Hey guys,
I am seeking a bit of advice as it specifically relates to SEP NTP and production Windows servers (mostly virtual). The main reason for this post results from an issue experienced early this week when we had 3 domain controllers that all became unresponsive to anything AD related.
For about the past year we have had 12.1.2015.2015 installed on our domain controllers, all running full server protection: AV, PTP and NTP. From what we can tell, everything has been fine, as we have not noticed any trouble related to functionality. While the specific date of installation is unclear, I know it was not this past weekend that 12.1.4013.4013 was installed on all 3 affected servers.
Things were functional and still nothing seemed out of the ordinary until Monday morning, when a majority of domain services went offline. Locally, ping times were high and even dropping, AD logons were excessively long, and for about 6 hours AD was essentially not working and applications were failing as a result.
In the end, we had to remove the NTP feature of SEP to get our AD services back online. While I can understand best practices and the recommendation for high-availability machines to not run NTP and to use basic protection (AV only), that doesn't explain why things have been running without issue for over a year.
Essentially, my thought is that maybe the FW is messed up in 12.1.4 and is part of what is fixed in the teefer driver re-writes in 12.1.4.1, even if it is not directly documented. If it were something that was not so random, I would understand that the best practice should be followed, but the fact that the behavior was random and that all three servers were running 12.1.4013.4013 indicates to me that potentially something else broke or failed to create the event.
In fact, I have witnessed similar randomness on other non-DC systems that are running 12.1.4013.4013, where performance is just horrible until the FW is stopped. However, unlike the case with the DCs, the issue will typically just go away and resolve itself. This further makes me think there is an inherent issue with the firewall in this version of SEP. However, before making any real accusations, I wanted to ask if anyone else has seen similar behavior resulting from NTP in 12.1.4. Not all systems are affected, and the systems that are seem to be completely random. I might have 8 application servers all doing the same thing and only one will go crazy, before randomly fixing itself.
I am probably searching for something that cannot be explained, but I still wanted to bring it to the community to see if in fact I am the only person seeing this issue.
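As an added example (not part of the original post, and not Symantec's own tooling), here is a PowerShell health check that measures the symptoms described above on each DC (ping latency and loss, connect time to the AD-facing TCP ports) and reports whether the SEP client service is running, so a degradation can be correlated with the firewall state instead of being noticed only when logons fail. The DC names are placeholders, and the service name `SepMasterService` is an assumption that should be checked against the build you are running.

```powershell
# Added example, not from the original post.
# Probes domain controllers for the symptoms described in the thread (high or
# dropped ping, slow AD ports) and records whether the SEP client service is
# running on each, so degradation can be correlated with the NTP firewall.
# ASSUMPTIONS: DC names are placeholders; 'SepMasterService' is an assumed
# service name, verify it locally. Written for Windows PowerShell 5.1
# (Test-Connection exposes ResponseTime, Get-Service supports -ComputerName).

param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local'),
    [int]$LatencyWarnMs = 50,    # average ICMP RTT above this is flagged
    [int]$PortWarnMs    = 500    # TCP connect slower than this is flagged
)

$sepService = 'SepMasterService'   # assumed service name, verify on your build

foreach ($dc in $DomainControllers) {
    $result   = [ordered]@{ DC = $dc }
    $degraded = $false

    # ICMP: 4 echoes, average RTT and count of missing replies (packet loss)
    $pings = @(Test-Connection -ComputerName $dc -Count 4 -ErrorAction SilentlyContinue)
    $result.PingAvgMs = if ($pings.Count) {
        [int]($pings | Measure-Object -Property ResponseTime -Average).Average
    } else { $null }
    $result.PingLoss = 4 - $pings.Count
    if ($result.PingLoss -gt 0 -or $result.PingAvgMs -gt $LatencyWarnMs) { $degraded = $true }

    # AD-facing ports (Kerberos, LDAP, SMB): a slow or failed connect is the
    # "AD not responding" symptom rather than a pure network problem
    foreach ($port in 88, 389, 445) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        $sw.Stop()
        if (-not $ok) {
            $result["Tcp$port"] = 'FAIL'
            $degraded = $true
        } else {
            $result["Tcp$port"] = "$($sw.ElapsedMilliseconds) ms"
            if ($sw.ElapsedMilliseconds -gt $PortWarnMs) { $degraded = $true }
        }
    }

    # SEP client state on the DC, for correlating with the firewall feature
    $svc = Get-Service -Name $sepService -ComputerName $dc -ErrorAction SilentlyContinue
    $result.SepService = if ($svc) { $svc.Status } else { 'not found' }

    $result.Degraded = $degraded
    [pscustomobject]$result
}
```

Run it on a schedule (for example every few minutes from a management host) and keep the output; when a DC flips to `Degraded = True` while `SepService` is `Running`, you have a timestamp to line up against the SEP client logs and the Windows System/Directory Service event logs, which is the evidence you would want before attributing the outage to the firewall driver.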