Original URL: http://www.theregister.co.uk/2011/06/14/sysadmin_it_disasters/

A sysadmin's top ten tales of woe

The IT troubles I have seen

By Trevor Pott

Posted in Enterprise Tech, 14th June 2011 15:30 GMT

Mission Critical Get enough people of any profession in one room and the conversation drifts inexorably towards horror stories. Everyone loves a good “…and then it all went horribly sideways” yarn, and we all have more than one.

The IT profession is flush with tales of woe. There are no upper boundaries on ignorance or inability.

From common facepalms through to the failure of the backup plan’s backup plan, here are the top ten disaster recovery failures I have seen.

10. Raid 0 isn’t Raid

About once a quarter someone walks into my office and says: “You know how to do data recovery, right?”

Inevitably they carry an external USB Raid 0 hard drive upon which rested all the critical data for the entire company.

While I can probably get those images off that SD card you formatted, Raid 0 with a disaster recovery plan of “I heard Trevor can do data recovery” is doomed to failure.

9. Call a locksmith

Losing one’s keys is a normal part of life. You keep a spare set at work or with a trusted friend. When dealing with mission-critical computing, however, plans need to be more robust.

My favourite equivalent of losing the keys is firing the sysadmin before realising that only he has the passwords to vital pieces of equipment whose manufacturer has gone out of business.

Disaster recovery plans that rely on “the manufacturer will help us reset the password” are iffy at best.

8. My backup is paper

Dead tree backups lose their charm when a corrupted financials database is combined with reliance on a data storage medium requiring a meat-based search engine.

Always be prepared for the auditors. They strike without warning and they have no mercy.

7. You have to be there

Not everybody’s definition of “mission critical” is 24/7/365. For small organisations , a cold spare requiring an on-site visit to power up may be adequate.

The plan, however, should take into consideration that the individual responsible for switching on the backup must be capable of making it through the snowstorm that took out the power lines.

6. The cleaner unplugged it

Pay attention to log files. More than once I have seen perfectly planned and executed offsite failovers felled because nobody realised the cleaner at the backup site was liable to unplug the servers, for example to charge an iPod. This is not an urban legend.

5. Tapes and Murphy's Law

The more important the data, the more likely it is to go missing. The older the data, the more likely it is that at least one copy is corrupt.

Inevitably, some bit of data will be missing from both the primary and the backup live servers. It happens to everyone and it is why we have tape.

Tapes are attached to a backup program of some kind, which keeps a catalogue of tapes and the files they contain. Life becomes interesting when the file that’s missing belongs to someone making an order of magnitude more money than you, and the file that’s corrupted is the backup catalogue.

Thirty-two hours into rebuilding the catalogue one tape at a time, you discover that one of the tapes is unreadable. Murphy’s Law, of course, stipulates that it is the tape with the necessary information.

The lesson is simple: test your backups – and the catalogues too.

4. Master and commander

Databases are the lifeblood of many applications, which in turn keep companies alive. Redundancy is key, and so we turn to database synchronisation.

Some aspects of database synchronisation are old hat by now: the primary can sync live to the secondary and life is good so long as both are up. The primary server fails and the backup server absorbs the load exactly as planned: so far, so good.

Where it all goes horribly wrong is when the primary is returned to service without being informed that it is no longer the primary database. After being brought online it instantly overwrites all the data on the backup server with stale information.

This niggle in the recovery process really should have been practiced more.

3. Death by patch

In an ideal world, your primary and backup servers are identical systems supplemented by an identical test system. This exists so you can experiment with new configurations, settings and patches.

A critical lesson that others have learned so you don’t have to is never, ever patch the primary and the backup clusters at the same time.

One beautiful illustration of this comes in the form of an unanticipated incompatibility between a software patch and a very specific combination of hardware present in both the primary and backup systems.

The testing system – identical except for a motherboard one revision newer – did not exhibit the issue. Patch released via automated patch software, the primary and backup servers were felled simultaneously.

2. Untried and untested

An oilfield company is doing some deep field drilling. There are several constraints regarding the amount of equipment it can bring.

The drilling requires real-time analysis of sensor results and the decision is made to farm that out over communications links to a more established camp nearby.

Data connectivity being so critical, there were three redundant links: a satellite hook-up, a (very flaky) 3G repeater and a small prototype UAV comms blimp which served as a WiMax bridge between the drilling team and the camp.

Predictably, the satellite connection failed, and the 3G repeater never really worked at all. The drilling team was forced to use the largely untested UAV, which unfortunately began to stray out of range.

The on-site tech tried to connect to the blimp, only to discover that the firewall configuration prevented access from the network interface facing the drilling site.

The connection was so flaky that the team couldn't bounce a connection off a server located on the other side of the network. Thus the UAV drifted entirely out of range and half a province away before it was recovered. The drilling operation was a bust.

Moral: cloud computing absolutely requires multiple tested redundant network links.

1. The power cascade

Two companies merge and are in the process of consolidating their two data centres. About 80 per cent of the way through the power-up of the new systems, there is a loud snap and all electrical power is dead.

The electrician’s post mortem is succinct: the electrical panels were from the 1940s. To get 30-Amp lines for the UPSes, a previous electrician had simply "bridged" two 15-Amp breakers.

When enough systems were powered up, the total cumulative load on the panels blew the panels without tripping more than a handful of frankenbreakers.

When the first panel blew, affected systems switched to backup power supplies, blowing the second panel, until all seven panels in the building were wrecked. Thanks to 70 years of evolutionary wiring, five of those panels were located in parts of the building not leased by either company.

The disaster recovery plan was focused entirely on layers of backup power provisioning: mains, UPSes and a generator. Offsite backups weren’t a consideration.

With the distribution panels fried, generator power couldn't get to the UPSes and sysadmins had only enough time to shut down the systems cleanly before battery power failed. The downtime cost the company more than it would have spent on building an offsite secondary data centre.

It all goes to show…

…that knowledge can be acquired from an adequate collection of textbooks, but true experience requires walking the minefield.

Please share your IT horror stories either in the comments section or by clicking the “mail the author” link above. I’ll collect the best and publish them as a warning to all: here be monsters. ®