Solved

Server 2003 R2 slow file browsing, lots of EFS errors

Posted on 2009-05-08
Last Modified: 2012-05-06
A month ago my server started having lots of Event ID: 6032, Source: EFS errors. They flood the System log, then stop for a little while.

The issue we noticed is that while those errors are happening, file browsing to the shares on the server is slow.

We only have 1 person that encrypts their files, and they are running Vista using NTLMv2.
There were no Windows updates installed just before we started getting these errors, and no other changes have been made that I can think of.

I did upgrade the system memory from 2 GB to 3 GB because it was running at 1.7 GB most of the time. It helped a little bit, but those errors are still coming in every day.

This server is also the main DC for the company.

Any help is appreciated.
Question by:pboustani
10 Comments
 

Expert Comment

by:Bembi
Is it possible that a service (like backup or whatever) tries to access the files, or just other users?

This may fail, as only the user who encrypted the files can decrypt them (besides the recovery agent).

Author Comment

by:pboustani
The backup runs after 6 PM; the errors are happening during the day, way before the backup.

The files that this one user encrypts have been like this for months with no problems. The backup never had any problem backing up the data. It is still working now.
Whatever generates these EFS errors causes the server to slow down.

I can't think of anything that might have changed recently.

Any other possible solutions for the event ID above?

Thanks

Expert Comment

by:Bembi
Timed out certificates?

Can you see additional errors on the server?
Backup is not the only application that accesses files (virus scanners, index service, etc.).
Does this happen all the time, also when the affected user is logged off?

Author Comment

by:pboustani
The only other errors are:
MrxSmb - Event ID 8003
The master browser has received a server announcement from the computer SERVER2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{73EA1AB4-6F45-4924-9865-D71E5AC842AF}. The master browser is stopping or an election is being forced.

DNS - Event ID 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The EFS errors did not occur over the weekend, only on weekdays, and there is no virus scan running. It is possible they occur only when the user is reading the files. I will keep an eye on it today when they connect.


Expert Comment

by:Bembi
Master browser messages seem to be normal. If the master browser service is not forced to be hosted on one single machine (i.e. a server), it can flow from one machine to another. If the actual hosting machine is logged off, the master browser needs to switch to another machine. This is a general lack of Windows NetBIOS.

The second error you should keep an eye on, to see if this is a temporary error due to reboots or whatever. It should not come up regularly. Have a look here for some reasons:
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

EFS errors: This would really point me to a timed out certificate on the machine / user which encrypted the files. Check the certificates for this machine / user, if they are valid. Ask your user if he has problems accessing the files. Note that you will run into some trouble if a certificate that is used to encrypt files times out. Only the recovery agent can then decrypt the files.

Author Comment

by:pboustani
She never had any problem accessing her files. But there was one occasion when all her files seemed to be corrupt. Office, Acrobat and other programs could not open them; they kept saying "Encoding error" and would not display properly.
I got this problem fixed by attaching all her documents to a new email in Outlook and then closing the email window without sending the 200 MB attachment :). This seemed to have rescanned all the headers, and I was able to open her files again.

Right now I am decrypting her files to see if the errors will stop. I never liked the MS Encryption thing. I am going to use a different encryption software which works much faster.

Expert Comment

by:Bembi
Yerk, this sounds like a certificate is renewed with a new key and the old certificate may be still part of Outlook and still valid?

You should decrypt all the documents as fast as you can to have an unencrypted copy.

MS works fine so far, but you have to take care of the key infrastructure. If a certificate invalidates, you may lose your data. This is common to all cert-based encryption methods. The other method is just to use passwords or other keys, but that may be less safe. The default settings for certificates in MS may be very short (1-2 years), so you have to make sure the time is long enough or that you have an automatic renewal procedure (policies).

The encryption / decryption performance depends on the key length, so if the encryption / decryption is slow, it may have something to do with the algorithm used. If you have a faster solution, you can use it of course, but it may be less safe. So it depends a little bit on your security needs what is useful or not.

Author Comment

by:pboustani
There are few certificates under Trusted People on the 2003 server; most are administrators and probably not used to encrypt the files. The one user that does encrypt the files has a certificate there as well; the date is valid and it says
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
Could that be the problem I am having?

To install it, do I just need to copy the certificate to the above mentioned store? See image

Thanks

certificate.gif

Accepted Solution

by:
Bembi earned 500 total points
Usually, you find the user's or computer's certificates under Personal.

Each certificate relies on a root certificate. You have to trust the root certificate. Have a look under Certification Path to find out who has issued this certificate. The most common public issuers are within the trusted certificates folder by default.

The certificate you have found there may be a certificate which the user has got via a signed or encrypted email. The message above means that the issuer is not within the list of trusted root certificates or trusted issuers. As you cannot see there if the certificate is issued for encryption, I cannot say if this is the certificate which was used. Therefore I cannot tell you if moving this certificate will solve something. If you do not know the issuer, I don't think so; if you know it, it may be.

You may try to update your root certificates first:
http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&DisplayLang=en
0
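The checks raised in this answer and earlier in the thread (is the certificate still valid, was it issued for encryption, does its chain end in a trusted root) can be scripted. The following is an added example, not part of the original thread; it assumes PowerShell 2.0 or later run as the affected user, and the function name and the 60-day warning window are hypothetical.

```powershell
# Added example: report on certificates in a store that carry the EFS
# enhanced key usage, with expiry, private key and chain trust status.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsCertificateReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',  # the "Personal" store
        [int]$WarnDays = 60                           # assumed warning window
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Find the EKU extension; certificates without one are skipped here.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $EfsOid) { continue }

        # Build the chain without revocation lookups so the check works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt $now)
            ExpiresSoon   = ($cert.NotAfter -lt $now.AddDays($WarnDays))
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $trusted
            ChainStatus   = $status   # e.g. UntrustedRoot for an untrusted self-signed cert
        }
    }
}

Get-EfsCertificateReport |
    Select-Object Subject, Thumbprint, NotAfter, Expired, ExpiresSoon,
                  SelfSigned, HasPrivateKey, ChainTrusted, ChainStatus |
    Format-List
```

A certificate that shows `HasPrivateKey : False` cannot decrypt anything on that machine, and more than one EFS certificate in the output is a reason to confirm which thumbprint the encrypted files actually reference.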
 

Author Comment

by:pboustani
I have successfully decrypted all the files and the EFS errors have stopped.

The path under each user is just the user's own name; no other root certificate exists.

I did try moving them to the Trusted Root certificate folder but that did not stop the errors. It did take off that message that said
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
but the errors still continued.

Anyways, decrypting the files got rid of the errors and I don't have too much time to spend on this.

Thanks for your help, you get the points anyways.

Cheers.