Network connectivity lost / intermittent

    Question

  • Hi

    I have had an intermittent problem with the Windows 7 clients on my domain (htlincs.local) which has become a serious issue.

    The domain has two domain controllers - Win 2008 Standard (Phobos) with all FSMO roles, DNS and WINS and one Win 2003 R2 SP2 (Titan) with DNS, DHCP and WINS. The Win 2003 used to be the main DC until the Win 2008 was introduced 7 months ago. Domain functional level is Win 2003.

    Clients comprise Win 2000, XP, Vista and 7. All clients get their addresses via DHCP. The servers have static addresses.

    Previously, the Windows 7 clients would lose their connection to DFS shares/network/Internet. The loss of connectivity would last for a few minutes before returning or a restart would solve the problem. This would usually only affect one or two clients. The remaining clients would be fine.

    Today, four of our five Windows 7 clients have experienced this problem and it is back with a vengeance. The initial symptoms were loss of Internet followed by being unable to connect to the network. The local area connection icon in the Notification area has a yellow exclamation mark over it.

    Restarting the machines has no effect.
    Trying to connect to \\machinename results in an authentication dialog with: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
    netsh int ip reset followed by ipconfig /flushdns and restarting has no effect.
    netsh winsock reset has no effect.
    Turning off IPv6 has no effect.
    Running Windows Network Diagnostics results in: 'The DNS server isn't responding'
    Setting static IP addresses has no effect.

    When setting a static IP address I chose to 'validate settings on exit' and after the dialog closed the network diagnostics appeared and then displayed the result: 'The DNS server isn't responding'

    If I lock the client then unlock it, it takes 60 seconds for either a) the desktop to appear or b) an 'incorrect password' message to appear. The password has definitely been typed correctly.

    I can ping any device on the network by IP address but when I ping by name e.g. 'ping phobos' and 'ping phobos.htlincs.local' it fails.

    Remote Desktop to the win 7 clients fails, as does trying to connect via Computer Management or regedit (The network path was not found).

    The system log contains the following warning and error events

    Netlogon 5719
    DNS Client Events 1006
    GroupPolicy 1054
    Time-Service 129

    There is no problem with any of the other clients on the network. DNS and WINS entries are correct for the DCs. I have also tried changing the DNS settings on the DCs so that they use NetBIOS over TCP/IP and restarted them.

    If anyone can help me with this I would very much appreciate it.

    Thanks.

    Tuesday, February 15, 2011 3:54 PM

Answers

  • Thanks for your reply, Juke Chou.
    The connectivity was blocked by our Sophos firewall.
    Just in case any other Sophos users come across this:

    This was a strange one. The cause was that svchost.exe was being blocked because its memory had been modified. The blocked svchost processes were all UDP requests for DNS to our DNS servers. All the machines had a full AV scan last night and nothing was detected.

    There is an option in the general firewall settings to disable the monitoring of memory for processes, but it is (obviously) not recommended. More here.

    I disabled the monitoring of memory modification and this has allowed me to turn the firewall back on without affecting connectivity.

    I have spoken to Sophos about this and they have escalated the case as the tech support person I spoke to felt that more investigation was required.
    Friday, February 18, 2011 5:22 PM
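The accepted answer above says the Sophos client firewall was blocking the svchost.exe instance that sends the clients' DNS queries, on the grounds that its memory had been modified. The thread does not say what caused that verdict. The following PowerShell script is an added example, not code from the thread or from Sophos: it locates the svchost.exe that hosts the DNS Client service (Dnscache) on a Windows 7 client, shows which other services share that process, lists its UDP sockets, and reports any module mapped into it from outside the Windows directory together with its Authenticode status. That is the first thing a practitioner would check before deciding whether to weaken the firewall's memory-monitoring setting. It assumes an elevated 64-bit PowerShell 2.0 prompt on the affected client; the names and ID filters are the only assumptions beyond what the thread states.

```powershell
# Added example (not from the thread): inspect the svchost.exe instance that hosts
# the DNS Client service (Dnscache) on a Windows 7 client. Run from an elevated
# 64-bit PowerShell prompt on the affected machine (Get-Process -Id <pid> .Modules
# needs the same bitness as the target process).

$svc = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"
if (-not $svc) { throw "DNS Client service (Dnscache) not found" }
$dnsPid = $svc.ProcessId        # $pid is an automatic variable, so use another name
Write-Host ("DNS Client runs in PID {0} (state: {1})" -f $dnsPid, $svc.State)

# Services that share this svchost instance share its address space, so a
# per-process verdict from a host firewall affects all of them at once.
Write-Host "Services hosted in PID ${dnsPid}:"
Get-WmiObject Win32_Service -Filter "ProcessId=$dnsPid" |
    Select-Object Name, State | Format-Table -AutoSize

# UDP sockets owned by that process: the resolver's queries to port 53 leave from here.
# netstat -ano prints lines like "  UDP    0.0.0.0:49152    *:*    1234".
Write-Host "UDP endpoints owned by PID ${dnsPid}:"
netstat -ano -p UDP | Where-Object { $_ -match "\s$dnsPid\s*$" }

# Modules mapped into the process. On Windows 7 most system DLLs are catalog-signed,
# and Get-AuthenticodeSignature in PowerShell 2.0 does not consult catalogs, so a
# blanket signature check would flag nearly everything under %SystemRoot%. Instead,
# flag modules that live outside the Windows directory (where injected third-party
# DLLs normally come from) and show their signature status and vendor string.
$proc = Get-Process -Id $dnsPid
$root = [System.IO.Path]::GetFullPath($env:SystemRoot).TrimEnd('\')
$foreign = $proc.Modules |
    ForEach-Object { $_.FileName } |
    Sort-Object -Unique |
    Where-Object { -not $_.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase) }

if ($foreign) {
    Write-Host "Modules in PID $dnsPid loaded from outside ${root}:"
    foreach ($file in $foreign) {
        $sig     = Get-AuthenticodeSignature -FilePath $file
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
        $company = (Get-Item $file).VersionInfo.CompanyName
        New-Object PSObject -Property @{
            File    = $file
            Company = $company
            Status  = $sig.Status
            Signer  = $signer
        }
    } | Format-List
} else {
    Write-Host "No modules in PID $dnsPid are loaded from outside $root."
}
```

A third-party DLL in that list (for example one belonging to the endpoint-protection product itself) is the usual reason a process's memory no longer matches its on-disk image; if the list is empty, the verdict comes from something the firewall sees that this script cannot, and the vendor case the poster opened is the right next step.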

All replies

  • Based on the level of detail on your question you certainly appear fully experienced, so pardon me for asking the following basic question:
    A common mistake of network administrators of small networks is to include the ISP's DNS servers as DNS servers either configured on the server's NIC, or distributed to the clients via DHCP.  Can you confirm that the ONLY place the ISP DNS servers are listed, if any, is as a forwarder within the DNS server properties itself?

    Also can you confirm that the TIME on each and every server and client is exactly the same (to the minute)?

    Wednesday, February 16, 2011 12:48 AM
  • Hi, The Fellenator, thank you for replying.

    The clients' DNS settings are set to the Win 2008 DNS server first (.10) and the Win 2003 DNS server second (.2). This is the order in which they are listed in the DHCP option. The DCs point to themselves for DNS. The gateway, on both the static (servers) assigned addresses and in DHCP is set to the local IP address of a router (.95). All machines on the network use this same gateway.

    Therefore, all requests not resolvable by the local DNS server i.e. external websites, are routed via the gateway.

    IPconfig /all from a Win 7 client (Note this has a static address that I assigned yesterday when troubleshooting this):

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Agnes>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Agnes
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : F0-4D-A2-23-58-47
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.80(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.95
       DNS Servers . . . . . . . . . . . : 192.168.0.10
                                           192.168.0.2
       Primary WINS Server . . . . . . . : 192.168.0.2
       Secondary WINS Server . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{7DB5B5D6-DC20-4B40-A95D-52C585AD1FCF}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Users\Agnes>

    IPConfig /all from the Win 2008 DC:

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\administrator.HTLINCS>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Phobos
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
       Physical Address. . . . . . . . . : A4-BA-DB-40-2F-79
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.95
       DNS Servers . . . . . . . . . . . : 192.168.0.10
       Primary WINS Server . . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 12:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{B5C37581-11FA-4C75-873D-7050746C634E}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Users\administrator.HTLINCS>

    The time on all the servers, and clients, is exactly the same.

    Wednesday, February 16, 2011 9:40 AM
  • For what it's worth, power saving options are disabled on the NICs.
    Wednesday, February 16, 2011 11:29 AM
  • Hi,

    Try disabling the Windows 7 firewall temporarily.

    You may use nslookup to specify the server to resolve a DNS name or NetBIOS name for a test.

    For detailed information, Please refer to the following link.

    http://technet.microsoft.com/en-us/library/bb490950.aspx

    Meanwhile, can you ping the DNS server when the problem occurs?

    Enable DHCP and export the ipconfig information when the issue recurs.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, February 18, 2011 9:25 AM
    Moderator
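The moderator's suggestion is to query a named DNS server directly with nslookup and to check whether the DNS server can be pinged while the problem is present. The script below is an added example, not code from the thread, that turns those two checks into one run on an affected Windows 7 client and adds a third: resolution through the system resolver, which is the path ping, net use and DFS take and which goes through the DNS Client service inside svchost.exe. nslookup.exe builds and sends its own DNS packets and does not use that service, so if the direct queries and the pings succeed while the system resolver fails, the DNS servers are answering and the fault lies on the client between the resolver and the wire, which is where this thread's cause turned out to be. The server addresses and the DC name are taken from the poster's ipconfig output; the event IDs are the ones the poster listed. It assumes PowerShell 2.0 on Windows 7.

```powershell
# Added example (not from the thread): compare three resolution paths for a DC name
# from an affected Windows 7 client.
#   1. ICMP reachability of each configured DNS server by IP address.
#   2. A direct A query to each server with nslookup.exe (its own DNS packets,
#      not the DNS Client service).
#   3. The system resolver, [System.Net.Dns], which goes through the DNS Client
#      service hosted in svchost.exe, the same path ping and net use take.
# Addresses and name below are the ones from the thread; adjust for your domain.

$dnsServers = @('192.168.0.10', '192.168.0.2')   # Phobos, Titan (from the poster's ipconfig)
$target     = 'phobos.htlincs.local'

foreach ($server in $dnsServers) {
    # 1. Can the server be reached at all by IP address?
    $reachable = Test-Connection -ComputerName $server -Count 1 -Quiet

    # 2. Direct query to this server only. nslookup reports failures on stderr
    #    ("*** UnKnown can't find ...", "DNS request timed out."), so merge it.
    $out = & nslookup -type=A $target $server 2>&1 | Out-String
    $answered = ($out -match '(?m)^Name:\s+') -and ($out -notmatch "can't find|timed out")

    Write-Host ("{0,-14} ping={1,-5} direct A query={2}" -f $server, $reachable, $answered)
}

# 3. Through the DNS Client service (svchost.exe), as ping/net use/DFS would.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($target) |
        ForEach-Object { $_.IPAddressToString }
    Write-Host "System resolver: $target -> $($addrs -join ', ')"
} catch {
    Write-Host "System resolver: $target FAILED ($($_.Exception.Message))"
}

# The System-log events the poster listed, newest first. The ID filter is not
# provider-specific, so ProviderName is shown to separate e.g. Netlogon 5719 from
# any other source that happens to use the same number.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719, 1006, 1054, 129 } -MaxEvents 20 |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List
```

Read the output as a matrix: ping failing points at the network or the server; direct queries failing while ping succeeds points at the DNS service on the server; direct queries succeeding while the system resolver fails points at the client's own resolver path (DNS Client service, host firewall, or endpoint-protection filtering of svchost.exe).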
  • Hi,

    As you say, I think to contact the tech support of Sophos is a better way.

    Waiting for their reply.

    Thanks.


    Monday, February 21, 2011 8:21 AM
    Moderator