Recursos para Profesionales de TI >
Página principal de foros
>
Antigen
>
Antigen 9.1 (SP1) Hotfix Rollup 5 on a cluster - installation issue
Antigen 9.1 (SP1) Hotfix Rollup 5 on a cluster - installation issue
- Hi there!
Last weekend I upgraded Antigen on our Exchange 2003 Cluster (active/passive). I then applied Hotfix Rollup 5, and installed it according to the instructions on http://support.microsoft.com/kb/957075/en-us. Before installing I renamed the physical disk resources for our Exchange drives (one of which hosts the Antigen db as well) to include the drive letter (e.g. "mail_DBsSG2 disk O:") which is required according to the KB article, for the new Antigen resource for the EVS to be successfully created. I then installed the hotfix on both nodes, and then on the Active node, ran antutil /disable, which seemed to take the EVS offline successfully, and then antutil /enable. The EVS did not come online again by itself, and the new Antigen cluster resource was not created. I ended up having to manually start it up again. I then tried to run the /disable /enable again, having even tried rebooting - still no go. Antigen seems to be working fine - should I be worried?
Secondly - I was under the impression that SP1 would enable the anti-spam stuff? When I launch Antigen Admin I can see the anti-spam option in the sidebar for a second, then it disappears - does one need an additional license for the anti-spam components? The Intelligent Message Filtering doesn't work on a cluster, so I was hoping to use antigen for anti-spam.
thanks
Ray
RayDiack- CambiadoMike ShenMSFTmiércoles, 06 de mayo de 2009 9:38Antigen hotfix installation issue (From:Anti-virus/Anti-spam)
Respuestas
- Hi Ray,
Yes. Basically Microsoft sell 2 flavours of Antigen. Antigen - which just contains the minimum scan engines, and the messaging security suite which contains all of the available scan engines.
Regarding the hot-fix. I have been thinking about this further and I would like you to try something. Can you first ensure that Antigen is disconnected from exchange using the "Antutil /disable" on both the active and passive node(s). When this is completed, on the Active node, bring the EVS online. Next, on the active node again, run "antutil /enable" while the EVS is online. This should create the cluster resource. Finally reintegrate Antigen fully on all nodes using the "antutil /enable". If you are unsure if Antigen is enable or disabled, you can check by running "antutil /status". After you have done this, check if the cluster resource has been created. If it has, then check that the possible owners for this resource are correct.
I hope this helps,
Alex- Marcado como respuestaRaymond Diack lunes, 25 de mayo de 2009 20:32
Todas las respuestas
- Hi Raymond,
As you cannot see the cluster resource following the Antutil /Diable/enable, I would strongly recommend raising a support case with the Microsoft Antigen support team. This resource should appear following the installation of the RU5 hotfix and the antutil /disable, Antutil /enable. If the case is related to the hot-fix rather than an error during the installation, then this call (i believe) would be non chargeable.
In answer to your second query, the Anti Spam scan engine, Spamcure, is only available if you are using the Messaging Security Suite, which is basically Antigen 9 with extra scan engines inc the Anti Spam engine.
I hope this helps,
Alex - Hi Alex
Thanks very much for your reply. So regarding Spamcure - if we just bought licensing for Antigen, then we aren't entitled to it?
Regarding the hotfix issue, I will try give MS a call - but in the past when I've phoned to request hotfixes (before they all became downloadable) they always told me that if there were problems with the hotfix i was requesting, I'd need to log a proper (chargeble) call? Or perhaps that was just if the hotfix didn't solve the problem...?
thanks
Ray
RayDiack - Hi Ray,
Yes. Basically Microsoft sell 2 flavours of Antigen. Antigen - which just contains the minimum scan engines, and the messaging security suite which contains all of the available scan engines.
Regarding the hot-fix. I have been thinking about this further and I would like you to try something. Can you first ensure that Antigen is disconnected from exchange using the "Antutil /disable" on both the active and passive node(s). When this is completed, on the Active node, bring the EVS online. Next, on the active node again, run "antutil /enable" while the EVS is online. This should create the cluster resource. Finally reintegrate Antigen fully on all nodes using the "antutil /enable". If you are unsure if Antigen is enable or disabled, you can check by running "antutil /status". After you have done this, check if the cluster resource has been created. If it has, then check that the possible owners for this resource are correct.
I hope this helps,
Alex- Marcado como respuestaRaymond Diack lunes, 25 de mayo de 2009 20:32
Hi Alex
You rock - thanks man, following your instructions re. running antutil /disable on all nodes, starting the EVS, then running antutil /enable created the new Antigen cluster resource and it seems to be 100% now. Perhaps KB957075 should be updated to reflect this behaviour?
regards
RaymondHi Alex
Not sure if this is related, but we seem to now be getting these errors in the System log:-
Event Type: Error
Event Source: ClusSvc
Event Category: Checkpoint Mgr
Event ID: 1121
Date: 2009/05/25
Time: 10:49:43 PM
User: N/A
Computer: CLUS01
Description:
The crypto checkpoint for cluster resource 'SMTP Virtual Server Instance 1 (MAILSRV)' could not be restored to the container name 'C44FBC30-1445-11d3-8CAA-00104B9C5823'. The resource may not function correctly.Event Type: Error
Event Source: ClusSvc
Event Category: Checkpoint Mgr
Event ID: 1121
Date: 2009/05/25
Time: 10:49:36 PM
User: N/A
Computer: CLUS01
Description:
The crypto checkpoint for cluster resource 'Exchange Information Store Instance (MAILSRV)' could not be restored to the container name 'C44FBC30-1445-11d3-8CAA-00104B9C5823'. The resource may not function correctly.
Any ideas? The cluster seems to be behaving itself fine - Exchange is running fine, and failover is working 100%.
thanks
Ray
RayDiack- Hi Ray,
This looks to be a new error and I believe its probably related to the permissions for the folder that holds the Crypto Checkpoints.
Please can you check the permissions on the following folder and ensure that the local administrators group has full control and inherite permissions set:-
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Please let me know if this resolves your issue or not.
Alex
- Hi Alex
Thanks for your reply. The permissions on our 4 servers on the MachineKeys folder u mentioned are:-
Administrators - Full Control - This folder only - Not inherited
Everyone - Write - This folder only - Not inherited
Are you sure the MachineKeys folder should be inheriting permissions from its parent, and that all files in the folder should be receiving inherited permissions? If I enable inheritance and apply the permissions to all files in the folder, they will get:-
Administrators - Full Control
Everyone - Read and Execute
Power Users - Modify
SYSTEM - Full Control
Users - Read and Execute
I'm just a bit weary that making a permissions change might break something...?
thanks
Ray
RayDiack - Hi Ray,
Sorry I explained this badly. Basically we need all files present and that will be created in this folder, to inherit the "Administrators Local Group"-Full Control permissions so that would mean enabling the "Replace permissions entries on all child objects with entries shown here" option at the folder (MachineKeys) level
Sorry for the confusion
Alex - Alex, thanks for clarifying. I've allowed inheritance and propagated settings to the files in the MachineKeys folder. I've just done this on one of our 4 cluster nodes - will test failover this weekend and see if the errors are gone, before doing this for all.
thanks,
Ray
RayDiack - Hi Alex
Sorry it's taken so long to test this - been so busy. I set the permissions on the MachineKeys folder on both of the 2 nodes in our 4-node cluster that have Exchange installed, and propagated settings to the files in the folder. I checked all the files in the folder to verify that they have the parents permissions set - with Administrators - Full Control. If I then fail Exchange over to the other server, the permissions on the files get reset to Administrator - Read and System - Full Control, and the two errors keep appearing in the System event log about the crypto checkpoint - for both the Exchange SMTP virtual server and the Information store.
Everything seems to be working fine though, so maybe I should just ignore this?
thanks,
Ray
RayDiack
