Archives March 2016

When DFS Replication goes wrong…And how to fix it

A while back a client of ours had some issues with DFS replication between 2 nodes. One of the members reported a backlog of over 1 million files!
Upon further investigation, I found the DFS database on that node got corrupted which caused it start the initial sync again.

We let the process run it’s course over a couple of days but noticed the progress was incredibly slow. We were averaging about 3000 files / hour. After some quick math, it’d take about 16 days before the sync completed. And that’s not taking into account anyone working on the file servers.

That is when I stumbled upon this very detailed blog post by Ned Pyle. There he explains in great detail how the process can go faster, using a DFS database clone export and import.

DFS state of affairs

One thing to pay attention to, you can’t import a DFS database on a node that already has a pre-existing database. In order to make this strategy work, we had to make sure all traces of the existing DFS database were gone.

This isn’t as simple as just removing the member and adding it again. When you delete a member from a replication group, that member isn’t actually deleted from the database. The member is marked with a 30-day tombstone flag. If you change any files on that member and then re-add it, the tombstone flag is removed and the files on that member are used and replicated to the other members. You can imagine this can get really ugly if you decide to delete files on that “removed member”. The key takeaway here is to make sure you have a backup before you make any changes!

We decided the easiest and safest way to go ahead was to delete all replication groups and recreate them. Simply removing the replication group isn’t enough. You also have to make sure there are no remnants of the database in the “System Volume Information” folder. The easiest way to do this is by running these commands

This will move the contents of the folder to a DFSR_backup folder on the same volume. Note: make sure you delete the replication groups before running these commands. If you don’t do this, DFS will just recreate the database on that member.

Checking the nodes are in sync

First, we had to make sure that any files that had changed on the remote node were copied to the node on the main site.
Sounds like a job for robocopy! I found out that the database got corrupted on the 12th of December, so we only had to check the files modified after that date.
The command looks like this


This command will compare all files newer than the 11th of December and copy them over. The /XF parameter excludes the thumbs.db file from being copied in order to speed up the process. Our client works with a lot of images so there are a lot of thumbs.db files.

Moving on

To finish setting up your DFS-R, you can follow the steps outlined in the blog post I linked at the top of this page.


Setting up IPSec VPN between Fortigate and Axsguard

If you’ve ever had the “pleasure” of building an IPSec tunnel between 2 endpoints from different vendors, you’ll know how smooth that usually goes. Today I was building a tunnel between a Fortigate 70D and an Axsguard Gatekeeper, as you can guess, things didn’t go as planned.

Fortigate

Let’s start by creating the tunnel on the Fortigate. Create a new tunnel and select the Custom VPN Tunnel template.

FG-tunnel1

 

Next, fill in all the phase 1 settings. In this example, I’m using 3DES and SHA1. While 3DES is still considered as secure, I would recommend against using it in production, mainly because of the speed. If you want to use the public IP address as the local ID, leave the field empty. Fortigate will automatically send its public IP as the local ID. Keep this in mind when you’re behind a NAT device.

FG-phase1

In the phase 2 settings, you can specify what addresses should be configured on the tunnel. You can choose between a subnet, IP range or a single IP address.

FG-phase2

 

You will still need to configure a route and firewall rules for VPN traffic.

Axsguard

The same principles apply to the configuration of the Axsguard.  One thing to pay attention to is the key lifetime, Fortinet uses seconds to express the lifetime on its devices. Axsguard, on the other hand, uses minutes for the lifetime.

Let’s go ahead and create a new tunnel on the Axsguard. Fill in the local parameters. If you can’t find the settings that correspond to the settings on the Fortigate, you can add them in the IPSec -IKE, and IPSec – ESP menus. Make sure to set the settings exactly the same as on the Fortigate.

Axsguard local parameters

 

Same goes for the remote parameters.

Axsguard remote parameters

 

The Axsguard will automatically create the required firewall rules to allow traffic to pass through the tunnel.