Re: Ongoing DNS Issue? or something worse?



Doesn't look good.
First up I'd be running AV, Spyware (and yes, I saw that you have Trend and ran it) and RootKit scans across the network.
I'd also be running a packet sniffer to get an idea of what traffic is being generated.

---------
Henry Craven {SBS-MVP}

"Ferrell Ramey" <FerrellRamey@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:903D3344-C66C-4952-8F87-C416FA6E3589@xxxxxxxxxxxxxxxx
I have an issue kind of like another post, but it wasn't similar enough to
continue the thread.

So you don't have to read the whole thing. I've got a user (I think) that
has an issue with connecting to the SBS server correctly. Everyone on the
network starts having issues when a particular user logs in (not the PC
itself, if someone else on this PC logs in; things seem to be ok).

I don't have enough data to confirm that this is a user issue, but I've seen
with my own eyes the user try to logon at another workstation while I was
working on hers and she had problems again.

On to the problem: the user seems to be able to login and get to the files
on the server etc, but when I try to set up Outlook for her; her name will not
resolve when I just use the name of the server "SBSERVER", if I put
SBSERVER.domainname.local, it resolves in a split second and things seem to
continue without issue.

Why all of a sudden do I have to enter the entire server name and the
domain.local?

This seems to be causing issues with everyone's performance. Up until two
Thursdays ago, this was the fastest network that I managed.

As a coincidence; on that Thursday their firewall (Sonicwall TZ170) lost its
mind and started in a loop of rebooting (even if I only had my laptop plugged
into it). It would run just long enough to log into the interface, but then
would do a hard reset (all of the lights would blink at once) and I'd lose
connection to it. I did a "factory" reset thinking I could get it back; but
not. I happened to have one sitting in my car for another client and put it
in its place.

I've seen in some of the event logs on the workstation that there was an
attempted downgrade attack on the server (something related to SPNEGO). I've
got it in my notes at the client (sorry, I don't have the exact error).

Initially I thought it was the user's PC and tried everything including a
system restore from the day before. The user had only had the PC for a
couple of days (it is a new Dell 5100 series). I installed two of these a
couple of days before all of this happened.

I thought that maybe I accidentally named one of the two PCs to the same
name as one of the other PCs on the network. So I disjoined the domain,
renamed the PC and rejoined the domain and still had the problem. Others
started complaining about performance issues and getting into the Quickbooks
program which is running on the server too (I know!).

So I started to look at maybe the NIC was bad on the server, it is a Dell
Poweredge 2800 server and has a second NIC. I switched everything over to
the new NIC and voilà!, (that was Friday), but come Monday everything went
in the toilet again, same issues from everyone.

I could start PCs and they would hang at the loading network settings
forever, if I unplugged them from the network; they would run quick as usual,
but of course could not access anything on the server, I plug the PC back
into the network and it would come to a crawl (this is on multiple PCs, not
just the one I was having the initial issue with).

So, I shut the server down and disabled the "primary" NIC. Again,
everything seemed to start going well for a while.

I replaced the switch with a brand new 48 port Dell GB managed switch;
thinking it might be the switch, that had no effect. I found a wire that
seemed to be pinched at the user's desk, I replaced it, no effect.

I have spent countless hours on this, and just yesterday discovered the
issue with having to add the domain.local to outlook to get it to work. By
the way, that is what all of this started with on that Thursday, the user
complained that she couldn't get into outlook. I was actually at the client
for something else.

When I was initially troubleshooting this and rebooting the server; another
user asked me if I could do something on her PC. It was having the same
issue, if it was plugged into the network it would take forever to even do
something like open the control panel.

I reconnected "Sharman's" old PC and the problems started with it also. The
name of her old PC was SHARMAN, the new one is SHARMANPC.

Yes, I have scanned for a virus etc. I am running the latest copy of Trend
Micro Client/Messaging Server for SMB.

I am running SBS2003 with all SP's up to date. I am not running SBS2003-R2.

I found some articles regarding some updates that might have been run on the
server, I removed the one that I could find that looked like it might be
related.

I do get this event when I reboot the server:

------------------------------
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 12
Date: 5/17/2007
Time: 4:38:02 PM
User: N/A
Computer: SBSERVER
Description:
Time Provider NtpClient: This machine is configured to use the domain
hierarchy to determine its time source, but it is the PDC emulator for the
domain at the root of the forest, so there is no machine above it in the
domain hierarchy to use as a time source. It is recommended that you either
configure a reliable time service in the root domain, or manually configure
the PDC to synchronize with an external time source. Otherwise, this machine
will function as the authoritative time source in the domain hierarchy. If
an external time source is not configured or used for this computer, you may
choose to disable the NtpClient.


I was getting these events.
--------------------------
Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 5/10/2007
Time: 12:15:00 PM
User: N/A
Computer: SBSERVER
Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. No
attempt to contact a source will be made for 15 minutes. NtpClient has no
source of accurate time.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

----------------
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Date: 5/10/2007
Time: 12:15:00 PM
User: N/A
Computer: SBSERVER
Description:
Time Provider NtpClient: No valid response has been received from manually
configured peer time.windows.com,0x1 after 8 attempts to contact it. This
peer will be discarded as a time source and NtpClient will attempt to
discover a new peer with this DNS name.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 5/1/2007
Time: 3:28:48 PM
User: N/A
Computer: SBSERVER
Description:
The session setup from computer 'DEANNAPC' failed because the security
database does not contain a trust account 'DEANNAPC$' referenced by the
specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and
account, this may be a transient issue that doesn't require any action at
this time. Otherwise, the following steps may be taken to resolve this
problem:

If 'DEANNAPC$' is a legitimate machine account for the computer 'DEANNAPC',
then 'DEANNAPC' should be rejoined to the domain.

If 'DEANNAPC$' is a legitimate interdomain trust account, then the trust
should be recreated.

Otherwise, assuming that 'DEANNAPC$' is not a legitimate account, the
following action should be taken on 'DEANNAPC':

If 'DEANNAPC' is a Domain Controller, then the trust associated with
'DEANNAPC$' should be deleted.

If 'DEANNAPC' is not a Domain Controller, it should be disjoined from the
domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ‹..À
----------------
Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 5/9/2007
Time: 3:15:04 AM
User: N/A
Computer: SBSERVER
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: %1

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------------
Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 5/9/2007
Time: 3:15:04 AM
User: N/A
Computer: SBSERVER
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 992
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80 ...€
----------------

This is the PC that started it, I think this is the first event I saw in
regards.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 5/11/2007
Time: 4:46:32 PM
User: N/A
Computer: SBSERVER
Description:
The session setup from computer 'SHARMAN' failed because the security
database does not contain a trust account 'SHARMAN$' referenced by the
specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and
account, this may be a transient issue that doesn't require any action at
this time. Otherwise, the following steps may be taken to resolve this
problem:

If 'SHARMAN$' is a legitimate machine account for the computer 'SHARMAN',
then 'SHARMAN' should be rejoined to the domain.

If 'SHARMAN$' is a legitimate interdomain trust account, then the trust
should be recreated.

Otherwise, assuming that 'SHARMAN$' is not a legitimate account, the
following action should be taken on 'SHARMAN':

If 'SHARMAN' is a Domain Controller, then the trust associated with
'SHARMAN$' should be deleted.

If 'SHARMAN' is not a Domain Controller, it should be disjoined from the
domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ‹..À

----------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 5/11/2007
Time: 4:49:47 PM
User: N/A
Computer: SBSERVER
Description:
The session setup from the computer SHARMAN failed to authenticate. The
following error occurred:
Access is denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..À
----------------
Started getting events 5775, 5774

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 5/11/2007
Time: 7:41:58 PM
User: N/A
Computer: SBSERVER
Description:
The dynamic deletion of the DNS record 'WesternValve.local. 600 IN A
192.168.1.2' failed on the following DNS server:

DNS server IP address: <UNAVAILABLE>
Returned Response Code (RCODE): 0
Returned Status Code: 0

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain
controller, delete the record manually or troubleshoot the failure to
dynamically delete the record. To learn more about debugging DNS, see Help
and Support Center.

ADDITIONAL DATA
Error Value: A socket operation was attempted to an unreachable host.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 ..
----------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 5/11/2007
Time: 7:41:58 PM
User: N/A
Computer: SBSERVER
Description:
The dynamic registration of the DNS record '_ldap._tcp.WesternValve.local.
600 IN SRV 0 100 389 sbserver.WesternValve.local.' failed on the following
DNS server:

DNS server IP address: <UNAVAILABLE>
Returned Response Code (RCODE): 0
Returned Status Code: 0

For computers and users to locate this domain controller, this record must
be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can find
this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this domain
controller, run 'nltest.exe /dsregdns' from the command prompt on the domain
controller or restart Net Logon service. Nltest.exe is available in the
Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: A socket operation was attempted to an unreachable host.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 ..

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------------

No other events except a "perflib" issue that logs every time I reboot, it
works itself out just a few minutes later.

No errors are listed in the "DNS Server" event log, "Directory Service",
"Security".
One of the events (I think SPNEGO) also said something about Kerberos.

And one last thing is that the "network printer" started taking 4-5 minutes
to print vs. 10-15 seconds before all of this.

I tried to provide as much detail as possible here, sorry about the length.

Ferrell

Any ideas would be helpful.
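
A triage sketch for a dump like the one pasted above, added here as an example and not part of either poster's message: it splits copy-pasted Event Viewer records on their `Event Type:` lines, counts them per source and ID, and pulls the client name out of NETLOGON 5723/5805 so machine-account failures can be grouped by workstation. The sample records are constructed and abbreviated from the layout in the post; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: abbreviated records in the pasted Event Viewer layout.
SAMPLE = """Event Type: Error
Event Source: NETLOGON
Event ID: 5723
Description:
The session setup from computer 'SHARMAN' failed because the security
database does not contain a trust account 'SHARMAN$'.
----------------
Event Type: Error
Event Source: NETLOGON
Event ID: 5805
Description:
The session setup from the computer SHARMAN failed to authenticate.
----------------
Event Type: Warning
Event Source: W32Time
Event ID: 47
Description:
Time Provider NtpClient: No valid response has been received.
"""

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
CLIENT = re.compile(r"session setup from (?:the )?computer '?([A-Za-z0-9_-]+)'?")

def parse_events(text):
    # A new record starts at each "Event Type:" line; other text is description.
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({"Description": ""})
        if not events or set(line.strip()) <= {"-"}:  # preamble, blanks, rule lines
            continue
        if m:
            events[-1][m.group(1)] = m.group(2).strip()
        elif line.strip() != "Description:":
            events[-1]["Description"] += line.strip() + " "
    return events

def summarize(events):
    # Count per (source, id); map each client named in NETLOGON 5723/5805 to the IDs seen.
    counts = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    clients = defaultdict(set)
    for e in events:
        m = CLIENT.search(e["Description"])
        if m and e.get("Event Source") == "NETLOGON" and e.get("Event ID") in ("5723", "5805"):
            clients[m.group(1)].add(e["Event ID"])
    return counts, dict(clients)
```
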
