Solved

Server 2003 R2 slow file browsing, lots of EFS errors

Posted on 2009-05-08
Last Modified: 2012-05-06
A month ago my server started having lots of Event ID: 6032 Source EFS errors. They flood the System log then stop for a little while.

The issue we noticed is that while those errors are happening the file browsing to the shares on the server is slow.

We only have 1 person that encrypts their files and they are running Vista using NTLMv2.
There were no Windows updates installed just before we started getting these errors, and no other changes have been made that I can think of.

I did upgrade the system memory from 2 GB to 3 GB because it was running at 1.7 GB most of the time. It helped a little bit but those errors are still coming in every day.

This server is also the main DC for the company.

Any help is appreciated.
Question by:pboustani
10 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24341306
Is it possible that a service (like backup or whatever) tries to access the files, or just other users?

This may fail, as only the user who encrypted the files can decrypt them (besides the recovery agent).
 

Author Comment

by:pboustani
ID: 24341326
The backup runs after 6PM; the errors are happening during the day, way before the backup.

The files that this one user encrypts have been like this for months with no problems. The backup never had any problem backing up the data. It is still working now.
Whatever generates these EFS errors causes the server to slow down.

I can't think of anything that might have changed recently.

Any other possible solutions for the event ID above?

Thanks
 
LVL 35

Expert Comment

by:Bembi
ID: 24341592
Timed out certificates?

Can you see additional errors on the server?
Backup is not the only application that accesses files (virus scanners, index service etc.).
Does this happen all the time, also when the affected user is logged off?
 

Author Comment

by:pboustani
ID: 24356040
The only other errors on the server are:
MrxSmb - Event ID 8003
The master browser has received a server announcement from the computer SERVER2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{73EA1AB4-6F45-4924-9865-D71E5AC842AF}. The master browser is stopping or an election is being forced.

DNS - Event ID 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The EFS errors did not occur over the weekend, only weekdays, and there is no virus scan running. It is possible they occur only when the user is reading the files. I will keep an eye on it today when they connect.
 
LVL 35

Expert Comment

by:Bembi
ID: 24359304
Master browser messages seem to be normal. If the master browser service is not forced to be hosted on one single machine (i.e. a server), it can flow from one machine to another. If the actual hosting machine is logged off, the master browser needs to switch to another machine. This is a general lack of Windows NetBIOS.

Second error you should keep an eye on, if this is a temporary error due to reboots or whatever. Should not come up regularly. Have a look here for some reasons:
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

EFS errors: This would really point me to a timed out certificate on the machine / user which encrypted the files. Check the certificates for this machine / user, if they are valid. Ask your user if he has problems accessing the files. Note that you will run into some trouble if a certificate which is used to encrypt files times out. Only the recovery agent can then decrypt the files.

 

Author Comment

by:pboustani
ID: 24359452
She never had any problem accessing her files. But there was one occasion when all her files seemed to be corrupt. Office, Acrobat and other programs could not open them; they kept saying Encoding error, and would not display properly.
I got this problem fixed by attaching all her documents to a new email in Outlook and then closing the email window without sending the 200MB attachment :). This seemed to have rescanned all the headers and I was able to open her files again.

Right now I am decrypting her files to see if the errors will stop. I never liked the MS Encryption thing. I am going to use a different encryption software which works much faster.
 
LVL 35

Expert Comment

by:Bembi
ID: 24362801
Yerk, this sounds like a certificate is renewed with a new key and the old certificate may be still part of Outlook and still valid?

You should decrypt all the documents as fast as you can to have an unencrypted copy.

MS works fine so far, but you have to take care of the key infrastructure. If a certificate invalidates, you may lose your data. This is common to all cert based encryption methods. The other method is just to use passwords or other keys, but maybe less safe. The default settings for certificates in MS may be very short (1-2 years) so you have to make sure the time is long enough or you have an automatic renewal procedure (policies).

The encryption / decryption performance depends on the key length, so if the encryption / decryption is slow, it may have something to do with the used algorithm. If you have a faster solution, you can use it of course, but it may be less safe. So it depends a little bit on your security needs, what is useful or not.
 

Author Comment

by:pboustani
ID: 24368666
There are a few certificates under Trusted People on the 2003 server; most are administrators and probably not used to encrypt the files. The one user that does encrypt the files has a certificate there as well; the date is valid and it says
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
Could that be the problem I am having?

To install it do I just need to copy the certificate to the above mentioned store? See image

Thanks

certificate.gif
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 24380821
Usually, you find the user's or computer's certificates under Personal.

Each certificate relies on a root certificate. You have to trust the root certificate. Have a look under Certification Path to find out who has issued this certificate. The most common public issuers are within the trusted certificates folder by default.

The certificate you have found there may be a certificate which the user has got via a signed or encrypted email. The message above means that the issuer is not within the list of trusted root certificates or trusted issuers. As you cannot see there if the certificate is issued for encryption, I cannot say if this is the certificate which was used. Therefore I cannot tell you if moving this certificate will solve something. If you do not know the issuer, I don't think so; if you know it, it may be.

You may try to update first your root certificates:
http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&DisplayLang=en
0
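The checks suggested in the answer above (look under Personal, confirm the validity dates, inspect the certification path) can be scripted. The following is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later running in the session of the user who encrypted the files, and the function name `Get-EfsCertificateStatus` and the 60-day warning threshold are hypothetical choices.

```powershell
# Added example: report every EFS-capable certificate in the user's Personal store.
# Assumption: run as the user who encrypted the files (their store is CurrentUser\My).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-EfsCertificateStatus {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$WarnDays = 60            # constructed threshold for "expires soon"
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Keep only certificates whose EKU extension lists the EFS purpose.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $EfsOid) { continue }

        # Build the certification path without revocation lookups (works offline).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $validity = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
                    elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
                    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRES SOON' }
                    else { 'OK' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Validity      = $validity
            HasPrivateKey = $cert.HasPrivateKey   # without it the files cannot be decrypted
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted  = $chainOk
            # A self-signed EFS certificate reports UntrustedRoot here.
            ChainStatus   = $status
        }
    }
}

Get-EfsCertificateStatus | Format-List
```

On Windows versions whose `cipher.exe` supports `/c`, the thumbprint it reports for an encrypted file can be compared with the `Thumbprint` values listed here to see which certificate actually protects the file.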
 

Author Comment

by:pboustani
ID: 24397050
I have successfully decrypted all the files and the EFS errors have stopped.

The path under each user is just the user's own name; no other root certificate exists.

I did try moving them to Trusted root certificate folder but that did not stop the errors. It did take off that message that said
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
but the errors still continued.


Anyways, decrypting the files got rid of the errors and I don't have too much time to spend on this.

Thanks for your help, you get the points anyways.

Cheers.