Tuesday, August 21, 2018

SQL Server, 16 GB RAM: where did my memory go?

Good day All,

Welcome back!!!
I was pulled into an incident on a server running SQL Server 2008 on a Windows Server 2008 virtual machine; it had 16 GB of memory and was reporting 97% usage.

So the first thing I did was reach out to the SQL team to confirm the max server memory setting for SQL, and they confirmed it was only 4 GB.
I pulled up Process Explorer and started looking at the commit memory; a rough tally came to about 12 GB, so close to 4 GB of RAM was unaccounted for.

That was strange, so I pulled out RAMMap, and there I could see that AWE was holding close to 4 GB of memory, which made me wonder why it would be doing that.

Not sure if everyone is aware, but AWE on SQL 2008 has a lot of issues, so I kind of started to lean towards SQL Server...

As this was a VM, I started looking around to see whether VMware Tools was running fine and whether there were any alerts on the VM, and didn't see much there.
When I checked the ESXi host, I found that for some reason the host was maxing out its memory, and then I realized that maybe AWE, as part of ballooning, was holding the memory.

I quickly moved a few VMs off the host, and within the next 5-10 minutes I saw the 4 GB that AWE was holding drop down to a few KB, and the issue was resolved.
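The checks above (SQL's configured and actual memory, the per-process commit tally from Process Explorer, and whether the hypervisor has inflated the balloon driver) can be pulled into one script so the comparison is done in seconds rather than by hand. The following is an added example, not code from the original post. It assumes VMware Tools is installed in the guest and publishes the "\VM Memory\*" performance counters, that SQL Server is the default instance (a named instance's counters live under "MSSQL$<Name>:Memory Manager" instead), and that the script runs locally with rights to read performance counters.

```powershell
# Added example (not from the original post): "where did the memory go" triage for a
# SQL Server VM on VMware. Assumptions: VMware Tools publishes "\VM Memory\*" counters;
# SQL is the default instance; run locally with rights to read performance counters.

function Get-MemoryTriage {
    [CmdletBinding()]
    param(
        # Perf object for the SQL instance; named instances use "MSSQL$<Name>:Memory Manager" (assumption).
        [string]$SqlCounterObject = 'SQLServer:Memory Manager'
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $totalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # counters are in KB
    $freeMB  = [math]::Round($os.FreePhysicalMemory / 1KB)

    # SQL Server's own view: how much it has taken (Total) and how much it is allowed (Target).
    $sqlPaths = @(
        "\$SqlCounterObject\Total Server Memory (KB)",
        "\$SqlCounterObject\Target Server Memory (KB)"
    )
    $sqlTotalMB = $null; $sqlTargetMB = $null
    $sql = Get-Counter -Counter $sqlPaths -ErrorAction SilentlyContinue
    if ($sql) {
        $sqlTotalMB  = [math]::Round(($sql.CounterSamples | Where-Object Path -like '*Total Server*').CookedValue / 1KB)
        $sqlTargetMB = [math]::Round(($sql.CounterSamples | Where-Object Path -like '*Target Server*').CookedValue / 1KB)
    }

    # The balloon driver pins guest pages on the host's behalf; VMware Tools reports the
    # current inflation here. A large value means the host, not SQL, has taken the memory.
    $balloon   = Get-Counter -Counter '\VM Memory\Memory Ballooned in MB' -ErrorAction SilentlyContinue
    $balloonMB = if ($balloon) { [math]::Round($balloon.CounterSamples[0].CookedValue) } else { $null }

    # Private commit of every process: the rough tally the post did in Process Explorer.
    $commitMB = [math]::Round((Get-Process | Measure-Object -Property PagedMemorySize64 -Sum).Sum / 1MB)

    [pscustomobject]@{
        TotalMB         = $totalMB
        FreeMB          = $freeMB
        UsedMB          = $totalMB - $freeMB
        ProcessCommitMB = $commitMB
        SqlTotalMB      = $sqlTotalMB
        SqlTargetMB     = $sqlTargetMB
        BalloonMB       = $balloonMB
        # Used memory that neither process commit nor the balloon accounts for.
        UnexplainedMB   = ($totalMB - $freeMB) - $commitMB - [int]$balloonMB
    }
}

$t = Get-MemoryTriage
$t | Format-List
if ($t.BalloonMB -gt 0) {
    Write-Warning ("Balloon driver holds {0} MB: the ESXi host is short of memory; check host usage before blaming SQL." -f $t.BalloonMB)
}
```

Read the output as three questions: is SqlTotalMB at or below SqlTargetMB (SQL is respecting max server memory), does ProcessCommitMB plus BalloonMB roughly add up to UsedMB (nothing left to hunt for), and is BalloonMB non-zero (the fix is on the host, as in the post, not in the guest). If the "\VM Memory" counter is absent, VMware Tools is either not installed or not publishing counters, and RAMMap remains the fallback.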

Hopefully this helps someone!
Until the next one, you all have a good day!

Who has logged into a Server

Good day All,
Welcome back!!!
It's been quite some time, I know; so many things happened and I lost track a bit because of the busy schedule.
There are a couple of interesting topics I worked on that I want to share with all of you. To start with, as part of an investigation I was asked to identify whether, during a particular time window, any user with a specific ID had an RDP session to a server, and if so, which ID they logged on with and which server they were trying to connect to at that time.

I knew we would need the Security log to start with, and hopefully it had not been overwritten; if an RDP session is successful, the event it generates in the Security log has Logon Type 10.

So basically we are looking for two event IDs, 4624 and 4648; below is the output of the two.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/14/2018 10:29:37 AM MST
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Server name
Description:
An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       Computer account$
    Account Domain:     domain name
    Logon ID:           0x3E7

Logon Type:             10
Impersonation Level:    Impersonation

New Logon:
    Security ID:        domain\user id
    Account Name:       UserID
    Account Domain:     Domain Name
    Logon ID:           0x72EADD999
    Logon GUID:         {60d466ce-e71e-0080-95ca-d00b008dbba6}

Process Information:
    Process ID:         0x3468
    Process Name:       C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:           Host name
    Source Network Address:     Source IP it is connecting from
    Source Port:                0

Detailed Authentication Information:
    Logon Process:              User32
    Authentication Package:     Negotiate
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

The event below confirms the ID he used and the target server when he initiated an RDP session from that logon; note that its Subject Logon ID (0x72EADD999) matches the New Logon > Logon ID in the 4624 above, which is what ties the two events to the same session.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/14/2018 10:31:03 AM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Host name
Description:
A logon was attempted using explicit credentials.

Subject:
    Security ID:        domain\ID
    Account Name:       ID
    Account Domain:     domain name
    Logon ID:           0x72EADD999
    Logon GUID:         {60d466ce-e71e-0080-95ca-d00b008dbba6}

Account Whose Credentials Were Used:
    Account Name:       ID used to RDP
    Account Domain:     host name
    Logon GUID:         {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name:     destination computer
    Additional Information: destination computer

Process Information:
    Process ID:         0x338
    Process Name:       C:\Windows\System32\lsass.exe
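Doing this by scrolling Event Viewer works for one user and one hour, but the same question usually comes back for several accounts and a longer window. The following is an added example, not code from the original post: it pulls 4624 events with Logon Type 10 for a named account in a time window, then joins each one to the 4648 events whose Subject Logon ID equals that logon's New Logon Logon ID, which is exactly the pairing shown in the two events above. It assumes it runs on the server being investigated (or is pointed at it with -ComputerName) with rights to read the Security log, and that the log has not wrapped past the start of the window; the account name 'jdoe' and the dates in the usage line are placeholders.

```powershell
# Added example (not from the original post): find RDP logons (4624, Logon Type 10) for
# one account in a time window and pair each with the 4648 explicit-credential events
# raised from that session, which name the next server the user connected to.
# Assumptions: rights to read the Security log on $ComputerName; log not yet overwritten.

function Find-RdpSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,      # sAMAccountName, e.g. 'jdoe'
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Turn an event's EventData into a hashtable keyed by each <Data Name="..."> attribute.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $xml = [xml]$Event.ToXml()
        $h = @{}
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    $filter = @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    $parsed = foreach ($e in $events) {
        [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; Data = (ConvertTo-EventData $e) }
    }

    # RDP logons for the account: 4624 with LogonType 10 (RemoteInteractive). With NLA a
    # type 3 4624 for the same user precedes it, so filter on the type, not just the ID.
    $rdp = $parsed | Where-Object {
        $_.Id -eq 4624 -and $_.Data.LogonType -eq '10' -and $_.Data.TargetUserName -eq $UserName
    }

    foreach ($r in $rdp) {
        $logonId = $r.Data.TargetLogonId   # "New Logon > Logon ID" in the 4624

        # 4648 events whose Subject Logon ID is this session: credentials used from inside it.
        $hops = $parsed | Where-Object {
            $_.Id -eq 4648 -and $_.Data.SubjectLogonId -eq $logonId -and $_.Time -ge $r.Time
        } | ForEach-Object {
            [pscustomobject]@{
                Time       = $_.Time
                CredUsed   = "$($_.Data.TargetDomainName)\$($_.Data.TargetUserName)"
                TargetHost = $_.Data.TargetServerName
                Process    = $_.Data.ProcessName
            }
        }

        [pscustomobject]@{
            LogonTime   = $r.Time
            User        = "$($r.Data.TargetDomainName)\$($r.Data.TargetUserName)"
            LogonId     = $logonId
            SourceIp    = $r.Data.IpAddress
            Workstation = $r.Data.WorkstationName
            NextHops    = $hops
        }
    }
}

# Usage (placeholder account and window): who RDP'd in as jdoe on 14 June 2018, and where next?
Find-RdpSession -UserName 'jdoe' -Start '2018-06-14 10:00' -End '2018-06-14 11:00' | Format-List
```

Two caveats when reading the result. Logon Type 10 is only written when a new session is created; a user reconnecting to a disconnected session produces a 4778 (session reconnected) instead, so an empty result does not prove nobody was on the box. And the 4648 Target Server Name is whatever the client asked for, so it records the intent to connect, not a confirmed logon; the matching 4624 on the destination server is the confirmation.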

This was easy, so hopefully it helps someone!
Until the next one, you all have a good day!