I recently worked with Ray Palumbo at Camelback. He was experiencing problems with his differential backup. Every time the backup executed, throughput on the server got terrible. On busy days, this caused super long calls and the sales points would go off-line. To prevent this from happening, Ray was forced to suspend the differential backups. This meant he was relying solely on his nightly full backups that occur at 2:00 AM. Naturally, Ray found this to be an uncomfortable situation.
Another interesting symptom of the problem was that the first differential backup of the day took 3 to 4 minutes and was ~8 GB in size! A differential backup is supposed to back up what has changed in a database since the last full backup - so I was expecting something that took only seconds to complete and was much less than 10 megabytes (since not much changes in the database between 3:00am and 8:00am). As the day progresses, the size of the differential grows - but even the largest I have seen have been < 100 MB, typically.
So - first things first - even if the differential backup took 3-4 minutes, why was it bumping all the sales points off? Well, it turned out that Ray's LDF file was on the same drive as the destination of the backups. That drive happened to be a standard IDE drive, and throughput was not stellar. What I learned here is that even though the SiriusSQL database was using the Simple Recovery model (meaning the LDF file never really grows), the LDF file gets used anyway during the time that inserts, updates and deletes happen. The transactions get committed immediately (that is why the file doesn't grow), but the file does get used - for every transaction from every sales point. Add an 8 GB backup to that same drive, and it was enough to cause problems.
So, to solve this issue, Ray moved the LDF file onto his speedy SCSI mirrored data drive. We left the backups pointed to the slower IDE drive.
Hopefully the sales points getting knocked off was solved - but still - the 8 GB file was a nagging problem. The "Ah-Ha" moment occurred when we looked at the maintenance plan. The maintenance plan did the integrity check at 1am, the backup at 2am and the reorganize indexes at 3am. Since the differential only backs up what changes since the last full backup - the 8 GB of changes must be coming from the reorganize indexes part of the maintenance plan!
So - the solution was simply to reverse the order of the backup and the reorganize indexes. Now the plan does the backup as the last step at 3am. We tested this by performing a full backup, and then doing a differential backup a few minutes later. The differential backup finished in .51 seconds (half a second) and was about 8 megabytes. Now THAT'S what I'm talkin' about.
So the big two lessons here: 1. Put your backups on a different drive than any of your DB files if possible, and 2. Make sure your Full backup is the last operation in your maintenance plan.
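One way to watch for the symptom described above is to read the backup history SQL Server keeps in msdb and compare each differential with the full backup it is based on. This is an added example, not part of the original post; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a local default instance, and a 5% size threshold, all of which are illustrative choices.

```powershell
# Added example, not from the original post. Assumptions: a reachable SQL Server
# instance, the SqlServer module (Invoke-Sqlcmd), and a 5% size threshold.
function Get-DifferentialBackupReport {
    param(
        [string]$ServerInstance = 'localhost',   # assumption: local default instance
        [string]$Database       = 'SiriusSQL',   # database named in the post
        [double]$MaxRatio       = 0.05           # assumption: flag diffs over 5% of the full
    )

    # Pair every differential ('I') with the full backup ('D') it is based on.
    $query = @'
SELECT d.database_name,
       f.backup_finish_date AS full_finish,
       d.backup_start_date  AS diff_start,
       DATEDIFF(second, d.backup_start_date, d.backup_finish_date) AS diff_seconds,
       CAST(d.backup_size AS float) / 1048576 AS diff_mb,
       CAST(f.backup_size AS float) / 1048576 AS full_mb
FROM msdb.dbo.backupset AS d
JOIN msdb.dbo.backupset AS f
  ON f.backup_set_uuid = d.differential_base_guid
WHERE d.type = 'I' AND f.type = 'D'
ORDER BY d.backup_start_date;
'@

    # The database name is filtered here rather than spliced into the SQL text.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query $query |
        Where-Object { $_.database_name -eq $Database -and $_.full_mb -gt 0 } |
        ForEach-Object {
            $ratio = $_.diff_mb / $_.full_mb
            [pscustomobject]@{
                FullFinished = $_.full_finish
                DiffStarted  = $_.diff_start
                DiffSeconds  = $_.diff_seconds
                DiffMB       = [math]::Round($_.diff_mb, 1)
                RatioToFull  = [math]::Round($ratio, 3)
                Oversized    = $ratio -gt $MaxRatio
            }
        }
}

Get-DifferentialBackupReport | Format-Table -AutoSize
```

A differential flagged as oversized shortly after its full backup means something rewrote a lot of pages after the full finished, which is what the reorganize indexes step was doing here.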
Ray has happily bumped up the frequency of his differentials to 30 minutes, and Camelback's sales points can stay online. WaHoo!
Thanks to Ray and Camelback for helping to figure this one out.
- Sean
Friday, March 2, 2007
Monday, February 12, 2007
Vista
I took the plunge on Friday evening. I pulled out my active hard drive, and installed my backup drive, and installed Vista Ultimate on my Dell Inspiron 9400.
My take: It is great. I like the changes - and I like Office 2007. There are some caveats and hurdles to discuss - but overall, on a powerful enough machine, I like it. I really like the "Aero" interface. Though I feel it steals its look from Mac OS X, that is OK with me. I like Mac OS X better than XP anyway.
Number one pain: UAC. The UAC supposedly prevents malicious software from doing damage by ensuring all of the user's activity is done in a more security-restrictive environment. Though this is good, trying to do any software installation and configuring your system is a dreadful pain. Luckily, you can disable this feature from the User Accounts control panel.
So, thus far I have installed:
- The core of our company's software installed and running (Not ECommerce, yet)
- Office 2007
- SQL Server 2005 Dev edition with SP 2 and Reporting Services. This required Visual Studio 2005 SP 1. Also to get RS to install you need a complete install of IIS 7.0 - select all options, not just the defaults, or it thinks IIS isn't installed
- Visual FoxPro 8 development environment. Though Microsoft says they will only support VFP 9, VFP 8 seems fine. I have successfully compiled and run a VFP DLL.
- Firefox 2
- GAIM 2.06 beta.
I have a few more things to get working - like a full install of Dev Studio 2005, and either VMWare or Virtual PC - but so far so good. We'll see how this week goes ...
Wednesday, January 10, 2007
VNC is not a security risk.
I have heard about companies removing VNC from their corporate computers because of security risk. I feel like this is akin to removing your liver because you might get liver cancer. While it is possible that VNC could be used to do damage to your corporate network, it is only possible if you install it incorrectly. I hope to dispel the fear of having VNC installed, and to show you how to make it safe.
VNC is a necessary tool for our company to support our clients. It allows us to see your computer screen at the same time as you see it. We can use it for support, training and, with particularly tough support issues, we can bring in developer help - all of us sharing the same screen. Pictures, in this case, are worth way more than 1000 words.
VNC started out as an open source project from AT&T Bell Labs, and has since sprouted several flavors as different groups have "forked" the project. The big three right now are RealVNC, TightVNC and UltraVNC. Of the three, I believe that UltraVNC has a couple of key features that really set it apart as the best choice: Integrated NT security, and File Transfers.
So, what are the security risks? Almost none, if you set it up right. The big security issue I have heard about is "The password is easy to break". Most VNC flavors only have a single password - not a user name / password combination. UltraVNC allows you to use Windows Security with user names and passwords instead of the simple password.
The big point here is: The difficulty of cracking passwords is moot.
You can only try to break a password if VNC Server is running on the client computer. VNC server can be installed two ways - "Application Mode" and "As a Service". We recommend installing VNC in "Application Mode". This means, the only time remote control can happen is when you actually run the VNC application. When you install it as a service, VNC is always running in the background - and is therefore susceptible to hacking. Also, since we ask you to use the "Add New Client" function in VNC server - we never need to know your password in the first place. So, when you do your install, VNC Server makes you choose a password the first time you run it. Choose a strong password. Crazy strong. No one needs to know it anyway. If you need to change it, you always can by resetting it from the VNC Server application.
So - Install VNC in "Application Mode" with a Crazy Strong password. Run it when you need support from us and close it when we are done helping you. The security risks are then reduced to almost zero.
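To confirm a workstation really is in the state recommended above (no VNC service registered, nothing listening once the support session is closed), a check like the following can be run on the machine. This is an added example, not part of the original post; it assumes the default VNC ports (5900, and 5800 for the browser-based viewer) and that the server's service or executable name contains "vnc".

```powershell
# Added example, not from the original post. Assumptions: default VNC ports and
# a service or executable name containing "vnc"; a server moved to another port
# or renamed will not be caught by these filters.
function Test-VncExposure {
    param([int[]]$Ports = @(5900, 5800))

    $findings = @()

    # A VNC server registered as a Windows service is reachable whenever the
    # machine is up, which is the "As a Service" install the post advises against.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match 'vnc' -or $_.PathName -match 'vnc' }
    foreach ($svc in $services) {
        $findings += [pscustomobject]@{
            Check  = 'Service'
            Detail = "$($svc.Name) StartMode=$($svc.StartMode) State=$($svc.State)"
        }
    }

    # Anything listening on the VNC ports right now, whether it was started as a
    # service or left running in application mode after a support session.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check  = 'Listener'
            Detail = "$($l.LocalAddress):$($l.LocalPort) pid=$($l.OwningProcess) ($($proc.ProcessName))"
        }
    }

    $findings
}

$result = Test-VncExposure
if ($result) {
    $result | Format-Table -AutoSize
} else {
    'No VNC service registered and nothing listening on the checked ports.'
}
```

Run it after a support session has ended; any row in the output means the server is still installed as a service or still running.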