Sudden loss of connectivity in our SBS 2011 domain in our company!!!
-
28 December 2011 17:47
Hi
In our company we have one Windows SBS 2011 domain controller and around 50 PCs with Windows XP Professional SP3 and some laptops with Windows 7 Professional SP2. Antivirus is Symantec Endpoint Protection, loaded on a separate PC made into a server, and all are configured; everything was working perfectly until this afternoon.
All of a sudden a lot of calls started coming to the IT room complaining about the loss of connection between the DC and the clients. My colleague and I checked the PCs in our IT room and started to troubleshoot from our own PCs, since we had also lost connectivity.
* Ping not working from any PC to the DC
* Ping not working to the default gateway from the PCs that lost connection
* Layer 2 connectivity is confirmed OK by booting my PC from a live boot CD, from which ping works to the DC and gateway; I opted for the live boot CD since I had rebooted my PC and the DC a couple of times with no effect
* The default gateway, which is our ADSL router's LAN IP, pings from the DC, and the internet is working there
* The DC's antivirus, Symantec Endpoint Protection, is standalone and not in sync with the Symantec server, and a client PC loaded with Kaspersky antivirus is also having the same problem, so the Symantec Endpoint Protection server possibility can be ruled out.
* Restarted the DC and chose Last Known Good Configuration as well; same symptom
* Found one Windows Server 2003 machine, loaded as a member server in the domain, still working: it pings the DC and can access the folders on the DC. Afraid to restart it and check, since a Windows XP PC lost connectivity after restarting
N.B.: All the clients are getting their IP from DHCP on the DC
When pinging, "Request timed out" is the result, and gpresult on the client PCs gives "generic failure"
Please suggest any solutions; I am now going to check again in our office in a couple of hours, after supper
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 28 December 2011 17:50
All replies
-
28 December 2011 21:17 Moderator
-
28 December 2011 21:19 Moderator
I suggest you download and run the SBS BPA and fix anything it finds, assuming the SBS itself has internet access. If it does not, you may just have a bad NIC.
Have you run the 'Fix my network' wizard?
Larry Struckmeyer[SBS-MVP] -
28 December 2011 22:12
Hi. Thank you for your prompt reply. As I said already, there is no problem with internet access from the server itself. But we did not run the SBS BPA; sorry, we didn't think about that. Now we are doing a restore of the system state taken before, after confirming that only the clients joined to our domain are having this problem. Standalone PCs don't have any problem at all.
Any suggestions please?
N.B: THE SYSTEM RESTORE PROCESS IS ON THE WAY. I WILL UPDATE SOON
Thanks & Regards S.Swaminathan Live & let others live!!! -
28 December 2011 22:35
Hi
The system state restored completed successfully but same symptom
Please help me to solve this issue!
Thanks & Regards S.Swaminathan Live & let others live!!! -
28 December 2011 22:48 Moderator
-
28 December 2011 22:58
Hi
I think you didn't go through my issue. I am repeating again: there are no layer 2, i.e. switch, problems in the domain, and we did the ipconfig from the server and the workstations.
Please go through my post fully
Thanks & Regards S.Swaminathan Live & let others live!!! -
28 December 2011 23:05 Moderator
I'm going through your posts and not seeing why you are doing a system restore when your symptoms are not to that point yet.
Event logs - anything in there?
Ipconfig /all from the server and workstation - what's the output?
You say that you can't ping your default gateway - that points to something external to the server.
Also can you disable Symantec Endpoint to test?
-
29 December 2011 00:00
Agree with Susan... we need more info. Certainly an ipconfig /all from one affected client and server.
Also, what happens if you boot the client in safe mode with networking? Do you still face the same issue?
Also can you post the o/p of "arp -a" from client and server?
-
29 December 2011 00:31
Hi
I totally isolated the DC and one client PC by connecting them to a 4-port switch; in spite of that, the symptom is still the same. The DC can ping the gateway and browse the internet, but the client PC, even though it gets its IP through DHCP from the DC, is not able to access the server, ping the gateway or browse the internet.
Did ipconfig, nslookup and arp -a on the DC as well as on the client PC; everything seems to be in a normal state; no abnormal activity found
At last, in short, what we found in the event viewer during our troubleshooting is that at 4.001 pm this afternoon one security policy was pushed by SBS 2011; we found the logs on the two member servers (Windows Server 2003), which fortunately were not affected by this security policy.
Any hopeful suggestions to rectify the problem, as there is only one full day to solve this issue?
Any help is greatly appreciated!
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 29 December 2011 00:32
-
29 December 2011 00:36 Moderator
Disable antivirus. Truly start there.
Next, what exact security policy? Can you be a lot more specific about the exact error messages you are seeing?
Can you post - not just say it's normal - but post up an ipconfig /all from the server and a workstation please?
Last but not least, is there any additional network topology not described here - a software firewall perhaps?
-
29 December 2011 00:51
Hi
There is nothing specific about the security policy mentioned in the event log viewer of the servers which I stated before.
But what we understood from it is that it was pushed by the SBS 2011 at 4.001 pm exactly, after which the next log entries on those servers are related to "domain controller cannot be found...."
We do have Microsoft ISA Firewall on one of the above-mentioned member servers for the clients to access the internet through it
Anyway, tomorrow I will update with the latest... Meantime you can advise which checks should be done in the scenario explained
I have to check the client PC in safe mode with networking tomorrow and update you
N.B: If you tell us how to roll back the security policy update from the SBS 2011, it will solve the issue, I hope!
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 29 December 2011 00:53
-
29 December 2011 00:54 Moderator
Can you reboot the ISA firewall box please?
Can you post an ipconfig /all from the server and from the workstation?
Can you post up the exact item from the event viewer please?
I apologize for pushing for this, but without the exact events and messages, you are possibly leaving out critical information.
-
29 December 2011 07:27
Hi Susan! Great suggestion for using safe mode with networking. It is working through that mode from the client PC. I haven't restarted the Microsoft firewall until now. Now how do we make it work when starting in normal mode? What are the further steps to take to bring the network back to normal? Please guide and help me!
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 29 December 2011 07:27
-
29 December 2011 07:55 Moderator
J said that, not me. Can you disable the antivirus on the clients, because that's one thing that doesn't fully start in safe mode.
-
29 December 2011 09:38
J said that, not me. Can you disable the antivirus on the clients, because that's one thing that doesn't fully start in safe mode.
Hi Susan & Jkazama
Sorry Susan for that mistype. Thanks Jkazama for your valuable suggestion. Now the status is that when we start the client in normal mode, the internet is not working and ping is not working to the default gateway and server; but when I telnet into the server it is working on ports 110 and 25. But I did not disable the antivirus on the client PC; let me try and update you.
N.B: What I suspect is something related to running startup scripts from the domain controller pushed to the clients at startup; if you help me to figure that out, our problem is solved
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 29 December 2011 09:42
-
29 December 2011 12:16
Hi Susan, Jkazama & Larry
Thank you very much for your support!
We solved the problem by disabling the startup scripts from SBS 2011 and resetting the IP and Winsock catalog through netsh on the client PCs
Thanks & Regards S.Swaminathan Live & let others live!!! -
29 December 2011 13:22
So you reset ip/winsock on all clients? And which startup script?
-
29 December 2011 15:33 Moderator
There's no default startup script in SBS 2011.
-
29 December 2011 20:04
Hi
This is the place where we disabled the policies. Sorry, not the scripts, as in the gpedit management console
Thanks & Regards S.Swaminathan Live & let others live!!! -
29 December 2011 20:13
Yes, we reset ip/winsock on all the clients
Thanks & Regards S.Swaminathan Live & let others live!!! -
29 December 2011 20:23 Moderator
That's just the normal win7 firewall policy and just ensures that the workstations have the proper domain firewall policy.
-
29 December 2011 20:24 Moderator
Are you certain that this isn't being caused by something in your ISA firewall policy? As the symptoms are not aligning with what you had to do to fix this.
-
29 December 2011 20:51
Hi
In the figure which I posted previously, SBS COMPUTERS is highlighted in the left pane; it has subsections for Windows 7, Vista, Windows XP & client policies. All are disabled, and only after that did the client PCs have proper connectivity in the network.
To make sure, we re-enabled the same policies. The client PCs took a long time during the "running startup scripts" interval of the Windows XP startup, and the problem reappeared.
So the policies mentioned were again disabled, the ip/winsock reset was run again and checked; found working.
I am sure that there is no relation between ISA and this problem, because it has been switched off and later switched on and tested in multiple possibilities.
Shall I continue with those policies in the disabled state? That is our temporary solution to run without problems
Any suggestions please!
Thanks & Regards S.Swaminathan Live & let others live!!! -
29 December 2011 21:03 Moderator
Hi,
Which scripts did you disable? Are these machine or user based scripts located in SYSVOL that were placed there by the crew that set up the server?
Something must have been changed as the default GPOs do _not_ cause this kind of behaviour.
Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca -
29 December 2011 21:03 Moderator
Those firewall policies work in every sbs 2003, 2008 and 2011 I've ever touched. There's some other issue at play here not identified because those are default firewall policies that just work.
Can you post up an ipconfig from the server and the workstation, and compare the IP addresses in those to what the group policy has the policies set for.
Something else is going on in this network.
-
29 December 2011 21:12
Hi
I disabled only the policies; no scripts were disabled since there are no scripts for the clients; only the section SBS COMPUTERS in the left pane, as mentioned in the figure posted previously.
Thanks & Regards
S.Swaminathan
Live & let others live!!!
-
1 January 2012 07:16
Hi
Yesterday when I was going through the log.txt created by netsh ip reset, I found the below text
RESET IP LOG.TXT posted below, where I found some bad teefer
Is Bad teefer causing this issue?
Thanks & Regards S.Swaminathan Live & let others live!!! -
1 January 2012 13:49 Moderator
Search the net for the following: "REG_MULTI_SZ =teefer2"
Would appear to be a virus/trojan.
Larry Struckmeyer[SBS-MVP] -
2 January 2012 06:36
Hi
Teefer2 is not a virus or trojan.
As a Symantec employee explains at http://www.symantec.com/connect/forums/teefer2-miniport
I understood that:
The Teefer driver is responsible for capturing all network traffic entering or leaving a particular interface (via the associated miniport driver), so that the packets may be passed to the personal firewall component of the SEP 11.0 client for analysis
Right now our domain is running under a temporary solution, by disabling the policies I have already mentioned in this post; I need a permanent solution, which anybody in the MICROSOFT FORUM will provide!
Thanks & Regards S.Swaminathan Live & let others live!!! -
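Added example (not part of the thread, and not Microsoft or Symantec code): a small parser for a log written by `netsh int ip reset` that lists which driver names the reset removed from adapter `Linkage\UpperBind` values, the "bad value was" records the post above asks about. The sample log is constructed, with a placeholder GUID and address, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records of a `netsh int ip reset` log.
# The GUID and address are placeholders; the second run is run together on
# purpose, the way pasted logs often arrive, to exercise normalise().
SAMPLE_LOG = r"""
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\DefaultGateway
            old REG_MULTI_SZ =
                192.0.2.1
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
reset   Linkage\UpperBind for ROOT\NET\0000. bad value was:
            REG_MULTI_SZ =
                Teefer2
reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
            REG_MULTI_SZ =
                Teefer2
<completed>
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
reset Linkage\UpperBind for ROOT\NET\0000. bad value was:
REG_MULTI_SZ =
Teefer2reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
Teefer2<completed>
"""

# A record starts with an action word followed by a registry-style target.
RECORD_START = re.compile(r"(?=(?:reset|added|deleted)\s+(?:SYSTEM|Linkage)\\)")
HEADER = re.compile(r"^(reset|added|deleted)\s+(.+)$")
OLD_TYPE = re.compile(r"^(?:old\s+)?(REG_\w+)\s*=\s*(.*)$")
UPPER_BIND = re.compile(r"^Linkage\\UpperBind for (.+)\. bad value was:$")


def normalise(text):
    """Split records that were fused onto one line; return non-empty lines."""
    text = RECORD_START.sub("\n", text)
    text = text.replace("<completed>", "\n<completed>\n")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_reset_log(text):
    """Return a list of runs; each run is a list of record dicts."""
    runs, current, record = [], [], None
    for line in normalise(text):
        if line == "<completed>":            # end of one netsh run
            runs.append(current)
            current, record = [], None
            continue
        m = HEADER.match(line)
        if m:
            record = {"action": m.group(1), "target": m.group(2),
                      "type": None, "old": []}
            current.append(record)
            continue
        if record is None:                   # stray text before any record
            continue
        m = OLD_TYPE.match(line)
        if m:                                # "old REG_SZ = value" or "REG_MULTI_SZ ="
            record["type"] = m.group(1)
            if m.group(2):
                record["old"].append(m.group(2))
        elif line != "<empty>":              # a value line of a multi-string
            record["old"].append(line)
    if current:                              # log cut off before <completed>
        runs.append(current)
    return runs


def upper_bind_resets(runs):
    """Per run: {driver name: [device instance IDs it was bound above]}."""
    out = []
    for run in runs:
        found = defaultdict(list)
        for rec in run:
            m = UPPER_BIND.match(rec["target"])
            if rec["action"] == "reset" and m:
                for driver in rec["old"]:
                    found[driver].append(m.group(1))
        out.append(dict(found))
    return out


def recurring(per_run):
    """(driver, device) pairs that were unbound in more than one run."""
    seen = defaultdict(int)
    for run in per_run:
        for driver, devices in run.items():
            for dev in set(devices):
                seen[(driver, dev)] += 1
    return sorted(pair for pair, n in seen.items() if n > 1)


if __name__ == "__main__":
    per_run = upper_bind_resets(parse_reset_log(SAMPLE_LOG))
    for i, found in enumerate(per_run, 1):
        for driver, devices in found.items():
            print(f"run {i}: {driver} was bound above {len(devices)} adapter(s)")
    for driver, device in recurring(per_run):
        print(f"unbound in more than one run: {driver} on {device}")
```

If the runs in one log come from the same machine, a pair reported by `recurring()` means the driver was bound to that adapter again after an earlier reset had removed it.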
2 January 2012 06:43 Moderator
Hi,
Please do _not_ run an A/V product on the server that has any sort of firewall component built-in. This is a recipe for disaster.
We had _lots_ of grief with the SEP A/V client and firewall component when we installed on SBS 08 so we stopped. Planning and deploying the firewall policies on a server was difficult enough for the newly minted Windows Firewall with Advanced Security without throwing in the additional complications that the SEP Firewall Policies had.
Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca -
2 January 2012 07:22
Hi Philip
What is your opinion on this issue which I am facing right now in the domain, temporarily solved.............
But in our case the setup has been running without any problem for the past 6 months in the existing scenario, where on our SBS 2011 DC Symantec Endpoint Protection is loaded in self-managed mode, not managed by the Symantec Endpoint server in our office.
How do I troubleshoot this issue? I cannot disturb the running environment by re-enabling the policies without knowing how to revert to normal after re-enabling the default policies, which were running normally for the past 6 months.
If I apply the policies again on the DC and it does not work, I have to do the reset procedure of IP & Winsock for all the clients, approximately 50-60 in number.
Please help me to bring my network back in order!
Thanks & Regards S.Swaminathan Live & let others live!!! -
2 January 2012 07:26
You can check the following KB for AV recommendations:
http://support.microsoft.com/kb/822158
However, I would suggest first and foremost disabling [preferably removing] the AV.
I have checked these policies on a test machine and predominantly it's all firewall settings that are being pushed to the client.
Either there has been customization in the policies or it is not hitting/getting processed on the client correctly.
Enable the policy again and then run the following on the client:
rsop.msc [check for errors and a bang on user/comp config]
gpmc /z
Also track any errors in group policy processing:
Again, as Philip has also said, it's most likely an issue with the AV which is causing interruption in the normal flow of settings and their application. The best option would be to remove it and test.
- Edited by Jkazama 2 January 2012 07:34
-
2 January 2012 07:29
Seems simple to me. Run SEP in managed mode (the way it was designed) and either properly configure SEP Firewall Exceptions or revert to using the Windows Firewall.
If you don't want to manage it, why did you install it?
-
2 January 2012 09:09
Seems simple to me. Run SEP in managed mode (the way it was designed) and either properly configure SEP Firewall Exceptions or revert to using the Windows Firewall.
If you don't want to manage it, why did you install it?
Hi SuperGumby
Can you suggest to me the way to re-enable the disabled policies? Why did this problem reappear when I enabled them one time and checked the client PCs?
Thanks & Regards S.Swaminathan Live & let others live!!! -
2 January 2012 09:10
You can check the following KB for AV recommendations:
http://support.microsoft.com/kb/822158
However, I would suggest first and foremost disabling [preferably removing] the AV.
I have checked these policies on a test machine and predominantly it's all firewall settings that are being pushed to the client.
Either there has been customization in the policies or it is not hitting/getting processed on the client correctly.
Enable the policy again and then run the following on the client:
rsop.msc [check for errors and a bang on user/comp config]
gpmc /z
Also track any errors in group policy processing:
Again, as Philip has also said, it's most likely an issue with the AV which is causing interruption in the normal flow of settings and their application. The best option would be to remove it and test.
Hi Jkazama
Thank you for your suggestion and I will check it
Thanks & Regards S.Swaminathan Live & let others live!!! -
2 January 2012 14:38
Hi
If I enable the policy again on the DC and the same problem reappears on the clients, how do I recover from that condition without disturbing the client PCs? Because once this connectivity problem appears, I have to go to each client PC and reset the IP & Winsock catalog; before doing the reset, I have to disable the policies on the DC mentioned in my problem. Also, on PCs behind the ISA I have to repair the ISA client program.
So please advise me how to safely re-enable them and, if that does not work, how to proceed next!
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 2 January 2012 14:40
-
2 January 2012 22:11 Moderator
If you have access to a vanilla SBS 2011 install, export the GPOs and import them into your problematic server. Or do a side-by-side comparison of the settings between the two to see what was changed.
Remove the SEP client from SBS 2011. A reboot may be required and further clean-up may be required using Symantec's clean-up utility.
Use the native Windows firewall for your needs. It is controlled by the GPOs in question with SEP possibly conflicting with the Windows firewall. Is it off?
Philip Elder SBS MVP Blog: http://blog.mpecsinc.ca -
3 January 2012 04:12
If it's only a question of the problem with resetting the IP stack/Winsock, then you can turn off all workstations but 1. Then carry out the test; if the issue does reoccur, then simply disable the policies. Since all other workstations were turned off, the policy would never hit those and you should not be required to reset anything on them. Of course this would have to be attempted in off-production hours, but you need to carry out diagnosis, for which enabling the policy again is required.
- Marked as answer by TECHSHAN 3 February 2012 16:29
-
3 January 2012 04:52
Hi Philips & Jkazama
Thanks for your valuable suggestions. I will do the steps you advised in the off-production hours and update you
Thanks & Regards S.Swaminathan Live & let others live!!! -
3 January 2012 08:31
Hi
It is found that the Windows firewall is on in the SBS 2011, and when I checked inside Control Panel > firewall settings, I found that "These settings are being managed by vendor application Symantec Endpoint Protection".
I found this when I was checking the firewall status according to Philip's comment:
"Use the native Windows firewall for your needs. It is controlled by the GPOs in question with SEP possibly conflicting with the Windows firewall. Is it off?"
Thanks & Regards S.Swaminathan Live & let others live!!! -
4 January 2012 06:43
What's the present status?
What happens if you stop the profile for Windows firewall on both client [Windows 7] and server?
netsh advfirewall set allprofiles state off
-
4 January 2012 08:25
Hi Jkazama
On one Windows 7 client PC, first I executed netsh advfirewall allprofiles state on instead of off; I got the result OK
Then I gave the same command with the off switch; the result is OK for that also
What does this mean?
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 4 January 2012 08:26
-
4 January 2012 09:04
This means that the firewall is turned off and on depending on what you typed; the o/p is always OK.
You need to disable [off] the firewall and then reapply the GPO and test [as I explained in my earlier posts].
- Edited by Jkazama 4 January 2012 09:06
-
10 January 2012 19:30
Hi Jkazama, Susan & all
Now I remember the suggestion made by Susan previously:
Those firewall policies work in every sbs 2003, 2008 and 2011 I've ever touched. There's some other issue at play here not identified because those are default firewall policies that just work.
Can you post up an ipconfig from the server and the workstation, and compare the IP addresses in those to what the group policy has the policies set for.
Something else is going on in this network.
Susan, one question: what effect does disabling the mentioned policies have on this problem (I mean, the network starts working normally), and why did we have the same problem (I mean, the network came to a halt) when the policy was enabled by default at the time of troubleshooting two weeks before?
The network is still running with the policies in the disabled state. We don't have off-production hours; that is the reason.
Yesterday one of our laptop domain users, who is not stationed in the office, came in, and when he tried to connect to the domain as usual, the same symptom appeared: his laptop startup became very slow during the "running startup scripts" stage of his domain login; once he logged in, the same symptom of "Request timed out" occurred when I tried to ping any host in the network.
Since I had doubts about Symantec Endpoint Protection, I used the CleanWipe utility by Symantec to remove it. During the removal process, many stages run in sequence. Of those, during the stage where teefer2.sys is removed, I suddenly noticed that connectivity came back between the laptop and the DC, which gave me some hints about the cause.
Then it started working without antivirus; when I tried to install it again, the connectivity was lost; I did the reset of IP & Winsock and it came back on
Any idea?
Thanks & Regards S.Swaminathan Live & let others live!!!
- Edited by TECHSHAN 10 January 2012 19:32
-
3 February 2012 16:13
If it's only a question of the problem with resetting the IP stack/Winsock, then you can turn off all workstations but 1. Then carry out the test; if the issue does reoccur, then simply disable the policies. Since all other workstations were turned off, the policy would never hit those and you should not be required to reset anything on them. Of course this would have to be attempted in off-production hours, but you need to carry out diagnosis, for which enabling the policy again is required.
Hi Jkazama, Susan Bradley, Supergumby, Philip Elder, Larry Struckmeyer & others!
At last a month-long crisis was solved by following Jkazama's steps: enabling the disabled policies during the off-production hours, separating the server from the rest of the network, applying the Jkazama solution and testing.
Found working fine, so we brought the server back into the working environment and everything works fine.
Thanks for all of your technical support
Thanks & Regards S.Swaminathan Live & let others live!!! -
3 February 2012 16:15
If it's only a question of the problem with resetting the IP stack/Winsock, then you can turn off all workstations but 1. Then carry out the test; if the issue does reoccur, then simply disable the policies. Since all other workstations were turned off, the policy would never hit those and you should not be required to reset anything on them. Of course this would have to be attempted in off-production hours, but you need to carry out diagnosis, for which enabling the policy again is required.
Hi Jkazama, Susan Bradley, Supergumby, Philip Elder, Larry Struckmeyer & others!
At last a month-long crisis was solved by following Jkazama's steps: enabling the disabled policies during the off-production hours of yesterday's holiday, separating the server from the rest of the network, applying the Jkazama solution and testing.
Found working fine, so we brought the server back into the working environment and everything works fine.
Thanks for all of your technical support
Thanks & Regards S.Swaminathan Live & let others live!!!