Filed Under (Uncategorized) by Dave Mast on February-16-2007

There’s been a lot going on this week, and things aren’t winding down anytime soon…I’m just gonna throw out some random thoughts here.

It’s official:  We are going to move our primary internet connection over to Time-Warner cable.  6Mb/512Kb for $140/month and a $300 setup fee…I’m still trying to figure out how the price dropped so much.  This is going to be a huge improvement over the WiFi that we’ve been on since December.  We will probably keep the WiFi around for a backup, though.  DSL isn’t available in our location yet, so right now it’s our only option without spending a ton of money.  That extra outbound bandwidth is going to be huge.

Also, we’ve made a decision on our VPN:  SSL-Explorer is what we will be offering to our users.  I received an overwhelming “YES” vote from our staff when I put a poll out on whether or not they would use a VPN to access their computer and files remotely.  We’re going to start with a license for 10 concurrent users (you can have as many users in the database as you want, but only 10 can be connected at once), and we’ll see how that goes.  That’s like 1/3 of our staff, so we ought to be good for awhile.  You never know though.

On Tuesday night, we removed domain controller status from our file server, and now we only have one DC, and that’s all that machine does.  Seems simple enough, yes?  Well, I came in Wednesday to find that our Exchange servers had stopped talking to each other, and though I could reach our file server just fine, I wasn’t able to make any connections at all FROM the file server.  I did some digging and eventually realized that I never changed the DNS server entries for the former domain controller; it was still looking at itself for DNS records (doh!).  After making the DNS changes and doing some work in ESM, our file server was talking to the primary DC again, and our Exchange servers are playing nice again as well.  The moral of this story?  Make sure you test your systems THOROUGHLY after a big change like this.
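The "test thoroughly after demoting a DC" lesson above can be turned into a checklist that runs on the demoted box. The script below is an added example written for this page, not something from the original post; it assumes a Windows host recent enough to have the DnsClient and NetTCPIP modules (Server 2012 or later, which the 2007-era servers in the post would not have had), and the domain name and DC address it uses are placeholders you must replace. It checks the exact failure described: a demoted DC still pointing at itself for DNS, plus whether it can still find a DC, reach LDAP on it, and maintain its machine-account secure channel.

```powershell
# Post-demotion sanity check for a former domain controller (added example).
# Assumes Windows Server 2012+ cmdlets. $Domain and $ExpectedDns are placeholders.
param(
    [string]   $Domain      = 'corp.example',   # placeholder: your AD DNS domain
    [string[]] $ExpectedDns = @('10.0.0.10')    # placeholder: the surviving DC(s)
)

$problems = @()

# 1. The demoted machine must no longer use any of its own addresses for DNS.
$localIps = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
$dnsConfig = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($iface in $dnsConfig) {
    foreach ($srv in $iface.ServerAddresses) {
        if ($srv -eq '127.0.0.1' -or $localIps -contains $srv) {
            $problems += "$($iface.InterfaceAlias): still uses local address $srv for DNS"
        }
        elseif ($ExpectedDns -notcontains $srv) {
            $problems += "$($iface.InterfaceAlias): unexpected DNS server $srv"
        }
    }
}

# 2. The DC locator SRV record must resolve through whatever DNS is now configured.
try {
    $srvRecords = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop
    if (-not $srvRecords) { $problems += "No SRV records for _ldap._tcp.dc._msdcs.$Domain" }
}
catch {
    $problems += "SRV lookup for $Domain failed: $($_.Exception.Message)"
}

# 3. The DC locator itself (what logon and Exchange rely on) must find a DC.
$locator = & nltest "/dsgetdc:$Domain" 2>&1
if ($LASTEXITCODE -ne 0) {
    $problems += "nltest could not locate a DC for $Domain`: $($locator -join ' ')"
}

# 4. LDAP on the surviving DC(s) must be reachable from this host.
foreach ($dc in $ExpectedDns) {
    if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
        $problems += "Cannot reach LDAP (389) on $dc"
    }
}

# 5. The machine account's secure channel must still be valid after the role change.
if (-not (Test-ComputerSecureChannel)) {
    $problems += 'Secure channel to the domain is broken (Test-ComputerSecureChannel -Repair may fix it)'
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $env:COMPUTERNAME is correctly pointed at the remaining DC(s)"
}
else {
    Write-Host "PROBLEMS on $env:COMPUTERNAME`:"
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
```

Run it as a local administrator on the demoted server right after `dcpromo` finishes; the non-zero exit code makes it usable from a scheduled task or change ticket as a gate before declaring the change done. Step 1 is the check that would have caught the problem in the post, but steps 3 and 5 are the ones that tell you whether dependent services such as Exchange will actually be able to authenticate.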

I came into the office this morning to the sound of multiple people calling my name…never good when that’s happening.  It seems that no one was able to authenticate to the first Exchange server.  A look at the machine’s event log revealed that it lost contact with our one-and-only domain controller shortly after midnight.  I tried remoting into the DC and got no response.  Not good.  I went to the server rack and pointed the KVM at the seemingly dead server.  The mouse seemed to work, but as soon as I clicked on an item on the desktop, the whole machine froze instantly.  Oh no, I thought, we make this domain controller the only one on the network, and it craps out in 36 hours!  Reluctantly, I hit the reset button to see if the system will boot up, and I then see the culprit:  It turns out that a drive on the server’s RAID5 array failed and brought the system to a halt.  Luckily, I’ve got 9 drives sitting on the shelf for a Ghetto-Tastic** project, so I remove the failed drive and put a fresh one in its place.  The server boots up, and after a minute or so, the array begins to rebuild using the new drive.  Whew!  Within a few minutes, the domain controller is back up, our servers are talking again, and our users can log in! 

Some observations from this:

  1. I’m extremely glad that we decided to RAID this server last year.  Had this been a single-drive server at the time of failure, we would have been extremely hosed, and I would most likely still be at work. :-) 
  2. We need to get a hot spare drive for our domain controller.  According to the docs for the RAID controller, a hot spare would have prevented the system from locking up.  I’m no expert on how RAID setups are supposed to work, so I’m going to read more about this.  I already ordered 2 drives for this system; one to replace the failed unit, and another to plug in as a hot spare.  I’m considering getting hot spare drives for our other servers as well.
  3. I miss having 2 domain controllers already.  Yes, it was a security risk serving files and mail off of our secondary DC, but if that machine still had DC status, we wouldn’t have missed a beat this morning.  I’m going to start planning for a 1U server to put in our IDF on the other corner of the building so we can avoid a repeat performance.

This has been a very eventful week.  There’s been some good learning experiences too.  I wish they hadn’t come at the expense of our uptime, but sometimes that’s the way it goes.

**Ghetto-Tastic - ©2006 Jason Powell



Comments
Andrew Mitry on February 16th, 2007 at 7:39 am #

What led you to choose the enterprise edition of SSL-Explorer versus the community edition?

Dave Mast on February 16th, 2007 at 9:05 am #

The biggest items for me were the extra security features, as well as the ability to authenticate via RADIUS and support RPC/HTTPS. Syncing the user database via LDAP and being able to map drive letters to the user’s PC was also a plus.

Am I shooting over the top a little? We’ve made the decision, but I haven’t shelled out any cash yet. I can still be talked down. :-)

Jason Powell on February 16th, 2007 at 8:50 pm #

You don’t need a server for your 2nd DC … they need little horsepower so any old PC sitting around would make a fine 2nd DC. In our case we have 1 DC on an older Optiplex and a 2nd inside a VM.

I look forward to hearing about your ghetto experiment :-)

Andrew Mitry on February 19th, 2007 at 4:21 pm #

I am guessing you are connecting issued laptops and not home machines via SSL-Explorer, correct? Right now we use SSL-Explorer to allow staff and volunteers to remote desktop and access file shares via the web interface from personal machines. If we issue them a laptop, we use the Cisco VPN client for full connectivity. In the absence of something like the Cisco VPN client the additional features of the enterprise edition make sense.

Dave Mast on February 19th, 2007 at 5:00 pm #

Actually most of the benefit would go towards the home user. We don’t have that many issued laptops in circulation.

I wasn’t planning on using the VPN server that is included in pfSense (the firewall we’re using), but with what you’re saying, it’s making more sense to do so. (Sometimes my logic works a little slow).

Like I said, we haven’t placed an actual order yet, so I’m going to make some time to sit and think about this.

I sure appreciate your input on this, Andrew.

Andrew Mitry on February 19th, 2007 at 9:58 pm #

I would caution against mapping drive letters and allowing Outlook Access on machines out of your control, I think there is too high a probability to be compromised by viruses or spyware. Allowing access through remote desktop and web based file shares puts in a nice layer of security.

I may be overdoing it, but I have seen way too many home computers loaded with all sorts of junk on them.

Dave Mast on February 19th, 2007 at 11:25 pm #

I would agree with you, I really don’t want to manage people’s home computers. Not for free, anyway. :-)

I would still like to do RPC/HTTP on our managed laptops so they don’t have to VPN in just to do mail. Are there vulnerability issues with OWA even through SSL simply because you’re using a browser? I’ve never really thought about OWA from that angle.

Andrew Mitry on February 20th, 2007 at 4:20 pm #

My understanding is that RPC/HTTPS connects Outlook directly via SSL to Exchange; it does not use OWA. I could see this as a risk on unmanaged machines but it should be fine on managed laptops.

Accessing Standard OWA via https on unmanaged machines should be secure enough (if there is such a thing).

BTW, we do have the community edition of SSL-Explorer authenticating against Active Directory without any problems.
