hardware, go with a 
commercial product.

For us, the cost savings of OpenFiler iSCSI outweighed the support provided by 
the Commercial iSCSI solutions.

--Matt Ross
Ephrata School District

- Original Message -
From: Greg Mulholland
[mailto:g...@krystaltek.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Thu, 11 Dec 2008
13:48:29 -0800
Subject: RE: Anyone else using OpenFiler in a production
environment?


> I use it for our test clusters, but I wouldn't use it in production. Steve
> and I have had this discussion and he won't convince me. NEVER!!!
>
> Greg
> 
> From: Steve Moffat [st...@optimum.bm] On Behalf Of 
> NTSysAdmin
> [ntsysad...@optimum.bm]
> Sent: Friday, 12 December 2008 7:52 AM
> To: NT System Admin Issues
> Subject: RE: Anyone else using OpenFiler in a production environment?
>
> I'll second Openfiler. Been using it to run a powervault 220s for 2 years
> now with not one issue. And if you need enterprise support they have that
> too.
>
> From: Sam Cayze [mailto:sam.ca...@rollouts.com]
> Sent: Thursday, December 11, 2008 4:37 PM
> To: NT System Admin Issues
> Subject: RE: Anyone else using OpenFiler in a production environment?
>
> My ESX instructor learned us how to use OpenFiler, and he said many
> companies use it for production.
>
> I don't use it here, but I was very impressed with OpenFiler.  Maybe at
> som

RE: BIG IP

2008-12-13 Thread Benjamin Zachary - Lists
Any service provider that you can recommend appreciated.

 

We have multiple public IP spaces via the 10-20mb pipes on each of the
sides; however, in IANA I don't know that they are listed as 'ours'. I'm sure
I could get on that.

 

So obviously just getting a couple of devices isn't going to work for us, we
need to get a 3rd set of ip's which is where everything will be held and
then the devices will do the redirection behind it accordingly. 

 

My attempt at ascii drawings:

 

 

        Our IANA range
         |           |
      Device1     Device2
        /             \
  Colo Primary   Colo Secondary

 

 

I'm making the assumption that with BGP I could point our IP range over to the
different locations.  I know what BGP is supposed to do, but it's not something
I'm overly familiar with.

 

Thanks

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Saturday, December 13, 2008 10:35
To: NT System Admin Issues
Subject: RE: BIG IP

 

You need your own ASN, public IP network, and BGP; that's about it - or
someone who can provide those to you via services.

 

A number of geographically dispersed data companies offer those services,
but no, they don't come cheap.

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

 

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Saturday, December 13, 2008 10:23 AM
To: NT System Admin Issues
Subject: BIG IP

 

I'm looking for some global failover devices. These are the only guys I know
but in reading through their specs, besides being 20k, I didn't truly see
what was going to be required.

 

Basically I have 3 sites a primary and 2 failover locations (the company is
split into two divisions each one fails over to another locale)

 

I would like to be able to failover automatically to both. They are in the
same public ip subnet but just need routing to different areas.

 

I guess the overall question is what is required on our end to make this
scenario work, and is there something other than big ip that could
accomplish this successfully that I can research. At one of my colo's I see
a bunch of Coyote Points but those seem to be load balancers not really wan
failover type products.

 

I was also looking at global dns providers which apparently offer this kind
of masking service but I saw pricing from 1k-1.5k/month which doesn't make a
lot of sense either. 

 

Thanks

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Carl Houseman
nslookup server.remotetld.com using ns.remotetld.com returns NXDOMAIN.

That would suggest "no" to both of your suppositions.

Carl

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, December 13, 2008 2:37 PM
To: NT System Admin Issues
Subject: Re: Lose access to local domain servers when connected w/VPN to
remote / different Windows domain

On Sat, Dec 13, 2008 at 12:23 PM, Carl Houseman 
wrote:
> psexec \\server command
> Couldn't access server:
>
> Meanwhile, psexec \\server.mydomain.com worked just fine.

  Maybe the customer has a wildcard DNS record, or a server or other
entity with the same name as "server" in your local environment?

-- Ben





RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Carl Houseman
You're still not making sense, to me anyway. 
Let me restate our respective claims:

My claim:  The first online nameserver of each network adapter is tried, in
turn, until one of them resolves the name.

Your claim:  Only the first online nameserver will be attempted to resolve a
name.  Once the nameserver of *any* adapter returns an IP address, or an
NXDOMAIN, resolution attempts stop.  (if that is not your claim, then I
misread your point a long time ago...)

In my situation:
a.com = local AD TLD, whose AD DNS is ns.a.com, assigned to LAN adapter
b.com = remote AD TLD, whose AD DNS is ns.b.com, assigned to PPP adapter
Both ns.a.com and ns.b.com resolve public names.
Both a.com and b.com are also defined in public DNSs.

Given these results:
1. Ping a.com - public IP of a.com is returned - resolved by ns.b.com
(because ns.a.com would not have returned a public IP).
2. NSLOOKUP server.a.com using ns.b.com - returns NXDOMAIN ('set debug'
tells me so).
3. Ping server.a.com - private IP is returned - resolved by ns.a.com

My conclusions:
b.com's nameservers are tried first due to result (1) above.
a.com's nameservers are resolving names AFTER an NXDOMAIN is returned by
ns.a.com.
This proves my claim as stated above.

I won't belabor the point after your next response, whatever it happens to
be.  You may have the last word.

Carl

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, December 13, 2008 2:35 PM
To: NT System Admin Issues
Subject: Re: Lose access to local domain servers when connected w/VPN to
remote / different Windows domain

On Sat, Dec 13, 2008 at 11:01 AM, Carl Houseman 
wrote:
> I'll let you explain them however you like!

  I don't have enough information to explain anything definitively,
I'm afraid.  :)

> A local LAN adapter references one Windows AD DNS - TLD= a.com

  Just so you know, TLD is "Top Level Domain", which means ,
, , and the like.   or  would be 2LD,
"Second Level Domain".

> Based on what you've said, an NXDOMAIN response was not returned - because
> the domain did exist, only the hostname was not found.

  At least one of us is confused in the above.  :)  If I understand
what you mean correctly, it sounds like things are working exactly as
I described: A query for the 2LD domain returned DNS resource records
("domain did exist"), but the domain name for the server resulted in
NXDOMAIN ("hostname was not found").

  Understand that in DNS, there is no such thing as a "hostname".  All
names are domain names.   is a domain name.   is a
domain name.   is a domain name.
 is a domain name.  NXDOMAIN is returned by a
nameserver when a query is received for a domain name which said
nameserver knows not to exist, regardless of whether said domain is a
TLD, 2LD, or the domain name assigned to a server.  :)

  This is in contrast to Active Directory, where a "domain name" is an
entity which groups objects (computers, users, etc.) within an AD
forest, but is not itself a single computer.  AD clients use DNS
domain names to locate AD Domain Controllers.  Thus, confusingly,
while every AD domain name has a DNS domain name, every AD member
computer name has a DNS domain name, too.

-- Ben




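The two resolution policies argued above (Carl's "try each adapter's nameserver in turn until one resolves the name" and Ben's "an NXDOMAIN is an answer, only SERVFAIL or a timeout moves on") side by side, as an added example that is not part of the original thread. It builds and parses real RFC 1035 wire-format responses but never touches the network: ns.a.com and ns.b.com are canned answer tables, the addresses are constructed, and neither policy is claimed to be what any particular Windows release actually does.

```python
"""Model of the multi-adapter name-resolution policies debated in the thread.

The nameservers below are tables of canned answers (constructed sample data).
Responses are built and parsed in DNS wire format so the RCODE handling is
genuine.  a.com, b.com, ns.a.com, ns.b.com and server.a.com are the names used
in the thread; the IP addresses are made up.
"""
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, address=None, txid=0x1234):
    """Build a minimal authoritative DNS response with at most one A record."""
    flags = 0x8400 | rcode          # QR=1, AA=1, RCODE in the low 4 bits
    ancount = 1 if rcode == NOERROR and address else 0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    if ancount:
        pkt += b"\xc0\x0c"                                    # pointer to question name
        pkt += struct.pack("!HHIH", 1, 1, 300, 4)             # A, IN, TTL 300, RDLENGTH 4
        pkt += bytes(int(o) for o in address.split("."))
    return pkt


def parse_response(pkt):
    """Return (rcode, [A record addresses]) from a response built as above."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x0F
    pos = 12
    for _ in range(qd):                 # skip question: labels, then QTYPE/QCLASS
        while pkt[pos] != 0:
            pos += pkt[pos] + 1
        pos += 1 + 4
    addrs = []
    for _ in range(an):
        pos += 2                        # compressed name pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return rcode, addrs


# Canned zone data as the thread describes it: each AD DNS knows its own private
# hosts and can resolve public names; server.a.com exists only on ns.a.com, and
# a.com itself also has a public address.  All addresses are constructed.
NS_A = {"a.com": "203.0.113.10", "b.com": "203.0.113.20", "server.a.com": "10.1.1.5"}
NS_B = {"a.com": "203.0.113.10", "b.com": "203.0.113.20", "server.b.com": "10.2.2.5"}


def query(server_table, qname, outage=False):
    """Simulate one exchange; outage=True models a SERVFAIL from a sick resolver."""
    if outage:
        resp = build_response(qname, SERVFAIL)
    elif qname in server_table:
        resp = build_response(qname, NOERROR, server_table[qname])
    else:
        resp = build_response(qname, NXDOMAIN)
    return parse_response(resp)


def resolve(qname, servers, stop_on_nxdomain):
    """Walk the per-adapter nameservers in binding order.

    stop_on_nxdomain=True is Ben's description (NXDOMAIN is a final answer;
    only SERVFAIL or a timeout moves to the next adapter).  False is the
    behaviour Carl observed (keep trying until some adapter returns an address).
    """
    for table, outage in servers:
        rcode, addrs = query(table, qname, outage)
        if rcode == NOERROR and addrs:
            return addrs[0]
        if rcode == NXDOMAIN and stop_on_nxdomain:
            return None
        # SERVFAIL, timeout, or an NXDOMAIN this policy ignores: next adapter
    return None


# PPP adapter (ns.b.com) first, LAN adapter (ns.a.com) second, as in the thread.
ADAPTER_ORDER = [(NS_B, False), (NS_A, False)]

if __name__ == "__main__":
    for policy in (True, False):
        label = "stop on NXDOMAIN" if policy else "keep trying adapters"
        print(f"{label:22s} server.a.com -> {resolve('server.a.com', ADAPTER_ORDER, policy)}")
```

Under Ben's policy server.a.com is never resolved once ns.b.com answers NXDOMAIN, while under the policy Carl observed the LAN adapter's ns.a.com still gets asked; a SERVFAIL from ns.b.com falls through to ns.a.com under both.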

RE: Anyone else using OpenFiler in a production environment?

2008-12-13 Thread Ken Schaefer
Open Filer supports Persistent Reservations now. That was a requirement for 
Win2k8 clustering support IIRC...

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Friday, 12 December 2008 11:40 PM
To: NT System Admin Issues
Subject: Re: Anyone else using OpenFiler in a production environment?

Thanks to all for the information, it confirmed my earlier assessment.  Looks 
like I'll be going with a storage on a stick solution.
On Thu, Dec 11, 2008 at 9:34 PM, Joseph L. Casale 
<mailto:jcas...@activenetwerx.com> wrote:

Yea, it always is based on the release cycle being much slower. I am not a fan 
of OF anyways.



As for IET being incomplete? It doesn't support persistent reservations and as 
far as HA on esx I have never done it but it supports multiple ini's pointed to 
the same target and it does work. Lots of guys do it. I have used it with esx 
(no vmotion) and windows/linux for a long time and it works _very_ well. I 
think the majority of issues you see "documented" are caused by improper setup, 
nothing is done for the user, so you must setup all required parameters 
yourself.



I had a CentOS box running 0.4.15 for 6 months with two windows ini's pointed 
at it writing a continuous 50-80 gig a day w/o stopping.



YMMV,

jlc



From: Michael B. Smith 
[mailto:mich...@theessentialexchange.com]
Sent: Thursday, December 11, 2008 7:06 PM

To: NT System Admin Issues
Subject: RE: Anyone else using OpenFiler in a production environment?



Eh?



Openfiler uses IET. The current release of openfiler, is in fact BEHIND on IET 
patches.



I don't know freenas.



Regards,



Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: 
http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php



From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Thursday, December 11, 2008 8:40 PM
To: NT System Admin Issues
Subject: Re: Anyone else using OpenFiler in a production environment?



The iscsi target on most distros has documented problems with VMWare, 
especially with regard to HA functions.  IIRC, IET is an incomplete 
implementation of iSCSI.




On Thu, Dec 11, 2008 at 5:26 PM, Greg Mulholland 
<mailto:g...@krystaltek.com> wrote:

Our storage requirements are pretty clear cut and needy so they were happy to 
pay to do it properly.



You don't need openfiler or freenas. Just enable the iscsi target on most linux 
distros (fedora etc); plenty of google reading on that.


Greg

From: Matthew W. Ross 
[mr...@ephrataschools.org]
Sent: Friday, 12 December 2008 9:09 AM

To: NT System Admin Issues
Subject: RE: Anyone else using OpenFiler in a production environment?

We use OpenFiler here, with good results.

Basically, it boils down to: If you want something you support yourself for 
cheap (this is our case), use OpenFiler or FreeNAS.

If you want something with paid support, especially for the hardware, go with a 
commercial product.

For us, the cost savings of OpenFiler iSCSI outweighed the support provided by 
the Commercial iSCSI solutions.

--Matt Ross
Ephrata School District

- Original Message -
From: Greg Mulholland
[mailto:g...@krystaltek.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Thu, 11 Dec 2008
13:48:29 -0800
Subject: RE: Anyone else using OpenFiler in a production
environment?


> I use it for our test clusters, but I wouldn't use it in production. Steve
> and I have had this discussion and he won't convince me. NEVER!!!
>
> Greg
> 
> From: Steve Moffat [st...@optimum.bm] On Behalf Of 
> NTSysAdmin
> [ntsysad...@optimum.bm]
> Sent: Friday, 12 December 2008 7:52 AM
> To: NT System Admin Issues
> Subject: RE: Anyone else using OpenFiler in a production environment?
>
> I'll second Openfiler. Been using it to run a powervault 220s for 2 years
> now with not one issue. And if you need enterprise support they have that
> too.
>
> From: Sam Cayze [mailto:sam.ca...@rollouts.com]
> Sent: Thursday, December 11, 2008 4:37 PM
> To: NT System Admin Issues
> Subject: RE: Anyone else using OpenFiler in a production environment?
>
> My ESX instructor learned us how to use OpenFiler, and he said many
> companies use it for production.
>
> I don't use it here, but I was very impressed with OpenFiler.  Maybe at
> some point...
>
> From: Jonathan Link 
> [mailto:jonathan.l...@gmail.com]
> Sent: Thursday, December 11, 2008 2:22 PM
> To: NT System Admin Issues
> Subject: Anyone else using OpenFiler in a production environment?
>
> Planning a move to VMWare ESX, and I'm evaluating my SAN choi

Re: BIG IP

2008-12-13 Thread Ben Scott
On Sat, Dec 13, 2008 at 10:23 AM, Benjamin Zachary - Lists
 wrote:
> I guess the overall question is what is required on our end to make this
> scenario work ...

  As MBS says, the right way to do this is with IP routing.  You
obtain your own IP address space from an IP registry.  You obtain an
ASN (Autonomous System Number) from IANA.  You configure your routers
with various connections to clueful Internet providers.  You advertise
routes to your Internet providers using BGP.  If a connection fails,
the rest of the world routes around it.  If you need to fail over an
entire site, you adjust your interior routing appropriately.

> I was also looking at global dns providers which apparently offer this kind
> of masking service ...

  Failover using DNS trickery is not nearly as reliable as failover
using IP routing.  DNS trickery will almost always encounter
situations where some do not see the tricks the way you want them to.
Generally due to caching.  Normal caching, deliberate caching beyond
TTL by some systems, or other weird side-effects of the way DNS works
keeping cached records alive longer than you want.

  If you're okay with a random minority of users not being able to
fail over when you want them to, DNS trickery is fine.  If so, you
don't need expensive devices or services.  You just need some scripts
which change DNS records when a failure is detected.

-- Ben



Re: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Ben Scott
On Sat, Dec 13, 2008 at 12:23 PM, Carl Houseman  wrote:
> psexec \\server command
> Couldn't access server:
>
> Meanwhile, psexec \\server.mydomain.com worked just fine.

  Maybe the customer has a wildcard DNS record, or a server or other
entity with the same name as "server" in your local environment?

-- Ben



Re: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Ben Scott
On Sat, Dec 13, 2008 at 11:01 AM, Carl Houseman  wrote:
> I'll let you explain them however you like!

  I don't have enough information to explain anything definitively,
I'm afraid.  :)

> A local LAN adapter references one Windows AD DNS - TLD= a.com

  Just so you know, TLD is "Top Level Domain", which means ,
, , and the like.   or  would be 2LD,
"Second Level Domain".

> Based on what you've said, an NXDOMAIN response was not returned - because
> the domain did exist, only the hostname was not found.

  At least one of us is confused in the above.  :)  If I understand
what you mean correctly, it sounds like things are working exactly as
I described: A query for the 2LD domain returned DNS resource records
("domain did exist"), but the domain name for the server resulted in
NXDOMAIN ("hostname was not found").

  Understand that in DNS, there is no such thing as a "hostname".  All
names are domain names.   is a domain name.   is a
domain name.   is a domain name.
 is a domain name.  NXDOMAIN is returned by a
nameserver when a query is received for a domain name which said
nameserver knows not to exist, regardless of whether said domain is a
TLD, 2LD, or the domain name assigned to a server.  :)

  This is in contrast to Active Directory, where a "domain name" is an
entity which groups objects (computers, users, etc.) within an AD
forest, but is not itself a single computer.  AD clients use DNS
domain names to locate AD Domain Controllers.  Thus, confusingly,
while every AD domain name has a DNS domain name, every AD member
computer name has a DNS domain name, too.

-- Ben



RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Carl Houseman
Here's a new way I can see this problem... I don't know if this would have
happened before the reboot, but I rebooted the DC in my local environment
(it's the only DC).

 

Following that, from the Vista machine, I wanted to run something on the
DC, so I typed

 

psexec \\server   command

 

Response:

Couldn't access server:

Logon failure: unknown user name or bad password.

 

Login failures on server showed the attempted use of the VPN credentials -
by psexec (no other explanation for those events).

 

Meanwhile, psexec \\server.mydomain.com 
worked just fine.

 

Still no problem pinging \\server, keeping in mind, my
local AD TLD is in the DNS suffix search list.  And still no problem with
the drives mapped to FQDN's on the DC that rebooted.

 

So it's a NETBIOS thing, maybe, except that I've seen drives that were
mapped to \\ip.ad.dr.ess stop working with the same wrong-credentials login
failure.

 

Carl

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, December 10, 2008 2:28 PM
To: NT System Admin Issues
Subject: Lose access to local domain servers when connected w/VPN to remote
/ different Windows domain

 

This problem has bothered me a long time, and happens daily.  It's so
bothersome, I'll send some Dale & Thomas popcorn to the first person who can
come up with a solution or a tip that quickly (without many hours of effort
on my part) leads to a solution.  Advice such as "call Microsoft" does not
qualify for the popcorn!

 

Past history:  The problem was seen for Windows XP but seems to be worse
under Vista.  In fact I wrote about it in reference to XP to this list a
year or two ago without any resolution.  Certainly what I'm doing here can't
be that unique, aside from relying on Microsoft-based VPN solutions...
(kindly withhold comments on the worthiness of those solutions).

 

Goes like this:

 

In my local office, there are two 2003 servers - member and domain
controller.  My everyday Vista SP1 is joined to that domain.  I have drives
mapped to both servers.

 

I use an L2TP/IPSEC VPN connection to connect to a client's network.   The
client's VPN gateway is ISA 2006, joined to the client's Windows domain, but
I authenticate for the purpose of the VPN connection using a local username
on the ISA server.  We'll call the ISA server "ISAVPN" in further
discussion.

 

What happens:  Sooner or later I will be unable to access the drives mapped
to my local domain's servers (UNC references to those servers also fail).
The error returned when just trying to do anything at the CMD prompt
defaulted to a mapped drive on either server is:

 

Logon failure: unknown user name or bad password.

 

Once I disconnect from ISAVPN, at the very same CMD prompt, I again and
immediately have access to files on my local servers.

 

This seems to affect access to the member server a short time after
connecting to ISAVPN.  Access to files on the domain controller usually
keeps working much longer, but eventually I lose it as well.  This behavior
has guaranteed repeatability 100% of the time.

 

I should note that the domain controller's mapped drive is "available
offline" but Vista does not switch to offline because of this problem. 

 

Looking in the security event log of the server, I see events 529 and 680
(source Security), in pairs, related to the login failure, with the 529
having the most information:

 

Logon Failure:

Reason:Unknown user name or bad password

User Name:   local_username_on_ISAVPN

Domain:ISAVPN

Logon Type: 3

Logon Process: NtLmSsp 

Authentication Package:NTLM

Workstation Name:MYVISTAPC

 

My take on it:  At some point, SMB access has to re-authenticate and is
using the more recent credentials from the VPN connection to talk to my
local servers.  I'm guessing binding order somewhere is the problem, but
where can I find and fix this binding order?  A permanent one-time solution
would be nice, but it's OK if I have to fix it every time after making the
VPN connection.

 

thanks all,

Carl

 

 

 

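Triage logic for the symptom in the original post (event 529, logon type 3, NtLmSsp, a Domain of ISAVPN presented by MYVISTAPC to a local server), as an added example that is not part of the original thread. It parses the 529 description format quoted above and flags NTLM network-logon failures whose account domain is one the local server should never see; the sample events are constructed, and MYDOMAIN is an assumed NetBIOS name for the local AD domain.

```python
"""Flag Security event 529 failures that present a foreign domain's credentials.

The 529 descriptions below are constructed in the format shown in the thread.
MYDOMAIN (the local AD domain) and SERVER (the member server's own name, for
local accounts) are assumed names for the domains a local server legitimately
sees; anything else in the Domain field is a credential from another security
context, which is what the VPN-connected Vista client was replaying.
"""
import re
from collections import Counter

SAMPLE_EVENTS = [
    """Logon Failure:
    Reason:  Unknown user name or bad password
    User Name:  local_username_on_ISAVPN
    Domain:  ISAVPN
    Logon Type:  3
    Logon Process:  NtLmSsp
    Authentication Package:  NTLM
    Workstation Name:  MYVISTAPC""",
    """Logon Failure:
    Reason:  Unknown user name or bad password
    User Name:  carl
    Domain:  MYDOMAIN
    Logon Type:  3
    Logon Process:  NtLmSsp
    Authentication Package:  NTLM
    Workstation Name:  MYVISTAPC""",
    """Logon Failure:
    Reason:  Unknown user name or bad password
    User Name:  local_username_on_ISAVPN
    Domain:  ISAVPN
    Logon Type:  3
    Logon Process:  NtLmSsp
    Authentication Package:  NTLM
    Workstation Name:  MYVISTAPC""",
]

# One "Field:  value" pair per line; leading indentation and trailing blanks ignored.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)


def parse_529(text):
    """Return the field/value pairs of a 529 description as a dict."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if key != "Logon Failure":          # first line is a heading, not a field
            fields[key] = value
    return fields


def is_foreign_domain_failure(fields, trusted_domains):
    """True for an NTLM network logon (type 3) using a domain this server never trusts."""
    return (fields.get("Logon Type") == "3"
            and fields.get("Authentication Package") == "NTLM"
            and fields.get("Domain", "").upper() not in trusted_domains)


def triage(events, trusted_domains):
    """Count foreign-domain failures per (workstation, DOMAIN\\user) to find the leaking client."""
    trusted = {d.upper() for d in trusted_domains}
    hits = Counter()
    for text in events:
        f = parse_529(text)
        if is_foreign_domain_failure(f, trusted):
            hits[(f["Workstation Name"], f["Domain"] + "\\" + f["User Name"])] += 1
    return hits


if __name__ == "__main__":
    for (workstation, account), n in triage(SAMPLE_EVENTS, ["MYDOMAIN", "SERVER"]).items():
        print(f"{workstation} presented {account} to this server {n} time(s)")
```

The ordinary bad-password failure for MYDOMAIN\carl is left alone; only the ISAVPN credentials replayed by MYVISTAPC are reported, with a count that grows as the client keeps re-authenticating.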

RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Carl Houseman
OK, I don't speak DNS as well as you but I can report my results.  I'll let
you explain them however you like!

My scenario:
A local LAN adapter references one Windows AD DNS - TLD= a.com
A PPP adapter referencing another Windows AD DNS - TLD= b.com

When I start NSLookup, the PPP adapter's DNS is identified.  So I know the
PPP adapter's DNS is first in line.

That being the case,
1. Ping can resolve server.a.com, only defined in a.com's DNS.
2. Ping can resolve server.b.com, only defined in b.com's DNS.

Both TLDs also exist in the public DNS world.  So the TLDs are resolvable by
both DNS's.  But server.a.com and server.b.com are not defined in the public
DNS's.

Based on what you've said, an NXDOMAIN response was not returned - because
the domain did exist, only the hostname was not found.

Carl

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Friday, December 12, 2008 7:35 PM
To: NT System Admin Issues
Subject: Re: Lose access to local domain servers when connected w/VPN to
remote / different Windows domain

On Fri, Dec 12, 2008 at 12:37 PM, Carl Houseman 
wrote:
> When there are multiple adapters each with their own DNS, DNS
> resolution is attempted on each adapter in turn until one resolves
> it and only fails if none of them resolve it.

  I believe that is inaccurate.

  To the best of my knowledge, an NXDOMAIN response from an
authoritative nameserver *is* considered a successful result for a DNS
query.  The query did not fail.  The local stub resolver *did* receive
an answer.  That answer said, "I contacted a nameserver which is
authoritative for the zone in question, and that nameserver said the
domain name you want does not exist".  A failure would be a SERVFAIL
response from an intermediate full-service resolver, or no response at
all (timeout).

  In every relevant situation I've encountered, observed behavior has
corroborated the above.

  It's the difference between sending an email message and getting a
failure notice stating "The recipient address does not exist on this
server", vs sending an email message and getting a failure notice
stating "The destination email server could not be reached after
several tries; I'm giving up".  The former says authoritatively the
recipient address is bogus; the message could never be delivered
(unless configuration changes).  The latter just says your message
could not be delivered, but it might be a temporary problem.

-- Ben





RE: BIG IP

2008-12-13 Thread Michael B. Smith
You need your own ASN, public IP network, and BGP; that's about it - or
someone who can provide those to you via services.

 

A number of geographically dispersed data companies offer those services,
but no, they don't come cheap.

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

 

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Saturday, December 13, 2008 10:23 AM
To: NT System Admin Issues
Subject: BIG IP

 

I'm looking for some global failover devices. These are the only guys I know
but in reading through their specs, besides being 20k, I didn't truly see
what was going to be required.

 

Basically I have 3 sites a primary and 2 failover locations (the company is
split into two divisions each one fails over to another locale)

 

I would like to be able to failover automatically to both. They are in the
same public ip subnet but just need routing to different areas.

 

I guess the overall question is what is required on our end to make this
scenario work, and is there something other than big ip that could
accomplish this successfully that I can research. At one of my colo's I see
a bunch of Coyote Points but those seem to be load balancers not really wan
failover type products.

 

I was also looking at global dns providers which apparently offer this kind
of masking service but I saw pricing from 1k-1.5k/month which doesn't make a
lot of sense either. 

 

Thanks



RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

2008-12-13 Thread Carl Houseman
No wins server in the local environment.

 

Regarding "Kerb lifetime of the remote", there are two "remotes" in play

 

1. The remote domain.  But the remote domain is not authenticating my VPN
session with the remote network.

2. The remote ISA server that is authenticating my VPN session.

 

The problem is that VPN session credentials are being applied to my local
servers.  So from which platform exactly would you want to see klist
information?  The ISA server, the remote domain DC, or my local Vista?  I've
not installed Win2003 RK tools on my local Vista machine.

 

I will say this, everything involving Kerberos is operating at
Microsoft-installed defaults.  I would not play with such things, and yes, I
know the remote well enough to say they did not play with such things.

 

The title of KB 180362 is "services and redirected drives".  It seems to
care more about redirected drives and drive letters, but my problem is not
specific to drive letter mappings - if a drive mapped to \\server\share
is failing, a UNC reference to \\server\share is also failing.

 

Meanwhile, I've been actively working with the VPN connected for the last 3
hours and haven't lost any drives mapped to FQDN's.  I know that any result
of less than 24 hours experience is inconclusive, so I'm going to wait until
at least Monday p.m. to declare success or failure.

 

Carl

 

From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
Sent: Friday, December 12, 2008 3:06 PM
To: NT System Admin Issues
Subject: RE: Lose access to local domain servers when connected w/VPN to
remote / different Windows domain

 

What does your wins look like?

 

What's the Kerb lifetime of the remote and are they defaulting to UDP or TCP
and what do your tickets look like? (kerbtray and klist are your friends)

 

The title of this KB says "services", and it's old (but still valid), but
it's about any time you are changing security contexts:

 

http://support.microsoft.com/kb/180362

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Friday, December 12, 2008 2:45 PM
To: NT System Admin Issues
Subject: RE: Lose access to local domain servers when connected w/VPN to
remote / different Windows domain

 

Well crap.   The problem just happened again.  Sorry John, looks like you
don't get the popcorn.

 

Pinging my local AD TLD is hitting the correct server.

 

Big heavy sigh.  What else could it be?   I guess I'll go with mapping
drives to FQDN's and see where that gets me.

 

Carl

 

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, December 12, 2008 1:29 PM
To: NT System Admin Issues
Subject: RE: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

It looks like the problem is solved.  I've been reviewing all the responses
to see if anyone won the popcorn... :)

John Gwinner's answer was the first to call DNS into question and he also
described what ended up being the problem - the fact that my AD domain name
was being resolved by the remote org's DNS to a public IP.  If I'd not been
so skeptical I could have solved the problem faster based on his answer.

So John, if you want a bag of popcorn, send me your mailing address
privately and choose one of these flavors (they're all good!):

- Peanut butter and white chocolate
- Chocolate chunk and caramel
- Milk chocolate and white chocolate

Again, thanks to everybody for their comments, and Happy Holidays to all.

Carl

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Wednesday, December 10, 2008 2:28 PM
To: NT System Admin Issues
Subject: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

This problem has bothered me a long time, and happens daily.  It's so
bothersome, I'll send some Dale & Thomas popcorn to the first person who can
come up with a solution or a tip that quickly (without many hours of effort
on my part) leads to a solution.  Advice such as "call Microsoft" does not
qualify for the popcorn!

Past history:  The problem was seen for Windows XP but seems to be worse
under Vista.  In fact I wrote about it in reference to XP to this list a
year or two ago without any resolution.  Certainly what I'm doing here can't
be that unique, aside from relying on Microsoft-based VPN solutions...
(kindly withhold comments on the worthiness of those solutions).

Goes like this:

In my local office, there are two 2003 servers - member and domain
controller.  My everyday Vista SP1 is joined to that domain.  I have drives
mapped to both servers.

I use an L2TP/IPSEC VPN connection to connect to a client's network.  The
client's VPN gateway is ISA 2006, joined to the client's Windows domain, but
I authenticate for the purpose of the VPN conn
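
The cause Carl found above, the AD domain name being answered by the remote org's resolver with a public address, can be checked directly from the VPN client. This is an added example, not code from anyone in the thread; it assumes the DnsClient cmdlets (Windows 8 / Server 2012 or later), and `corp.example.local` is a placeholder for your own AD domain name.

```powershell
# Added example, not from the thread. For every DNS server configured on any
# interface (the VPN adapter included), resolve the local AD domain name and
# flag any server that answers with a public address, which is the failure
# Carl describes. Needs the DnsClient module (Windows 8 / Server 2012 or later).
# 'corp.example.local' is a placeholder: pass your own AD domain name.
param([string]$AdDomain = 'corp.example.local')

function Test-PrivateIPv4 {
    # RFC 1918 check on a dotted-quad string
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Every IPv4 resolver on every interface, tagged with the interface it belongs to
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($ip in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $alias; Server = $ip }
        }
    }

foreach ($r in $resolvers) {
    try {
        # -DnsOnly bypasses the local cache, LLMNR and NetBIOS so we see this server's own answer
        $answers = Resolve-DnsName -Name $AdDomain -Type A -Server $r.Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
    } catch {
        '{0,-24} {1,-16} no answer ({2})' -f $r.Interface, $r.Server, $_.Exception.Message
        continue
    }
    foreach ($a in $answers) {
        $verdict = if (Test-PrivateIPv4 $a.IPAddress) { 'internal' } else { 'PUBLIC: this resolver must not win for the AD domain' }
        '{0,-24} {1,-16} {2,-16} {3}' -f $r.Interface, $r.Server, $a.IPAddress, $verdict
    }
}

# The answer the client actually uses right now (no -Server): this is what decides
# whether the domain name reaches the local DC or the remote org's public address
Resolve-DnsName -Name $AdDomain -Type A -DnsOnly | Select-Object Name, IPAddress
```

On the XP and Vista machines in the thread the same check is `nslookup <domain> <server>` run once per configured DNS server.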

BIG IP

2008-12-13 Thread Benjamin Zachary - Lists
I'm looking for some global failover devices. These are the only guys I know
but in reading through their specs, besides being 20k, I didn't truly see
what was going to be required.

Basically I have 3 sites, a primary and 2 failover locations (the company is
split into two divisions, each one fails over to another locale).

I would like to be able to failover automatically to both. They are in the
same public ip subnet but just need routing to different areas.

I guess the overall question is what is required on our end to make this
scenario work, and is there something other than big ip that could
accomplish this successfully that I can research. At one of my colo's I see
a bunch of Coyote Points but those seem to be load balancers not really wan
failover type products.

I was also looking at global dns providers which apparently offer this kind
of masking service but I saw pricing from 1k-1.5k/month which doesn't make a
lot of sense either.

Thanks


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Word 2007 cannot save due to file permission error

2008-12-13 Thread Benjamin Zachary - Lists

Getting this on an xpsp3 pc w/ office 2007sp1.

I poked around; there's about 500k hits that match with no reasonable answer.
A lot of people were talking about usb drives. This is a network share in a
2003 AD environment. If I do a runas and run as administrator the problem
goes away; making the user a domain admin does not, however.

If the user hits Save As.. and then clicks ok he gets prompted to overwrite,
hits yes and it works. So it's not *really* a permissions error.

I tried disabling all add-ins (although Symantec AV is on the machine, it
wasn't listed as an available add-in). I re-applied all permissions on the
share.

Anyone?


RE: locating phish domains

2008-12-13 Thread Benjamin Zachary - Lists
Try OpenDNS, they block all that stuff but do have some tools that you might
be able to query against.

From: Bill Songstad (WCUL) [mailto:administra...@waleague.org]
Sent: Thursday, December 11, 2008 18:08
To: NT System Admin Issues
Subject: locating phish domains

Does anyone know of a tool or website that allows you to submit a search for
domains with wildcards?  I have a colleague that has some phishing sites
popping up using related domain names.  I was hoping to do some DNS queries
to try and spot some other potential phish sites.  Does anyone know a way to
search for all active domains containing a particular string like
*joesfinancial*.com?

Thanks for any insight

Bill

