From: Piotr Majcher <PiotrMajcher@discussions.microsoft.com>
To:
none
Subject:
RE: Yet another ACPITABL.DAT issue...
Date:
08/23/2007 07:06:01
Have you tried booting into recovery console and running chkdsk /r command?
It helped with identical acpitabl.dat issue on my win2k3R2
PM
"Flerbizky@gmail.com" wrote:
> Hi...
>
> Searched and searched and searched, and still, nothing..
>
> I have a server here at home running SBS2003 with SP2. Has been
> running with no issues whatsoever for the last 3 months.. Then
> today, we had a short power outage which of course means the server
> was shut down quite hard..
>
> After the power came back, no attempts at starting the server have
> been a success - If I boot it normally, it just hangs at the splash
> screen, and if I try in Safe mode, it gets to the dreaded ACPITABL.DAT
> - and then nothing. I've tried booting on an SBS2003 CD with the raid
> drivers and SP2 streamlined - Hangs at the blue "Starting Windows"
> screen, so no Repair console either...
>
> I have successfully flashed both the bios on the raid controller and
> on the motherboard.
>
> I have no USB devices attached either...
>
> So - Suggestions are welcomed..
>
> Cheers, And thanks,
> Steffen
From: kj [SBS MVP]
<KevinJ.SBS@SPAMFREE.gmail.com>
To:
none
Subject:
Re: Windows Server 2003 Performance Report
Date:
09/04/2007 00:52:13
SBS monitoring uses the same free space percentage for all drives including
USB drives and other devices that appear as hard drives.
Assuming "HarddiskVolume5" is a legitimate partition on one of the Raid
controllers then you'll need to manually configure the alert or disable it.
Jim Peterson wrote:
> I have a client that is Using Windows SBS 2003. I recently added (3)
> new hard drives in a RAID 5 configuration. There are (2) arrays on the
> server. The original RAID 5 configuration, and the new RAID 5
> configuration. The total size of the new configuration is 146 GB. The
> available hard drive space is 146 GB. Every morning I receive the
> below error from the Windows Server 2003 Performance Report.
>
> Alert on SERVER at 8/29/2007 8:49:08 AM
>
> The following disk is low on free disk space. Low levels of free disk
> space can cause performance problems and prevent users from saving
> files on the disk.
>
> Drive Letter: HarddiskVolume5
> Free Disk Space: 0.000000. MB
> % Free Disk Space: 0.000000.%
>
> You can disable this alert or change its threshold by using the
> Change Alert Notifications task in the Server Management Monitoring
> and Reporting taskpad.
>
> How do I get Windows to recognize that the drive isn't out of space?
>
> Thanks
>
> Jim Peterson
--
/kj
From: t
<t@discussions.microsoft.com>
To:
none
Subject:
RE: Windows Server 2003 Performance Report
Date:
09/05/2007 17:08:15
"Jim Peterson" wrote:
> I have a client that is Using Windows SBS 2003. I recently added (3) new hard
> drives in a RAID 5 configuration. There are (2) arrays on the server. The
> original RAID 5 configuration, and the new RAID 5 configuration. The total
> size of the new configuration is 146 GB. The available hard drive space is
> 146 GB. Every morning I receive the below error from the Windows Server 2003
> Performance Report.
>
> Alert on SERVER at 8/29/2007 8:49:08 AM
>
> The following disk is low on free disk space. Low levels of free disk space
> can cause performance problems and prevent users from saving files on the
> disk.
>
> Drive Letter: HarddiskVolume5
> Free Disk Space: 0.000000. MB
> % Free Disk Space: 0.000000.%
>
> You can disable this alert or change its threshold by using the Change Alert
> Notifications task in the Server Management Monitoring and Reporting taskpad.
>
> How do I get Windows to recognize that the drive isn't out of space?
>
> Thanks
>
> Jim Peterson
From: kj [SBS MVP]
<KevinJ.SBS@SPAMFREE.gmail.com>
To:
none
Subject:
Re: Windows 2003 SMB to Windows 2003 STD CALS??
Date:
08/28/2007 16:36:01
malarie wrote:
> Hi gentlemen,
>
> My domain controller is on a windows server 2003 SMB. I have all my
> CALS installed on this server. I am limited to 75 users with SMB, I
> am thinking of upgrading to a standard edition or to 2008 if the
> reviews are neat.
> My question is this: Is it possible to migrate all the CALS I bought
> for SMB to STD/2008??
>
>
> Thanks a lot.
In the past MS has provided Licensing migration paths to standard versions.
I would expect that they will offer a "Transition Pack" for 2008, Centro
(the mid sized business version of SBS, as well as upgrades for Cougar (the
64bit SBS version based upon 2008 and Exchange 2007).
However, 2008 is unreleased and therefore no licensing is yet cast in
concrete.
--
/kj
From: Corey Hynes [MVP]
<corey@hynesite.biz>
To:
none
Subject:
Re: Windows 2003 servers
Date:
09/20/2007 08:05:24
Deploy System Center Essentials, or invest time and resources into creating
something similar using scripts and such.
"april" wrote in message
news:u59$%23Gw%23HHA.536@TK2MSFTNGP06.phx.gbl...
> Is there any way that I can set up email notification about the servers'
> status or critical things happening?
>
> Please advise!
>
> Thanks a lot!
From: Mathieu CHATEAU
<gollum123@free.fr>
To:
none
Subject:
Re: Windows 2003 Server with terminal services\netgear ProSafe vpn firewall fvx538\Intel Pro EB 1000GB has a very slow RDP remote connection.
Date:
09/10/2007 14:38:05
Hello,
Can you check if the switch port isn't set to full duplex instead of auto?
What happens if you switch the servers' cables between them?
Does the "old" server also have Service Pack 2?
What does netstat -e show on the new one?
Install the latest driver from Intel.
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
wrote in message
news:fIydnauHs_y-v37bnZ2dnUVZ_tqtnZ2d@comcast.com...
> Hello,
>
> I recently setup two Windows 2003 Server with terminal services. When I
> connect with remote desktop from a server or laptop on the switch the
> connection is fast, but when I connect to the 2 servers with remote desktop
> outside the firewall I have a very slow connection. The older terminal
> servers on the switch have a very fast remote desktop connection outside
> the firewall. Windows 2003 Server with terminal services\netgear ProSafe vpn
> firewall fvx538\Intel Pro EB 1000GB has a very slow RDP remote connection I
> think it is the NICs, uninstalling the NICs drivers and trying older and
> newer drivers without much of an improvement. Can someone that seen this
> issue with Windows 2003 Enterprise and Intelpro 1000GB EB Nics help me or
> point out problems with netgear ProSafe vpn firewall fvx538\Intel Pro EB
> 1000GB has a very slow RDP remote connection outside the firewall.
>
> FYI, I did notice after removing the NIC drivers and installing them again,
> I thought fixed it, the remote connection outside the firewall was fast for
> several hours till the next day it was slow again.
>
>
> Thanks
> Joe
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Windows 2003 DHCP Server setup
Date:
09/27/2007 06:30:39
Hello IT,
How to move a DHCP database from a computer that is running Windows NT Server
4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> Now current windows 2003 server setup in old server. we have build up
> a new windows 2003 server in new server machine. This new server have
> been joined domain as new Domain controller. Also I want migrate
> existing DHCP server all data to new server. please advise.
>
From: KevinMc
<kevinmckinnerney@hotmail.com>
To:
none
Subject:
Re: Win PE/WDS/Wim File Questions
Date:
09/25/2007 16:51:43
Robert,
To answer your questions,
> 1. Does WinPE come with WDS, or is it still available only on the OEM
> Preinstallation Kit?
WinPE is available in the WAIK which can be downloaded free from
http://technet2.microsoft.com/WindowsVista/en/library/129a1712-e3d8-46c1-bc09-a14349dc67db1033.mspx?mfr=true
To my knowledge WinPE is not included in WDS by default.
> 2. Can ImageX convert a RIS or RIPrep image to a .wim file?
ImageX is only used to interact with .wim files. See
http://technet2.microsoft.com/WindowsVista/en/library/2154c2e3-90a1-46c2-80e8-57bea12542491033.mspx?mfr=true
for more information on ImageX.
RIPrep images can be converted to .wim files by right-clicking on them in
the WDS MMC in legacy images and selecting convert to .wim or using WDSUTIL
with the proper command line options. (wdsutil /Convert-Riprepimage
/Filepath:"riprep.sif" /DestinationImage /Filepath:"XP.wim")
RISetup images must be deployed and recaptured using WDS in order to convert
them to .wim files.
> 3. During the switch to WDS native mode are my legacy images converted to
> WIM images?
>
> In the Windows Deployment Services Update Step-by-Step Guide for Windows
> Server 2003, it says:
>
> "The switch to Native Mode occurs when legacy image types are converted to
> WIM format and the OS Chooser functionality is disabled (by using
> the /forceNative command.)"
No. You need to convert your legacy image files using wdsutil or the WDS
MMC before going to native mode. The wording is not very helpful, but
basically in that sentence they are saying that you have to convert before
switching to Native mode (by using the /forceNative command.) because you
will no longer be able to access the OSChooser menus.
I hope this is helpful. If you have any further questions feel free to
respond.
-Kevin
"Robert Hindla" wrote in message
news:C31E9E1F.1B3BD%rhindla@panix.com...
> 1. Does WinPE come with WDS, or is it still available only on the OEM
> Preinstallation Kit?
>
> 2. Can ImageX convert a RIS or RIPrep image to a .wim file?
>
> 3. During the switch to WDS native mode are my legacy images converted to
> WIM images?
>
> In the Windows Deployment Services Update Step-by-Step Guide for Windows
> Server 2003, it says:
>
> "The switch to Native Mode occurs when legacy image types are converted to
> WIM format and the OS Chooser functionality is disabled (by using
> the /forceNative command.)"
>
> Does that imply that ImageX will swoop down and convert my legacy images?
>
> Can I use ImageX to convert anyway, apart from the /forceNative command?
>
From: Pegasus \(MVP\)
<I.can@fly.com>
To:
none
Subject:
Re: What determines the environment variables used by a process???
Date:
09/11/2007 14:40:58
"DJ-Jeff" wrote in message
news:C769A255-EBE4-4282-AD08-6C0AEA9CF68C@microsoft.com...
> Ok, I am running an asp.net web application on three different sets of
> servers.
>
> The w3wp worker process runs under the 'Network Service' user on all three
> sets of servers.
>
> However, the TMP and TEMP environment variables are set to different values
> for the w3wp process on each server set. I am checking the environment
> variable values using the Process Explorer tool from SysInternals. The
> values are as follows:
> - Server set #1: TMP and TEMP are set to "D:\TEMP"
> - Server set #2: TMP and TEMP are set to "C:\WINDOWS\TEMP"
>
> - Server set #3: This is a special case and is the cause of the
> problems. If I power cycle the server(s), and let the worker process start
> on its own, TMP and TEMP are set to "C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp".
> However, if I recycle the app pool or issue an iisreset, the w3wp process
> comes back up with the TMP and TEMP variables set to
> "C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp".
>
> When server set #3 starts using the "C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp"
> value for the variables, the web application starts issuing 'Access Denied'
> errors because the application does not have write access into the Temp
> directory, which is understandable.
>
> We have this temporarily fixed by allowing 'Network Service' full access to
> the Local Service temp space, but that is not a solution.
>
> Does anyone know what would cause the scenario on server set #3??? Because
> set #1 has a value of "D:\Temp" in use, it leads me to believe that these
> servers got set up incorrectly. But I don't know enough about all this to
> know what is incorrect about it.
>
> Thanks for taking a look.
> Jeff
Here are the default values for %temp%:
- User: c:\Documents and Settings\\..\..\temp
- System: c:\Windows\temp
Note this:
- Anyone can change these variables.
- Programs can change them too.
- The User variable takes precedence over the System variable
  in a Command Prompt, and perhaps elsewhere too.
- AFAIR, applications can issue specific system calls
  for either the User variable or the System variable.
From: Corey Hynes [MVP]
<corey@hynesite.biz>
To:
none
Subject:
Re: WDS Help
Date:
09/18/2007 08:17:18
I might be wrong, but from memory RIS drivers are 16 bit. PE is 32 bit.
You want to get the actual NIC drivers you would use for the system if it
had a full OS installed, and load those.
"dawaves" wrote in message
news:1189709705.643352.258240@r34g2000hsd.googlegroups.com...
> Hello!
>
> I am trying to upload an image of Server 2003 on a Dell PowerEdge 2950
> to WDS. This is what I did:
>
> 1. Used Sysprep on the Dell Server, Reseal, auto Shutdown.
> 2. On WDS, I created a boot image using a Vista boot.wim.
> 3. On WDS, I created a install image
> 4. On WDS, I created a capture boot image
> 5. I start up the Dell Server, boot using PXE, hit 'F12' to load
> WDS boot image options.
> 6. I choose the Capture Boot image option
> 7. A "Vista-like" screen appears and loads the Capture image Wizard.
> 8. I choose a local directory to save my temporary local capture file
> 9. I fill in the WDS server name, hit connect
> 10. After waiting 4 minutes, I get a message saying "cannot
> connect to server.."
> 11. I hit Shift-F10, I get a command prompt
> 12. I type ipconfig /all
> 13. I get no ip settings or configurations
> 14. Ok driver issue right? So I download the RIS drivers from
> Broadcom's site.
> 15. I use the "drvload.exe pathname\h06nd.inf"
> 16. "Could not load..." Error 0x800700002"
>
>
> Any ideas as to how to get these drivers onto the image?
>
> I'm thinking I may have to use another method of creating the image,
> rather than capturing.
>
> Do I use WAIK for that or WinPE?
>
> thanks!
>
From: Christopher A. Newell
<infosystems@shiawassee.net>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/24/2007 14:25:09
OK. Here's what it turned out to be. . . . A wireless access point (NOT
ROUTER). The only explanation I can see is that DHCP was changed to on by
default in a firmware update. This still leaves me with a bunch of
questions:
1. Why did only the DNS address get changed. (the DNS is not user/admin
configurable on the device, although the address range, subnet, gateway are)
I would have expected to have gotten the full configuration from that
device, not a full config from one device and then DNS only from another.
2. Why didn't this device give me a complete (albeit useless in my
network) configuration when I stopped the official DHCP server? When I
tried this, I got the default public config after receiving an error message
because no DHCP server was found.
3. How did this effect carry over to three other dynamically addressed
subnets which were separated by routers? (or why only three of the four?
Although the fourth operates as a trusted domain in a separate AD forest.)
What I finally had to do was actually go out to the desktop of what appeared
to be the machine which was switching DNS IPs the quickest with a sniffer
and a hub (unmanaged switches) and capture all of the traffic until the
config actually changed on me. Then I was able to see the offending DHCP
packet and extract the source addresses to pinpoint the device.
"Ace Fekay [MVP]" wrote in message
news:%23oCjJwM$HHA.4956@TK2MSFTNGP06.phx.gbl...
> In news:%23SxuCG$%23HHA.4828@TK2MSFTNGP04.phx.gbl,
> Christopher A. Newell typed:
>> The only thing that is actually incorrect (my error in the original
>> post) is that there are 4 LAN segments affected. One is essentially
>> my "core" which includes our Internet and two other private WAN
>> connections, as well as servers that are equally utilized among our
>> departments. The other 6 segments are departmentally organized and
>> users are grouped with server resources that they use most frequently.
>>
>
>
> The last time I saw something like this with similar symptoms, I found a
> Linksys wireless router someone brought in causing it. It was providing
> DNS addresses that was configured on its WAN interface while it was at
> the person's home. When they brought it in without me knowing about it,
> DHCP was still enabled. It wound up conflicting with the customer's corp
> scope and options.
>
> Something else to think about and look for.
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 ?
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations
>
> Having difficulty reading or finding responses to your post?
> Try using Outlook Express or any other newsreader, configure a news
> account, and point it to news.microsoft.com. Anonymous access. It's
> easy and it's free:
>
> How to Configure OEx for Internet News
> http://support.microsoft.com/?id=171164
>
> "Life isn't like a box of chocolates or a bowl of cherries or
> peaches... Life is more like a jar of jalapenos. What you do today
> may burn your butt tomorrow." - Garfield
>
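The capture-and-inspect step described in the post above (watch DHCP traffic until a reply carries the wrong DNS server, then read off its source addresses) can be automated. The following is an added example, not part of the original thread: it parses the UDP payload of DHCP server replies and flags any OFFER/ACK whose server identifier is not on an allow-list or whose DNS option contains an unapproved address. The 10.1.0.x addresses, MAC addresses and the `build_reply` sample generator are constructed assumptions; 168.95.1.1 is the foreign DNS address reported in the thread, and the caller is assumed to supply the source IP and MAC from the captured frame.

```python
"""Flag DHCP server replies from an unexpected server or with unexpected DNS."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
SERVER_REPLIES = {2: "OFFER", 5: "ACK"}       # DHCP message types sent by servers

# Assumed site policy (constructed values, not from the thread).
AUTHORIZED_SERVERS = {"10.1.0.10"}
APPROVED_DNS = {"10.1.0.53", "10.1.0.54"}


def ip_list(raw):
    """Decode a run of packed IPv4 addresses, ignoring a trailing partial one."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP message (RFC 2131 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                # hardware address length
    msg = {
        "op": payload[0],                     # 1 = client request, 2 = server reply
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "client_mac": payload[28:28 + hlen].hex(":"),
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        msg["options"][code] = value
        i += 2 + length
    return msg


def audit_reply(payload, src_ip, src_mac):
    """Return a finding dict for a suspicious OFFER/ACK, or None if it is fine."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    raw_type = opts.get(OPT_MSG_TYPE, b"")
    mtype = raw_type[0] if raw_type else 0
    if msg["op"] != 2 or mtype not in SERVER_REPLIES:
        return None                           # client traffic or other message types
    ids = ip_list(opts.get(OPT_SERVER_ID, b""))
    server_id = ids[0] if ids else src_ip     # fall back to the IP source address
    unapproved = [d for d in ip_list(opts.get(OPT_DNS, b""))
                  if d not in APPROVED_DNS]
    reasons = []
    if server_id not in AUTHORIZED_SERVERS:
        reasons.append("unauthorized DHCP server")
    if unapproved:
        reasons.append("unapproved DNS servers offered")
    if not reasons:
        return None
    return {"type": SERVER_REPLIES[mtype], "server_id": server_id,
            "src_ip": src_ip, "src_mac": src_mac,
            "client_mac": msg["client_mac"], "offered_ip": msg["yiaddr"],
            "unapproved_dns": unapproved, "reasons": reasons}


def build_reply(mtype, yiaddr, client_mac, server_id, dns):
    """Construct a sample server reply so the example runs without a capture."""
    def packed(addr):
        return ipaddress.IPv4Address(addr).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD,
                         0, 0, bytes(4), packed(yiaddr), packed(server_id),
                         bytes(4), client_mac, b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, mtype])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
               + bytes([OPT_DNS, 4 * len(dns)]) + b"".join(packed(d) for d in dns)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")       # constructed client MAC
    samples = [
        (build_reply(5, "10.1.0.101", mac, "10.1.0.10", ["10.1.0.53"]),
         "10.1.0.10", "02:00:00:00:00:aa"),
        (build_reply(2, "10.1.0.150", mac, "10.1.0.200", ["168.95.1.1"]),
         "10.1.0.200", "02:00:00:00:00:bb"),
    ]
    for payload, ip, smac in samples:
        print(audit_reply(payload, ip, smac))
```

The `src_mac` in a finding is the value to look up in switch MAC tables to locate the physical port of the offending device.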
From: Anthony
<anthony.spam@spammedout.com>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/24/2007 16:13:08
I am glad you found it, and well done Ace for identifying it!
Anthony, http://www.airdesk.co.uk
"Christopher A. Newell" wrote in message
news:eeh7MFu$HHA.5328@TK2MSFTNGP05.phx.gbl...
> OK. Here's what it turned out to be. . . . A wireless access point (NOT
> ROUTER). The only explanation I can see is that DHCP was changed to on by
> default in a firmware update. This still leaves me with a bunch of
> questions:
> 1. Why did only the DNS address get changed. (the DNS is not
> user/admin configurable on the device, although the address range, subnet,
> gateway are) I would have expected to have gotten the full configuration
> from that device, not a full config from one device and then DNS only from
> another.
> 2. Why didn't this device give me a complete (albeit useless in my
> network) configuration when I stopped the official DHCP server? When I
> tried this, I got the default public config after receiving an error
> message because no DHCP server was found.
> 3. How did this effect carry over to three other dynamically addressed
> subnets which were separated by routers? (or why only three of the four?
> Although the fourth operates as a trusted domain in a separate AD forest.)
>
> What I finally had to do was actually go out to the desktop of what
> appeared to be the machine which was switching DNS IPs the quickest with a
> sniffer and a hub (unmanaged switches) and capture all of the traffic
> until the config actually changed on me. Then I was able to see the
> offending DHCP packet and extract the source addresses to pinpoint the
> device.
>
> "Ace Fekay [MVP]" wrote in message
> news:%23oCjJwM$HHA.4956@TK2MSFTNGP06.phx.gbl...
>> In news:%23SxuCG$%23HHA.4828@TK2MSFTNGP04.phx.gbl,
>> Christopher A. Newell typed:
>>> The only thing that is actually incorrect (my error in the original
>>> post) is that there are 4 LAN segments affected. One is essentially
>>> my "core" which includes our Internet and two other private WAN
>>> connections, as well as servers that are equally utilized among our
>>> departments. The other 6 segments are departmentally organized and
>>> users are grouped with server resources that they use most frequently.
>>>
>>
>>
>> The last time I saw something like this with similar symptoms, I found a
>> Linksys wireless router someone brought in causing it. It was providing
>> DNS addresses that was configured on its WAN interface while it was at
>> the person's home. When they brought it in without me knowing about it,
>> DHCP was still enabled. It wound up conflicting with the customer's corp
>> scope and options.
>>
>> Something else to think about and look for.
>>
>> --
>> Regards,
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 ?
>> MVP Microsoft MVP - Directory Services
>> Microsoft Certified Trainer
>>
>> Infinite Diversities in Infinite Combinations
>>
>> Having difficulty reading or finding responses to your post?
>> Try using Outlook Express or any other newsreader, configure a news
>> account, and point it to news.microsoft.com. Anonymous access. It's
>> easy and it's free:
>>
>> How to Configure OEx for Internet News
>> http://support.microsoft.com/?id=171164
>>
>> "Life isn't like a box of chocolates or a bowl of cherries or
>> peaches... Life is more like a jar of jalapenos. What you do today
>> may burn your butt tomorrow." - Garfield
>>
>
>
From: Ace Fekay [MVP]
<PleaseAskMe@SomeDomain.com>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/25/2007 22:35:32
In news:OMpw$%23u$HHA.5164@TK2MSFTNGP05.phx.gbl,
Anthony typed:
> I am glad you found it, and well done Ace for identifying it!
> Anthony, http://www.airdesk.co.uk
>
Thanks. It was just a guess based on previous runnings-in with something
similar.
Ace
From: Ace Fekay [MVP]
<PleaseAskMe@SomeDomain.com>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/25/2007 22:39:21
In news:eeh7MFu$HHA.5328@TK2MSFTNGP05.phx.gbl,
Christopher A. Newell typed:
> OK. Here's what it turned out to be. . . . A wireless access point
> (NOT ROUTER). The only explanation I can see is that DHCP was
> changed to on by default in a firmware update. This still leaves me
> with a bunch of questions:
> 1. Why did only the DNS address get changed. (the DNS is not
> user/admin configurable on the device, although the address range,
> subnet, gateway are) I would have expected to have gotten the full
> configuration from that device, not a full config from one device and
> then DNS only from another. 2. Why didn't this device give me a
> complete (albeit useless in my
> network) configuration when I stopped the official DHCP server? When
> I tried this, I got the default public config after receiving an
> error message because no DHCP server was found.
> 3. How did this effect carry over to three other dynamically
> addressed subnets which were separated by routers? (or why only
> three of the four? Although the fourth operates as a trusted domain in
> a separate AD forest.)
> What I finally had to do was actually go out to the desktop of what
> appeared to be the machine which was switching DNS IPs the quickest
> with a sniffer and a hub (unmanaged switches) and capture all of the
> traffic until the config actually changed on me. Then I was able to
> see the offending DHCP packet and extract the source addresses to
> pinpoint the device.
As for #1 and 2, I've seen just the DNS address get changed especially if
the scope the wireless device is giving out is the same. I also can't answer
#3 in your scenario. Are you using IP helpers or DHCP agents?
Just one note, I do not believe a true access point (AP) has the ability to
provide DHCP from the ones that I've used from Cisco 1231's to Linksys APs.
They bridge the wireless segment and wired segment. Now a router will do
that, and I've seen routers do just what you've described. Now if APs now
offer DHCP services, that's a cool little feature, but then I would imagine
it will be on a different segment and routing traffic.
Ace
From: Christopher A. Newell
<infosystems@shiawassee.net>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/29/2007 12:57:03
I suppose it could be a "router" in disguise. Now that I think about it, I
seem to recall some layer 3 features kicking around the config. It is a
MiLAN unit that is packaged and sold as an AP. One Ethernet/POE port, one
RF output (I have seen some Buffalo APs with 4 port switches embedded,) WEP,
WAP, Radius authentication support. Everything runs logically on a single LAN
segment, but it appears to be possible to do "routing on a stick" (a term I
have grabbed from Cisco's explanation for doing layer 3 and 4 translations
over a single interface.)
I have a handful of them deployed (including one at home where I do use the
DHCP). The IP block, mask and GW IP are user configurable. The DNS IP
assigned is not. Just no way from the UI to set it.
"Ace Fekay [MVP]" wrote in message
news:uASuV7%23$HHA.3848@TK2MSFTNGP05.phx.gbl...
> In news:eeh7MFu$HHA.5328@TK2MSFTNGP05.phx.gbl,
> Christopher A. Newell typed:
>> OK. Here's what it turned out to be. . . . A wireless access point
>> (NOT ROUTER). The only explanation I can see is that DHCP was
>> changed to on by default in a firmware update. This still leaves me
>> with a bunch of questions:
>> 1. Why did only the DNS address get changed. (the DNS is not
>> user/admin configurable on the device, although the address range,
>> subnet, gateway are) I would have expected to have gotten the full
>> configuration from that device, not a full config from one device and
>> then DNS only from another. 2. Why didn't this device give me a
>> complete (albeit useless in my
>> network) configuration when I stopped the official DHCP server? When
>> I tried this, I got the default public config after receiving an
>> error message because no DHCP server was found.
>> 3. How did this effect carry over to three other dynamically
>> addressed subnets which were separated by routers? (or why only
>> three of the four? Although the fourth operates as a trusted domain in
>> a separate AD forest.)
>> What I finally had to do was actually go out to the desktop of what
>> appeared to be the machine which was switching DNS IPs the quickest
>> with a sniffer and a hub (unmanaged switches) and capture all of the
>> traffic until the config actually changed on me. Then I was able to
>> see the offending DHCP packet and extract the source addresses to
>> pinpoint the device.
>
> As for #1 and 2, I've seen just the DNS address get changed especially if
> the scope the wireless device is giving out is the same. I also can't
> answer #3 in your scenario. Are you using IP helpers or DHCP agents?
>
> Just one note, I do not believe a true access point (AP) has the ability
> to provide DHCP from the ones that I've used from Cisco 1231's to Linksys
> APs. They bridge the wireless segment and wired segment. Now a router will
> do that, and I've seen routers do just what you've described. Now if APs
> now offer DHCP services, that's a cool little feature, but then I would
> imagine it will be on a different segment and routing traffic.
>
>
> Ace
>
From: Ace Fekay [MVP]
<PleaseAskMe@SomeDomain.com>
To:
none
Subject:
Re: Wandering DNS entry - The answer
Date:
09/30/2007 11:17:51
In news:e1XKjLsAIHA.5980@TK2MSFTNGP04.phx.gbl,
Christopher A. Newell typed:
> I suppose it could be a "router" in disguise. Now that I think about
> it, I seem to recall some layer 3 features kicking around the config.
> It is a MiLAN unit that is packaged and sold as an AP. One
> Ethernet/POE port, one RF output (I have seen some Buffalo APs with 4
> port switches embedded,) WEP, WAP, Radius authentication support.
> Everything runs logically on a single LAN segment, but it appears to
> be possible to do "routing on a stick" (a term I have grabbed from
> Cisco's explanation for doing layer 3 and 4 translations over a
> single interface.)
> I have a handful of them deployed (including one at home where I do
> use the DHCP). The IP block, mask and GW IP are user configurable. The
> DNS IP assigned is not. Just no way from the UI to set it.
>
Interesting. I've never used a MiLAN unit. Can you disable DHCP on it? I
tried looking for a MiLAN product guide, but not sure what model you have:
http://www.milan.com/TransitionNetworks/MiLAN/Default.aspx
Do your docs mention how to disable DHCP?
Ace
From: Anthony
<anthony.spam@spammedout.com>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 15:41:57
Christopher,
Are your users Local Administrators?
Anthony
http://www.airdesk.co.uk
"Christopher A. Newell" wrote in message
news:un2g$Q8%23HHA.700@TK2MSFTNGP05.phx.gbl...
>I posted on this a couple of weeks ago and then the problem "appeared" to
>clear up for a while.
>
> This appeared to be a very sporadic problem, but as I look more closely it
> seems to be more prevalent than I had imagined.
>
> I have a medium-small, but moderately complex network configured in 7
> logical segments, each operating on its own IP subnet. In three of the
> segments, dynamically addressed PCs are transiently losing their DNS
> entries, multiple local DNS servers being replaced by 168.95.1.1, an
> operating DNS server in Taiwan. (in fact the only service answering on
> about half of the 168.95.1.x subnet is DNS) The loss of the correct DNS
> entries disrupts the client's network connectivity until the
> configuration is restored (all Internet access for user PCs is through a
> proxy server, our firewall prevents any client address from communicating
> with the Internet in any other way, so the affected PC gets no response at
> all.) "ipconfig /renew" seems to correct the problem, as does re-starting
> the PC.
>
> As a temporary workaround, I have assigned the outside IP to one of my
> internal DNS servers and routed all requests for that IP to the correct
> LAN address. This is preserving my users' connectivity but is eliminating
> their calls for help to notify me.
>
> After implementing the temporary solution, I have been monitoring detailed
> traffic on the DNS server, only to find that inquiries using the off-site
> IP are almost constant. It seems like there is one PC, occasionally two,
> using that IP for DNS (and SMB and a few other protocols) just about all
> the time, although the issue seems to move from computer to computer at no
> identifiable interval. Apparently, either some of the users are
> experiencing problems and just re-starting or the DNS error is not lasting
> long enough to cause them to actually see the connectivity loss.
>
> These PCs are in three different network segments, broken up at Layer 3,
> configured by three different DHCP servers (although all are in the same
> AD forest.) Before I identified the problem being present in three
> different segments, I tried stopping the known DHCP server and trying to
> obtain address information - No rogue DHCP apparent. We are using 128 WEP
> on a small number of wireless APs, but I have ruled out a customer
> notebook with an ICS configuration running.
>
> I have run thorough Spyware and AV scans of some of the affected PCs
> with no notable results (CA-ITM and Spybot S?
> are not affected and one IP subnet that is dynamically addressed but
> operates in an independent AD domain also seems to be OK.
>
> Has anybody else ever seen anything remotely like this ?
>
> Any ideas what I can look at to figure out where a changing DNS IP could
> be getting injected into the system, across routers?
>
> I think that I would have gotten an incorrect IP configuration if I had a
> hardware based DHCP on the LAN (like a SOHO router), but it may bear
> noting that a search on that IP reveals it to be one of the most commonly
> referenced publicly accessible DNS servers. The IP appears in many pieces
> of hardware documentation (again, like SOHO gateways).
>
From: Christopher A. Newell
<infosystems@shiawassee.net>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 16:20:41
Some are. Most are "Power Users" on their PCs.
It is just after close of business so most of the systems are off-line right
now, but I don't believe that there is actually a correlation between these
issues. If anything, with one exception, I think that most of the PCs where
I am seeing the foreign DNS entry are being used by local
non-Administrators when the problem is occurring.
"Anthony" wrote in message
news:egK65a8%23HHA.4880@TK2MSFTNGP03.phx.gbl...
> Christopher,
> Are your users Local Administrators?
> Anthony
> http://www.airdesk.co.uk
From: Anthony
<anthony.spam@spammedout.com>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 16:44:37
If you set up a PC where the user is not a Local Admin, or a Power user,
does it change in this way?
Anthony,
http://www.airdesk.com
"Christopher A. Newell" wrote in message
news:OA$jAz8%23HHA.3916@TK2MSFTNGP02.phx.gbl...
> Some are. Most are "Power Users" on their PCs.
>
> It is just after close of business so most of the systems are off-line
> right now, but I don't believe that there is actually a correlation
> between these issues. If anything, with one exception, I think that most
> of the PCs where I am seeing the foreign DNS entry are being used by local
> non-Administrators when the problem is occurring.
From: Christopher A. Newell
<infosystems@shiawassee.net>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 18:06:37
I'm going to have to try this. We are off-hours now and I am not seeing any
traffic to the foreign IP. Whatever device(s) are involved or causing the
issue are logged out/powered off.
"Anthony" wrote in message
news:%23Ajw698%23HHA.1416@TK2MSFTNGP03.phx.gbl...
> If you set up a PC where the user is not a Local Admin, or a Power user,
> does it change in this way?
> Anthony,
> http://www.airdesk.com
From: Anthony
<anthony.spam@spammedout.com>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/21/2007 03:03:28
Christopher,
The hypothesis is that you have malware on your clients. As the users have
local admin or power user rights this would have been easy to introduce. We
also have to assume that your AV does not detect it. If you google for
"trojan change dns" you will find several references.
I think what you need to do is:
- run several AV and spyware scanners to detect it
- try the non-admin test
- try to catch it "red-handed" with a changed registry value
- remove all users from local admin and power user groups (and automate the
  things they need those rights for)
- find out why your AV has not detected it, and switch to one that does.
The real problem is that as your users have admin rights, and if you can
prove the hypothesis that the machines have been compromised, then you have
no way to know the extent of the damage and to be safe you would need to
rebuild your network. The mitigating circumstance is that you say all access
is through the proxy.
On balance, you probably need to rebuild all the PCs in turn and migrate
your users onto new non-admin config. The most important thing to do is
assess whether there is any chance your servers or admin desktops have also
been compromised.
Anthony,
http://www.airdesk.co.uk
"Christopher A. Newell" wrote in message
news:ufv6Mu9%23HHA.1164@TK2MSFTNGP02.phx.gbl...
> I'm going to have to try this. We are off-hours now and I am not seeing
> any traffic to the foreign IP. Whatever device(s) are involved or causing
> the issue are logged out/powered off.
From: Roger Abell [MVP]
<mvpNoSpam@asu.edu>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 20:00:25
Christopher,
I read your posting. May it be correctly restated as:
Some, but not all, client machines that are DHCP clients
are losing their configured DNS servers, with these always
being replaced by 168.95.1.1. Further, only the DHCP clients
in three of the network segments that are part of one AD forest
are affected (i.e. DHCP clients in other segments and/or forest
are not affected in this way). There are no rogue DHCP servers
on the network segments.
Your statement that renewing the DHCP lease reestablishes
correct DNS server IPs lets us know that you are using DHCP
scope delivered nameserver IPs. Your statement that restarting
the machines also reestablishes indicates that there are no GPO
delivered incorrect DNS server IPs.
Since only an account with admin authority can set the DNS
servers in the TCP/IP config, we know this must be happening
due to something running with system/admin context on the
machines where this happens.
So, you need to find that admin/system process on or remotely
accessing those machines. This is not happening willy-nilly.
I am leaning toward a stealthed malware.
Have you probed the 168.95.1.1 DNS server to see if it is
hosting a mock zone(s) in which your client machines might
access trusted hosts? (i.e. is this part of a man in the middle
effort?).
--
Roger
"Christopher A. Newell" wrote in message
news:un2g$Q8%23HHA.700@TK2MSFTNGP05.phx.gbl...
> I posted on this a couple of weeks ago and then the problem "appeared" to
> clear up for a while.
>
> This appeared to be a very sporadic problem, but as I look more closely it
> seems to be more prevalent than I had imagined.
>
> I have a medium-small, but moderately complex network configured in 7
> logical segments, each operating on its own IP subnet. In three of the
> segments, dynamically addressed PCs are transiently losing their DNS
> entries, multiple local DNS servers being replaced by 168.95.1.1, an
> operating DNS server in Taiwan. (in fact the only service answering on
> about half of the 168.95.1.x subnet is DNS) The loss of the correct DNS
> entries disrupts the client's network connectivity until the
> configuration is restored (all Internet access for user PCs is through a
> proxy server, our firewall prevents any client address from communicating
> with the Internet in any other way, so the affected PC gets no response at
> all.) "ipconfig /renew" seems to correct the problem, as does re-starting
> the PC.
>
> As a temporary workaround, I have assigned the outside IP to one of my
> internal DNS servers and routed all requests for that IP to the correct
> LAN address. This is preserving my users' connectivity but is eliminating
> their calls for help to notify me.
>
> After implementing the temporary solution, I have been monitoring detailed
> traffic on the DNS server, only to find that inquiries using the off-site
> IP are almost constant. It seems like there is one PC, occasionally two,
> using that IP for DNS (and SMB and a few other protocols) just about all
> the time, although the issue seems to move from computer to computer at no
> identifiable interval. Apparently, either some of the users are
> experiencing problems and just re-starting or the DNS error is not lasting
> long enough to cause them to actually see the connectivity loss.
>
> These PCs are in three different network segments, broken up at Layer 3,
> configured by three different DHCP servers (although all are in the same
> AD forest.) Before I identified the problem being present in three
> different segments, I tried stopping the known DHCP server and trying to
> obtain address information - No rogue DHCP apparent. We are using 128 WEP
> on a small number of wireless APs, but I have ruled out a customer
> notebook with an ICS configuration running.
>
> I have run thorough Spyware and AV scans of some of the affected PCs
> with no notable results (CA-ITM and Spybot S?
> are not affected and one IP subnet that is dynamically addressed but
> operates in an independent AD domain also seems to be OK.
>
> Has anybody else ever seen anything remotely like this?
>
> Any ideas what I can look at to figure out where a changing DNS IP could
> be getting injected into the system, across routers?
>
> I think that I would have gotten an incorrect IP configuration if I had a
> hardware based DHCP on the LAN (like a SOHO router), but it may bear
> noting that a search on that IP reveals it to be one of the most commonly
> referenced publicly accessible DNS servers. The IP appears in many pieces
> of hardware documentation (again, like SOHO gateways).
>
From: Christopher A. Newell
<infosystems@shiawassee.net>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/20/2007 20:43:50
The only thing that is actually incorrect (my error in the original post) is
that there are 4 LAN segments affected. One is essentially my "core" which
includes our Internet and two other private WAN connections, as well as
servers that are equally utilized among our departments. The other 6
segments are departmentally organized and users are grouped with server
resources that they use most frequently.
Of the three unaffected segments, one is DHCP but is part of a trusted
domain in a separate AD forest, one is static addressed and is in a child
domain, one is static addressed and validates in an external domain over a
WAN connection. The general topology is distributed-star with each branch
LAN segment being routed through one of their servers to the core segment to
reach the Internet, WANs, and (occasionally) other branch LANs.
In the three branch LAN segments, the DHCP server is on the same system as
the routing function, bound to the NIC serving the branch LAN (if it was
propagating to the core, I would have gotten a configuration with the core's
DHCP server stopped.)
Running a sniffer on my core router's traffic and filtering on the foreign
DNS IP, I am only seeing traffic from one or two clients at any one time,
but even though no one client seems to be affected for a long period I am
now seeing traffic from some host almost constantly during business hours.
I have probed the foreign DNS on several common domains (microsoft.com,
google.com, etc.) and do not see any inconsistencies with known accurate
responses, but this has not been an exhaustive check. I will take a closer
look at the DNS queries being directed to that host during the day Friday
and look more closely at that.
Although we appear to be well scanned internally, I tend to agree with the
malware assessment. What I cannot determine yet is if it is running
directly on the affected machines or if it is something that is being
injected externally. The fact that this is crossing Layer 3 boundaries
leads me to suspect client, but the migratory nature (with only a small
number of machines affected at any one time) leaves a suspicion of a single
infected host affecting the other clients.
"Roger Abell [MVP]" wrote in message
news:%23MKuNr%23%23HHA.1208@TK2MSFTNGP03.phx.gbl...
> Christopher,
>
> I read your posting. May it be correctly restated as:
>
> Some, but not all, client machines that are DHCP clients
> are losing their configured DNS servers, with these always
> being replaced by 168.95.1.1. Further, only the DHCP clients
> in three of the network segments that are part of one AD forest
> are affected (i.e. DHCP clients in other segments and/or forest
> are not affected in this way). There are no rogue DHCP servers
> on the network segments.
>
> Your statement that renewing the DHCP lease reestablishes
> correct DNS server IPs lets us know that you are using DHCP
> scope delivered nameserver IPs. Your statement that restarting
> the machines also reestablishes indicates that there are no GPO
> delivered incorrect DNS server IPs.
>
> Since only an account with admin authority can set the DNS
> servers in the TCP/IP config, we know this must be happening
> due to something running with system/admin context on the
> machines where this happens.
> So, you need to find that admin/system process on or remotely
> accessing those machines. This is not happening willy-nilly.
>
> I am leaning toward a stealthed malware.
>
> Have you probed the 168.95.1.1 DNS server to see if it is
> hosting a mock zone(s) in which your client machines might
> access trusted hosts? (i.e. is this part of a man in the middle
> effort?).
>
> --
> Roger
>
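An added example, not part of any poster's message: the sniffer filtering described in the message above (capture at the core router, filter on the foreign DNS IP) can be summarised per client to show how the behaviour moves from host to host and whether non-DNS traffic such as SMB is also going to that address. The flow-line format, the internal addresses and the segment map are constructed for illustration; only 168.95.1.1 comes from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FOREIGN_RESOLVER = ip_address("168.95.1.1")  # the address named in the thread

# Constructed segment map; the thread gives no internal addressing.
SEGMENTS = {
    "core": ip_network("10.0.0.0/24"),
    "branch-a": ip_network("10.0.1.0/24"),
    "branch-b": ip_network("10.0.2.0/24"),
}

# Constructed sniffer export: time, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2007-09-20T09:02:11 10.0.1.37 168.95.1.1 53 udp
2007-09-20T09:02:40 10.0.1.37 168.95.1.1 53 udp
2007-09-20T09:03:05 10.0.1.37 168.95.1.1 445 tcp
2007-09-20T09:04:00 10.0.1.12 10.0.0.5 53 udp
2007-09-20T09:31:18 10.0.2.80 168.95.1.1 53 udp
2007-09-20T09:33:02 10.0.2.80 168.95.1.1 53 udp
2007-09-20T11:15:44 10.0.1.37 168.95.1.1 53 udp
2007-09-20T11:16:01 10.0.0.21 168.95.1.1 53 udp
garbage line that the parser must skip
"""


def parse_flows(text):
    """Yield (time, src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                   ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue


def segment_of(addr):
    """Name the LAN segment an address belongs to, or 'unknown'."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def foreign_episodes(text, gap=timedelta(minutes=10)):
    """Group traffic to the foreign resolver into per-client episodes.

    A new episode starts when a client has been silent towards the foreign
    address for longer than `gap`, which approximates one period during
    which that client carried the wrong DNS setting.
    """
    per_client = defaultdict(list)
    for when, src, dst, port in parse_flows(text):
        if dst == FOREIGN_RESOLVER:
            per_client[src].append((when, port))

    episodes = []
    for src, hits in per_client.items():
        hits.sort()
        current = None
        for when, port in hits:
            if current is None or when - current["end"] > gap:
                current = {"client": str(src), "segment": segment_of(src),
                           "start": when, "end": when,
                           "ports": set(), "packets": 0}
                episodes.append(current)
            current["end"] = when
            current["ports"].add(port)
            current["packets"] += 1
    return sorted(episodes, key=lambda e: e["start"])


def non_dns_clients(episodes):
    """Clients that sent anything other than port 53 to the foreign address."""
    return sorted({e["client"] for e in episodes if e["ports"] - {53}})


if __name__ == "__main__":
    for ep in foreign_episodes(SAMPLE_FLOWS):
        print(ep["start"].time(), ep["end"].time(), ep["client"],
              ep["segment"], sorted(ep["ports"]), ep["packets"])
    print("non-DNS traffic from:", non_dns_clients(foreign_episodes(SAMPLE_FLOWS)))
```

Episode start times give a window in which to look for a system or admin context process on the named client, which is where the replies in this thread point.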
From: Roger Abell [MVP]
<mvpNoSpam@asu.edu>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/21/2007 00:58:53
Keep in mind that many clients may have incorrect DNS server IP set,
but do not need to do DNS resolutions for extended periods.
I would probe the DNS for your zones, those of your business
partners, etc. The spread could be intentional from a single
machine using an account with admin access to the others, or
could be a common hijackware that has spread by common
vectors. Again, something has to run as admin or system on
the machines where the change happens, so perhaps you could
install a watcher to profile processes that come/go in system
or an admin context.
Roger
"Christopher A. Newell" wrote in message
news:%23SxuCG$%23HHA.4828@TK2MSFTNGP04.phx.gbl...
> The only thing that is actually incorrect (my error in the original post)
> is that there are 4 LAN segments affected. One is essentially my "core"
> which includes our Internet and two other private WAN connections, as well
> as servers that are equally utilized among our departments. The other 6
> segments are departmentally organized and users are grouped with server
> resources that they use most frequently.
>
> Of the three unaffected segments, one is DHCP but is part of a trusted
> domain in a separate AD forest, one is static addressed and is in a child
> domain, one is static addressed and validates in an external domain over a
> WAN connection. The general topology is distributed-star with each branch
> LAN segment being routed through one of their servers to the core segment
> to reach the Internet, WANs, and (occasionally) other branch LANs.
>
> In the three branch LAN segments, the DHCP server is on the same system as
> the routing function, bound to the NIC serving the branch LAN (if it was
> propagating to the core, I would have gotten a configuration with the
> core's DHCP server stopped.)
>
> Running a sniffer on my core router's traffic and filtering on the foreign
> DNS IP, I am only seeing traffic from one or two clients at any one time,
> but even though no one client seems to be affected for a long period I am
> now seeing traffic from some host almost constantly during business hours.
>
> I have probed the foreign DNS on several common domains (microsoft.com,
> google.com, etc.) and do not see any inconsistencies with known accurate
> responses, but this has not been an exhaustive check. I will take a
> closer look at the DNS queries being directed to that host during the day
> Friday and look more closely at that.
>
> Although we appear to be well scanned internally, I tend to agree with the
> malware assessment. What I cannot determine yet is if it is running
> directly on the affected machines or if it is something that is being
> injected externally. The fact that this is crossing Layer 3 boundaries
> leads me to suspect client, but the migratory nature (with only a small
> number of machines affected at any one time) leaves a suspicion of a
> single infected host affecting the other clients.
> "Roger Abell [MVP]" wrote in message
> news:%23MKuNr%23%23HHA.1208@TK2MSFTNGP03.phx.gbl...
>> Christopher,
>>
>> I read your posting. May it be correctly restated as:
>>
>> Some, but not all, client machines that are DHCP clients
>> are losing their configured DNS servers, with these always
>> being replaced by 168.95.1.1. Further, only the DHCP clients
>> in three of the network segments that are part of one AD forest
>> are affected (i.e. DHCP clients in other segments and/or forest
>> are not affected in this way). There are no rogue DHCP servers
>> on the network segments.
>>
>> Your statement that renewing the DHCP lease reestablishes
>> correct DNS server IPs lets us know that you are using DHCP
>> scope delivered nameserver IPs. Your statement that restarting
>> the machines also reestablishes indicates that there are no GPO
>> delivered incorrect DNS server IPs.
>>
>> Since only an account with admin authority can set the DNS
>> servers in the TCP/IP config, we know this must be happening
>> due to something running with system/admin context on the
>> machines where this happens.
>> So, you need to find that admin/system process on or remotely
>> accessing those machines. This is not happening willy-nilly.
>>
>> I am leaning toward a stealthed malware.
>>
>> Have you probed the 168.95.1.1 DNS server to see if it is
>> hosting a mock zone(s) in which your client machines might
>> access trusted hosts ? (i.e. is this part of a man in the middle
>> effort ?).
>>
>> --
>> Roger
>>
>> "Christopher A. Newell" wrote in message
>> news:un2g$Q8%23HHA.700@TK2MSFTNGP05.phx.gbl...
>>> I posted on this a couple of weeks ago and then the problem "appeared" to
>>> clear up for a while.
>>>
>>> This appeared to be a very sporadic problem, but as I look more closely
>>> it seems to be more prevalent than I had imagined.
>>>
>>> I have a medium-small, but moderately complex network configured in 7
>>> logical segments, each operating on its own IP subnet. In three of the
>>> segments, dynamically addressed PCs are transiently losing their DNS
>>> entries, multiple local DNS servers being replaced by 168.95.1.1, an
>>> operating DNS server in Taiwan. (in fact the only service answering on
>>> about half of the 168.95.1.x subnet is DNS) The loss of the correct DNS
>>> entries disrupts the client's network connectivity until the
>>> configuration is restored (all Internet access for user PCs is through a
>>> proxy server, our firewall prevents any client address from
>>> communicating with the Internet in any other way, so the affected PC
>>> gets no response at all.) "ipconfig /renew" seems to correct the
>>> problem, as does re-starting the PC.
>>>
>>> As a temporary workaround, I have assigned the outside IP to one of my
>>> internal DNS servers and routed all requests for that IP to the correct
>>> LAN address. This is preserving my users' connectivity but is
>>> eliminating their calls for help to notify me.
>>>
>>> After implementing the temporary solution, I have been monitoring
>>> detailed traffic on the DNS server, only to find that inquiries using
>>> the off-site IP are almost constant. It seems like there is one PC,
>>> occasionally two, using that IP for DNS (and SMB and a few other
>>> protocols) just about all the time, although the issue seems to move
>>> from computer to computer at no identifiable interval. Apparently,
>>> either some of the users are experiencing problems and just re-starting
>>> or the DNS error is not lasting long enough to cause them to actually
>>> see the connectivity loss.
>>>
>>> These PCs are in three different network segments, broken up at Layer 3,
>>> configured by three different DHCP servers (although all are in the same
>>> AD forest.) Before I identified the problem being present in three
>>> different segments, I tried stopping the known DHCP server and trying to
>>> obtain address information - No rogue DHCP apparent. We are using 128
>>> WEP on a small number of wireless APs, but I have ruled out a customer
>>> notebook with an ICS configuration running.
>>>
>>> I have run thorough Spyware and AV scans of some of the affected PCs
>>> with no notable results (CA-ITM and Spybot S?
>>> are not affected and one IP subnet that is dynamically addressed but
>>> operates in an independent AD domain also seems to be OK.
>>>
>>> Has anybody else ever seen anything remotely like this ?
>>>
>>> Any ideas what I can look at to figure out where a changing DNS IP could
>>> be getting injected into the system, across routers?
>>>
>>> I think that I would have gotten an incorrect IP configuration if I had
>>> a hardware based DHCP on the LAN (like a SOHO router), but it may bear
>>> noting that a search on that IP reveals it to be one of the most
>>> commonly referenced publicly accessible DNS servers. The IP appears in
>>> many pieces of hardware documentation (again, like SOHO gateways).
>>>
>>
>>
>
>
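The suggestion above to probe the foreign DNS server for your own zones and your partners' zones, written out as an added example (not code from any poster in this thread): a standard-library Python check that asks a trusted resolver and the suspect resolver for the same names and flags disagreements. The resolver addresses, host names and canned replies in `demo()` are constructed placeholders; pass your own name list and resolver IPs to `compare()` for a live check.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Encode a recursive A-record query for `name` (RFC 1035 wire format)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends an uncompressed name
            return off + 1
        off += 1 + length

def parse_a_response(msg, qid):
    """Return (rcode, frozenset of IPv4 strings); ValueError on a bad reply."""
    try:
        rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if rid != qid or not flags & 0x8000:
            raise ValueError("not a response to our query")
        off = 12
        for _ in range(qdcount):
            off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
        addrs = set()
        for _ in range(ancount):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.add(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen                             # CNAME and other records are stepped over
        return flags & 0x000F, frozenset(addrs)
    except (struct.error, IndexError, OSError) as exc:
        raise ValueError("truncated or malformed DNS message") from exc

def query(server, name, timeout=3.0):
    """Ask `server` on UDP port 53 for the A records of `name`."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_response(data, qid)

def compare(names, internal_only, trusted, suspect, resolve=query):
    """Flag names where `suspect` disagrees with `trusted` in a way worth a look."""
    findings = []
    for name in names:
        _, good = resolve(trusted, name)
        _, seen = resolve(suspect, name)
        if name in internal_only and seen:
            # An outside resolver has no business knowing an internal-only name.
            findings.append((name, "answer for internal-only name", sorted(seen)))
        elif name not in internal_only and good and seen and not (good & seen):
            # Disjoint answers can be CDN or round-robin variation; verify by hand.
            findings.append((name, "no overlap with trusted answer", sorted(seen)))
    return findings

def constructed_reply(name, qid, ips):
    """Constructed sample reply, not captured traffic. Empty `ips` means NXDOMAIN."""
    flags = 0x8180 | (0 if ips else 3)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + build_query(name, qid)[12:] + answers

def demo():
    """Run compare() over canned replies; every name and address is a placeholder."""
    trusted, suspect = "10.0.0.10", "192.0.2.53"
    canned = {  # name: (answer from trusted, answer from suspect)
        "intranet.corp.example": (["10.0.0.25"], ["203.0.113.66"]),
        "files.corp.example": (["10.0.0.30"], []),
        "www.partner.example": (["198.51.100.7", "198.51.100.8"], ["198.51.100.8"]),
        "mail.partner.example": (["198.51.100.20"], ["203.0.113.9"]),
    }
    def fake_resolve(server, name):
        ips = canned[name][0 if server == trusted else 1]
        return parse_a_response(constructed_reply(name, 7, ips), 7)
    internal = {"intranet.corp.example", "files.corp.example"}
    return compare(list(canned), internal, trusted, suspect, resolve=fake_resolve)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding of the second kind is only a prompt for manual review, since large sites legitimately return different addresses to different resolvers.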
From: Ace Fekay [MVP]
<PleaseAskMe@SomeDomain.com>
To:
none
Subject:
Re: Wandering DNS entry
Date:
09/21/2007 22:52:44
In news:%23SxuCG$%23HHA.4828@TK2MSFTNGP04.phx.gbl,
Christopher A. Newell typed:
> The only thing that is actually incorrect (my error in the original
> post) is that there are 4 LAN segments affected. One is essentially
> my "core" which includes our Internet and two other private WAN
> connections, as well as servers that are equally utilized among our
> departments. The other 6 segments are departmentally organized and
> users are grouped with server resources that they use most frequently.
>
The last time I saw something like this with similar symptoms, I found a
Linksys wireless router someone brought in causing it. It was providing DNS
addresses that were configured on its WAN interface while it was at the
person's home. When they brought it in without me knowing about it, DHCP was
still enabled. It wound up conflicting with the customer's corp scope and
options.
Something else to think about and look for.
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 ?
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield
From: Jorge Silva
<jorgesilva_pt@hotmail.com>
To:
none
Subject:
Re: w2k3 logs me off right after user/password
Date:
09/25/2007 14:48:42
Hi check inline:
> - if I log on as a *normal* user, once I typed in the credential, it
> logs me off right after - the logging off window pops up followed by
> the ctrl-alt-del window. This doesn't always happen but happens 9 out
> of 10 attempts (or more frequent)
Logs are full, or maybe some virus on that machine.
> - however if I type in my credential again, I can get into the
> desktop
So you can log successfully after the second attempt?
> - admin doesn't have this problem
That's good, you can use that account to check log errors or if logs are
full, or if you have any process (like a virus) that doesn't like the normal
user account.
> - if I log on as Admin, and in the System properties window,
> profile, highlight the *normal* user account, the "copy to" and
> "remove" button is grayed out.
Can you rename the profile manually, and then try to logon with a new user
and check if the same behavior applies.
> - there was once or twice if I unplugged the power completely then
> log back in as Admin, the above "copy to" and "remove" buttons became
> available again.
Try the rename, if you can rename, you must first take ownership of the
folder and subfolders and files.
> - newly created profile didn't help
New profile for what user the domain admin or the normal account?
> - absolutely nothing noticeable in event viewer
> - if I log in as Admin, then open a RDP session to itself( mstsc /
> v:localhost), log in as the user in question, it won't ask me for
> password twice. However, I can't launch certain programs within the
> session (such as firefox, outlook). They are terminated at some point
> (for example, I can see the prompt from firefox "restore sessions/new
> session", but then nothing)
That suggests something wrong with the profile or GPO security.
> - I reset the security policy by importing the setupsec.inf but this
> didn't help either
It doesn't matter if the policy is being applied at domain or OU level, the
local GPO is the one that is overwritten by all others.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"future2Bunknown" wrote in message
news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
> I have a windows 2003 in workgroup having following symptoms:
> - if I log on as a *normal* user, once I typed in the credential, it
> logs me off right after - the logging off window pops up followed by
> the ctrl-alt-del window. This doesn't always happen but happens 9 out
> of 10 attempts (or more frequent)
> - however if I type in my credential again, I can get into the
> desktop
> - admin doesn't have this problem
> - if I log on as Admin, and in the System properties window,
> profile, highlight the *normal* user account, the "copy to" and
> "remove" button is grayed out.
> - there was once or twice if I unplugged the power completely then
> log back in as Admin, the above "copy to" and "remove" buttons became
> available again.
> - newly created profile didn't help
> - absolutely nothing noticeable in event viewer
> - if I log in as Admin, then open a RDP session to itself( mstsc /
> v:localhost), log in as the user in question, it won't ask me for
> password twice. However, I can't launch certain programs within the
> session (such as firefox, outlook). They are terminated at some point
> (for example, I can see the prompt from firefox "restore sessions/new
> session", but then nothing)
> - I reset the security policy by importing the setupsec.inf but this
> didn't help either
>
> Any help appreciated.
>
From: future2Bunknown
<johnlan@gmail.com>
To:
none
Subject:
Re: w2k3 logs me off right after user/password
Date:
09/26/2007 09:18:32
Jorge,
Thanks for the reply. Please see my reply to your comments:
1. This is a workgroup server therefore no upper level GP will
override local policy
2. Second attempt to log on always succeeds
3. If, as I myself suspected and as you pointed out, profile and/or
security settings are to blame, I've replaced both to no avail
4. logs in event has been cleared multiple times during my
troubleshooting. And I don't believe there is any other size limit on
text-based logs. Plus, all disks have sufficient space
5. I didn't bother to verify if other users have same problem because
this is the only account I need to keep and make it workable. But I
believe the others don't have this issue. I will try later though and
post back.
6. while I can't say 100% sure that I am not hit by virus, I am very
confident my computer is clean. Having worked in security field, I am
always cautious what's installed and my computer is well protected.
The symptoms don't look like virus either.
7. I do have the userenv.log if you want to see it.
On Sep 25, 3:48 pm, "Jorge Silva" wrote:
> Hi check inline:
>
> > - if I log on as a *normal* user, once I typed in the credential, it
> > logs me off right after - the logging off window pops up followed by
> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > of 10 attempts (or more frequent)
>
> Logs are full, or maybe some virus on that machine.
>
> > - however if I type in my credential again, I can get into the
> > desktop
>
> So you can log successfully after the second attempt?
>
> > - admin doesn't have this problem
>
> That's good, you can use that account to check log errors or if logs are
> full, or if you have any process (like a virus) that doesn't like the normal
> user account.
>
> > - if I log on as Admin, and in the System properties window,
> > profile, highlight the *normal* user account, the "copy to" and
> > "remove" button is grayed out.
>
> Can you rename the profile manually, and then try to logon with a new user
> and check if the same behavior applies.
>
> > - there was once or twice if I unplugged the power completely then
> > log back in as Admin, the above "copy to" and "remove" buttons became
> > available again.
>
> Try the rename, if you can rename, you must first take ownership of the
> folder and subfolders and files.
>
> > - newly created profile didn't help
>
> New profile for what user the domain admin or the normal account?
>
> > - absolutely nothing noticeable in event viewer
> > - if I log in as Admin, then open a RDP session to itself( mstsc /
> > v:localhost), log in as the user in question, it won't ask me for
> > password twice. However, I can't launch certain programs within the
> > session (such as firefox, outlook). They are terminated at some point
> > (for example, I can see the prompt from firefox "restore sessions/new
> > session", but then nothing)
>
> That suggests something wrong with the profile or GPO security.
>
> > - I reset the security policy by importing the setupsec.inf but this
> > didn't help either
>
> It doesn't matter if the policy is being applied at domain or OU level, the
> local GPO is the one that is overwritten by all others.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "future2Bunknown" wrote in message
> news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
>
> > I have a windows 2003 in workgroup having following symptoms:
> > - if I log on as a *normal* user, once I typed in the credential, it
> > logs me off right after - the logging off window pops up followed by
> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > of 10 attempts (or more frequent)
> > - however if I type in my credential again, I can get into the
> > desktop
> > - admin doesn't have this problem
> > - if I log on as Admin, and in the System properties window,
> > profile, highlight the *normal* user account, the "copy to" and
> > "remove" button is grayed out.
> > - there was once or twice if I unplugged the power completely then
> > log back in as Admin, the above "copy to" and "remove" buttons became
> > available again.
> > - newly created profile didn't help
> > - absolutely nothing noticeable in event viewer
> > - if I log in as Admin, then open a RDP session to itself( mstsc /
> > v:localhost), log in as the user in question, it won't ask me for
> > password twice. However, I can't launch certain programs within the
> > session (such as firefox, outlook). They are terminated at some point
> > (for example, I can see the prompt from firefox "restore sessions/new
> > session", but then nothing)
> > - I reset the security policy by importing the setupsec.inf but this
> > didn't help either
>
> > Any help appreciated.
From: Jorge Silva
<jorgesilva_pt@hotmail.com>
To:
none
Subject:
Re: w2k3 logs me off right after user/password
Date:
09/26/2007 11:48:10
Inline
> 1. This is a workgroup server therefore no upper level GP will
> override local policy
Ok. But you can also check local policy.
> 2. Second attempt to log on always succeeds
Yeah this is the weird part. Never saw something similar, that's why I
suggested that may be a Virus problem or GPO restriction.
> 3. If, as I myself suspected and as you pointed out, profile and/or
> security settings are to blame, I've replaced both to no avail
1 place less to search ;)
> 4. logs in event has been cleared multiple times during my
> troubleshooting. And I don't believe there is any other size limit on
> text-based logs. Plus, all disks have sufficient space
Ok.
> 5. I didn't bother to verify if other users have same problem because
> this is the only account I need to keep and make it workable. But I
> believe the others don't have this issue. I will try later though and
> post back.
Yes try to create a different account and check with that account (I never
know, strange behaviors lead to strange solutions)
> 6. while I can't say 100% sure that I am not hit by virus, I am very
> confident my computer is clean. Having worked in security field, I am
> always cautious what's installed and my computer is well protected.
> The symptoms don't look like virus either.
You won't waste too much time by running the antivirus, just in case.
> 7. I do have the userenv.log if you want to see it.
Only the things that contains errors or strange things
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"future2Bunknown" wrote in message
news:1190816312.730005.167360@22g2000hsm.googlegroups.com...
> Jorge,
>
> Thanks for the reply. Please see my reply to your comments:
>
> 1. This is a workgroup server therefore no upper level GP will
> override local policy
> 2. Second attempt to log on always succeeds
> 3. If, as I myself suspected and as you pointed out, profile and/or
> security settings are to blame, I've replaced both to no avail
> 4. logs in event has been cleared multiple times during my
> troubleshooting. And I don't believe there is any other size limit on
> text-based logs. Plus, all disks have sufficient space
> 5. I didn't bother to verify if other users have same problem because
> this is the only account I need to keep and make it workable. But I
> believe the others don't have this issue. I will try later though and
> post back.
> 6. while I can't say 100% sure that I am not hit by virus, I am very
> confident my computer is clean. Having worked in security field, I am
> always cautious what's installed and my computer is well protected.
> The symptoms don't look like virus either.
> 7. I do have the userenv.log if you want to see it.
>
> On Sep 25, 3:48 pm, "Jorge Silva" wrote:
>> Hi check inline:
>>
>> > - if I log on as a *normal* user, once I typed in the credential, it
>> > logs me off right after - the logging off window pops up followed by
>> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
>> > of 10 attempts (or more frequent)
>>
>> Logs are full, or maybe some virus on that machine.
>>
>> > - however if I type in my credential again, I can get into the
>> > desktop
>>
>> So you can log successfully after the second attempt?
>>
>> > - admin doesn't have this problem
>>
>> That's good, you can use that account to check log errors or if logs are
>> full, or if you have any process (like a virus) that doesn't like the
>> normal user account.
>>
>> > - if I log on as Admin, and in the System properties window,
>> > profile, highlight the *normal* user account, the "copy to" and
>> > "remove" button is grayed out.
>>
>> Can you rename the profile manually, and then try to logon with a new
>> user and check if the same behavior applies.
>>
>> > - there was once or twice if I unplugged the power completely then
>> > log back in as Admin, the above "copy to" and "remove" buttons became
>> > available again.
>>
>> Try the rename, if you can rename, you must first take ownership of the
>> folder and subfolders and files.
>>
>> > - newly created profile didn't help
>>
>> New profile for what user the domain admin or the normal account?
>>
>> > - absolutely nothing noticeable in event viewer
>> > - if I log in as Admin, then open a RDP session to itself( mstsc /
>> > v:localhost), log in as the user in question, it won't ask me for
>> > password twice. However, I can't launch certain programs within the
>> > session (such as firefox, outlook). They are terminated at some point
>> > (for example, I can see the prompt from firefox "restore sessions/new
>> > session", but then nothing)
>>
>> That suggests something wrong with the profile or GPO security.
>>
>> > - I reset the security policy by importing the setupsec.inf but this
>> > didn't help either
>>
>> It doesn't matter if the policy is being applied at domain or OU level,
>> the local GPO is the one that is overwritten by all others.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "future2Bunknown" wrote in message
>> news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
>>
>> > I have a windows 2003 in workgroup having following symptoms:
>> > - if I log on as a *normal* user, once I typed in the credential, it
>> > logs me off right after - the logging off window pops up followed by
>> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
>> > of 10 attempts (or more frequent)
>> > - however if I type in my credential again, I can get into the
>> > desktop
>> > - admin doesn't have this problem
>> > - if I log on as Admin, and in the System properties window,
>> > profile, highlight the *normal* user account, the "copy to" and
>> > "remove" button is grayed out.
>> > - there was once or twice if I unplugged the power completely then
>> > log back in as Admin, the above "copy to" and "remove" buttons became
>> > available again.
>> > - newly created profile didn't help
>> > - absolutely nothing noticeable in event viewer
>> > - if I log in as Admin, then open a RDP session to itself( mstsc /
>> > v:localhost), log in as the user in question, it won't ask me for
>> > password twice. However, I can't launch certain programs within the
>> > session (such as firefox, outlook). They are terminated at some point
>> > (for example, I can see the prompt from firefox "restore sessions/new
>> > session", but then nothing)
>> > - I reset the security policy by importing the setupsec.inf but this
>> > didn't help either
>>
>> > Any help appreciated.
>
>
From: Cyberstorme <Cyberstorme@discussions.microsoft.com>
To:
none
Subject:
Re: w2k3 logs me off right after user/password
Date:
09/28/2007 02:50:02
I remember seeing this behaviour during the early W2K3 days. I believe the
issue was corrected in SP1. Is your system at SP1?
"future2Bunknown" wrote:
> Jorge,
>
> Thanks for the reply. Please see my reply to your comments:
>
> 1. This is a workgroup server therefore no upper level GP will
> override local policy
> 2. Second attempt to log on always succeeds
> 3. If, as I myself suspected and as you pointed out, profile and/or
> security settings are to blame, I've replaced both to no avail
> 4. logs in event has been cleared multiple times during my
> troubleshooting. And I don't believe there is any other size limit on
> text-based logs. Plus, all disks have sufficient space
> 5. I didn't bother to verify if other users have same problem because
> this is the only account I need to keep and make it workable. But I
> believe the others don't have this issue. I will try later though and
> post back.
> 6. while I can't say 100% sure that I am not hit by virus, I am very
> confident my computer is clean. Having worked in security field, I am
> always cautious what's installed and my computer is well protected.
> The symptoms don't look like virus either.
> 7. I do have the userenv.log if you want to see it.
>
> On Sep 25, 3:48 pm, "Jorge Silva" wrote:
> > Hi check inline:
> >
> > > - if I log on as a *normal* user, once I typed in the credential, it
> > > logs me off right after - the logging off window pops up followed by
> > > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > > of 10 attempts (or more frequent)
> >
> > Logs are full, or maybe some virus on that machine.
> >
> > > - however if I type in my credential again, I can get into the
> > > desktop
> >
> > So you can log successfully after the second attempt?
> >
> > > - admin doesn't have this problem
> >
> > That's good, you can use that account to check log errors or if logs are
> > full, or if you have any process (like a virus) that doesn't like the normal
> > user account.
> >
> > > - if I log on as Admin, and in the System properties window,
> > > profile, highlight the *normal* user account, the "copy to" and
> > > "remove" button is grayed out.
> >
> > Can you rename the profile manually, and then try to logon with a new user
> > and check if the same behavior applies.
> >
> > > - there was once or twice if I unplugged the power completely then
> > > log back in as Admin, the above "copy to" and "remove" buttons became
> > > available again.
> >
> > Try the rename, if you can rename, you must first take ownership of the
> > folder and subfolders and files.
> >
> > > - newly created profile didn't help
> >
> > New profile for what user the domain admin or the normal account?
> >
> > > - absolutely nothing noticeable in event viewer
> > > - if I log in as Admin, then open a RDP session to itself( mstsc /
> > > v:localhost), log in as the user in question, it won't ask me for
> > > password twice. However, I can't launch certain programs within the
> > > session (such as firefox, outlook). They are terminated at some point
> > > (for example, I can see the prompt from firefox "restore sessions/new
> > > session", but then nothing)
> >
> > That suggests something wrong with the profile or GPO security.
> >
> > > - I reset the security policy by importing the setupsec.inf but this
> > > didn't help either
> >
> > It doesn't matter if the policy is being applied at domain or OU level, the
> > local GPO is the one that is overwritten by all others.
> >
> > --
> > I hope that the information above helps you.
> > Have a Nice day.
> >
> > Jorge Silva
> > MCSE, MVP Directory Services
> > "future2Bunknown" wrote in message
> > news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
> >
> > > I have a windows 2003 in workgroup having following symptoms:
> > > - if I log on as a *normal* user, once I typed in the credential, it
> > > logs me off right after - the logging off window pops up followed by
> > > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > > of 10 attempts (or more frequent)
> > > - however if I type in my credential again, I can get into the
> > > desktop
> > > - admin doesn't have this problem
> > > - if I log on as Admin, and in the System properties window,
> > > profile, highlight the *normal* user account, the "copy to" and
> > > "remove" button is grayed out.
> > > - there was once or twice if I unplugged the power completely then
> > > log back in as Admin, the above "copy to" and "remove" buttons became
> > > available again.
> > > - newly created profile didn't help
> > > - absolutely nothing noticeable in event viewer
> > > - if I log in as Admin, then open a RDP session to itself( mstsc /
> > > v:localhost), log in as the user in question, it won't ask me for
> > > password twice. However, I can't launch certain programs within the
> > > session (such as firefox, outlook). They are terminated at some point
> > > (for example, I can see the prompt from firefox "restore sessions/new
> > > session", but then nothing)
> > > - I reset the security policy by importing the setupsec.inf but this
> > > didn't help either
> >
> > > Any help appreciated.
>
>
>
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrading Windows 2000 Domain Controller in 2003
Environment
Date:
08/28/2007 14:58:59
Hello grubbsy,
From the 2003 disk you have to run adprep /forestprep adprep /domainprep
to prepare the schema for 2003. And if you have 2003 R2 version you have
again to update the schema from the second R2 disk. Here a nice overview:
http://support.microsoft.com/kb/555040/en-us
Do you have Exchange running on the Domain controller? Then check out this:
http://support.microsoft.com/?id=314649
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> We are in the process of upgrading our last Windows 2000 server to
> Server 2003. We will be performing an upgrade instead of a clean
> install due to time constraints. Is there anything special that has
> to be done when upgrading a domain controller? All our other domain
> controllers are Server 2003.
>
From: Meinolf Weber (Myweb)
<meiweb@gmx.de>
To:
none
Subject:
Re: Upgrading NT to Server 2003
Date:
08/24/2007 16:02:26
Hello Adelxt,
I was also a little bit confused when I did it, but after upgrading with the
same domain name everything was fine.
Best regards
Meinolf Weber (Myweb)
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> Hi ,
>
> During the upgrade process from NT to 2003 it asks me for a domain
> within the forest. What I'm doing is upgrading an NT PDC so I was
> wondering why it asked me for another domain name. I'm using the
> domain name of the NT domain but am concerned whether the clients will
> be able to connect without problems once the 2003 AD is available. I'm
> running a simulated network but with only 2 clients.
>
> Any input would be appreciated.
>
> Thanks
> Steve
From: Adelxt <sales@adelxt.com>
To:
none
Subject:
Re: Upgrading NT to Server 2003
Date:
08/27/2007 09:50:44
Thank you for your feedback. I did use the same domain name and it does seem
to be okay. It looks like what I now have to do is go to every user and type
in their account name because it does show up in the pre-windows 2000 but is
blank in the section above it. Did you have to do that also?
Thanks
Steve
"Meinolf Weber (Myweb)" wrote in message
news:ff16fb664eb418c9b4b9f95201e0@msnews.microsoft.com...
> Hello Adelxt,
>
> I was also a little bit confused when I did it, but after upgrading with the
> same domain name everything was fine.
>
> Best regards
>
> Meinolf Weber (Myweb)
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
>
>> Hi ,
>>
>> During the upgrade process from NT to 2003 it asks me for a domain
>> within the forest. What I'm doing is upgrading an NT PDC so I was
>> wondering why it asked me for another domain name. I'm using the
>> domain name of the NT domain but am concerned whether the clients will
>> be able to connect without problems once the 2003 AD is available. I'm
>> running a simulated network but with only 2 clients.
>>
>> Any input would be appreciated.
>>
>> Thanks
>> Steve
>
>
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrading NT to Server 2003
Date:
08/27/2007 10:32:17
Hello Adelxt,
You mean the part of the user properties tab where the domain name normally stands? Yes, it was the same for me, but you can change them all together: just make a query in the new gpmc for the user accounts, then you have all accounts in one list, mark them, right-click and open the properties field. In 2003 you can set some values for all accounts and this field is one of them.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> Thank you for your feedback. I did use the same domain name and it
> does seem to be okay. It looks like what I now have to do is go to
> every user and type in their account name because it does show up in
> the pre-Windows 2000 but is blank in the section above it. Did you
> have to do that also?
>
> Thanks
> Steve
> "Meinolf Weber (Myweb)" wrote in message
> news:ff16fb664eb418c9b4b9f95201e0@msnews.microsoft.com...
>
>> Hello Adelxt,
>>
>> I was also a little bit confused when I did it, but after upgrading with
>> the same domain name everything was fine.
>>
>> Best regards
>>
>> Meinolf Weber (Myweb)
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>> Hi,
>>>
>>> During the upgrade process from NT to 2003 it asks me for a domain
>>> within the forest. What I'm doing is upgrading an NT PDC so I was
>>> wondering why it asked me for another domain name. I'm using the
>>> domain name of the NT domain but am concerned whether the clients
>>> will be able to connect without problems once the 2003 AD is
>>> available. I'm running a simulated network but with only 2 clients.
>>>
>>> Any input would be appreciated.
>>>
>>> Thanks
>>> Steve
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/24/2007 11:22:27
Hello Paul at TireSoft Paul at,
- Insert the CD in your server, and reboot the server
- Once you get the "press any key to boot from CD..." do so
- When you are prompted to press F6 to add drivers, do so if you need to... and proceed to the next step
- Once you are up to the install/repair (with recovery console) choose to install then proceed to the next step
- Press F8 to acknowledge the license, then the installer will search for an already installed version of Windows and should discover your current 2K3 server.
- Choose to repair this installation and the upgrade will proceed.
- Once it pops you the screen to select the keyboard, language and regional settings, adjust it to your needs...
- It should then ask for your License number, which you can enter here (make sure it's your new valid license) and continue installation.
- Installation will complete and reboot your server.
- Log in with your user account you should be back
- you will have 60 days to activate your Windows, and you will need to re-apply all Windows updates because the machine is more or less new
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> I have a server running the 180 day trial of server 2003 R3 standard
> edition.
> I have purchased a retail copy of the same thing and now wish to
> install it. What is the process to do this without wiping out my existing
> server? Is there a way to just add the activation code? I tried just install
> disk #2 but this did not do anything. I only have 9 days left so any
> help would be greatly appreciated.
From: Paul at TireSoft
<PaulatTireSoft@discussions.microsoft.com>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/24/2007 11:44:01
Meinolf,
Thanks for the response. Do I boot from disk #1 or can I boot from Disk #2 since I already have SP2 installed?
"Meinolf Weber" wrote:
> Hello Paul at TireSoft Paul at,
>
>
> - Insert the CD in your server, and reboot the
server
> - Once you get te "press any key to boot
from CD... " do so
> - When you are prompted to press F6 to add
drivers, do so if you need to...
> and proceed to the next step
> - Once you are up to the install/repair (with
recovery console) chose to
> install then proceed to the next step
> - Press F8 to acknowledge the license, then the
installer will search for an
> already installed version of Windows and should discover
your current 2K3
> server.
> - Choose to repair this installation and the
upgrade will proceed.
> - Once it pops you the screen to select the
keyboard, language and regional
> settings, ajust it to you needs...
> - It should then ask for your License number,
which you can enter here (make
> sure it's your new valid license) and continue
installation.
> - Installation will complete and reboot your
server.
> - Log in with your user account you should be
back
> - you will have 60 days to activate your windows,
and you will need to re-apply
> all windows update because the machine is more or
less new
>
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS
IS" with no warranties, and confers
> no rights.
>
> > I have a server running the 180 day trial of
server 2003 R3 standard
> > edition.
> > I have puirchased a retail copy of the same
thing and now wish to
> > install
> > it. What is the process to do this without
wiping out my existing
> > server? Is
> > there a way to just add the activation code?
I tried just install
> > disk #2 but this did not do anything. I only
have 9 days left so any
> > help would be greatly appreciated.
> >
>
>
>
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/24/2007 13:42:06
Hello Paul,
You have to start with disk 1, because disk 2 only has the R2 feature packs not server 2003 itself.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> Meinolf,
>
> Thanks for the response. Do I boot from disk #1 or can I boot from
> Disk #2 since I already have SP2 installed?
>
> "Meinolf Weber" wrote:
>
>> Hello Paul at TireSoft Paul at,
>>
>> - Insert the CD in your server, and reboot
the server
>> - Once you get te "press any key to boot
from CD... " do so
>> - When you are prompted to press F6 to add
drivers, do so if you need
>> to...
>> and proceed to the next step
>> - Once you are up to the install/repair (with
recovery console) chose
>> to
>> install then proceed to the next step
>> - Press F8 to acknowledge the license, then
the installer will search
>> for an
>> already installed version of Windows and
should discover your current
>> 2K3
>> server.
>> - Choose to repair this installation and the
upgrade will proceed.
>> - Once it pops you the screen to select the
keyboard, language and
>> regional
>> settings, ajust it to you needs...
>> - It should then ask for your License number,
which you can enter
>> here (make
>> sure it's your new valid license) and
continue installation.
>> - Installation will complete and reboot your
server.
>> - Log in with your user account you should be
back
>> - you will have 60 days to activate your
windows, and you will need
>> to re-apply
>> all windows update because the machine is
more or less new
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS
IS" with no warranties, and
>> confers
>> no rights.
>>> I have a server running the 180 day trial
of server 2003 R3 standard
>>> edition.
>>> I have puirchased a retail copy of the
same thing and now wish to
>>> install
>>> it. What is the process to do this
without wiping out my existing
>>> server? Is
>>> there a way to just add the activation
code? I tried just install
>>> disk #2 but this did not do anything. I
only have 9 days left so any
>>> help would be greatly appreciated.
From: Paul at TireSoft
<PaulatTireSoft@discussions.microsoft.com>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/25/2007 16:20:12
Meinolf,
Just thought that I would let you know that I followed your instructions and did indeed update to the retail version, but in the process lost all of my IIS services and web sites. I will now need to spend the next two days trying to get everything running again.
I cannot believe that MS made such a simple process so troubling. Why could I have not just input some type of activation code to upgrade from the trial version to the retail version?? Instead they make me go through 1.5 hours of installing something that was already installed and in the process wipe out a perfectly good web site!
"Meinolf Weber" wrote:
> Hello Paul,
>
> You have to start with disk 1, because disk 2
only has the r2 feature packs
> not server 2003 itself.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS
IS" with no warranties, and confers
> no rights.
>
> > Meinolf,
> >
> > Thanks for the response. Do I boot from disk
#1 or can I boot from
> > Disk #2 since I already have SP2 installed?
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello Paul at TireSoft Paul at,
> >>
> >> - Insert the CD in your server, and
reboot the server
> >> - Once you get te "press any key to
boot from CD... " do so
> >> - When you are prompted to press F6 to
add drivers, do so if you need
> >> to...
> >> and proceed to the next step
> >> - Once you are up to the install/repair
(with recovery console) chose
> >> to
> >> install then proceed to the next step
> >> - Press F8 to acknowledge the license,
then the installer will search
> >> for an
> >> already installed version of Windows and
should discover your current
> >> 2K3
> >> server.
> >> - Choose to repair this installation and
the upgrade will proceed.
> >> - Once it pops you the screen to select
the keyboard, language and
> >> regional
> >> settings, ajust it to you needs...
> >> - It should then ask for your License
number, which you can enter
> >> here (make
> >> sure it's your new valid license) and
continue installation.
> >> - Installation will complete and reboot
your server.
> >> - Log in with your user account you
should be back
> >> - you will have 60 days to activate your
windows, and you will need
> >> to re-apply
> >> all windows update because the machine
is more or less new
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided
"AS IS" with no warranties, and
> >> confers
> >> no rights.
> >>> I have a server running the 180 day
trial of server 2003 R3 standard
> >>> edition.
> >>> I have puirchased a retail copy of
the same thing and now wish to
> >>> install
> >>> it. What is the process to do this
without wiping out my existing
> >>> server? Is
> >>> there a way to just add the
activation code? I tried just install
> >>> disk #2 but this did not do
anything. I only have 9 days left so any
> >>> help would be greatly appreciated.
>
>
>
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/25/2007 16:36:07
Hello Paul,
Sorry, but I did it 3 times this way and never lost any configuration or data. So you didn't make any kind of backup or image before you started working? That's also an important part before doing any kind of major changes.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> Meinolf,
>
> Just thought that I would let you know that I followed your
> instructions and did indeed update to the retail version, but in the
> process lost all of my IIS services and web sites. I will now need to
> spend the next two days trying to get everything running again.
>
> I cannot believe that MS made such a simple process so troubling. Why
> could I have not just input some type of activation code to upgrade
> from the trial version to the retail version?? Instead they make me go
> through 1.5 hours of installing something that was already installed
> and in the process wipe out a perfectly good web site!
>
> "Meinolf Weber" wrote:
>
>> Hello Paul,
>>
>> You have to start with disk 1, because disk 2
only has the r2 feature
>> packs not server 2003 itself.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS
IS" with no warranties, and
>> confers
>> no rights.
>>> Meinolf,
>>>
>>> Thanks for the response. Do I boot from
disk #1 or can I boot from
>>> Disk #2 since I already have SP2
installed?
>>>
>>> "Meinolf Weber" wrote:
>>>
>>>> Hello Paul at TireSoft Paul at,
>>>>
>>>> - Insert the CD in your server, and
reboot the server
>>>> - Once you get te "press any key
to boot from CD... " do so
>>>> - When you are prompted to press F6
to add drivers, do so if you
>>>> need
>>>> to...
>>>> and proceed to the next step
>>>> - Once you are up to the
install/repair (with recovery console)
>>>> chose
>>>> to
>>>> install then proceed to the next step
>>>> - Press F8 to acknowledge the
license, then the installer will
>>>> search
>>>> for an
>>>> already installed version of Windows
and should discover your
>>>> current
>>>> 2K3
>>>> server.
>>>> - Choose to repair this installation
and the upgrade will proceed.
>>>> - Once it pops you the screen to
select the keyboard, language and
>>>> regional
>>>> settings, ajust it to you needs...
>>>> - It should then ask for your License
number, which you can enter
>>>> here (make
>>>> sure it's your new valid license) and
continue installation.
>>>> - Installation will complete and
reboot your server.
>>>> - Log in with your user account you
should be back
>>>> - you will have 60 days to activate
your windows, and you will need
>>>> to re-apply
>>>> all windows update because the
machine is more or less new
>>>> Best regards
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided
"AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>>> I have a server running the 180
day trial of server 2003 R3
>>>>> standard
>>>>> edition.
>>>>> I have puirchased a retail copy
of the same thing and now wish to
>>>>> install
>>>>> it. What is the process to do
this without wiping out my existing
>>>>> server? Is
>>>>> there a way to just add the
activation code? I tried just install
>>>>> disk #2 but this did not do
anything. I only have 9 days left so
>>>>> any
>>>>> help would be greatly
appreciated.
From: Paul at TireSoft
<PaulatTireSoft@discussions.microsoft.com>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/25/2007 17:04:05
Meinolf,
Hey, I really appreciated all your help! Yes I do have a back-up and have loaded it back, but MS changed something on me with all the updates.
You are the only one that provided me any answers on getting the retail version installed, MS did not have a clue. My beef is with them, something so simple should not have created all the problems I am having??
"Meinolf Weber" wrote:
> Hello Paul,
>
> Sorry, but I did it 3 times this way and never lost any configuration
> or data. So you didn't make any kind of backup or image before you started
> working? That's also an important part before doing any kind of major changes.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> > Meinolf,
> >
> > Just thought that I would let you know that
I followed your
> > instructions and did indeed update to the
retail version, but in the
> > process lost all of my IIS services and web
sites. I will now need to
> > spend the next two days trying to get
everything running again.
> >
> > I can not beleive that MS made such a simple
process so troubling. Why
> > could I have not just input some type of
activation code to upgrade
> > from the trial version to the retail
version?? Instead thay make me go
> > through 1.5 hours of installing something
that was already installed
> > and in the process wipe out a perfectly good
web site!
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello Paul,
> >>
> >> You have to start with disk 1, because
disk 2 only has the r2 feature
> >> packs not server 2003 itself.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided
"AS IS" with no warranties, and
> >> confers
> >> no rights.
> >>> Meinolf,
> >>>
> >>> Thanks for the response. Do I boot
from disk #1 or can I boot from
> >>> Disk #2 since I already have SP2
installed?
> >>>
> >>> "Meinolf Weber" wrote:
> >>>
> >>>> Hello Paul at TireSoft Paul at,
> >>>>
> >>>> - Insert the CD in your server,
and reboot the server
> >>>> - Once you get te "press
any key to boot from CD... " do so
> >>>> - When you are prompted to press
F6 to add drivers, do so if you
> >>>> need
> >>>> to...
> >>>> and proceed to the next step
> >>>> - Once you are up to the
install/repair (with recovery console)
> >>>> chose
> >>>> to
> >>>> install then proceed to the next
step
> >>>> - Press F8 to acknowledge the
license, then the installer will
> >>>> search
> >>>> for an
> >>>> already installed version of
Windows and should discover your
> >>>> current
> >>>> 2K3
> >>>> server.
> >>>> - Choose to repair this
installation and the upgrade will proceed.
> >>>> - Once it pops you the screen to
select the keyboard, language and
> >>>> regional
> >>>> settings, ajust it to you
needs...
> >>>> - It should then ask for your
License number, which you can enter
> >>>> here (make
> >>>> sure it's your new valid
license) and continue installation.
> >>>> - Installation will complete and
reboot your server.
> >>>> - Log in with your user account
you should be back
> >>>> - you will have 60 days to
activate your windows, and you will need
> >>>> to re-apply
> >>>> all windows update because the
machine is more or less new
> >>>> Best regards
> >>>> Meinolf Weber
> >>>> Disclaimer: This posting is
provided "AS IS" with no warranties,
> >>>> and
> >>>> confers
> >>>> no rights.
> >>>>> I have a server running the
180 day trial of server 2003 R3
> >>>>> standard
> >>>>> edition.
> >>>>> I have puirchased a retail
copy of the same thing and now wish to
> >>>>> install
> >>>>> it. What is the process to
do this without wiping out my existing
> >>>>> server? Is
> >>>>> there a way to just add the
activation code? I tried just install
> >>>>> disk #2 but this did not do
anything. I only have 9 days left so
> >>>>> any
> >>>>> help would be greatly
appreciated.
>
>
>
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Upgrade Trial Version of Server 2003 R2 to Retail Version
Date:
09/25/2007 17:18:55
Hello Paul,
Sometimes it would be nice if things would be easier, thought the same before my first change. Nice to hear that you have a backup.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> Meinolf,
>
> Hey, I really appreciated all your help! Yes I do have a back-up and
> have loaded it back, but MS changed something on me with all the
> updates.
>
> You are the only one that provided me any answers on getting the
> retail version installed, MS did not have a clue. My beef is with
> them, something so simple should not have created all the problems I
> am having??
>
> "Meinolf Weber" wrote:
>
>> Hello Paul,
>>
>> Sorry, but i did it 3 times on this way and
never lost any
>> configuration or data. So you didn't make any
kind of backup or image
>> before you start working? That's also an
important part before doing
>> any kind of major changes.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS
IS" with no warranties, and
>> confers
>> no rights.
>>> Meinolf,
>>>
>>> Just thought that I would let you know
that I followed your
>>> instructions and did indeed update to the
retail version, but in the
>>> process lost all of my IIS services and
web sites. I will now need
>>> to spend the next two days trying to get
everything running again.
>>>
>>> I can not beleive that MS made such a
simple process so troubling.
>>> Why could I have not just input some type
of activation code to
>>> upgrade from the trial version to the
retail version?? Instead thay
>>> make me go through 1.5 hours of
installing something that was
>>> already installed and in the process wipe
out a perfectly good web
>>> site!
>>>
>>> "Meinolf Weber" wrote:
>>>
>>>> Hello Paul,
>>>>
>>>> You have to start with disk 1,
because disk 2 only has the r2
>>>> feature packs not server 2003 itself.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided
"AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>>> Meinolf,
>>>>>
>>>>> Thanks for the response. Do I
boot from disk #1 or can I boot
>>>>> from Disk #2 since I already have
SP2 installed?
>>>>>
>>>>> "Meinolf Weber" wrote:
>>>>>
>>>>>> Hello Paul at TireSoft Paul
at,
>>>>>>
>>>>>> - Insert the CD in your
server, and reboot the server
>>>>>> - Once you get te "press
any key to boot from CD... " do so
>>>>>> - When you are prompted to
press F6 to add drivers, do so if you
>>>>>> need
>>>>>> to...
>>>>>> and proceed to the next step
>>>>>> - Once you are up to the
install/repair (with recovery console)
>>>>>> chose
>>>>>> to
>>>>>> install then proceed to the
next step
>>>>>> - Press F8 to acknowledge the
license, then the installer will
>>>>>> search
>>>>>> for an
>>>>>> already installed version of
Windows and should discover your
>>>>>> current
>>>>>> 2K3
>>>>>> server.
>>>>>> - Choose to repair this
installation and the upgrade will
>>>>>> proceed.
>>>>>> - Once it pops you the screen
to select the keyboard, language
>>>>>> and
>>>>>> regional
>>>>>> settings, ajust it to you
needs...
>>>>>> - It should then ask for your
License number, which you can enter
>>>>>> here (make
>>>>>> sure it's your new valid
license) and continue installation.
>>>>>> - Installation will complete
and reboot your server.
>>>>>> - Log in with your user
account you should be back
>>>>>> - you will have 60 days to
activate your windows, and you will
>>>>>> need
>>>>>> to re-apply
>>>>>> all windows update because
the machine is more or less new
>>>>>> Best regards
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is
provided "AS IS" with no warranties,
>>>>>> and
>>>>>> confers
>>>>>> no rights.
>>>>>>> I have a server running
the 180 day trial of server 2003 R3
>>>>>>> standard
>>>>>>> edition.
>>>>>>> I have puirchased a
retail copy of the same thing and now wish
>>>>>>> to
>>>>>>> install
>>>>>>> it. What is the process
to do this without wiping out my
>>>>>>> existing
>>>>>>> server? Is
>>>>>>> there a way to just add
the activation code? I tried just
>>>>>>> install
>>>>>>> disk #2 but this did not
do anything. I only have 9 days left so
>>>>>>> any
>>>>>>> help would be greatly
appreciated.
From: Adelxt <sales@adelxt.com>
To:
none
Subject:
Re: Upgrade from NT to Server 2003
Date:
08/24/2007 14:48:50
Hi Everyone,
I found my problem, it was the "build"? of the CD's that I was using. When I downloaded a trial version of Win 2003 R2, it gave me the upgrade option.
Thanks
Steve
"Adelxt" wrote in message news:%237BLG9M4HHA.3916@TK2MSFTNGP02.phx.gbl...
> HI,
>
> Still having problems upgrading from Windows NT SP6a to Windows 2003
> standard edition. Here's what I've done so far:
>
> I tried removing SP6A just to see if that made a difference, it didn't.
>
> I then tried to upgrade from NT to Windows 2000 server and it worked. The
> upgrade seemed to have no problem. I noticed the AD was installed during
> the upgrade and it did ask me for a domain name even though the NT box had
> a domain? Any thoughts on that? Am I upgrading incorrectly? I also noticed
> that the users were there but that their login account name was blank?
>
> Now when I tried to upgrade from Windows 2000 server to Windows 2003 I
> received the same message stating that Windows 2003 does not upgrade from
> Windows 2000. Again, I've tried 2 Windows 2003 CD's and in their own
> little manual it says that you can upgrade.
>
> I did notice the partition was low on hard drive space so I'm going to
> create a 8 gb partition for NT and try it again. In the meantime has
> anyone run across this issue of not being able to upgrade from NT to 2003?
>
> Also, do I really have to upgrade or is there a way to bring over the NT
> user accounts into 2003 AD without having the client machines re-joining
> the domain and causing profile problems?
>
> Thanks
> Steve
>
> "Adelxt" wrote in message
> news:ul0M2xB4HHA.4476@TK2MSFTNGP06.phx.gbl...
>> I tried that and got the same results. Still trying other things.
>>
>> Steve
>>
>> "Meinolf Weber (Myweb)" wrote in message
>> news:ff16fb664bae08c9ae3021d33d5a@msnews.microsoft.com...
>>> Hello Adelxt,
>>>
>>> Did you try the winnt32 /checkupgradeonly option from the 2003 install
>>> cd on the NT 4 PDC?
>>>
>>> Best regards
>>>
>>> Meinolf Weber (Myweb)
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>>
>>>> Hi,
>>>>
>>>> I was actually at SP6A with the hotfix. For some reason when I put in
>>>> the CD and start the process of upgrading I get the message that I
>>>> mentioned earlier. This is a genuine Microsoft CD and I don't believe
>>>> it's the R2 version.
>>>>
>>>> I'll redo my test network and try it on another computer but I'm not
>>>> sure why. One thing I do know, that my video resolution is only 16
>>>> colors, so I'll find the driver for the card and see if that isn't the
>>>> problem.
>>>>
>>>> If anyone else has come across this issue please let me know.
>>>>
>>>> Steve
>>>>
>>>> "Myweb" wrote in message
>>>> news:ff16fb664b3b68c9ace598708dfe@msnews.microsoft.com...
>>>>
>>>>> Hello Adelxt,
>>>>>
>>>>> I did it without any problem from NT4 but it was sp6a and I think
>>>>> that is the minimum sp you need for 2003. So upgrade to sp6a before
>>>>> and then try again.
>>>>>
>>>>> Best regards
>>>>>
>>>>> Myweb
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>> confers no rights.
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to upgrade a Windows NT PDC to Windows 2003. Here's how
>>>>>> I attempted to do it but I am running into a problem.
>>>>>>
>>>>>> I created a BDC as the one I was going to work on. I then promoted
>>>>>> the BDC to a PDC just in case things would go bad on the original
>>>>>> PDC (It demoted itself to a BDC).
>>>>>>
>>>>>> When I inserted the Windows 2003 CD-ROM in the PDC it came back and
>>>>>> said that setup doesn't upgrade from NT to 2003.
>>>>>>
>>>>>> In all the white papers that I've read, it's mentioned that you can
>>>>>> upgrade from NT (SP5) to Server 2003.
>>>>>>
>>>>>> Can someone give me their input.
>>>>>>
>>>>>> Thanks
>>>>>> Steve
From: t
<t@discussions.microsoft.com>
To:
none
Subject:
RE: Upgrade a windows 2003 Sp1 cluster
Date:
09/13/2007 13:42:05
"Stefano Colombo" wrote:
> Is it possible to upgrade a cluster with 2 hosts Windows 2003 SP1 to Windows 2003 R2 SP2?
> Thanks
From: Jupiter Jones [MVP]
<jones_jupiter@hotnomail.com>
To:
none
Subject:
Re: Uninstallating Windows server 2003
Date:
08/25/2007 13:22:14
Both on the same directory?
In the future you should never install 2 operating systems on the same directory.
Leave it alone until you have time for a Clean Installation since removing one operating system may damage another in the same directory.
--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org
"Noorani" wrote in message news:1187564963.791240.144520@q4g2000prc.googlegroups.com...
> Hello,
>
> I would be thankful if anyone could provide me the solution to uninstall
> Windows Server 2003. The scenario is I installed Windows XP Pro on my
> Dell laptop and at the same time for my school I installed Windows
> Server 2003 180 day copy which got expired which was installed in the
> same directory. I am unable to work on Server 2003 and would like to
> uninstall it without disturbing the XP and other application programs.
>
> If anyone has the solution please update me or reply to my post. I
> highly appreciate and wish the best.
>
> Thanks and regards
From: kj [SBS MVP]
<KevinJ.SBS@SPAMFREE.gmail.com>
To:
none
Subject:
Re: Uninstall Exchange from SBS 2003
Date:
09/10/2007 15:17:53
JeffB wrote:
> I have a test server at home and I'd like to uninstall Exchange so I
> can reinstall. When I go to do this, it states there are users
> connected to Exchange and I need to 'disable mail' first, before I
> can delete Exchange.
>
> Not sure how to do this. I'm also the only account on machine and I
> haven't used mail yet.
>
> Any help will be appreciated.
>
> Jeff
Reinstall? Exchange or SBS?
SBS is an integrated product where Exchange, IIS, Sharepoint, ISA, et al., are all tightly bound. You should only use SBS Setup for installation and re-installation, and the wizards for configuration, adding users, computers, etc.
btw, there also is an active newsgroup specifically for SBS2003, that is microsoft.public.windows.server.sbs
--
/kj
From: Meinolf Weber (Myweb)
<meiweb@gmx.de>
To:
none
Subject:
Re: unable to access help and support on Windows 2003 server with service pack 2
Date:
08/26/2007 14:21:55
Hello John,
Here is your solution I think:
http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx
Best regards
Meinolf Weber (Myweb)
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> On a Windows 2003 Small Business Server with service pack 2 installed
> I get this error when attempting to open the help file.
>
> Windows cannot open help and support because a system service is not
> running
>
> To fix this problem, start the service named help and support
From: Lanwench [MVP - Exchange] <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com>
To:
none
Subject:
Re: unable to access help and support on Windows 2003 server
Date:
08/25/2007 09:52:09
John wrote:
> I'm getting the following error when trying to access the help and
> support within Windows 2003 server with service pack 2 installed.
>
> I re-installed service pack 2 and still have the following error.
>
> Windows cannot open help and support because a system service is not
> running
> To fix this problem, start the service named help and support
Is the service there?
>
> When looking further into this, MS took out the help and support from
> the services.msc setup for Service pack 2.
>
> Any ideas?
Are you perhaps running SBS?
http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx
From: Meinolf Weber (Myweb)
<meiweb@gmx.de>
To:
none
Subject:
Re: unable to access help and support on Windows 2003 server
Date:
08/25/2007 16:14:52
Hello Lanwench [MVP - Exchange],
The article you mentioned also applies for 2003 standard and also enterprise editions. And there was also someone here that used it for 64bit versions.
Best regards
Meinolf Weber (Myweb)
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> John wrote:
>
>> I'm getting the following error when trying to access the help and
>> support within Windows 2003 server with service pack 2 installed.
>>
>> I re-installed service pack 2 and still have the following error.
>>
>> Windows cannot open help and support because a system service is not
>> running
>> To fix this problem, start the service named help and support
> Is the service there?
>
>> When looking further into this, MS took out the help and support from
>> the services.msc setup for Service pack 2.
>>
>> Any ideas?
>>
> Are you perhaps running SBS?
>
> http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx
From: John <john@edd.com>
To:
none
Subject:
Re: unable to access help and support on Windows 2003 server
Date:
08/26/2007 20:30:36
Thanks, that did the trick!
"Lanwench [MVP - Exchange]" wrote in message news:ecxi1ny5HHA.5844@TK2MSFTNGP02.phx.gbl...
> John wrote:
>> I'm getting the following error when trying to access the help and
>> support within Windows 2003 server with service pack 2 installed.
>>
>> I re-installed service pack 2 and still have the following error.
>>
>> Windows cannot open help and support because a system service is not
>> running
>> To fix this problem, start the service named help and support
>
> Is the service there?
>>
>> When looking further into this, MS took out the help and support from
>> the services.msc setup for Service pack 2.
>>
>> Any ideas?
>
> Are you perhaps running SBS?
>
> http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx