Network connectivity lost


  • Network connectivity lost

    I have seen this question asked before on this forum but it does not appear to have been resolved. I have posted on Microsoft's forum but would like to post the question here as well. I have tried to include as much information as possible:

    I have had an intermittent problem with the Windows 7 clients on my domain (htlincs.local) which has become a serious issue.

    The domain has two domain controllers - Win 2008 Standard (Phobos) with all FSMO roles, DNS and WINS and one Win 2003 R2 SP2 (Titan) with DNS, DHCP and WINS. The Win 2003 used to be the main DC until the Win 2008 was introduced 7 months ago. Domain functional level is Win 2003.

    Clients comprise Win 2000, XP, Vista and 7. All clients get their addresses via DHCP. The servers have static addresses.

    Previously, the Windows 7 clients would lose their connection to DFS shares/network/Internet. The loss of connectivity would last for a few minutes before returning or a restart would solve the problem. This would usually only affect one or two clients. The remaining clients would be fine.

    Today, four of our five Windows 7 clients have experienced this problem and it is back with a vengeance. The initial symptoms were loss of Internet followed by being unable to connect to the network. The local area connection icon in the Notification area has a yellow exclamation mark over it. The Windows 7 client that is unaffected is the same model machine bought at the same time as two of the others and has the same software.

    I have tried the following:

    Restarting the machines has no effect.
    Trying to connect to \\machinename results in an authentication dialog with: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
    netsh int ip reset followed by ipconfig /flushdns and restarting has no effect
    netsh winsock reset has no effect.
    Turning off IP v.6 has no effect.
    Running Windows Network Diagnostics results in: 'The DNS server isn't responding'
    Setting static IP addresses has no effect.

    When setting a static IP address I chose to 'validate settings on exit' and after the dialog closed the network diagnostics appeared and then displayed the result: 'The DNS server isn't responding'

    If I lock the client then unlock it, it takes 60 seconds for either a) the desktop to appear or b) an 'incorrect password' message to appear. The password has definitely been typed correctly.

    I can ping any device on the network by IP address but when I ping by name e.g. 'ping phobos' and 'ping phobos.htlincs.local' it fails.

    Remote Desktop to the win 7 clients fails, as does trying to connect via Computer Management or regedit (The network path was not found).

    The system log contains the following warning and error events:

    Netlogon 5719
    DNS Client Events 1006
    GroupPolicy 1054
    Time-Service 129

    These all relate to being unable to find a DNS server/Domain

    There is no problem with any of the other clients on the network. DNS and WINS entries are correct for the DCs. I have also tried changing the DNS settings on the DCs so that they use NetBIOS over TCP/IP and restarted them.

    IPConfig /all from the Win 2008 DC:

    Code:
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
    
    C:\Users\administrator.HTLINCS>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : Phobos
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
     VBD Client)
       Physical Address. . . . . . . . . : A4-BA-DB-40-2F-79
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.95
       DNS Servers . . . . . . . . . . . : 192.168.0.10
       Primary WINS Server . . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter Local Area Connection* 12:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{B5C37581-11FA-4C75-873D-7050746C6
    34E}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\administrator.HTLINCS>
    IPConfig /all from a Win 7 client with static address (unable to connect to network):

    Code:
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\Blood.HTLINCS>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : Damn
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : B8-AC-6F-42-21-DC
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.81(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.95
       DNS Servers . . . . . . . . . . . : 192.168.0.10
                                           192.168.0.2
       Primary WINS Server . . . . . . . : 192.168.0.2
       Secondary WINS Server . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{3AFDADFB-C483-43FA-BF76-F4E728832C61}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 9:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\Blood.HTLINCS>
    IPConfig /all from Win 7 client with DHCP assigned (reserved) address (unable to connect):

    Code:
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\Blood>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : Blast
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : htlincs.local
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-25-64-BF-EE-78
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.131(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 17 February 2011 08:29:12
       Lease Expires . . . . . . . . . . : 26 February 2011 08:29:12
       Default Gateway . . . . . . . . . : 192.168.0.95
       DHCP Server . . . . . . . . . . . : 192.168.0.2
       DNS Servers . . . . . . . . . . . : 192.168.0.10
                                           192.168.0.2
       Primary WINS Server . . . . . . . : 192.168.0.2
       Secondary WINS Server . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.htlincs.local:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : htlincs.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 11:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\Blood>
    Continued...
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: Network connectivity lost

    Continued...

    IPConfig /all from Win 7 client with DHCP assigned (reserved) address (able to connect):

    Code:
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\Blood>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : Working
       Primary Dns Suffix  . . . . . . . : htlincs.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : htlincs.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : htlincs.local
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-25-64-BF-F0-70
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::f1c3:41fb:39be:3543%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.0.132(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 17 February 2011 08:34:19
       Lease Expires . . . . . . . . . . : 26 February 2011 08:34:19
       Default Gateway . . . . . . . . . : 192.168.0.95
       DHCP Server . . . . . . . . . . . : 192.168.0.2
       DHCPv6 IAID . . . . . . . . . . . : 234890596
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-43-49-1D-00-25-64-BF-F0-70
    
       DNS Servers . . . . . . . . . . . : 192.168.0.10
                                           192.168.0.2
       Primary WINS Server . . . . . . . : 192.168.0.2
       Secondary WINS Server . . . . . . : 192.168.0.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.htlincs.local:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : htlincs.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 11:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\Blood>

    The clients' DNS settings are set to poll the Win 2008 DNS server first (.10) and the Win 2003 DNS server second (.2). This is the order in which they are listed in the DHCP option. All DHCP addresses for the clients are reserved (192.168.0.100-150). The DCs point to themselves for DNS. The gateway, on both the static (servers) assigned addresses and in DHCP, is set to the local IP address of a router (.95). All machines on the network use this same gateway.

    Also, power saving options are disabled for the NICs.

    If anyone can help me with this I would very much appreciate it. I am open to any suggestions on how to fix this.

    Thanks.


    • #3
      Re: Network connectivity lost

      Disabling the Sophos Firewall enables access to the Internet and network again. Re-enabling it blocks everything again.

      I don't know why the fifth Win 7 machine remains unaffected.

      Windows Firewall service is disabled across all the computers.


      • #4
        Re: Network connectivity lost

        Just in case any other Sophos users come across this:

        This was a strange one. The cause was that svchost.exe was being blocked because its memory had been modified. The blocked svchost processes were all UDP requests for DNS to our DNS servers. All the machines had a full AV scan last night and nothing was detected.

        There is an option in the general firewall settings to disable the monitoring of memory for processes, but it is (obviously) not recommended. More here.

        I disabled the monitoring of memory modification and this has allowed me to turn the firewall back on without affecting connectivity.

        I have spoken to Sophos about this and they have escalated the case as the tech support person I spoke to felt that more investigation was required.

        Comment
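An added triage example, not part of the thread: it compares name resolution through the system resolver (served by the DNS Client service in svchost.exe, the process post #4 found blocked) with a DNS query sent directly from the script's own process, then lists the System-log events named in the first post. The server addresses and host name are those in the thread's ipconfig output; the function names are illustrative.

```powershell
# Added example, not from the thread. Addresses and test name are the ones
# shown in the thread's ipconfig output; change them for your own network.
$DnsServers = '192.168.0.10', '192.168.0.2'
$TestName   = 'phobos.htlincs.local'

function New-DnsQuery([string]$QName) {
    # 12-byte header: random ID, flags 0x0100 (recursion desired), QDCOUNT = 1
    $pkt = @((Get-Random -Maximum 256), (Get-Random -Maximum 256), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    foreach ($label in $QName.TrimEnd('.').Split('.')) {
        $pkt += $label.Length                                   # length-prefixed label
        $pkt += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $pkt += 0, 0, 1, 0, 1                                       # root label, QTYPE=A, QCLASS=IN
    [byte[]]$bytes = $pkt
    return ,$bytes
}

function Test-DirectDns([string]$Server, [string]$QName, [int]$TimeoutMs = 3000) {
    # Sends the query from THIS process over UDP/53, bypassing the DNS Client service.
    $query = New-DnsQuery $QName
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 53)
        [void]$udp.Send($query, $query.Length)
        $from  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply = $udp.Receive([ref]$from)
        # Any reply carrying our transaction ID proves the round trip worked.
        return ($reply.Length -ge 12 -and $reply[0] -eq $query[0] -and $reply[1] -eq $query[1])
    } catch {
        return $false                                           # timeout, reset or blocked
    } finally {
        $udp.Close()
    }
}

function Test-SystemResolver([string]$QName) {
    # The path 'ping <name>' takes: the Windows resolver API, which hands the
    # query to the DNS Client service (Dnscache) when that service is running.
    try { [void][System.Net.Dns]::GetHostAddresses($QName); return $true }
    catch { return $false }
}

$system = Test-SystemResolver $TestName
$direct = @{}
foreach ($s in $DnsServers) { $direct[$s] = Test-DirectDns $s $TestName }
$anyDirect = @($direct.Values | Where-Object { $_ }).Count -gt 0

"System resolver for ${TestName}: $system"
$direct.GetEnumerator() | ForEach-Object { "Direct UDP/53 to $($_.Key): $($_.Value)" }

if ($system) {
    'Name resolution works through the system resolver.'
} elseif ($anyDirect) {
    'Servers answer this process but the system resolver fails: check the DNS Client service and the host firewall log for blocked svchost.exe or per-process rules.'
} else {
    'No server answered this process either: check the DNS servers, the path to them, and any host firewall rule dropping outbound UDP/53.'
}

# Events reported in the first post (Netlogon 5719, DNS Client 1006,
# GroupPolicy 1054, Time-Service 129), last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719, 1006, 1054, 129;
    StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Format-Table TimeCreated, ProviderName, Id -AutoSize
```

Run `ipconfig /flushdns` first so a cached answer does not mask a failing system resolver. A host firewall that filters every process the same way will fail both tests, so the second verdict is a pointer to the firewall log, not proof of its cause.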


        • #5
          Re: Network connectivity lost

          Thanks for sharing. We use Sophos but we've always stuck to using the Windows firewall rather than the Sophos firewall, glad we did now. Not come across the issue personally, we're in the process of upgrading our customers to Enterprise Console 4.5 seeing as 3 is being retired.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog



          • #6
            Re: Network connectivity lost

            Well, Sophos was doing its job, as configured. You can't blame it for that. I still don't understand why one Windows 7 client remained unaffected.


            • #7
              Re: Network connectivity lost

              I have seen problems with Win 7 Home Premium where it required a DWORD to be added to the registry at:

              HKEY_local_machine\SYSTEM\CurrentControlSet\Control\Lsa

              Add a DWORD and name it LmCompatibilityLevel
              set the value to 1

              reboot.



              • #8
                Re: Network connectivity lost

                Thanks for the reply, wkrause77.

                Update: Sophos asked me to try setting the firewall to monitor modified memory again for the affected clients and so far everything is fine.

                I assume that Sophos have fixed the issue.


                • #9
                  Re: Network connectivity lost

                  Try this: unjoin the defective systems from the domain. Uninstall the LAN drivers, restart, and install the drivers again. Now delete the system entry from Active Directory, i.e. find the defective computer name in the Active Directory Users and Computers snap-in and delete the system entries. Now join those computers to the domain again. After this, check that your system name has been entered in the DNS host records automatically; if not, try to add it manually.

                  Regards,
                  Praveen Kumar Bonala.
                  Last edited by praveenbonala; 8th April 2011, 13:19. Reason: forgot to add signature



                  • #10
                    Re: Network connectivity lost

                    Have you disabled the UAC feature?

                    Try that, I also heard turning DEP off works too, but I haven't tried that with my systems yet.



                    • #11
                      Re: Network connectivity lost

                      This entire issue was down to Sophos Firewall blocking DNS requests where the memory had been modified.

                      As said above, Sophos Firewall was doing exactly what it should have been doing.

                      I am very reluctant to disable an essential security feature, and I don't think it will make much difference to be honest.

                      Thanks anyway.


                      • #12
                        Re: Network connectivity lost

                        Originally posted by Blood
                        This entire issue was down to Sophos Firewall blocking DNS requests where the memory had been modified.

                        As said above, Sophos Firewall was doing exactly what it should have been doing.

                        I am very reluctant to disable an essential security feature, and I don't think it will make much difference to be honest.

                        Thanks anyway.
                        It was recommended to disable UAC, but I'm not sure if it's working anyway. I haven't heard of the machines losing network connection though, but have heard they are restarting for no reason and maybe bluescreening then rebooting.

                        Disabling UAC only disables the ability to input your admin credentials while logged in as a regular domain user, but instead will just deny access to an administrative level feature and state to contact your administrator to perform this feature and will not give you the option to input your admin credentials. So I wouldn't call it an "essential" security feature.
                        Last edited by Mudd; 22nd May 2011, 21:46.



                        • #13
                          Re: Network connectivity lost

                          Originally posted by Mudd
                          Disabling UAC only disables the ability to input your admin credentials while logged in as a regular domain user, but instead will just deny access to an administrative level feature and state to contact your administrator to perform this feature and will not give you the option to input your admin credentials. So I wouldn't call it an "essential" security feature.
                          I cannot agree with you. By disabling the UAC you inform the OS you are not willing to be notified anymore about any changes you (as the user) or an application (using your credentials) will make. So, there is no denying of any kind; on the contrary, the changes will be applied without you ever knowing about it.
                          I was also skeptical about UAC at first, until the day my manager came back from a conference and told our HD guys he could not access his DOK anymore. They checked it on four XP computers until they came to my Windows 7. Only when the UAC kicked in did we understand there was a virus on it. Their computers got infected, mine was OK.
                          By disabling the UAC you bring Windows 7 to the security level of XP, an OS almost five times less secure than 7. Thus, I would definitely call this an essential security feature.

                          Sorin Solomon


                          In order to succeed, your desire for success should be greater than your fear of failure.


                          • #14
                            Re: Network connectivity lost

                            Originally posted by sorinso
                            I cannot agree with you. By disabling the UAC you inform the OS you are not willing to be notified anymore about any changes you (as the user) or an application (using your credentials) will make. So, there is no denying of any kind; on the contrary, the changes will be applied without you ever knowing about it.
                            I was also skeptical about UAC at first, until the day my manager came back from a conference and told our HD guys he could not access his DOK anymore. They checked it on four XP computers until they came to my Windows 7. Only when the UAC kicked in did we understand there was a virus on it. Their computers got infected, mine was OK.
                            By disabling the UAC you bring Windows 7 to the security level of XP, an OS almost five times less secure than 7. Thus, I would definitely call this an essential security feature.
                            I'll agree with you on a stand-alone or non-domain type situation, but if it's in a corporate or domain type environment, and if it's viruses you're worried about, then being notified about that is what your Anti-Virus solution and other policies are for. The average user will almost always select OK to run the software just to get that window out of their face so they can get back to work. If you're naive enough to give your average users on your network this ability then that's on you as a system admin. I've turned off UAC before and because of the solutions I've implemented on my network, from Anti-Virus on the desktop and firewall level (packet scanning) to Software Restriction Policies (GPO), I've had very few infections make it through, most of which infected the user's profile only and not the entire machine, and that came "from the user" initiating the execution to run via email or flash drive. The SRP Policies are enough to stop anything from infecting a machine IF set up correctly with the software installed on your desktops. Basically you're configuring policies on your machine to install in one directory, "C:\Program Files", and in other directories pre-approved on the GPO, whereas most viruses install in directories outside of this directory, plus having SRP set up will run a check with the approved software list set up in SRP.

                            So with stand alone/non-domain environments where the user is the admin I'll agree, but in a managed domain environment, I give no admin privileges to my users at all.
                            Last edited by Mudd; 26th May 2011, 19:16. Reason: Spelling



                            • #15
                              Re: Network connectivity lost

                              Originally posted by Mudd
                              The average user will almost always select OK to run the software
                              The average user should not have administrative privileges, IMHO. Thus, s/he will need to provide the administrative credentials, the OK button will not be available.
                              Just to be sure I'm understood right, I'm not saying your set-up is not right. You should do whatever you feel is right for you and your organization. I just wanted to be certain those reading these posts in the future understand the full meaning and purpose of UAC.

                              Sorin Solomon