Saturday, November 11, 2006

Windows Mobile Network Analyzer

Troubleshooting the network is not that easy on a Windows Mobile device using only the built-in functionality. But with a new PowerToy from Microsoft it's possible to run two very basic network troubleshooting commands: PING and IPCONFIG!

Furthermore you can save a capture file (.cap) and open it in an external network analyzer tool to see what packets were received etc.

Check it out: Windows Mobile Network Analyzer PowerToy

Tuesday, November 07, 2006

Download your virtual machines!

Microsoft really did a nice thing the other day, this is so kewl...

Microsoft released a few VHD files (Virtual Hard Disks) with some of their top products pre-installed! This means you can test the products and get some hands-on experience - no time wasted on installing etc.

All you need is the free Virtual Server 2005 software and then you can download the VHD files from here - fantastic!

These days VHD files are available for:
Exchange Server 2007
SQL Server 2005
Windows Server 2003 R2
ISA Server 2006

Taking a look at MS products was never this easy before... Enjoy!

Thursday, November 02, 2006

Exchange 2003 in real trouble


Just wanted to share an experience I had the other day on a customer's network (a small company with around 15 guys in the sales department and a few more in administration etc.).

The local IT contact called me and asked if I had an idea why their Internet connection was extremely slow that Monday - it had been that way since around 10:40 the same morning... Hmm, I had no idea to begin with, so we had to do some troubleshooting over the phone.

First we sent some ICMP echo requests to a few remote servers and I could only agree: things didn't look good. So the question was: was this the ISP or a local problem?

Well, the ISP had no problems in the area they said (but it seems they never have any problems - officially). So I set up some monitoring in their Sonicwall firewall and we quickly spotted heavy action from their Exchange 2003 server. He tried to restart the server and after half an hour it actually restarted - it was under heavy load! After the reboot the network performance went bad again, so I asked him to go into Exchange System Manager (ESM) and take a look at the queues...

The queue situation turned out to be pretty ugly and it looked like the server was an open relay, hit by some SPAM/hacker attack or whatever - even though I was pretty sure everything had been set up correctly and in a secure manner when I installed the server. So I grabbed my jacket and went to the customer's location.

When I arrived I could see almost 1000 queues left in retry state, each with a single message of around 1 MB. The server was responding extremely slowly and every mouse click took an eternity. When I took a closer look at the emails it seemed as though they were all sent from an internal user, let's call him Mr. Spammer! I feared some malware had entered his computer - even though I knew he was not a local admin, they had antivirus and anti-spyware running, the XP built-in firewall activated etc.

I went to the user's desk and unplugged his computer, looked in his Event Log, running processes/services and Outlook Sent Items - and there it was... At 10:40 this guy had actually produced an email for a high number of external recipients, probably above one thousand... That should be OK, but the thing is, he attached a 1 MB picture - this changed the story completely. Exchange simply couldn't handle that amount of traffic.

So now I was sure this was not an attack or anything - I was pretty relieved I can tell you - it was now "just" a local user who acted like a SPAMMER... An internal attack you could say. Well, I never saw that one coming!
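The diagnosis above was done by hand in ESM and in the user's Sent Items. As an added example (not code from the original post), the script below does the same triage over a constructed, simplified message-tracking-style export: it finds which internal sender produced the burst, roughly how many remote-domain queues that burst creates (Exchange 2003's SMTP service keeps one queue per destination domain), and how much data the server has to push out. The log format, the domain corp.example, the user names and the thresholds are all assumptions.

```python
"""Triage helper for the "internal user acting like a spammer" case above.

Added example, not code from the original post. The log format is a
constructed, simplified stand-in for a message-tracking export, one line per
recipient: timestamp, message id, sender, recipient, size in bytes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed: the customer's own mail domain
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def build_sample_log():
    """Constructed sample: a little normal traffic, then one 1 MB message that a
    single internal user submits to 1,000 external recipients starting at 10:40."""
    lines = [
        "2006-11-06 09:02:11\t<m1@corp.example>\talice@corp.example\tpartner@vendor-one.example\t24576",
        "2006-11-06 09:15:40\t<m2@corp.example>\tbob@corp.example\tcarol@corp.example\t4096",
        "2006-11-06 10:35:03\t<m3@corp.example>\talice@corp.example\tsupport@vendor-two.example\t8192",
    ]
    start = datetime(2006, 11, 6, 10, 40, 0)
    for i in range(1000):
        ts = start + timedelta(seconds=i // 50)  # burst spread over ~20 seconds
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S}\t<m4@corp.example>\tmr.spammer@corp.example"
            f"\tcontact@customer-{i:04d}.example\t1048576"
        )
    return lines


def parse(lines):
    """Tab-separated records -> (timestamp, message_id, sender, recipient, size)."""
    records = []
    for line in lines:
        ts, msgid, sender, rcpt, size = line.rstrip("\n").split("\t")
        records.append((datetime.strptime(ts, TS_FORMAT),
                        msgid, sender.lower(), rcpt.lower(), int(size)))
    return records


def outbound_by_sender(records, since, internal_domain=INTERNAL_DOMAIN):
    """Per internal sender since `since`: external recipient count and one
    (message id, remote domain) -> size entry per copy the server must send.

    Exchange 2003 SMTP queues per remote domain and transmits one copy of a
    message per domain, so bytes are counted per (message, domain), not per
    recipient."""
    stats = defaultdict(lambda: {"recipients": 0, "copies": {}})
    for ts, msgid, sender, rcpt, size in records:
        if ts < since or not sender.endswith("@" + internal_domain):
            continue
        domain = rcpt.split("@", 1)[1]
        if domain == internal_domain:
            continue  # local delivery never touches the remote SMTP queues
        s = stats[sender]
        s["recipients"] += 1
        s["copies"][(msgid, domain)] = size
    return stats


def suspects(stats, max_recipients=100, max_bytes=50 * 1024 * 1024):
    """Senders whose outbound burst exceeds either (assumed) threshold, biggest
    first. `queues` is the number of distinct remote domains, i.e. roughly how
    many queues ESM will show for that user's traffic."""
    found = []
    for sender, s in stats.items():
        queues = len({domain for _, domain in s["copies"]})
        total = sum(s["copies"].values())
        if s["recipients"] > max_recipients or total > max_bytes:
            found.append({"sender": sender, "recipients": s["recipients"],
                          "queues": queues, "bytes": total})
    return sorted(found, key=lambda r: r["bytes"], reverse=True)


def triage(lines, since):
    """Raw log lines plus a cutoff ("YYYY-MM-DD HH:MM:SS") -> suspect senders."""
    return suspects(outbound_by_sender(parse(lines), datetime.strptime(since, TS_FORMAT)))


if __name__ == "__main__":
    # Cutoff chosen just before the slowdown the customer reported.
    for hit in triage(build_sample_log(), "2006-11-06 10:30:00"):
        print(f"{hit['sender']}: {hit['recipients']} external recipients, "
              f"~{hit['queues']} remote queues, {hit['bytes'] / 2**20:.0f} MB to send")
```

On the constructed sample this reports a single sender with 1,000 external recipients, about 1,000 remote queues and roughly 1,000 MB to push out, which is exactly the picture ESM showed: one queue per destination domain, each holding its own 1 MB copy of the same message. Alice's one outbound message after the cutoff stays under both thresholds, and Bob's internal mail never reaches the remote queues at all.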

Now I had one problem - the queues didn't go away. Restarting the SMTP service didn't help, and the "Default SMTP Virtual Server" queue (and pickup) directory was empty, so I was left with the manual approach of deleting every item in each queue.... Or using the AQADMCLI tool.

This tool is an admin's friend in situations like mine. I downloaded the tool on another server, placed it on a floppy, copied it to the (offline) Exchange server and executed the file. This gives you a command prompt, and all I had to do was to type:

setserver SERVERNAME
delmsg flags=all

This displayed a lot of entries about queues being flushed - or messages being deleted - and then all I had to do was to type quit. Problem solved! Note that flags=all removes every message in every queue on that server, legitimate outbound mail included, so it is only the right tool once you are sure the queues hold nothing worth delivering.

So today's blog is just a small tribute to AQADMCLI and its authors - I hope this info will come in handy someday in your admin life :)

You can read more about the tool here.