Sudden loss of connectivity in our SBS 2011 domain in our company!!!

    Question

  • Hi

     

    In our company we have one Windows SBS 2011 domain controller and around 50 PCs with Windows XP Professional SP3 and some laptops with Windows 7 Professional SP2; the antivirus is Symantec Endpoint Protection, loaded on a separate PC made into a server, and all are configured; everything was working perfectly until today afternoon.

     

    All of a sudden a lot of calls started coming to the IT room complaining about the loss of connection between the DC and the clients. We checked the PCs in our IT room; my colleague and I started troubleshooting from our own PCs since we had also lost connectivity.

    * ping not working from any PC to the DC

    * ping to the default gateway not working from the PCs that lost connection

    * layer 2 connectivity is confirmed OK: booting my PC from a live boot CD, ping works to the DC and gateway; I opted for the live boot CD since I had rebooted my PC and the DC a couple of times with no effect

    * the default gateway, which is our ADSL router's LAN IP, pings from the DC and the internet is working

    * the DC's antivirus, Symantec Endpoint Protection, is standalone and not in sync with the Symantec server; also a client PC loaded with Kaspersky antivirus has the same problem, so the Symantec Endpoint Protection server can possibly be ruled out

    * restarted the DC and chose Last Known Good Configuration as well; same symptom

    * found one Windows Server 2003 loaded as a member server in the domain still working: it pings the DC and can access the folders on the DC; afraid to restart it and check, since the Windows XP PCs lost connectivity after restarting

    N.B: all the clients get their IP from DHCP on the DC

    When pinging, the result is "request timed out", and gpresult on the client PCs gives a generic failure

     

    Please suggest any solutions; I am going to check again in our office in a couple of hours after supper


    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 28 December 2011 17:50
    28 December 2011 17:47

Answers

  • Hi Susan,Jkazama & Larry

     

    Thank you very much for your support !

     

     

    We solved the problem by disabling the startup scripts from SBS 2011 and resetting the IP stack and Winsock catalog through netsh on the client PCs

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 29 December 2011 12:16
    • Marked as answer by TECHSHAN 29 December 2011 19:31
    29 December 2011 12:16
  • If it's only a question of a problem with resetting the IP stack/Winsock, then you can turn off all workstations but one. Then carry out the test; if the issue does reoccur, then simply disable the policies. Since all other workstations were turned off, the policy would never hit those and you should not be required to reset anything on them. Of course this would have to be attempted in off-production hours, but you need to carry out the diagnosis, for which enabling the policy again is required.
    • Marked as answer by TECHSHAN 3 February 2012 16:29
    3 January 2012 04:12

All messages

  • What's going on in the event logs on the server?
    Make sure you haven't lost power to your switch/issues with network
    cabling etc.
     
    Can the server get to the internet?
     
    28 December 2011 21:17
  • I suggest you download and run the SBS BPA and fix anything it finds.

    www.sbsbpa.com

    assuming the SBS itself has internet access.  If it does not you may just have a bad nic.

    Have you run the 'Fix My Network' wizard?


    Larry Struckmeyer[SBS-MVP]
    28 December 2011 21:19
  • Hi, thank you for your prompt reply, and as I said already there is no problem with internet access from the server itself. But we did not do the SBS BPA; sorry, we didn't think about that. Now we are doing the system state restore taken before, after confirming that only the clients joined to our domain are having this problem. Standalone PCs don't have any problem at all.

     

    Any suggestions please?

     

    N.B: THE SYSTEM RESTORE PROCESS IS UNDER WAY. I WILL UPDATE SOON

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    28 December 2011 22:12
  • Hi

    The system state restore completed successfully, but same symptom

     

    Please help me to solve this issue!


    Thanks & Regards S.Swaminathan Live & let others live!!!
    28 December 2011 22:35
  • Forget system state here.  If you made no changes to the server that's
    not the answer.
     
    Let's check basics.  Is the switch working?
     
    Do an ipconfig /all from the server and then on a workstation.
     
    28 December 2011 22:48
  • Hi

     

    I think you didn't go through my issue. I am repeating again: there are no layer 2, i.e. switch, problems in the domain, and I did the ipconfig from the server and the workstations

     

    Please go through my post fully

     

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    28 December 2011 22:58
  • I'm going through your posts and not seeing why you are doing a system
    restore when your symptoms are not to that point yet.
     
    Event logs - anything in there?
    Ipconfig /all from the server and workstation - what's the output?
     
    You say that you can't ping your default gateway - that points to
    something external to the server.
     
    Also can you disable symantec endpoint to test?
     
    28 December 2011 23:05
  • Agree with Susan....we need more info. Certainly an ipconfig /all from one affected client and the server.

    Also, what happens if you boot the client in safe mode with networking? Do you still face the same issue?

    Also, can you post the o/p of "arp -a" from client and server?

    29 December 2011 00:00
  • Hi

    Totally, I isolated the DC and one client PC by connecting them to a 4-port switch; in spite of that the symptom is still the same. The DC can ping the gateway and browse the internet, but the client PC, even though it gets its IP through DHCP from the DC, is not able to access the server, ping the gateway, or browse the internet.

     

    Did ipconfig, nslookup, arp -a on the DC as well as on the client PC; everything seems to be in a normal state; no abnormal activity found

     

    At last, in short, what we have in our troubleshooting process: in the event viewer at 4.001 pm today afternoon, one security policy was pushed by SBS 2011, which we found in the logs of the two member servers (Windows Server 2003), fortunately not affected by this security policy.

    Any hopeful suggestions to rectify the problem, as there is only one full day to solve this issue.

     

    Any help is greatly appreciated!


    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 29 December 2011 00:32
    29 December 2011 00:31
  • Disable antivirus.  Truly start there.
     
    Next, what exact security policy? Can you be a lot more specific about
    the exact error messages you are seeing?
     
    Can you post - not just say it's normal - but post up an ipconfig /all
    from the server and a workstation please?
     
    Last but not least is there any additional network topology not
    described here  - a software firewall perhaps?
     
    29 December 2011 00:36
  • Hi

    There is nothing specific about the security policy mentioned in the event log viewer of the servers which I stated before.

    But what we understood from it is that it was pushed by the SBS 2011 at 4.001 pm, exactly after which the next logs on those servers are related to "domain controller cannot be found...."

    We do have Microsoft ISA Firewall on one of the above-said member servers for the clients to access the internet through it

     

    Anyway, tomorrow I will update the latest.... Meantime you can advise the things to be checked in the scenario explained

     

    I have to check the client PC in safe mode with networking tomorrow and update you

     N.B: If you tell us how to roll back the security policy update from the SBS 2011, it will solve the issue, I hope!

     

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 29 December 2011 00:53
    29 December 2011 00:51
  • Can you reboot the ISA firewall box please?
     
    Can you post an ipconfig /all from the server and from the workstation?
     
    Can you post up the exact item from the event viewer please?
     
    I apologize for pushing for this, but without the exact events and
    messages, you are possibly leaving out critical information.
     
    29 December 2011 00:54
  • Hi Susan! Great suggestion for using safe mode with networking. It is working through that mode from the client PC. I haven't restarted the Microsoft firewall until now. Now how to make it work when starting from normal mode? What are the further steps to take to bring the network back to normal? Please guide and help me!
    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 29 December 2011 07:27
    29 December 2011 07:27
  • J said that not me.  Can you disable the antivirus on the clients because that's one thing that doesn't fully start in safe mode.
    29 December 2011 07:55
  • "J said that not me.  Can you disable the antivirus on the clients because that's one thing that doesn't fully start in safe mode."


    Hi Susan & Jkazama. Sorry Susan for that mistype. Thanks Jkazama for your valuable suggestion. Now the status is: when we start the client in normal mode, internet is not working; ping is not working to the default gateway and server; but when I telnet into the server it is working on ports 110 and 25. But I did not disable the antivirus on the client PC; let me try and update you

    N.B: What I suspect is something related to running startup scripts from the domain controller pushed to the clients' startup; if you help me to figure that out, our problem is solved

     

     


    Thanks & Regards S.Swaminathan Live & let others live!!!

     

     

    • Edited by TECHSHAN 29 December 2011 09:42
    29 December 2011 09:38
  • So you reset IP/Winsock on all clients? And which startup script?
    29 December 2011 13:22
  • There's no default startup script in SBS 2011.
    29 December 2011 15:33
  • Hi

    This is the place where we disabled the policies. Sorry, not the scripts, as in the gpedit Management Console


    Thanks & Regards S.Swaminathan Live & let others live!!!
    29 December 2011 20:04
  • Yes we reset all the clients ip/winsock
    Thanks & Regards S.Swaminathan Live & let others live!!!
    29 December 2011 20:13
  • That's just the normal win7 firewall policy and just ensures that the workstations have the proper domain firewall policy.

    29 December 2011 20:23
  • Are you certain that this isn't being caused by something in your ISA firewall policy?  As the symptoms are not aligning with what you had to do to fix this.

    29 December 2011 20:24
  • Hi

     

    In the figure which I posted previously, under the left pane, SBS COMPUTERS is highlighted, which has subsections for Windows 7, Vista, Windows XP & client policies; all are disabled, and only after that do the client PCs have proper connectivity in the network.

    To make sure, we re-enabled the same policies. The client PCs took a long time during the "running startup scripts" interval of the Windows XP startup and the problem reappeared.

    So the policies mentioned were disabled again, the IP/Winsock reset was run again and checked; found working.

    I am sure that there is no relation between ISA and this problem, because it has been switched off and later switched on and tested in multiple possibilities.

    Shall I continue with the disabled state of those mentioned policies, which is our temporary solution to run without problems?

     

    Any suggestions please!


    Thanks & Regards S.Swaminathan Live & let others live!!!
    29 December 2011 20:51
  • Hi,

    Which scripts did you disable? Are these machine or user based scripts located in SYSVOL that were placed there by the crew that set up the server?

    Something must have been changed as the default GPOs do _not_ cause this kind of behaviour.


    Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca
    29 December 2011 21:03
  • Those firewall policies work in every sbs 2003, 2008 and 2011 I've ever touched.  There's some other issue at play here not identified because those are default firewall policies that just work.

    Can you post up an ipconfig from the server and the workstation, and compare the IP addresses in those to what the group policy has the policies set for.

    Something else is going on in this network.

    29 December 2011 21:03
  • Hi

     

    I disabled only the policies; no scripts were disabled, since there are no scripts for the clients; only the section SBS COMPUTERS in the left pane, as mentioned in the figure posted previously.


    Thanks & Regards S.Swaminathan Live & let others live!!!

    • Edited by TECHSHAN 29 December 2011 21:19
    29 December 2011 21:12
  • Hi

     

    Yesterday, when I was going through the log.txt created by netsh ip reset, I found the text below

     

    RESET IP LOG.TXT, posted below, where I found some bad Teefer entries:

    reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
                old REG_MULTI_SZ =
                    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                    SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

    reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{0A63F86A-A13E-4288-8FDE-79EE7D6A7191}\NameServerList
                old REG_MULTI_SZ =
                    <empty>

    added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{0A63F86A-A13E-4288-8FDE-79EE7D6A7191}\NetbiosOptions
    reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{28F3AAE3-05C2-4598-8921-9E7E78ECAF7C}\NameServerList
                old REG_MULTI_SZ =
                    <empty>

    added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{28F3AAE3-05C2-4598-8921-9E7E78ECAF7C}\NetbiosOptions
    added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{A58677AE-4ECA-40C5-9CDA-049DEE3A6E75}\NetbiosOptions
    reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{AB5336C2-2C53-414C-9A25-782E6515653F}\NameServerList
                old REG_MULTI_SZ =
                    192.168.0.60

    reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{AB5336C2-2C53-414C-9A25-782E6515653F}\NetbiosOptions
                old REG_DWORD = 1

    added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{CDC8321A-448E-4A0E-8EAB-1F9125559C2B}\NetbiosOptions
    deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A63F86A-A13E-4288-8FDE-79EE7D6A7191}\NameServer
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28F3AAE3-05C2-4598-8921-9E7E78ECAF7C}\NameServer
    added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\DisableDynamicUpdate
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\IpAutoconfigurationAddress
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\IpAutoconfigurationMask
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\IpAutoconfigurationSeed
    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\RawIpAllowedProtocols
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\TcpAllowedPorts
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA2643BC-DDCC-46B9-93F5-21D7F64EC884}\UdpAllowedPorts
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\DefaultGateway
                old REG_MULTI_SZ =
                    192.168.0.5

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\DefaultGatewayMetric
                old REG_MULTI_SZ =
                    0

    added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\DisableDynamicUpdate
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\IpAutoconfigurationAddress
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\IpAutoconfigurationMask
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\IpAutoconfigurationSeed
    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\NameServer
                old REG_SZ = 192.168.0.60,212.72.1.186

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\RawIpAllowedProtocols
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\TcpAllowedPorts
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AB5336C2-2C53-414C-9A25-782E6515653F}\UdpAllowedPorts
                old REG_MULTI_SZ =
                    0

    added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\DisableDynamicUpdate
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\IpAutoconfigurationAddress
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\IpAutoconfigurationMask
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\IpAutoconfigurationSeed
    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\RawIpAllowedProtocols
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\TcpAllowedPorts
                old REG_MULTI_SZ =
                    0

    reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4803F80-4C38-4A61-9B89-F21F4CD5DABB}\UdpAllowedPorts
                old REG_MULTI_SZ =
                    0

    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
    reset   Linkage\UpperBind for ROOT\NET\0000.  bad value was:
                REG_MULTI_SZ =
                    Teefer2

    reset   Linkage\UpperBind for USB\VID_12D1&PID_140C&MI_01\6&1586A1FD&0&0001.  bad value was:
                REG_MULTI_SZ =
                    Teefer2

    reset   Linkage\UpperBind for PCI\VEN_8086&DEV_1094&SUBSYS_00018086&REV_01\4&1E46F438&0&40F0.  bad value was:
                REG_MULTI_SZ =
                    Teefer2

    reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
                REG_MULTI_SZ =
                    Teefer2

    <completed>


     

    Is the bad Teefer causing this issue?


    Thanks & Regards S.Swaminathan Live & let others live!!!
    1 January 2012 07:16
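The question above is whether the "bad value" UpperBind entries in that log matter. As an added example (not code from the thread), here is a small Python parser for the log.txt format that `netsh int ip reset` writes, run over a constructed sample that mirrors the poster's entries (the interface GUID is a placeholder), so the reset/added/deleted changes and the driver names in bad UpperBind bindings can be pulled out of a long log, one run per `<completed>` marker, instead of being read by eye.

```python
"""Parse the log.txt written by `netsh int ip reset log.txt` and report the
registry changes it made plus any Linkage UpperBind entries it flagged as a
"bad value" (in the thread above, the SEP firewall driver Teefer2).

Added example, not from the thread. SAMPLE_LOG is constructed from the entry
shapes in the poster's log; {IFACE-GUID-PLACEHOLDER} stands in for a real GUID.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "reset   <key>", "added   <key>", "deleted <key>"
ACTION_RE = re.compile(r"^(reset|added|deleted)\s+(.*?)\s*$")
# "reset   Linkage\UpperBind for <device instance path>.  bad value was:"
BAD_RE = re.compile(r"^reset\s+Linkage\\UpperBind for (.+?)\.\s+bad value was:\s*$")
# "old REG_MULTI_SZ =" / "old REG_SZ = value" / "REG_MULTI_SZ ="
TYPE_RE = re.compile(r"^(?:old\s+)?(REG_\w+)\s*=\s*(.*)$")


@dataclass
class Entry:
    action: str                      # reset | added | deleted
    key: str                         # registry key, or "Linkage\UpperBind for <device>"
    reg_type: Optional[str] = None   # REG_SZ, REG_MULTI_SZ, REG_DWORD ...
    old_values: List[str] = field(default_factory=list)
    bad_value: bool = False          # True for the UpperBind "bad value was:" entries


def parse_reset_log(text: str) -> List[List[Entry]]:
    """Split the log into runs (each run ends with <completed>) and parse each."""
    runs: List[List[Entry]] = [[]]
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the value block
            continue
        if line == "<completed>":
            runs.append([])         # netsh appends one block per reset run
            current = None
            continue
        bad = BAD_RE.match(line)
        if bad:
            current = Entry("reset", "Linkage\\UpperBind for " + bad.group(1), bad_value=True)
            runs[-1].append(current)
            continue
        act = ACTION_RE.match(line)
        if act:
            current = Entry(act.group(1), act.group(2))
            runs[-1].append(current)
            continue
        typ = TYPE_RE.match(line)
        if typ and current is not None:
            current.reg_type = typ.group(1)
            if typ.group(2):        # REG_SZ / REG_DWORD keep the value on the same line
                current.old_values.append(typ.group(2))
            continue
        if current is not None and line != "<empty>":
            current.old_values.append(line)   # one REG_MULTI_SZ element per line
    return [run for run in runs if run]


def bad_bindings(entries: List[Entry]) -> List[Tuple[str, Tuple[str, ...]]]:
    """(device instance path, drivers that were bound above it) for each bad UpperBind."""
    return [(e.key.split(" for ", 1)[1], tuple(e.old_values)) for e in entries if e.bad_value]


def drivers_in_bad_bindings(entries: List[Entry]) -> List[str]:
    """Distinct driver names netsh flagged, e.g. the SEP firewall's Teefer2."""
    return sorted({v for e in entries if e.bad_value for v in e.old_values})


def action_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many keys were reset / added / deleted in one run."""
    return dict(Counter(e.action for e in entries))


SAMPLE_LOG = r"""
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID-PLACEHOLDER}\DefaultGateway
            old REG_MULTI_SZ =
                192.168.0.5

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID-PLACEHOLDER}\NameServer
            old REG_SZ = 192.168.0.60,212.72.1.186

reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{IFACE-GUID-PLACEHOLDER}\NameServerList
            old REG_MULTI_SZ =
                <empty>

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID-PLACEHOLDER}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
reset   Linkage\UpperBind for ROOT\NET\0000.  bad value was:
            REG_MULTI_SZ =
                Teefer2

reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                Teefer2

<completed>
"""

if __name__ == "__main__":
    for n, run in enumerate(parse_reset_log(SAMPLE_LOG), 1):
        print(f"run {n}: {action_counts(run)}")
        for device, drivers in bad_bindings(run):
            print(f"  bad UpperBind on {device}: {', '.join(drivers)}")
```

A binding flagged here tells you which third-party filter driver sat above the adapter before the reset; it does not by itself say the driver was at fault, which is why the thread goes on to check the SEP client rather than treat Teefer2 as malware.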
  • Search the net for the following:  "REG_MULTI_SZ =teefer2"

    Would appear to be a virus/trojan.


    Larry Struckmeyer[SBS-MVP]
    1 January 2012 13:49
  • Hi

     

    Teefer2 is not a virus or trojan.

     

    As a Symantec employee explains at http://www.symantec.com/connect/forums/teefer2-miniport

    I understood that:

    The Teefer driver is responsible for capturing all network traffic entering or leaving a particular interface (via the associated miniport driver), so that the packets may be passed to the personal firewall component of the SEP 11.0 client for analysis.

     

    Right now our domain is running under a temporary solution by disabling the policies I have already mentioned in this post; I need a permanent solution, which I hope anybody in the Microsoft forum will provide!

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    2 January 2012 06:36
  • Hi,

    Please do _not_ run an A/V product on the server that has any sort of firewall component built-in. This is a recipe for disaster.

    We had _lots_ of grief with the SEP A/V client and firewall component when we installed on SBS 08 so we stopped. Planning and deploying the firewall policies on a server was difficult enough for the newly minted Windows Firewall with Advanced Security without throwing in the additional complications that the SEP Firewall Policies had.

     


    Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca
    2 January 2012 06:43
  • Hi Philip

     

    What is your opinion on this issue which I am facing right now in the domain, temporarily solved.............

     

    But in our case the setup has been running without any problem for the past 6 months in the existing scenario, where on our SBS 2011 DC Symantec Endpoint Protection is loaded in self-managed mode; not managed by the Symantec Endpoint server in our office.

     

    How to troubleshoot this issue, because I cannot disturb the running environment by re-enabling the policies without knowing the method to revert back to normal after re-enabling the default policies which were normally running for the past 6 months.

    If I apply the policies again on the DC and it is not working, I have to do the reset procedure of IP & Winsock for all the clients, approximately 50-60 in number.

    Please help me to bring my network back in order!


    Thanks & Regards S.Swaminathan Live & let others live!!!
    2 January 2012 07:22
  • You can check following KB for AV recommendations:

    http://support.microsoft.com/kb/822158

     

    However I would suggest, first and foremost, disabling [preferably removing] the AV.

    I have checked these policies on a test machine and predominantly it is all firewall settings that are being pushed to the client.

    Either there has been customization in the policies or it is not hitting/getting processed on the client correctly.

    Enable the policy again and then run the following on the client:

    rsop.msc [check for errors and a bang on user/computer config]

    gpresult /z

     

    Also track any errors in group policy processing:

    http://social.technet.microsoft.com/Forums/en/winserverGP/thread/a9b36648-aa9f-4ff7-b23f-c1123b7984e9

     

    Again, as Philip has also said, it's most likely an issue with the AV which is causing interruption in the normal flow of settings and their application. The best option would be to remove it and test.


    • Edited by Jkazama 2 January 2012 07:34
    2 January 2012 07:26
  • seems simple to me. Run SEP in managed mode (the way it was designed) and either properly configure SEP Firewall Exceptions or revert to using the Windows Firewall.

    If you don't want to manage it, why did you install it?

    2 January 2012 07:29
  • Hi SuperGumby

     

    Can you suggest to me the way to re-enable the disabled policies? Why does this problem reappear when I enabled them one time and checked the client PCs?

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    2 January 2012 09:09
  • Hi Jkazama

     

    Thank you for your suggestion and I will check it


    Thanks & Regards S.Swaminathan Live & let others live!!!
    2 January 2012 09:10
  • Hi 

     

    If I enable the policy again on the DC and the same problem reappears on the clients, how do I recover from that condition without disturbing the client PCs? Because once this problem of connectivity appears, I have to go to each client PC and reset the IP & Winsock catalog, and before doing the resetting, I have to disable the policies on the DC mentioned in my problem. Also, on PCs behind the ISA I have to repair the ISA client program.

    So please advise me how to safely re-enable, and if it is not working, how to proceed next!

     

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 2 January 2012 14:40
    2 January 2012 14:38
  • If you have access to a vanilla SBS 2011 install, export the GPOs and import into your problematic server. Or do a side-by-side comparison of the settings between the two to see what was changed.

    Remove the SEP client from SBS 2011. A reboot may be required and further clean-up may be required using Symantec's clean-up utility.

    Use the native Windows firewall for your needs. It is controlled by the GPOs in question with SEP possibly conflicting with the Windows firewall. Is it off?

     


    Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca
    2 January 2012 22:11
  • Hi Philip & Jkazama

     

    Thanks for your valuable suggestions; I will do the steps you advised me in the off-production hours and update you

     

     


    Thanks & Regards S.Swaminathan Live & let others live!!!
    3 January 2012 04:52
  • Hi

    It is found that the Windows Firewall is on in the SBS 2011, and when I checked inside Control Panel > Firewall settings, I found that "These settings are being managed by vendor application Symantec Endpoint Protection."

     

    I found this when, according to Philip's comment, I was checking the firewall status:

    "Use the native Windows firewall for your needs. It is controlled by the GPOs in question with SEP possibly conflicting with the Windows firewall. Is it off?"


    Thanks & Regards S.Swaminathan Live & let others live!!!
    3 January 2012 08:31
  • What's the present status?

    What happens if you stop the profile for Windows Firewall on both the client [Windows 7] and the server?

    netsh advfirewall set allprofiles state off

    4 January 2012 06:43
  • Hi Jkazama

    On one Windows 7 client PC, first I executed netsh advfirewall set allprofiles state on instead of off, and I got the result OK.

    Then I gave the same command with the off switch; the result was OK for that also.

    What does this mean?

    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 4 January 2012 08:26
    4 January 2012 08:25
  • This means that the firewall is turned off or on depending on what you typed; the output is always OK.

    You need to disable [turn off] the firewall and then reapply the GPO and test [as I explained in my earlier posts].

    • Edited by Jkazama 4 January 2012 09:06
    4 January 2012 09:04
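The test sequence Jkazama describes in the two posts above (record the firewall profile state, switch the Windows Firewall off, reapply the GPO, test), together with the per-client IP/Winsock reset the original poster had to repeat by hand, as an added example that is not code from the thread or from either participant. It wraps only in-box tools (netsh, gpupdate, gpresult, WMI) so it runs under the PowerShell 2.0 shipped with Windows 7 and SBS 2011. The root\SecurityCenter2 query is how a script sees the "managed by vendor application" state on Windows 7; it is absent on server SKUs and the example tolerates that. The "Teefer2" driver name comes from a later post in the thread; the DC name and log path are placeholders.

```powershell
# Added example, not from the original thread. Assumes an elevated
# PowerShell 2.0+ prompt on a Windows 7 client or the SBS 2011 server and
# only in-box tools. "Teefer2" is the SEP network filter driver named later
# in the thread; the reset log path and DC name are placeholders.

# Parse "netsh advfirewall show allprofiles state" into profile -> ON/OFF
# so the state can be recorded before and after the GPO is re-applied.
function Get-FirewallProfileState {
    $state = @{}
    $profile = $null
    foreach ($line in (& netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $matches[1]; continue }
        if ($profile -and $line -match '^State\s+(\w+)') { $state[$profile] = $matches[1] }
    }
    return $state
}

# Windows 7 registers third-party firewalls in root\SecurityCenter2; this is
# the scriptable form of the Control Panel notice the poster saw. The
# namespace does not exist on Server 2008 R2, so the failure is tolerated.
function Get-ThirdPartyFirewall {
    try {
        Get-WmiObject -Namespace root\SecurityCenter2 -Class FirewallProduct -ErrorAction Stop |
            Select-Object displayName, productState, pathToSignedProductExe
    } catch {
        Write-Warning "root\SecurityCenter2 not available on this OS (server SKU?): $_"
    }
}

# Is the SEP network filter driver still loaded? Its removal is the point at
# which connectivity returned on the laptop described in the thread.
function Get-NetworkFilterDriver {
    param([string]$Name = 'Teefer2')
    Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, PathName
}

# Jkazama's step: switch the Windows Firewall off (or back on) for all
# profiles, then return the parsed state so the change can be verified.
function Set-FirewallAllProfiles {
    param([ValidateSet('on', 'off')][string]$State)
    & netsh advfirewall set allprofiles state $State | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall failed with exit code $LASTEXITCODE" }
    Get-FirewallProfileState
}

# Re-apply Group Policy and capture gpresult; the thread reports
# "generic failure" from gpresult while the fault was present.
function Test-GroupPolicyRefresh {
    & gpupdate /force | Out-Null
    $report = & gpresult /r /scope:computer 2>&1
    New-Object PSObject -Property @{
        GpresultExitCode = $LASTEXITCODE
        GpresultOutput   = $report
    }
}

# The per-client recovery the poster repeated by hand: reset the Winsock
# catalog and the IP stack, then reboot. -WhatIf shows what would run.
function Reset-ClientNetworkStack {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$LogPath = "$env:TEMP\ipreset.log")
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'netsh winsock reset; netsh int ip reset')) {
        & netsh winsock reset
        & netsh int ip reset $LogPath
        Write-Warning 'A reboot is required for the reset to take effect.'
    }
}

# Usage: record the state, switch the firewall off, re-apply policy, re-test.
# $before = Get-FirewallProfileState
# Get-ThirdPartyFirewall; Get-NetworkFilterDriver
# Set-FirewallAllProfiles -State off
# Test-GroupPolicyRefresh
# Test-Connection -ComputerName sbs2011 -Count 2      # placeholder DC name
# Reset-ClientNetworkStack -WhatIf
```

Run Get-FirewallProfileState and Get-NetworkFilterDriver both before and after the GPO is re-applied: if the policy re-enable drops connectivity while the Windows Firewall profiles read OFF and Teefer2 is Running, the third-party filter driver is the component in the path, which is what the later posts in the thread found.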
  • Hi Jkazama, Susan & all

    Now I remember the suggestion made by Susan previously:

    * Those firewall policies work in every SBS 2003, 2008 and 2011 I've ever touched. There's some other issue at play here not identified, because those are default firewall policies that just work.

    Can you post up an ipconfig from the server and the workstation, and compare the IP addresses in those to what the group policy has the policies set for.

    Something else is going on in this network.

    Susan, one question: what effect does disabling the policies mentioned in this issue have on this problem (I mean the network starts working normally), and why, when the policy was enabled by default at the time of troubleshooting two weeks before, did the same problem occur (I mean the network came to a halt)?

    The network is still running in the disabled-policy state. We don't have off-production hours; that is the reason.

    Yesterday one of our laptop domain users, who is not stationed in the office, came in, and when he tried to connect to the domain as usual the same symptom appeared: his laptop startup became very slow while running the startup scripts of his domain login, and once he logged in, the same "Request timed out" occurred when I tried to ping any host in the network.

    Since I suspected Symantec Endpoint Protection, I used Symantec's CleanWipe utility to remove it. During the removal process many stages run in sequence, and in the stage where teefer2.sys is removed I suddenly noticed that connectivity came back between the laptop and the DC, which gave me some hints about the cause.

    Then it kept working without the antivirus; when I tried to install it again the connectivity was lost, and when I did the reset of IP & Winsock it came back.

    Any idea?

    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 10 January 2012 19:32
    10 January 2012 19:30
  • "If it's only a question of the problem with resetting the IP stack/Winsock, then you can turn off all workstations but one. Then carry out the test; if the issue does reoccur, then simply disable the policies. Since all the other workstations were turned off, the policy would never hit those and you should not be required to reset anything on them. Of course this would have to be attempted in off-production hours, but you need to carry out the diagnosis, for which enabling the policy again is required."

    Hi Jkazama, Susan Bradley, Supergumby, Philip Elder, Larry Struckmeyer & others!

    At last a month-long crisis was solved by following Jkazama's steps: enabling the disabled policies during the off-production hours of yesterday's holiday, separating the server from the rest of the network, applying the Jkazama solution and testing.

    Found working fine, so we brought the server back into the working environment and everything works fine.

    Thanks for all of your technical support.

    Thanks & Regards S.Swaminathan Live & let others live!!!
    • Edited by TECHSHAN 3 February 2012 16:17
    3 February 2012 16:15