The directory service is missing mandatory configuration

/3 Comments/in /by

The operation failed because: Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=domain-name,DC=com to Active Directory Domain Controller \\DC.domain-name.com.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

Scenario:

When trying to demote one of Windows 2008 Domain Controllers, you get the above error message.

Resolution:

Copy the script below into a file and call it Script.vbs.

const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
' Assume the command line argument is the NDNC (in DN form) to use.
NdncDN = inArgs(0)
Else
Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then

' Convert the DN form of the NDNC into DNS dotted form.
Set objTranslator = CreateObject("NameTranslate")
objTranslator.Init ADS_NAME_INITTYPE_GC, ""
objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

Wscript.Echo "DNS name: " & strDomainDNS

' Find a domain controller that hosts this NDNC and that is online.
set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
strDnsHostName = objRootDSE.Get("dnsHostName")
strDsServiceName = objRootDSE.Get("dsServiceName")
Wscript.Echo "Using DC " & strDnsHostName

' Get the current infrastructure fsmo.
strInfraDN = "CN=Infrastructure," & NdncDN
set objInfra = GetObject("LDAP://" & strInfraDN)
Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

' Set the fsmo holder to this domain controller.
objInfra.Put "fSMORoleOwner", strDsServiceName
objInfra.SetInfo

' Read the fsmo holder back.
set objInfra = GetObject("LDAP://" & strInfraDN)
Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

End if
End if

 

Now go to command line on that DC and run the script by typing the following:

cscript Script.vbs DC=ForestDNSZones,DC=contoso,DC=com

Where:
DC=costoso is the Windows Domain. My Windows Domain was called Domain1.com so I replaced costoso with Domain1. So the command for me was:

cscript Script.vbs DC=ForestDNSZones,DC=Domain1,DC=com

Now try the dcpromo again.

If that doesn’t work go to command line and type:

DCPromo out fails with: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles. | zero hour sleep 

dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int -attr fSMORoleOwner

and see if the result show an old DC you had and had demoted previously but still have traces in domain.  Use edsiedit to clean up remove that DC.  
the following article might help you

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.

BurFlags – D4

/in /by

Reinitializing/Forcing File Replication Service FRS using Registry key BurFlags D4:

Have you been in the situation where you’re unable to replicate AD changes made across 2003 Domain Controllers? I have been there several times, and the last time was when I was attempting to transfer the Global Catalog role for an Exchange Server migration, however any AD changes I had made never replicated across DCs. Also had failing SYSVOL replication problems. The only thing that worked for me was when I did an Authoritative FRS restore by changing the BurFlags registry key to D4 and then restarting the File Replication service – that was done on the DC that had replication and SYSLOG issues.

BurFlags registry key contains REG_DWORD values, and is located in the following location in the registry:
“HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\ Backup/Restore\Process at Startup”

The most common values for the BurFlags registry key are:

D2: also known as a non-authoritative mode restore.
D4: also known as an authoritative mode restore.

Changing the BurFlags key to D4 will reinitialize replication.

For more instructions, please refer to the following Knowledgebase article:

http://support.microsoft.com/kb/290762

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.

Registry Caution: Do not use registry editor to edit the registry directly unless you have no alternative and directed by Microsoft. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. We recommend you have a full backup of the system before making changes to registry. Do it at your risk. bostonIT doesn’t assume any unintended consequences.

Cisco ASA rommon – Error 15: File not found unable to boot an image

/in /by

Cisco ASA rommon – Error 15: File not found unable to boot an image:

The above error could be occurring on startup because the ASA didn’t have a boot file image, loaded with the wrong boot image or configured to boot from unavailable source. It might also be a hardware issue with the ASA like a bad flash which means you would have to take it with Cisco or a hardware support provider!

The following instructions will walk you through how to configure the ASA in rommon to boot from a TFTP server, load it to normal mode, copy boot image file from TFTP to ASA again, and then re-load it to boot normally.

– We will assign the ASA Ethernet 0/0 IP 10.1.1.200.
– The name of the Cisco ASA Image file that will be uploaded to the ASA through TFTP is asa-k9.bin.
– Connect the ASA ethernet 0/0 and your computer ethernet to the same network switch.
– Download and install a free TFTP server on your computer and put the asa image asa-k9.bin on the root directory of the tftp server. TFTP server is a very simple software that you can google and download one. www.solarwinds.com has one for instance.
– The ASA and computer are connected to the same network. We are going to use Ethernet0/0 of the asa. The IP Address of TFTP Server (your machine) will be 10.1.1.100 (So you need to manually assign your machine the IP Address 10.1.1.100 and Subnet Mask 255.255.255.0 – No need to assign a gateway or a DNS)

Connect your computer through console to ASA, while the firewall is booting and once you are prompted to “Use BREAK or ESC to interrupt boot”, hit escape and that takes you to rommon: (rommon is like Safe Mode in Windows). Start typing the following:

rommon #0> PORT=ETHERNET0/0
Ethernet0/0
Link is UP MAC Address: 0005-9858-df5g-e21d
rommon #1> ADDRESS=10.1.1.200
rommon #2> SERVER=10.1.1.100
rommon #3> GATEWAY=10.1.1.100
rommon #4> IMAGE=asa-k9.bin
rommon #5> tftp

Booting starts automatically…

Go into enable mode with blank password
ciscoasa# en
hit enter

Go to the Config Mode
ciscoasa# Conf t
hit enter

You might want to format the flash here. Formatting the flash will erase everything on it including OS images and config files which means you will need to load IOS (as explained below). And after you boot normally, you will need to manually reconfigure the asa unless you have a backup configuration to work with.
ciscoasa(config)# format flash
ciscoasa(config)# wr mem

Assign an IP Address to the firewall, default route and copy image file from TFTP:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 10.1.1.200 255.255.0.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.200
ciscoasa(config)# copy tftp: flash:
.
.
.
ciscoasa# write mem

Find out the config register of the ASA, change it to 0x1 to make sure it boots up from flash not TFTP and change boot file name to match the one uploaded to ASA.

ciscoasa# show version
 Look toward the end of “show version” and you should see something similar to:
Configuration register is 0x2014

Change Config-Register to 0x1
ciscoasa#Conf t
ciscoasa#(config)> config-register 0x1

ciscoasa#(config)>boot system flash:/asa-k9.bin (if you have different .bin image name, update it here)

Save and reboot.
ciscoasa#Wr mem
ciscoasa#Reload

This will restart the ASA.

If you find this article helpful, please send me a note to Mike@bostonIT.com so I can keep on adding more hands-on knowledgebase articles.

Windows server 2008 crashes at startup – c00002e2

/in , /by

STOP: c00002e2 Directory Services could not start because of the following error: a device attached to the system is not functioning.

Applies to: Windows Server 2008, Windows Server 2008 R2 with Exchange 2007 installed on single node.

You might face this issue while you are running your daily work, first you will panic and think that there is a huge problem and your domain controller is failing, not to mention the heat you will face if that domain controller machine is hosting your exchange 2007 too, which is typically the scenario I have seen in small business environment.

Cause: 

This problem occurs because one or more of the following conditions are true:

– The NTFS file system permissions on the root of the drive are too restrictive.

– The NTFS file system permissions on the NTDS folder are too restrictive.

– The drive letter of the volume that contains the Active Directory database has changed.

– The Active Directory database (Ntds.dit) is corrupted.

– The NTDS folder is compressed.

Troubleshooting steps:

  1. Boot into Directory Services Restore Mode (F8). You might need to do it twice if you have an error on your HDD.
  2. Run CHKDSK in read only mode to verify that there are no errors on your hard drive. If the system prompts you that there was an error on the hard disk, then feel safe to run /R command CHKDSK /R will not ruin your hard disk data, so don’t believe all the myths said.
    1. Boot again into Directory Services Restore Mode (F8).
    2. Go to command prompt (administrative privileges) and run the following command:
    3. NTDSUTIL
    4. activate instance NTDS
    5. files info

You will see an error similar to the following:

“Error: Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113”

Event log: 

  • Error 1003: Active Directory Domain Services could not be initialized. The directory service cannot recover from this error. Restore the local directory service from backup media. Error value: -501 JET_errLogFileCorrupt, Log file is corrupt
  • Error 465: NTDS (2156) Corruption was detected during soft recovery in logfile C:\Windows\NTDS\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 6697 (0x00001A29). This logfile has been damaged and is unusable.
  • Error 454: NTDS (2256) Database recovery/restore failed with unexpected error -501.

Solution: 

The solution of this error is very simple and will be done in one step:

Go to C:\Windows\NTDS folder and rename all *.log files to .old and restart system.

Example, edb.log should be renamed to edb.log.old

This will solve the issue and your active directory domain services will be started again.

It might be wise in this phase to consider replacing your HDD and checking your GPO policies, if you see any more file corruption.

If you find this article helpful, please send us a note to WDallal@bostonIT.com so we can keep on adding quality hands-on articles.

Recover Deleted Items Outlook 2010

/in /by

Recover Deleted Items is not available/missing – Outlook 2010 – Exchange and Office 365

Scenario:

When you right-click on Deleted Items in Outlook 2010, you don’t see an option to Recover Deleted Items (the way it used to be with Office 2003/2007).

Resolutions:

To get to “Recover Deleted Items”, please click on the Folder tab on the Outlook tool bar (You should see 5 tabs; File, Home, Send/Receive, Folder and View). When you click on the Folder tab you should see a button called Recover Deleted Items.

You can also get to “Recover Deleted Items” by going to OWA or Microsoft Online Portal, right click on Deleted Items folder in the Folder list, Recover Deleted Items will be one of the options there.

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding more hands-on knowledgebase articles.

Windows Updates Fail – Error 80070216

/in /by

Windows 7 – Windows Update keeps failing with Error 80070216

Scenario:

When trying to install Windows updates on a Windows 7, it keeps failing with the error above.

Resolutions:

Machine is infected with a rootkit or a virus. Download and run Kaspersky TDSSKiller, then download and run Combofix (you can google them). These two tools will clean-up your machine. Windows Update should work after that.

If you find this article helpful, please send me a note to Mike@bostonIT.com and so I can keep on adding more hands-on knowledgebase articles.

Anyconnect Memory Locks up and Cert8

/in , /by

AnyConnect Locks up on Linux before it finally connects because of high memory usage that could go up to 100%. Machine would need to be rebooted to recover. Kubuntu, Ubuntu and Linux.

Scenario:

When using the Linux Cisco AnyConnect client x64 (like Kubuntu), memory usage gradually starts going up until it’s all used up. Anyconnect won’t connect.

I ran the VPN client within gdb to try and get a sense of what it was doing when trying to allocate so much memory.

Thread 3 of the process below is the only active thread and you can see that it is performing certificate related activities. Below are more related logs that I have collected

 

(gdb) thread 3
[Switching to thread 3 (Thread 0x7ffff28b3700 (LWP 3656))]
#0 0x00007ffff49f8180 in PR_Free () from /usr/lib/x86_64-linux-gnu/libnspr4.so
(gdb) bt
#0 0x00007ffff49f8180 in PR_Free () from /usr/lib/x86_64-linux-gnu/libnspr4.so
#1 0x00007ffff35bab1a in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#2 0x00007ffff35bcb15 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#3 0x00007ffff35be6eb in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#4 0x00007ffff35c3880 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#5 0x00007ffff35c413b in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#6 0x00007ffff35c41e7 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#7 0x00007ffff35bf262 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#8 0x00007ffff35bf751 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#9 0x00007ffff3a9c8e2 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#10 0x00007ffff3a87e75 in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#11 0x00007ffff3a8c78c in ?? () from
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#12 0x00007ffff52b0d60 in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#13 0x00007ffff52aa4d2 in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#14 0x00007ffff5272091 in CERT_GetCertNicknames () from /usr/lib/x86_64-linux-gnu/libnss3.so
#15 0x00007ffff5272149 in CERT_FindUserCertsByUsage () from /usr/lib/x86_64-linux-gnu/libnss3.so
#16 0x00007ffff7844cc5 in CNSSCertStore::Enumerate(eCertType,
std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#17 0x00007ffff7818474 in CCollectiveCertStore::Enumerate(eCertType,
std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#18 0x00007ffff781363c in CCertStore::GetCertificates(CERT_ENTRY*,
CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*>
>&) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#19 0x00007ffff7818575 in
CCollectiveCertStore::GetCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#20 0x00007ffff780fb1c in
CCertHelper::GetClientCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&, unsigned int) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#21 0x00007ffff7abb5d9 in ApiCert::getCertList(CERT_ENTRY*, CCertNameList*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#22 0x00007ffff7abbcb5 in ApiCert::getCertList(CERT_ENTRY*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#23 0x00007ffff7ace406 in ConnectMgr::resetCertRegistration(std::string) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#24 0x00007ffff7ae565b in ConnectMgr::setConnectionData(std::string
const&) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#25 0x00007ffff7aed002 in ConnectMgr::initiateConnect(std::string
const&, bool) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#26 0x00007ffff7af3c1a in ConnectMgr::run() () from /opt/cisco/anyconnect/lib/libvpnapi.so
#27 0x00007ffff7ac608a in ApiThread::threadProcedure(void*) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#28 0x00007ffff6753e9a in start_thread (arg=0x7ffff28b3700) at
pthread_create.c:308
#29 0x00007ffff5c6eccd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112

SYSLOG logs:

std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#18 0x00007ffff781363c in CCertStore::GetCertificates(CERT_ENTRY*,
CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*>
>&) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#19 0x00007ffff7818575 in
CCollectiveCertStore::GetCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#20 0x00007ffff780fb1c in
CCertHelper::GetClientCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&, unsigned int) ()
from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#21 0x00007ffff7abb5d9 in ApiCert::getCertList(CERT_ENTRY*, CCertNameList*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#22 0x00007ffff7abbcb5 in ApiCert::getCertList(CERT_ENTRY*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#23 0x00007ffff7ace406 in ConnectMgr::resetCertRegistration(std::string) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#24 0x00007ffff7ae565b in ConnectMgr::setConnectionData(std::string
const&) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#25 0x00007ffff7aed002 in ConnectMgr::initiateConnect(std::string
const&, bool) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#26 0x00007ffff7af3c1a in ConnectMgr::run() () from /opt/cisco/anyconnect/lib/libvpnapi.so
#27 0x00007ffff7ac608a in ApiThread::threadProcedure(void*) ()
from /opt/cisco/anyconnect/lib/libvpnapi.so
#28 0x00007ffff6753e9a in start_thread (arg=0x7ffff28b3700) at
pthread_create.c:308
#29 0x00007ffff5c6eccd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112

The relevant portion of the syslog follows. Note that the kernel experiences a page allocation failure shortly after the VPN connection is initiated.

Oct 31 15:08:01 Kubuntu acvpncli[1509]: Initializing vpnapi version
3.1.04072 ().
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: loadProfiles File:
../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getCurrentState
File: ../../vpn/Api/ClientIfcBase.cpp Line: 2058 API service not ready Oct 31 15:08:01 Kubuntu acvpncli[1509]: Current Preference Settings:
ServiceDisable: false CertificateStoreOverride: false CertificateStore:
All ShowPreConnectMessage: false AutoConnectOnStart: false
MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true
AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true
PPPExclusion: Disable PPPExclusionServerIP: EnableScripting: false
TerminateScriptOnNextEvent: false AuthenticationTimeout: 12
IPProtocolSupport: IPv4,IPv6 AllowManualHostInput: true
BlockUntrustedServers: false PublicProxyServerAddress:
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
OnNegotiateMessageTypesComplete File: ../../vpn/Api/ApiIpc.cpp Line: 726 Master Agent Connection started.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: VPN state: Disconnected Network state: Network Accessible Network control state: Network Access:
Available Network type: Undefined
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
setConnectRequestComplete File: ../../vpn/Api/ConnectMgr.cpp Line: 9133 Connect request complete. Proceeding to cleanup.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
activateConnectEvent File: ../../vpn/Api/ConnectMgr.cpp Line: 1352 NULL object. Cannot establish a connection at this time.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Message type information sent to the user: Ready to connect.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: attach File:
../../vpn/Api/ClientIfcBase.cpp Line: 629 Client successfully attached.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: WMHintCB File:
../../vpn/Api/ClientIfc.cpp Line: 146 User did not implement WMHintCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: WMHintCB File:
../../vpn/Api/ClientIfc.cpp Line: 146 User did not implement WMHintCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: An SSL VPN connection to MyVPN.Server.com has been requested by the user.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getHostInitSettings
File: ../../vpn/Api/ProfileMgr.cpp Line: 873 Profile () not found. Using default settings.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
deliverWebLaunchHostCB File: ../../vpn/Api/ClientIfc.cpp Line: 152 User did not implement deliverWebLaunchHostCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: loadProfiles File:
../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Using default preferences.
Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function:
getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getHostInitSettings
File: ../../vpn/Api/ProfileMgr.cpp Line: 873 Profile () not found. Using default settings.
Oct 31 15:08:03 Kubuntu kernel: [395314.511185] kworker/u:2: page allocation failure: order:1, mode:0x4020

 

Resolution:

After troubleshooting, it turned out that Firefox cert8.db might have been corrupted (Anyconnect relies on some components of Firefox especially certs), In the case above, anyconnect is just not liking something about that file on this particular machine, or the issue might be an undocumented bug in Anyconnect on Kubuntu or Linux in general

Renaming the following two files allowed me to correct the issue (make sure you close Firefox first)

/home/Kubuntu/.mozilla/firefox/8n6w3k0u.default/cert8.db

/home/Kubuntu/.mozilla/firefox/8n6w3k0u.default/key3.db

After you rename the two files, start Firefox once and it will auto-recreate them.

Note: those files are profile specific, i.e. if you login to the machine with a different user and start Anyconnect, you might not face the same issue.

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.

Cisco RV082 NAT Example

/in /by

Cisco RV082 One To One NAT – Access Rules Example

Example:
Public IP Address: 75.75.75.75
Private IP Address: 192.168.1.10

In this example we will NAT 192.168.1.10 to 75.75.75.75 and open up TCP Port 23 (Telnet) to the inside host from outside.

– Login to the Cisco RV 082 through the browser
– On the left click on Setup then One-To-One NAT
– Click Enable One-To-One NAT. In the Private Range Begin: fill in192.168.1.10. In the Public Range Begin type 75.75.75.75. In theRange Length type 1. Click Add to List. Click Save.

Click on Firewall on the left.. Click Access Rules. Click Add.
For Action click Allow
For Service choose TELNET TCP 23-23
For Log: choose the option you want
For Source: choose the outside interface of the Router. In my case it isWAN 1
For Source IP: Choose ANY (if you would like it to be available to anyone on the Internet
For Destination: Choose the Inside IP address of the NAT 192.168.1.10 (NOT The Public IP Address)
Click Save

Now create a new rule to deny any other access to the NAT’d host:
Click on Firewall on the left.. Click Access Rules. Click Add.
For Action click Deny
For Service choose Any
For Log: choose the option you want
For Source: choose the outside interface of the Router. In my case it isWAN 1
For Source IP: Choose ANY (if you would like it to be available to anyone on the Internet
For Destination: Choose the Inside IP address of the NAT 192.168.1.10 (NOT The Public IP Address)
Click Save

If you find this article helpful, please send me a note to Mike@bostonIT.com so I can keep on adding more hands-on knowledgebase articles.

Backup Exec fails to backup Exchange server with VSS error

/in /by

Windows Server 2008 R2 – Backup Exec 2010 / 12.5 – AOFO: Initialization failure on: “\\SERVER01\Microsoft Information Store\Information Store”. Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS). V-79-10000-11226 – VSS Snapshot error. The Microsoft Volume Shadow Copy Service (VSS) snapshot provider selected returned: “Unexpected provider error”. Ensure that all provider services are enabled and can be started. Check the Windows Event Viewer for details.

Scenario:

Windows Server 2008 R2 – Symantec Backup Exec fails backing up Exchange Server. The following error is recorded in Windows System Log:

Log Name: Application
Source: VSS
Date: 8/15/2013 6:34:55 PM
Event ID: 8193
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Server01.Domain.local
Description:
Volume Shadow Copy Service error: Unexpected error calling routine Cannot find
anymore diff area candidates for volume \\?\Volume{f6cd5a9b-04cf-11e1-b482-5cf3fc2b627f}\ [0].
hr = 0x8000ffff, Catastrophic failure.

Operation:
Automatically choosing a diff-area volume
Processing EndPrepareSnapshots

Context:

Volume Name: \\?\Volume{f6cd5a9b-04cf-11e1-b482-5cf3fc2b627f}\
Execution Context: System Provider
Event Xml:
Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”
System
Provider Name=”VSS”
EventID Qualifiers=”0″8193
2
0
Keywords0x80000000000000 Keywords
TimeCreated SystemTime=”2013-08-15T22:34:55.000000000Z”
EventRecordID316735 /EventRecordID
Channel Application Channel
Computer Server01.Domain.local/Computer
EventData
Cannot find anymore diff area candidates for
0x8000ffff, Catastrophic failure

Operation:
Automatically choosing a diff-area volume
Processing EndPrepareSnapshots

Context:
Volume Name: \\?\Volume{f6cd5a9b-04cf-11e1-b482-5cf3fc2b627f}\
Execution Context: System Provider
2D20436F64653A20535052414C
4C4F4330303030313137342D2043616C6C3A20535052414C4C4F4330
303030303739302D205049443A202030303031343838342D205449443A20203
0303030393234302D20434D443A2020433A5C57696E646F77735C5379737
4656D33325C737663686F73742E657865202D6B2073777072762D20557365723A204E616D653
A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820 Binary
EventData
Event

Resolution:

Took me a while to figure it out. The error was happening to me because the Shadow Copy setting for C:\ was set low for VSS to operate. Increasing that disk space fixed it! Right click on C: drive, Properties, Shadow Copies, Highlight C:\ (Even though shadow copy might be disabled),click Settings –> Under Maximum size, change it to a bigger size., I set it to 300G to test it and that worked for me.

If Exchange Stores are located on a different drive, adjust that drive shadow copy setting.

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.

Cisco AnyConnect VPN Client, Debian 5.0.3 and Firefox

/in /by

After you connect to VPN using Cisco Anyconnect on Debian 5.0.3, you are able to ping, traceroute and browse the Internet using Google Chrome but Mozilla Firefox, FTP, Dig, Telnet and Thunderbird won’t work

Resolution:

I had to troubleshoot this issue for a customer. During that I ran Wireshark, tcpdump and Microsoft Network Monitor traces on Debian, Ubuntu and Microsoft Windows hosts and came up with the conclusion and proposed solutions. At the end it was shown that IPv6 didn’t seem to be compatible with Cisco Anyconnect on Debian 5.0.3. The solution was to make the host machine totally rely on IPv4 for DNS resolution – in another word disable IPv6.

Before you disable IPv6 in Debian and to confirm the above finding, try to disable IPv6 in Firefox only and test. Here how you can do it:

Open Firefox and in the address bar type about:config, then confirm warning message, go to the line network.dns.disableIPv6 and change to true.

If that makes Firefox work, then go ahead and disable it in the operating system so other programs such as Thunderbird, telnet and FTP work. You can Google how to disable IPv6 in Debian and that should fix it for you. I didn’t want to write about that because you couldfind 100s of links about how to disable IPv6 in Linux/Debian.

One other method that worked for me while testing (but might not work for everybody) is to change MTU packet size of Ethernet 0 to 1200 from 1499. MTU 1200 is recommended by Cisco. Also IPv6 minimum MTU requirement is 1280 so by setting it to 1200, that might stop the use of IPv6

sudo /sbin/ifconfig eth0 mtu 1200

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.