Been a long day today, but I won...

2013-01-29 Thread Kurt Buff
So, it's month end, and our UK office is noticing that emails are not
processing outbound from their office. All of their emails come
through the US server, to be delivered wherever, and there are some
big emails (4-8mbytes) with proposals and orders and such, and they're
getting desperate. Lots of little emails are stuck in queue too,
though if left alone they seem to trickle out, while the big messages
go to retry status.

It's already been a long day for me, having been woken up at 3am
because they switched over to a new DSL provider, and couldn't log
into the router to set up the PPPoA configuration. (pay attention -
that's a clue...)

While I'm trying to troubleshoot this, the nominal IT manager above me
is freaking out and deleting messages from the outbound queue on the
UK Exchange server, restarting services multiple times, rebooting the
UK server, and generally showing all of the patience and investigative
skill of a 4yo.

I leave the office at 18:00 to pick up my son at daycare, and arrive
home and start ignoring everything else except the problem with
Exchange. (I have a very good wife, and I deeply appreciate her
patience with me!)

I get frustrated, and turn up logging on a bunch of Exchange services,
then bounce both the UK and US servers remotely, just so I have a
clean starting point in the logs.

Finally I notice a 4000 message from MSExchangeTransport on the US
server (along with some 4006 messages from the same source on the UK
server), and hit paydirt.

EventID.net turns up reference to MTU sizes.

I adjust the firewall in our UK office from 1500 to 1450, and
transport of my test message with a 12mbyte text attachment flies
through.

I test once more with the same attachment, just to be sure.

Success.

I am now going to bed.

Good night.

Kurt

PS - I'll turn down the logging tomorrow, when I have a few minutes to
breathe at work.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: Favorite VPN solution?

2013-01-29 Thread Tim Evans
Thanks, that gives me a couple of things to look into: I didn't know there was 
an OpenVPN service and the idea of supernetting, which should work for us.

...Tim

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, January 29, 2013 12:45 PM
To: NT System Admin Issues
Subject: Re: Favorite VPN solution?

On Tue, Jan 29, 2013 at 12:47 PM, Tim Evans  wrote:
> I was looking at OpenVPN, but it looks to me like it won't work in our 
> environment.
> We have multiple subnets on our internal network, and it looks like 
> the OpenVPN client needs admin rights on the endpoint to update 
> routes. Our users don't have admin rights and that's not something I'm 
> looking to change. Have you found a workaround for this or is it not an issue 
> in your environment?

  Nobody here runs with admin rights, either.  We use the OpenVPN service, 
which runs with admin rights and thus can do what's needed to configure the 
routes and network interface.  We then change permissions on the service (using 
GPO) such that users can start/stop it.

  But, if you have multiple subnets behind a single VPN gateway, and all the 
subnets fall within the same supernet, then you can just create one route on 
the client, and do your routing at/past the gateway.

  For example, we use the 10.0.0.0/8 network internally.  Our main HQ LAN is 
10.0.0.0/23, but we also have various other nets for weird things, e.g., 
10.0.14.48/30 is something.  But the OpenVPN client just gets a route to 
10.0.0.0/8 and our router at HQ does the rest.

-- Ben




Re: Where to get copies of my various documentation scripts

2013-01-29 Thread Kurt Buff
I do not use XenApp, nor Citrix, but I do have a word of advice.

Do not deprecate your skills with PowerShell. You have to start
somewhere, and this is a very large project on which to cut your
teeth.

In addition, you are obviously filling a very needed hole in the
ecosystem, and for this you will earn at least one day a year off in
hell, in spite of any of your other sins. :)

Kurt

On Tue, Jan 29, 2013 at 5:02 PM, Webster  wrote:
> You are welcome.
>
>
>
> I am currently working on my XenApp 5 script.  It is 99.9% complete.  Just
> trying to find more people to test it.  Feedback has been great so far.
> Here are some sample reports if you have a XenApp 5 farm.
>
>
>
> https://dl.dropbox.com/u/43555945/XA52003Farm.docx
>
> https://dl.dropbox.com/u/43555945/XA52008Farm.docx
>
>
>
> While I am waiting on testers to get back to me I started and finished
> updating my PVS script to create a Word doc.  I don’t have a PVS server to
> test against right now so I sent it off to a friend for testing.
>
>
>
> This same friend is also building me  a complete XenDesktop lab so I can
> create a XD script.  He will have all 3 supported Hypervisors and all
> supported versions of XD5.x.  That will be a “fun” project!
>
>
>
> If I actually knew anything about PowerShell I would be dangerous. :)
>
>
>
> Thanks
>
>
>
>
>
> Webster
>
>
>
> From: Mark Boeck [mailto:netadmin...@gmail.com]
> Subject: Re: Where to get copies of my various documentation scripts
>
>
>
> thank you for sharing your hard work with us!



Re: OT: Speaking of Barracuda...

2013-01-29 Thread Richard Stovall
The Barracuda tech wrote back a while ago and informed that the behavior
I'm seeing is indeed part of their intent scanning methodology.  What kind
of freaked me out initially, and alerted me to what is going on, was that
last Friday my UTM firewall blocked the spam filter from downloading what
the firewall deemed a virus.  I thought, "WTF is my spam filter doing
downloading binary content from somewhere other than Barracuda?"  That's
what precipitated this whole thing.

So, the official word is that it's much ado about nothing.  Pretty much
what I expected, but I was a little concerned because I couldn't find any
similar documentation out on the intertubez.

Thanks to all who responded.

Richard


On Tue, Jan 29, 2013 at 6:10 PM, Mark Boeck  wrote:

> that makes sense, kurt, and from there it stops the spam.

Re: OT: Speaking of Barracuda...

2013-01-29 Thread Kurt Buff
That should read "upon which"

On Tue, Jan 29, 2013 at 2:32 PM, Kurt Buff  wrote:
> My best guess is that it's parsing the content gained from the URLs
> for spam/malware. This is, IIRC, a feature of SpamAssassin, upon with
> the Barracudas are built.
>
> In the case of those for which it doesn't fetch content, I'm guessing
> that the embedded URLs are already known.
>
> Kurt
>
> On Tue, Jan 29, 2013 at 1:25 PM, Richard Stovall  wrote:
>> Would any of you who have Barracuda spam filters mind checking something for
>> me?
>>
>> The other day I noticed outbound traffic from my spam appliance to port 80
>> at destinations not owned by Barracuda Networks.  I started a packet cap on
>> my firewall and got some very interesting results.  In addition to traffic
>> for legitimate updates and whatnot, the appliance is actually going out to
>> and downloading content from the URLs embedded in some (but nowhere near
>> all) inbound spam messages.  I haven't yet figured out any pattern to why it
>> happens on some e-mails and not others.
>>
>> I created a case with Barracuda this morning just to confirm that it is
>> expected behavior and get an explanation of the logic behind it, but the
>> tech I spoke to had never heard of this.  I sent him the packet cap and he
>> said he would kick it upstairs and get back to me, but I haven't heard
>> anything yet.
>>
>> Anyone want to capture traffic from your Barracuda spam firewall on outbound
>> port 80 and see if you see anything similar?
>>
>> Thanks,
>> RS


Re: Speaking of Barracuda...

2013-01-29 Thread Richard Stovall
Thanks for having a look at it.

The activity is pretty frequent, actually.  The latest capture has about 30
gets to non-Barracuda sites in a few hours, all of which are embedded in
inbound spam messages.

My suspicion is that it is something along the lines you describe, but I
can't find anything in the config documents that explicitly states it will
pull down content.  The fact the technician hadn't heard of this is a
little strange, too.

The closest thing I can find is in the description of "Multi-Level Intent
Analysis" which is:

*Multi-Level Intent Analysis - Set to Yes to inspect the results of Web
queries to URIs of well-known free Web sites for redirections to known
spammer sites*.

However, does www.nicejordans23.com sound like a "well-known" free website?
 Or amazing.chloalt.us?

Maybe I'll get some more info when this e-mail comes in and hits the
filter.  Perhaps those URLs will trigger the activity.

Richard



On Tue, Jan 29, 2013 at 5:14 PM, N Parr  wrote:

> How often are you seeing it?  What model do you have?  I've had my ASA
> logging for a few min now but nothing on port 80 yet.  I'll let it run
> overnight and search the logs.  It could be part of the spam checking
> to see if URLs imbedded in emails are legit to aid in scoring?  Don't know
> if they do that sort of thing, just grasping at straws.
>
>  --
> *From:* Richard Stovall [mailto:rich...@gmail.com]
> *Sent:* Tuesday, January 29, 2013 3:25 PM
> *To:* NT System Admin Issues
> *Subject:* OT: Speaking of Barracuda...
>
>  Would any of you who have Barracuda spam filters mind checking something
> for me?
>
>  The other day I noticed outbound traffic from my spam appliance to port
> 80 at destinations not owned by Barracuda Networks.  I started a packet cap
> on my firewall and got some very interesting results.  In addition to
> traffic for legitimate updates and whatnot, the appliance is actually going
> out to and downloading content from the URLs embedded in some (but nowhere
> near all) inbound spam messages.  I haven't yet figured out any pattern to
> why it happens on some e-mails and not others.
>
>  I created a case with Barracuda this morning just to confirm that it is
> expected behavior and get an explanation of the logic behind it, but the
> tech I spoke to had never heard of this.  I sent him the packet cap and he
> said he would kick it upstairs and get back to me, but I haven't heard
> anything yet.
>
>  Anyone want to capture traffic from your Barracuda spam firewall on
> outbound port 80 and see if you see anything similar?
>
>  Thanks,
> RS

Re: OT: Speaking of Barracuda...

2013-01-29 Thread Kurt Buff
My best guess is that it's parsing the content gained from the URLs
for spam/malware. This is, IIRC, a feature of SpamAssassin, upon with
the Barracudas are built.

In the case of those for which it doesn't fetch content, I'm guessing
that the embedded URLs are already known.

Kurt

On Tue, Jan 29, 2013 at 1:25 PM, Richard Stovall  wrote:
> Would any of you who have Barracuda spam filters mind checking something for
> me?
>
> The other day I noticed outbound traffic from my spam appliance to port 80
> at destinations not owned by Barracuda Networks.  I started a packet cap on
> my firewall and got some very interesting results.  In addition to traffic
> for legitimate updates and whatnot, the appliance is actually going out to
> and downloading content from the URLs embedded in some (but nowhere near
> all) inbound spam messages.  I haven't yet figured out any pattern to why it
> happens on some e-mails and not others.
>
> I created a case with Barracuda this morning just to confirm that it is
> expected behavior and get an explanation of the logic behind it, but the
> tech I spoke to had never heard of this.  I sent him the packet cap and he
> said he would kick it upstairs and get back to me, but I haven't heard
> anything yet.
>
> Anyone want to capture traffic from your Barracuda spam firewall on outbound
> port 80 and see if you see anything similar?
>
> Thanks,
> RS


Re: OT: Speaking of Barracuda...

2013-01-29 Thread Richard Stovall
Holy cow!  That could be worse!

:)


On Tue, Jan 29, 2013 at 4:32 PM, Steve Ens  wrote:

> Sorry, no spam filter, just a web filter.
>
>
> On Tue, Jan 29, 2013 at 3:25 PM, Richard Stovall wrote:
>
>> Would any of you who have Barracuda spam filters mind checking something
>> for me?
>>
>> The other day I noticed outbound traffic from my spam appliance to port
>> 80 at destinations not owned by Barracuda Networks.  I started a packet cap
>> on my firewall and got some very interesting results.  In addition to
>> traffic for legitimate updates and whatnot, the appliance is actually going
>> out to and downloading content from the URLs embedded in some (but nowhere
>> near all) inbound spam messages.  I haven't yet figured out any pattern to
>> why it happens on some e-mails and not others.
>>
>> I created a case with Barracuda this morning just to confirm that it is
>> expected behavior and get an explanation of the logic behind it, but the
>> tech I spoke to had never heard of this.  I sent him the packet cap and he
>> said he would kick it upstairs and get back to me, but I haven't heard
>> anything yet.
>>
>> Anyone want to capture traffic from your Barracuda spam firewall on
>> outbound port 80 and see if you see anything similar?
>>
>> Thanks,
>> RS

RE: Speaking of Barracuda...

2013-01-29 Thread N Parr
How often are you seeing it?  What model do you have?  I've had my ASA logging 
for a few min now but nothing on port 80 yet.  I'll let it run overnight and 
search the logs.  It could be part of the spam checking to see if URLs 
imbedded in emails are legit to aid in scoring?  Don't know if they do that 
sort of thing, just grasping at straws.


From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Tuesday, January 29, 2013 3:25 PM
To: NT System Admin Issues
Subject: OT: Speaking of Barracuda...

Would any of you who have Barracuda spam filters mind checking something for me?

The other day I noticed outbound traffic from my spam appliance to port 80 at 
destinations not owned by Barracuda Networks.  I started a packet cap on my 
firewall and got some very interesting results.  In addition to traffic for 
legitimate updates and whatnot, the appliance is actually going out to and 
downloading content from the URLs embedded in some (but nowhere near all) 
inbound spam messages.  I haven't yet figured out any pattern to why it happens 
on some e-mails and not others.

I created a case with Barracuda this morning just to confirm that it is 
expected behavior and get an explanation of the logic behind it, but the tech I 
spoke to had never heard of this.  I sent him the packet cap and he said he 
would kick it upstairs and get back to me, but I haven't heard anything yet.

Anyone want to capture traffic from your Barracuda spam firewall on outbound 
port 80 and see if you see anything similar?

Thanks,
RS


Re: OT: Speaking of Barracuda...

2013-01-29 Thread Steve Ens
Sorry, no spam filter, just a web filter.


On Tue, Jan 29, 2013 at 3:25 PM, Richard Stovall  wrote:

> Would any of you who have Barracuda spam filters mind checking something
> for me?
>
> The other day I noticed outbound traffic from my spam appliance to port 80
> at destinations not owned by Barracuda Networks.  I started a packet cap on
> my firewall and got some very interesting results.  In addition to traffic
> for legitimate updates and whatnot, the appliance is actually going out to
> and downloading content from the URLs embedded in some (but nowhere near
> all) inbound spam messages.  I haven't yet figured out any pattern to why
> it happens on some e-mails and not others.
>
> I created a case with Barracuda this morning just to confirm that it is
> expected behavior and get an explanation of the logic behind it, but the
> tech I spoke to had never heard of this.  I sent him the packet cap and he
> said he would kick it upstairs and get back to me, but I haven't heard
> anything yet.
>
> Anyone want to capture traffic from your Barracuda spam firewall on
> outbound port 80 and see if you see anything similar?
>
> Thanks,
> RS

OT: Speaking of Barracuda...

2013-01-29 Thread Richard Stovall
Would any of you who have Barracuda spam filters mind checking something
for me?

The other day I noticed outbound traffic from my spam appliance to port 80
at destinations not owned by Barracuda Networks.  I started a packet cap on
my firewall and got some very interesting results.  In addition to traffic
for legitimate updates and whatnot, the appliance is actually going out to
and downloading content from the URLs embedded in some (but nowhere near
all) inbound spam messages.  I haven't yet figured out any pattern to why
it happens on some e-mails and not others.

I created a case with Barracuda this morning just to confirm that it is
expected behavior and get an explanation of the logic behind it, but the
tech I spoke to had never heard of this.  I sent him the packet cap and he
said he would kick it upstairs and get back to me, but I haven't heard
anything yet.

Anyone want to capture traffic from your Barracuda spam firewall on
outbound port 80 and see if you see anything similar?

Thanks,
RS
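
Added example (not part of the original post, and not Barracuda's code): one way to run the check asked for above is to correlate the appliance's outbound port-80 connections with the hosts of URLs embedded in inbound mail. The log line format, the appliance address, the vendor domain and all sample messages below are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (constructed for this example, not taken from the thread):
APPLIANCE_IP = "192.0.2.25"              # spam appliance address (TEST-NET-1)
VENDOR_SUFFIXES = ("vendor.example",)    # placeholder for the vendor's own update domains

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Hypothetical firewall log format: "<timestamp> src=<ip> dport=<port> host=<http host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$")


def hosts_in_message(body):
    """Return the set of lower-cased host names of all http(s) URLs in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url.rstrip(".,;")).hostname
        except ValueError:          # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def is_vendor(host):
    """True when the host is the vendor domain or a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def classify(log_lines, messages, appliance_ip=APPLIANCE_IP):
    """Sort the appliance's outbound port-80 requests into three buckets:
    vendor traffic, fetches explained by a URL in an inbound message, and
    fetches nothing explains. Also list mail URL hosts that were never fetched."""
    mail_hosts = {}
    for msg_id, body in messages.items():
        for host in hosts_in_message(body):
            mail_hosts.setdefault(host, set()).add(msg_id)

    report = {"vendor": [], "mail_url": [], "unexplained": []}
    fetched = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["src"] != appliance_ip or m["dport"] != "80":
            continue                # other sources and ports are out of scope here
        host = m["host"].lower().rstrip(".")
        if is_vendor(host):
            report["vendor"].append(host)
        elif host in mail_hosts:
            fetched.add(host)
            report["mail_url"].append((host, sorted(mail_hosts[host])))
        else:
            report["unexplained"].append(host)
    report["not_fetched"] = sorted(set(mail_hosts) - fetched)
    return report


# Constructed sample data.
SAMPLE_MESSAGES = {
    "msg-001": "Cheap shoes at http://shoes.spam.example/deal?id=1 today!",
    "msg-002": 'Click <a href="http://redirect.freehost.example/r">here</a>',
    "msg-003": "Newsletter: see http://never-fetched.example/",
}
SAMPLE_LOG = [
    "2013-01-29T15:02:11 src=192.0.2.25 dport=80 host=updates.vendor.example",
    "2013-01-29T15:03:40 src=192.0.2.25 dport=80 host=shoes.spam.example",
    "2013-01-29T15:04:02 src=192.0.2.25 dport=80 host=redirect.freehost.example",
    "2013-01-29T15:09:57 src=192.0.2.25 dport=80 host=cdn.unknown.example",
    "2013-01-29T15:10:03 src=192.0.2.77 dport=80 host=shoes.spam.example",
    "2013-01-29T15:11:00 src=192.0.2.25 dport=25 host=mx.partner.example",
]

if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_LOG, SAMPLE_MESSAGES).items():
        print(bucket, entries)
```

The "unexplained" bucket is the one worth a closer look: a fetch that matches neither vendor updates nor any URL seen in inbound mail is not accounted for by URL scanning.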


Re: Shocking? Somehow, not...

2013-01-29 Thread Patrick Salmon
Not surprisingly, you're going to see a lot of alerts coming out on this
subject. Here's the Cisco one:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
which you can expect to be updated as more is learned about which products
are affected.

On Tue, Jan 29, 2013 at 9:44 AM, David Lum  wrote:

>
> http://news.cnet.com/8301-1009_3-57566366-83/upnp-networking-flaw-puts-millions-of-pcs-at-risk/
> 
>
> David Lum
> Sr. Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>

Re: Favorite VPN solution?

2013-01-29 Thread Don Ely
LOL!  Beat me to it!!!


On Tue, Jan 29, 2013 at 11:19 AM, Webster  wrote:

> So Java and Barracuda?  Two exploited products in one.  Sweet! :)
>
> Thanks
>
>
> Webster
>
> > -Original Message-
> > From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> > Subject: Re: Favorite VPN solution?
> >
> > We use Barracuda's SSLVPN. It is based off the old sslExplorer open
> > source product, and does the Java-based install of their vpn client.
> > In many ways, I think this is similar to the Sonicwall SSLVPN.
> >
> > The barracuda didn't have any per-user license fees. This was a major
> > factor in our choice of VPN solutions.

Re: Favorite VPN solution?

2013-01-29 Thread Ben Scott
On Tue, Jan 29, 2013 at 12:47 PM, Tim Evans  wrote:
> I was looking at OpenVPN, but it looks to me like it won't work in our
> environment.
> We have multiple subnets on our internal network, and it looks like the
> OpenVPN client needs admin rights on the endpoint to update routes. Our
> users don't have admin rights and that's not something I'm looking to
> change. Have you found a workaround for this or is it not an issue in
> your environment?

  Nobody here runs with admin rights, either.  We use the OpenVPN
service, which runs with admin rights and thus can do what's needed to
configure the routes and network interface.  We then change
permissions on the service (using GPO) such that users can start/stop
it.

  But, if you have multiple subnets behind a single VPN gateway, and
all the subnets fall within the same supernet, then you can just
create one route on the client, and do your routing at/past the
gateway.

  For example, we use the 10.0.0.0/8 network internally.  Our main HQ
LAN is 10.0.0.0/23, but we also have various other nets for weird
things, e.g., 10.0.14.48/30 is something.  But the OpenVPN client just
gets a route to 10.0.0.0/8 and our router at HQ does the rest.

-- Ben
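
Added example (not part of Ben's post and not OpenVPN project code): a check that one pushed route really covers every internal subnet, using the two subnets named above. It goes one step further than the post by also flagging remote users' own LANs that the route would overlap; the client LAN list is a constructed assumption.

```python
import ipaddress

# Subnets taken from the post above.
HQ_SUBNETS = ["10.0.0.0/23", "10.0.14.48/30"]
# Constructed examples of networks a remote user might be sitting on.
CLIENT_LANS = ["192.168.1.0/24", "10.1.1.0/24"]


def covering_supernet(subnets):
    """Return the smallest single IPv4 network that contains every subnet."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # The leading bits shared by the lowest and highest address are the prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((base, prefix))


def route_covers(route, subnets):
    """True when every subnet lies inside the single route."""
    r = ipaddress.IPv4Network(route)
    return all(ipaddress.IPv4Network(s).subnet_of(r) for s in subnets)


def overlapping_client_lans(route, client_lans):
    """Client-side LANs that the pushed route would shadow once the VPN is up."""
    r = ipaddress.IPv4Network(route)
    return [lan for lan in client_lans if ipaddress.IPv4Network(lan).overlaps(r)]


def push_directive(route):
    """Render the route as an OpenVPN server-side push line (network + netmask)."""
    r = ipaddress.IPv4Network(route)
    return 'push "route {} {}"'.format(r.network_address, r.netmask)


if __name__ == "__main__":
    tight = covering_supernet(HQ_SUBNETS)
    for route in ("10.0.0.0/8", str(tight)):
        print(route,
              "covers all:", route_covers(route, HQ_SUBNETS),
              "| overlaps client LANs:", overlapping_client_lans(route, CLIENT_LANS),
              "|", push_directive(route))
```

Both routes cover the listed subnets; the /8 leaves room for future nets but overlaps any remote LAN numbered in 10.x, while the tightest covering route does not.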



Re: Favorite VPN solution?

2013-01-29 Thread Andrew S. Baker
I knew someone would say it before too long. :)





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Tue, Jan 29, 2013 at 2:19 PM, Webster  wrote:

> So Java and Barracuda?  Two exploited products in one.  Sweet! :)
>
> Thanks
>
>
> Webster
>
> > -Original Message-
> > From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> > Subject: Re: Favorite VPN solution?
> >
> > We use Barracuda's SSLVPN. It is based off the old sslExplorer open
> > source product, and does the Java-based install of their vpn client.
> > In many ways, I think this is similar to the Sonicwall SSLVPN.
> >
> > The barracuda didn't have any per-user license fees. This was a major
> > factor in our choice of VPN solutions.

RE: Favorite VPN solution?

2013-01-29 Thread Matthew W. Ross
From: Kennedy, Jim
> Ok, you owe the taxpayers of Elyria a new screen. I haven't C&C'd like that
> in years.

Webster: You win.


--Matt Ross
Ephrata School District


- Original Message -
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 29 Jan 2013 11:20:00 -0800
Subject: RE: Favorite VPN solution?


> Ok, you owe the taxpayers of Elyria a new screen. I haven't C&C'd like that
> in years.
> 
> -Original Message-
> From: Webster [mailto:webs...@carlwebster.com] 
> Sent: Tuesday, January 29, 2013 2:19 PM
> To: NT System Admin Issues
> Subject: RE: Favorite VPN solution?
> 
> So Java and Barracuda?  Two exploited products in one.  Sweet! :)
> 
> Thanks
> 
> 
> Webster
> 
> > -Original Message-
> > From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> > Subject: Re: Favorite VPN solution?
> > 
> > We use Barracuda's SSLVPN. It is based off the old sslExplorer open 
> > source product, and does the Java-based install of their vpn client. 
> > In many ways, I think this is similar to the Sonicwall SSLVPN.
> > 
> > The barracuda didn't have any per-user license fees. This was a major 
> > factor in our choice of VPN solutions.



RE: Favorite VPN solution?

2013-01-29 Thread Matthew W. Ross
Sm:)e. Ya know it!

-

In all fairness, Barracuda has fixed their issue. As for Java...


--Matt Ross
Ephrata School District


- Original Message -
From: Webster [mailto:webs...@carlwebster.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 29 Jan 2013 11:19:08 -0800
Subject: RE: Favorite VPN solution?


> So Java and Barracuda?  Two exploited products in one.  Sweet! :)
> 
> Thanks
> 
> 
> Webster
> 
> > -Original Message-
> > From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> > Subject: Re: Favorite VPN solution?
> > 
> > We use Barracuda's SSLVPN. It is based off the old sslExplorer open source
> > product, and does the Java-based install of their vpn client. In many
> > ways, I think this is similar to the Sonicwall SSLVPN.
> >
> > The barracuda didn't have any per-user license fees. This was a major
> > factor in our choice of VPN solutions.



RE: Favorite VPN solution?

2013-01-29 Thread Kennedy, Jim
Ok, you owe the taxpayers of Elyria a new screen. I haven't C&C'd like that in 
years.

-Original Message-
From: Webster [mailto:webs...@carlwebster.com] 
Sent: Tuesday, January 29, 2013 2:19 PM
To: NT System Admin Issues
Subject: RE: Favorite VPN solution?

So Java and Barracuda?  Two exploited products in one.  Sweet! :)

Thanks


Webster

> -Original Message-
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Subject: Re: Favorite VPN solution?
> 
> We use Barracuda's SSLVPN. It is based off the old sslExplorer open 
> source product, and does the Java-based install of their vpn client. 
> In many ways, I think this is similar to the Sonicwall SSLVPN.
> 
> The barracuda didn't have any per-user license fees. This was a major 
> factor in our choice of VPN solutions.





RE: Favorite VPN solution?

2013-01-29 Thread Webster
So Java and Barracuda?  Two exploited products in one.  Sweet! :)

Thanks


Webster

> -Original Message-
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Subject: Re: Favorite VPN solution?
> 
> We use Barracuda's SSLVPN. It is based off the old sslExplorer open source
> product, and does the Java-based install of their vpn client. In many ways, I
> think this is similar to the Sonicwall SSLVPN.
> 
> The barracuda didn't have any per-user license fees. This was a major factor
> in our choice of VPN solutions.





Re: Favorite VPN solution?

2013-01-29 Thread Matthew W. Ross
We use Barracuda's SSLVPN. It is based off the old sslExplorer open source 
product, and does the Java-based install of their vpn client. In many ways, I 
think this is similar to the Sonicwall SSLVPN.

The barracuda didn't have any per-user license fees. This was a major factor in 
our choice of VPN solutions.


--Matt Ross
Ephrata School District


- Original Message -
From: Bill Humphries [mailto:nt...@hedgedigger.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 29 Jan 2013 10:55:59 -0800
Subject: Re: Favorite VPN solution?


> Have you looked at any of the sslvpn options.  I use a sonicwall sslvpn and 
> like it a lot.  Has clients for mac and linux as well as windows.
> 
> Bill
> 
> -Original Message- 
> From: Tim Evans
> Sent: Tuesday, January 29, 2013 12:47 PM
> To: NT System Admin Issues
> Subject: RE: Favorite VPN solution?
> 
> I was looking at OpenVPN, but it looks to me like it won't work in our 
> environment. We have multiple subnets on our internal network, and it looks 
> like the OpenVPN client needs admin rights on the endpoint to update routes.
> 
> Our users don't have admin rights and that's not something I'm looking to 
> change. Have you found a workaround for this or is it not an issue in your 
> environment?
> 
> 
> ...Tim
> 
> 
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, January 29, 2013 8:53 AM
> To: NT System Admin Issues
> Subject: Re: Favorite VPN solution?
> 
> On Tue, Jan 29, 2013 at 7:46 AM, Tom Miller  wrote:
> > The clients work fine, but I'm wondering if there are other solutions
> > out there.
> 
>   We're using OpenVPN because (1) it's based on extremely well-tested code, 
> (2) it's light-weight, and (3) it's free.
> 
>   The main UI is extremely limited.  Basically an on/off indication.
> That can be disconcerting to users.  OTOH, the log is quite detailed and 
> useful.
> 
>   It provides no PKI management infrastructure of its own.  We use OpenSSL. 
> I'm told Windows Certificate Services also work.
> 
>   OpenVPN has nothing in the way of sophisticated management facilities. 
> Just text config files and text log files.  We only have one 
> site/policy/config, so it's no problem for us, but in a larger environment 
> with many differing policies that could get burdensome.
> 
> > Thoughts?  Anyone using clientless VPN with a PIX?
> 
>   "clientless" VPNs just mean they dynamically install/run the client via a 
> Java applet/ActiveX control.
> 
>   Deciding whether or not this is a good idea is left as an exercise to the 
> reader, but I note that allowing such things in general is a common security
> problem.
> 
> -- Ben
> 



Re: Favorite VPN solution?

2013-01-29 Thread Bill Humphries
Have you looked at any of the sslvpn options.  I use a sonicwall sslvpn and 
like it a lot.  Has clients for mac and linux as well as windows.


Bill

-Original Message- 
From: Tim Evans

Sent: Tuesday, January 29, 2013 12:47 PM
To: NT System Admin Issues
Subject: RE: Favorite VPN solution?

I was looking at OpenVPN, but it looks to me like it won't work in our 
environment. We have multiple subnets on our internal network, and it looks 
like the OpenVPN client needs admin rights on the endpoint to update routes. 
Our users don't have admin rights and that's not something I'm looking to 
change. Have you found a workaround for this or is it not an issue in your 
environment?



...Tim


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, January 29, 2013 8:53 AM
To: NT System Admin Issues
Subject: Re: Favorite VPN solution?

On Tue, Jan 29, 2013 at 7:46 AM, Tom Miller  wrote:

The clients work fine, but I'm wondering if there are other solutions
out there.


 We're using OpenVPN because (1) it's based on extremely well-tested code, 
(2) it's light-weight, and (3) it's free.


 The main UI is extremely limited.  Basically an on/off indication.
That can be disconcerting to users.  OTOH, the log is quite detailed and 
useful.


 It provides no PKI management infrastructure of its own.  We use OpenSSL. 
I'm told Windows Certificate Services also work.


 OpenVPN has nothing in the way of sophisticated management facilities. 
Just text config files and text log files.  We only have one 
site/policy/config, so it's no problem for us, but in a larger environment 
with many differing policies that could get burdensome.



Thoughts?  Anyone using clientless VPN with a PIX?


 "clientless" VPNs just mean they dynamically install/run the client via a 
Java applet/ActiveX control.


 Deciding whether or not this is a good idea is left as an exercise to the 
reader, but I note that allowing such things in general is a common security 
problem.


-- Ben



RE: Favorite VPN solution?

2013-01-29 Thread Tim Evans
I was looking at OpenVPN, but it looks to me like it won't work in our 
environment. We have multiple subnets on our internal network, and it looks 
like the OpenVPN client needs admin rights on the endpoint to update routes. 
Our users don't have admin rights and that's not something I'm looking to 
change. Have you found a workaround for this or is it not an issue in your 
environment?


...Tim


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, January 29, 2013 8:53 AM
To: NT System Admin Issues
Subject: Re: Favorite VPN solution?

On Tue, Jan 29, 2013 at 7:46 AM, Tom Miller  wrote:
> The clients work fine, but I'm wondering if there are other solutions 
> out there.

  We're using OpenVPN because (1) it's based on extremely well-tested code, (2) 
it's light-weight, and (3) it's free.

  The main UI is extremely limited.  Basically an on/off indication.
That can be disconcerting to users.  OTOH, the log is quite detailed and useful.

  It provides no PKI management infrastructure of its own.  We use OpenSSL.  
I'm told Windows Certificate Services also work.

  OpenVPN has nothing in the way of sophisticated management facilities.  Just 
text config files and text log files.  We only have one site/policy/config, so 
it's no problem for us, but in a larger environment with many differing 
policies that could get burdensome.

> Thoughts?  Anyone using clientless VPN with a PIX?

  "clientless" VPNs just mean they dynamically install/run the client via a 
Java applet/ActiveX control.

  Deciding whether or not this is a good idea is left as an exercise to the 
reader, but I note that allowing such things in general is a common security 
problem.

-- Ben




Re: Favorite VPN solution?

2013-01-29 Thread Ben Scott
On Tue, Jan 29, 2013 at 7:46 AM, Tom Miller  wrote:
> The clients work fine, but I’m wondering if there are other solutions out
> there.

  We're using OpenVPN because (1) it's based on extremely well-tested
code, (2) it's light-weight, and (3) it's free.

  The main UI is extremely limited.  Basically an on/off indication.
That can be disconcerting to users.  OTOH, the log is quite detailed
and useful.

  It provides no PKI management infrastructure of its own.  We use
OpenSSL.  I'm told Windows Certificate Services also work.

  OpenVPN has nothing in the way of sophisticated management
facilities.  Just text config files and text log files.  We only have
one site/policy/config, so it's no problem for us, but in a larger
environment with many differing policies that could get burdensome.

> Thoughts?  Anyone using clientless VPN with a PIX?

  "clientless" VPNs just mean they dynamically install/run the client
via a Java applet/ActiveX control.

  Deciding whether or not this is a good idea is left as an exercise
to the reader, but I note that allowing such things in general is a
common security problem.

-- Ben




Re: DC eventid 1168, bizarre behavior

2013-01-29 Thread Elijah Buck
They can't talk to DC20 because it is blocked by the firewall. DC20 is at
our disaster recovery site. The Linux servers at the CAL site can only talk
to domain controllers in the CAL and CORP sites, because of the firewall
access rules.

Samba is configured with 'security = ADS', but kerberos is not configured
on those servers (I actually don't have admin access to the Linux servers,
and we haven't tracked down why the kerberos keytab isn't being setup).
However, with a /etc/krb5.conf on another server (without samba) configured
to use DC11 as the admin and kdc servers, I can get a kerberos ticket even
now. Also, as I said, LDAP binds still work.

We have a case open with Microsoft now, but with a 24 hour response time
:(.

I plan on setting up a new 2008R2 DC and putting it in the CAL site, to
hopefully avoid CORP DCs from being used by servers in CAL. I don't think
upgrading DC10 and DC11 to 2008R2 is in the cards right now.

Elijah

On Tue, Jan 29, 2013 at 10:51 AM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

> Interesting. When you say that the Linux (samba) servers can't talk to
> DC20, what are you seeing? Authentication failures? How is Samba
> configured? NTLM, or Kerberos ?
>
> Any thoughts of upgrading the 2008 DCs to 2008 R2? See if the issue
> persists?
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services  Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: Elijah Buck
> To: "NT System Admin Issues"
> Date: 01/29/2013 10:30 AM
> Subject: Re: DC eventid 1168, bizarre behavior
> --
>
>
>
> A reboot does fix the issue. We've rebooted three times this month to fix
> the issue. Oddly, the errors do go back to 12/20/12, but we apparently
> didn't notice the problem in December.
>
> It has never happened on DC20 (our only 2008R2 DC). The Linux servers are
> in the CAL site and can talk to the RODC in the CAL site, all four DCs in
> CORP, but cannot talk to DC20.
>
> We aren't running a daily DCDIAG, but running DCDIAG on DC11 and DC20 both
> report all tests passed.
>
> Here is the frequency of error 1168 on DC11. The error seems to occur
> every time an ADSI edit read fails.
>
>   1   12/20/2012
>   1   12/21/2012
>   1   12/22/2012
>   1   12/23/2012
>   1   12/24/2012
>   1   12/25/2012
>   1   12/26/2012
>   1   12/27/2012
>   5   12/28/2012
>  28   12/29/2012
>   5   12/30/2012
>  17   12/31/2012
>   1   1/1/2013
>  13   1/2/2013
>   9   1/3/2013
>  12   1/4/2013
>  13   1/5/2013
>   1   1/6/2013
>   4   1/7/2013
>   2   1/8/2013
>  17   1/9/2013
>  65   1/10/2013
>  26   1/11/2013
>   1   1/12/2013
>   1   1/13/2013
>   1   1/14/2013
>  17   1/16/2013
>  10   1/17/2013
>   8   1/19/2013
>   1   1/20/2013
>   1   1/21/2013
>   2   1/23/2013
>   1   1/24/2013
>  13   1/25/2013
>   1   1/26/2013
>   1   1/27/2013
>   3   1/28/2013
>   1   1/29/2013
>
> Replication seems OK:
> C:\>repadmin /showrepl |findstr Last
> Last attempt @ 2013-01-29 10:26:08 was successful.
> Last attempt @ 2013-01-29 10:26:18 was successful.
> Last attempt @ 2013-01-29 10:26:39 was successful.
> Last attempt @ 2013-01-29 09:52:31 was successful.
> Last attempt @ 2013-01-29 09:52:31 was successful.
> Last attempt @ 2013-01-29 10:22:31 was successful.
> Last attempt @ 2013-01-29 09:52:31 was successful.
> Last attempt @ 2013-01-29 09:52:31 was successful.
> Last attempt @ 2013-01-29 10:22:31 was successful.
> Last attempt @ 2013-01-29 09:52:31 was successful.
> Last attempt @ 2013-01-29 09:52:32 was successful.
> Last attempt @ 2013-01-29 10:22:31 was successful.
> Last attempt @ 2013-01-29 09:52:32 was successful.
> Last attempt @ 2013-01-29 09:52:32 was successful.
> Last attempt @ 2013-01-29 10:22:31 was successful.
>
> On Tue, Jan 29, 2013 at 9:23 AM, Christopher Bodnar
> <christopher_bod...@glic.com> wrote:
> Never happened on DC20 ? When this happens, does a reboot resolve the
> issue?
>
> What has been the frequency? any chance you run a daily DCDIAG report?
> What does your replication health look like on a daily basis?
>
>
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services  Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From:Elijah Buck <*elijah.

Re: DC eventid 1168, bizarre behavior

2013-01-29 Thread Christopher Bodnar
Interesting. When you say that the Linux (samba) servers can't talk to 
DC20, what are you seeing? Authentication failures? How is Samba 
configured? NTLM, or Kerberos ? 

Any thoughts of upgrading the 2008 DCs to 2008 R2? See if the issue 
persists? 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Elijah Buck 
To: "NT System Admin Issues" 
Date:   01/29/2013 10:30 AM
Subject:Re: DC eventid 1168, bizarre behavior



A reboot does fix the issue. We've rebooted three times this month to fix 
the issue. Oddly, the errors do go back to 12/20/12, but we apparently 
didn't notice the problem in December.

It has never happened on DC20 (our only 2008R2 DC). The Linux servers are 
in the CAL site and can talk to the RODC in the CAL site, all four DCs in 
CORP, but cannot talk to DC20.

We aren't running a daily DCDIAG, but running DCDIAG on DC11 and DC20 both 
report all tests passed.

Here is the frequency of error 1168 on DC11. The error seems to occur 
every time an ADSI edit read fails.

  1   12/20/2012
  1   12/21/2012
  1   12/22/2012
  1   12/23/2012
  1   12/24/2012
  1   12/25/2012
  1   12/26/2012
  1   12/27/2012
  5   12/28/2012
 28   12/29/2012
  5   12/30/2012
 17   12/31/2012
  1   1/1/2013
 13   1/2/2013
  9   1/3/2013
 12   1/4/2013
 13   1/5/2013
  1   1/6/2013
  4   1/7/2013
  2   1/8/2013
 17   1/9/2013
 65   1/10/2013
 26   1/11/2013
  1   1/12/2013
  1   1/13/2013
  1   1/14/2013
 17   1/16/2013
 10   1/17/2013
  8   1/19/2013
  1   1/20/2013
  1   1/21/2013
  2   1/23/2013
  1   1/24/2013
 13   1/25/2013
  1   1/26/2013
  1   1/27/2013
  3   1/28/2013
  1   1/29/2013

Replication seems OK:
C:\>repadmin /showrepl |findstr Last
Last attempt @ 2013-01-29 10:26:08 was successful.
Last attempt @ 2013-01-29 10:26:18 was successful.
Last attempt @ 2013-01-29 10:26:39 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.

On Tue, Jan 29, 2013 at 9:23 AM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:
Never happened on DC20 ? When this happens, does a reboot resolve the 
issue? 

What has been the frequency? any chance you run a daily DCDIAG report? 
What does your replication health look like on a daily basis? 




Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459  
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 



The Guardian Life Insurance Company of America

www.guardianlife.com 






From: Elijah Buck
To: "NT System Admin Issues"
Date: 01/28/2013 05:05 PM
Subject: DC eventid 1168, bizarre behavior



Hello,

I've been battling an odd issue with our domain controllers, and am
completely stumped. This seems to have been precipitated by adding a
Read Only Domain Controller and adding a number of Linux samba
servers. The symptoms of the issue follows:

On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):

0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M 
free.

1.) In the Directory Service event log the following two errors are 
logged:
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 124048b
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 1240627

2.) This has happened three times on DC11, and once on DC10 (also 2008
sp2). The time that it affected both DC11 and DC10, manually pushing
passwords-to-be-cached to the RODC failed.

3.) Trying to read the properties of an object with ADSI edit
(connected to DC11) returns:
Windows could not load the values for all the attributes. Operation
failed. Error Code:
0x2121. The search failed to retrieve attributes from the datab

Re: Favorite VPN solution?

2013-01-29 Thread Steve Ens
Awesome.  Thanks!


On Tue, Jan 29, 2013 at 9:24 AM, Glen Johnson  wrote:

>  Both 7 and 8 work.
>
> I used the MS doc here.
>
> http://technet.microsoft.com/en-us/library/hh831658.aspx
>
> With a bit of changes.
>
> We still run both UAG-DirectAccess 2010 and the new 2012.
>
> We need to make sure the user is on our local lan, change security group
> memberships, reboot a couple times to get the new group policies and they
> are good.
>
> From: Steve Ens [mailto:stevey...@gmail.com]
> Sent: Tuesday, January 29, 2013 10:12 AM
> To: NT System Admin Issues
> Subject: Re: Favorite VPN solution?
>
> Hey Glen,
>
> Does the client need to be Windows 8 or will this work with 7?  Which tech
> doc did you follow to set it up?
> Thanks
>
> Steve
>
> On Tue, Jan 29, 2013 at 7:06 AM, Glen Johnson  wrote:
>
> We’re using ms direct access.
>
> Setting it up on server 2012 was super simple.
>
> Working great so far, knocking on wood.
>
>  
>
> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, January 29, 2013 7:47 AM
> To: NT System Admin Issues
> Subject: Favorite VPN solution?
>
>  
>
> Hi Folks,
>
>  
>
> I currently use the Cisco VPN client or the Shrew Soft VPN Manager client
> for our staff.  We have many remote staff and we issue them laptops.  The
> clients connect to an ASA here. 
>
>  
>
> The clients work fine, but I’m wondering if there are other solutions out
> there.  Long term this company may move to XenApp (used it extensively in
> my last job), but not anytime soon.  
>
>  
>
> Thoughts?  Anyone using clientless VPN with a PIX?  
>
>  
>
> Thanks,
>
> Tom
>

RE: Favorite VPN solution?

2013-01-29 Thread Glen Johnson
Actually if you aren't migrating, the setup is pretty simple with 2012.
You have to have the internal certificate authority if you need win 7 client 
support.
If only win 8, then the da server can use its own self signed cert.

From: Steve Ens [mailto:stevey...@gmail.com]
Sent: Tuesday, January 29, 2013 10:12 AM
To: NT System Admin Issues
Subject: Re: Favorite VPN solution?

Hey Glen,
Does the client need to be Windows 8 or will this work with 7?  Which tech doc 
did you follow to set it up?
Thanks
Steve

On Tue, Jan 29, 2013 at 7:06 AM, Glen Johnson <gjohn...@vhcc.edu> wrote:
We're using ms direct access.
Setting it up on server 2012 was super simple.
Working great so far, knocking on wood.

From: Tom Miller [mailto:tmil...@sfgtrust.com]
Sent: Tuesday, January 29, 2013 7:47 AM
To: NT System Admin Issues
Subject: Favorite VPN solution?

Hi Folks,

I currently use the Cisco VPN client or the Shrew Soft VPN Manager client for 
our staff.  We have many remote staff and we issue them laptops.  The clients 
connect to an ASA here.

The clients work fine, but I'm wondering if there are other solutions out 
there.  Long term this company may move to XenApp (used it extensively in my 
last job), but not anytime soon.

Thoughts?  Anyone using clientless VPN with a PIX?

Thanks,
Tom


Re: DC eventid 1168, bizarre behavior

2013-01-29 Thread Elijah Buck
A reboot does fix the issue. We've rebooted three times this month to fix
the issue. Oddly, the errors do go back to 12/20/12, but we apparently
didn't notice the problem in December.

It has never happened on DC20 (our only 2008R2 DC). The Linux servers are
in the CAL site and can talk to the RODC in the CAL site, all four DCs in
CORP, but cannot talk to DC20.

We aren't running a daily DCDIAG, but running DCDIAG on DC11 and DC20 both
report all tests passed.

Here is the frequency of error 1168 on DC11. The error seems to occur every
time an ADSI edit read fails.

  1   12/20/2012
  1   12/21/2012
  1   12/22/2012
  1   12/23/2012
  1   12/24/2012
  1   12/25/2012
  1   12/26/2012
  1   12/27/2012
  5   12/28/2012
 28   12/29/2012
  5   12/30/2012
 17   12/31/2012
  1   1/1/2013
 13   1/2/2013
  9   1/3/2013
 12   1/4/2013
 13   1/5/2013
  1   1/6/2013
  4   1/7/2013
  2   1/8/2013
 17   1/9/2013
 65   1/10/2013
 26   1/11/2013
  1   1/12/2013
  1   1/13/2013
  1   1/14/2013
 17   1/16/2013
 10   1/17/2013
  8   1/19/2013
  1   1/20/2013
  1   1/21/2013
  2   1/23/2013
  1   1/24/2013
 13   1/25/2013
  1   1/26/2013
  1   1/27/2013
  3   1/28/2013
  1   1/29/2013

Replication seems OK:
C:\>repadmin /showrepl |findstr Last
Last attempt @ 2013-01-29 10:26:08 was successful.
Last attempt @ 2013-01-29 10:26:18 was successful.
Last attempt @ 2013-01-29 10:26:39 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:31 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 09:52:32 was successful.
Last attempt @ 2013-01-29 10:22:31 was successful.

On Tue, Jan 29, 2013 at 9:23 AM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

> Never happened on DC20 ? When this happens, does a reboot resolve the
> issue?
>
> What has been the frequency? any chance you run a daily DCDIAG report?
> What does your replication health look like on a daily basis?
>
>
>
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services  Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: Elijah Buck
> To: "NT System Admin Issues"
> Date: 01/28/2013 05:05 PM
> Subject: DC eventid 1168, bizarre behavior
> --
>
>
>
> Hello,
>
> I've been battling an odd issue with our domain controllers, and am
> completely stumped. This seems to have been precipitated by adding a
> Read Only Domain Controller and adding a number of Linux samba
> servers. The symptoms of the issue follows:
>
> On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):
>
> 0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.
>
> 1.) In the Directory Service event log the following two errors are logged:
> *Event ID 1168 - Internal error: An Active Directory Domain Services
> error has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
> Internal ID: 124048b
> *Event ID 1168 - Internal error: An Active Directory Domain Services
> error has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
> Internal ID: 1240627
>
> 2.) This has happened three times on DC11, and once on DC10 (also 2008
> sp2). The time that it affected both DC11 and DC10, manually pushing
> passwords-to-be-cached to the RODC failed.
>
> 3.) Trying to read the properties of an object with ADSI edit
> (connected to DC11) returns:
> Windows could not load the values for all the attributes. Operation
> failed. Error Code:
> 0x2121. The search failed to retrieve attributes from the database.
> 2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.
>
> 4.) Attempting to run Windows Update gives Error 0x800705AA, which I
> believe is ERROR_NO_SYSTEM_RESOURCE.
>
> 5.) Running 'runas /user:me cmd' fails with "5: Access is denied"
>
> 6.) The server appears to continue to service auth requests, and LDAP
> binds still work. However, we seem to encounter intermittent issues
> with the samba servers during this time.
>
> Site topology:
>  CORP:
>  DC4, DC5 (server 2003, auto-site coverage disabled by 

RE: Favorite VPN solution?

2013-01-29 Thread Glen Johnson
Both 7 and 8 work.
I used the MS doc here.
http://technet.microsoft.com/en-us/library/hh831658.aspx
With a bit of changes.
We still run both UAG-DirectAccess 2010 and the new 2012.
We need to make sure the user is on our local lan, change security group 
memberships, reboot a couple times to get the new group policies and they are 
good.

From: Steve Ens [mailto:stevey...@gmail.com]
Sent: Tuesday, January 29, 2013 10:12 AM
To: NT System Admin Issues
Subject: Re: Favorite VPN solution?

Hey Glen,
Does the client need to be Windows 8 or will this work with 7?  Which tech doc 
did you follow to set it up?
Thanks
Steve

On Tue, Jan 29, 2013 at 7:06 AM, Glen Johnson <gjohn...@vhcc.edu> wrote:
We're using ms direct access.
Setting it up on server 2012 was super simple.
Working great so far, knocking on wood.

From: Tom Miller [mailto:tmil...@sfgtrust.com]
Sent: Tuesday, January 29, 2013 7:47 AM
To: NT System Admin Issues
Subject: Favorite VPN solution?

Hi Folks,

I currently use the Cisco VPN client or the Shrew Soft VPN Manager client for 
our staff.  We have many remote staff and we issue them laptops.  The clients 
connect to an ASA here.

The clients work fine, but I'm wondering if there are other solutions out 
there.  Long term this company may move to XenApp (used it extensively in my 
last job), but not anytime soon.

Thoughts?  Anyone using clientless VPN with a PIX?

Thanks,
Tom


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


Re: Favorite VPN solution?

2013-01-29 Thread Steve Ens
Hey Glen,
Does the client need to be Windows 8 or will this work with 7?  Which tech
doc did you follow to set it up?
Thanks
Steve


On Tue, Jan 29, 2013 at 7:06 AM, Glen Johnson  wrote:

> We’re using ms direct access.
> Setting it up on server 2012 was super simple.
> Working great so far, knocking on wood.
>
> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, January 29, 2013 7:47 AM
> To: NT System Admin Issues
> Subject: Favorite VPN solution?
>
> Hi Folks,
>
> I currently use the Cisco VPN client or the Shrew Soft VPN Manager client
> for our staff.  We have many remote staff and we issue them laptops.  The
> clients connect to an ASA here.
>
> The clients work fine, but I’m wondering if there are other solutions out
> there.  Long term this company may move to XenApp (used it extensively in
> my last job), but not anytime soon.
>
> Thoughts?  Anyone using clientless VPN with a PIX?
>
> Thanks,
> Tom

Re: DC eventid 1168, bizarre behavior

2013-01-29 Thread Christopher Bodnar
Never happened on DC20 ? When this happens, does a reboot resolve the 
issue? 

What has been the frequency? any chance you run a daily DCDIAG report? 
What does your replication health look like on a daily basis?

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

From:    Elijah Buck
To:      "NT System Admin Issues"
Date:    01/28/2013 05:05 PM
Subject: DC eventid 1168, bizarre behavior



Hello,

I've been battling an odd issue with our domain controllers, and am
completely stumped. This seems to have been precipitated by adding a
Read Only Domain Controller and adding a number of Linux samba
servers. The symptoms of the issue follow:

On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):

0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M 
free.

1.) In the Directory Service event log the following two errors are 
logged:
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 124048b
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 1240627

2.) This has happened three times on DC11, and once on DC10 (also 2008
sp2). The time that it affected both DC11 and DC10, manually pushing
passwords-to-be-cached to the RODC failed.

3.) Trying to read the properties of an object with ADSI edit
(connected to DC11) returns:
Windows could not load the values for all the attributes. Operation
failed. Error Code:
0x2121. The search failed to retrieve attributes from the database.
2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.

4.) Attempting to run Windows Update gives Error 0x800705AA, which I
believe is ERROR_NO_SYSTEM_RESOURCE.

5.) Running 'runas /user:me cmd' fails with "5: Access is denied"

6.) The server appears to continue to service auth requests, and LDAP
binds still work. However, we seem to encounter intermittent issues
with the samba servers during this time.

Site topology:
  CORP:
  DC4, DC5 (server 2003, auto-site coverage disabled by registry)
  DC10, DC11 (server 2008 sp2)

  CAL: connected to CORP
  RODC1 (server 2008 R2, read only domain controller)

  NY: connected to CORP and DRSITE
  NYDC4 (server 2003)

  DRSITE: connected to CORP and NY
  DC3 (server 2003)
  DC20 (server 2008 R2)

DC4 is the Schema Master. All other roles are on DC5.

repadmin /showrepl and dcdiag don't show any errors.

Two additional bits of information. (1) For some reason, IIS is
installed on the DC10 and DC11 domain controllers. (2) a similar thing
recently happened with our Exchange 2010 server (2008 R2). The same
error with 'runas' failing occurred, IIS app pools couldn't restart,
and the windows process activation service couldn't be restarted (also
with error 5 access denied).

I am planning on setting up a new RWDC, physically in CORP but in the
CAL AD site, and seeing if the issue follows the new server or stays
with DC11.

Any help would be appreciated.

Thanks,
Elijah




-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
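Several of the symptoms in the original post quoted above report the same Win32 error in different encodings. The following Python sketch is an added example, not code from any poster: it normalises each symptom line to a Win32 error code and groups the sources by code. The sample lines are constructed from the text of the post, the function names are hypothetical, and reading the ADSI Edit "data" field as decimal is an assumption.

```python
import re

# Win32 error names for the codes seen in this thread (values from winerror.h).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1450: "ERROR_NO_SYSTEM_RESOURCES"}
FACILITY_WIN32 = 7

# Constructed sample: one symptom line per source, copied from the post.
SYMPTOMS = {
    "event 1168": "Additional data: Error value (decimal): 1450, "
                  "Error Value (hex): 5aa, Internal ID: 124048b",
    "ADSI Edit": "2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.",
    "Windows Update": "Error 0x800705AA",
    "runas": "5: Access is denied",
}

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    return bool((value >> 31) & 1), (value >> 16) & 0x7FF, value & 0xFFFF

def win32_code(line):
    """Return the Win32 error code carried by one symptom line, or None."""
    m = re.search(r"Error value \(decimal\): (\d+), Error Value \(hex\): ([0-9a-f]+)",
                  line, re.I)
    if m:
        dec, hexval = int(m.group(1)), int(m.group(2), 16)
        if dec != hexval:
            raise ValueError("decimal and hex error values disagree")
        return dec
    m = re.search(r"\b0x([0-9a-f]{8})\b", line, re.I)
    if m:
        failed, facility, code = decode_hresult(int(m.group(1), 16))
        # Only a failing FACILITY_WIN32 HRESULT wraps a plain Win32 error code.
        return code if failed and facility == FACILITY_WIN32 else None
    m = re.search(r"\(DIR_ERROR\), data (\d+)", line)
    if m:
        return int(m.group(1))  # assumption: the data field is decimal
    m = re.match(r"(\d+): ", line)  # runas style: "<code>: <message>"
    return int(m.group(1)) if m else None

def correlate(symptoms):
    """Group symptom sources by the Win32 error code each one reports."""
    groups = {}
    for source, line in symptoms.items():
        groups.setdefault(win32_code(line), []).append(source)
    return groups

if __name__ == "__main__":
    for code, sources in correlate(SYMPTOMS).items():
        print(code, WIN32_NAMES.get(code, "unknown"), sources)
```
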

RE: Favorite VPN solution?

2013-01-29 Thread Glen Johnson
Not applicable here, sorry I can't help out with that scenario.


From: Liam Freeman [mailto:liam.free...@infrasys.co.uk]
Sent: Tuesday, January 29, 2013 8:20 AM
To: NT System Admin Issues
Subject: RE: Favorite VPN solution?

Has anyone managed to get this working in a multi-domain environment (i.e. via 
forest trusts) as MS say it can do with 2012?

From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: 29 January 2013 13:07
To: NT System Admin Issues
Subject: RE: Favorite VPN solution?

We're using ms direct access.
Setting it up on server 2012 was super simple.
Working great so far, knocking on wood.

From: Tom Miller [mailto:tmil...@sfgtrust.com]
Sent: Tuesday, January 29, 2013 7:47 AM
To: NT System Admin Issues
Subject: Favorite VPN solution?

Hi Folks,

I currently use the Cisco VPN client or the Shrew Soft VPN Manager client for 
our staff.  We have many remote staff and we issue them laptops.  The clients 
connect to an ASA here.

The clients work fine, but I'm wondering if there are other solutions out 
there.  Long term this company may move to XenApp (used it extensively in my 
last job), but not anytime soon.

Thoughts?  Anyone using clientless VPN with a PIX?

Thanks,
Tom




CONFIDENTIAL
This email and any files transmitted with it may be legally privileged and are 
confidential.
This email should not be disclosed to anyone other than the addressee nor 
copied in any way.
This email and its attachments may be subject to copyright protection and you 
should not retransmit or reproduce these without the consent of the author.
If received in error please advise the sender and delete the email.
Any representations or commitments expressed in this email are subject to 
contract.

DISCLAIMER
Whilst we take reasonable precautions to minimise risk, you must carry out your 
own virus checks before opening attachments or reading e-mails and we do not 
accept liability for any damage or loss in this respect.
Non-business related content is not authorised by us and we shall not be liable 
for it.
We are also not responsible for changes made or occurring after this message 
was sent.
Information about the Company and its services is available from 
http://www.infrasys.co.uk


RE: Favorite VPN solution?

2013-01-29 Thread Liam Freeman
Has anyone managed to get this working in a multi-domain environment (i.e. via 
forest trusts) as MS say it can do with 2012?

From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: 29 January 2013 13:07
To: NT System Admin Issues
Subject: RE: Favorite VPN solution?

We're using ms direct access.
Setting it up on server 2012 was super simple.
Working great so far, knocking on wood.

From: Tom Miller [mailto:tmil...@sfgtrust.com]
Sent: Tuesday, January 29, 2013 7:47 AM
To: NT System Admin Issues
Subject: Favorite VPN solution?

Hi Folks,

I currently use the Cisco VPN client or the Shrew Soft VPN Manager client for 
our staff.  We have many remote staff and we issue them laptops.  The clients 
connect to an ASA here.

The clients work fine, but I'm wondering if there are other solutions out 
there.  Long term this company may move to XenApp (used it extensively in my 
last job), but not anytime soon.

Thoughts?  Anyone using clientless VPN with a PIX?

Thanks,
Tom


RE: Favorite VPN solution?

2013-01-29 Thread Glen Johnson
We're using ms direct access.
Setting it up on server 2012 was super simple.
Working great so far, knocking on wood.

From: Tom Miller [mailto:tmil...@sfgtrust.com]
Sent: Tuesday, January 29, 2013 7:47 AM
To: NT System Admin Issues
Subject: Favorite VPN solution?

Hi Folks,

I currently use the Cisco VPN client or the Shrew Soft VPN Manager client for 
our staff.  We have many remote staff and we issue them laptops.  The clients 
connect to an ASA here.

The clients work fine, but I'm wondering if there are other solutions out 
there.  Long term this company may move to XenApp (used it extensively in my 
last job), but not anytime soon.

Thoughts?  Anyone using clientless VPN with a PIX?

Thanks,
Tom
