Cannot Access Shared Drives

sysdevcbc24
We have a Lenovo PC running on these specs which I administer remotely:

Intel Core i5-2400 3.10 GHz
4 GB RAM
OS=Microsoft Windows Server 2003 R2 SP2 Enterprise

(By the way, just a disclaimer: this is the first time I am administering a file share server. I have no background whatsoever in server handling.)

Now a bit of history: this server is used only inside the company. Its use is mainly for file sharing. This server's motherboard crashed weeks ago due to a sudden power failure (yes, it's not connected to any kind of UPS) and lately its motherboard was replaced. After the replacement, all shared directories were completely accessible, connections going in and out were good, and all looked to be working properly.

Now the problem occurs like this: Every morning, users cannot connect to the file server, saying the path is not found, something like that. I tried troubleshooting the problem: I pinged it and it worked fine. I pinged its IP address and it worked fine. I tried to connect through remote desktop and it worked fine. Everything seems to work EXCEPT clients connecting to its shared directories. I tried connecting to the server through the run prompt using the IP address but to no avail. The only workaround is to restart the server every time this occurs, and per observation, this occurs every day: we restart it in the morning, we work, everything's fine, we go home, and when we go back the next day, we can't connect again.

It's weird and I don't want to settle on restarting the server every day: it doesn't feel right and it defeats the purpose of being accessible all the time.

A bit of help would be much appreciated. Thank you in advance.


-Sam
  • +
    0 Votes
    OH Smeg

    It sounds as if a Service is turning off or something like that when the system is left alone or is getting no communication.

    Col

    +
    0 Votes
    sysdevcbc24

    Hmm, what log should I look at?

    In the system tools > event viewer > system, the last activity yesterday (June 19) was around 6:50pm for event 7036 (Service Control Manager) which has a description of "The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.".

    In the system tools > event viewer > application, the first activity today (June 20) was around 12:41am for a mysterious event (1704 = "Security policy in the Group policy objects has been applied successfully.") then at around 8:28, there is this error saying "Faulting application svchost.exe, version 5.2.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x015ff4b6."

    What do you think?

    +
    0 Votes
    OH Smeg

    http://support.microsoft .com/?kbid=932762

    remember to remove the space from between microsoft and the .com for a working link.

    Apparently if this Hot Fix is not applied it may result in the service turning itself off, but it also may not fix the issue.

    It could also be related to an infection of w32.downadup.b.

    Which may also be the issue but then again it may be neither of these.

    Col

    +
    0 Votes
    sysdevcbc24

    I've checked the technical details of W32.Downadup.B from Symantec (http://www.symantec .com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2) and tried to check if the posted symptoms match my problem; unfortunately they don't. The registry entries listed there that would prove the existence of the worm are luckily not found.

    Moving to the next solution, I downloaded the hotfix from Microsoft and I'd be installing it tomorrow morning. As expected, the problem repeated this morning and I had to restart the server again. I'll be observing the server tomorrow morning and check if some services, like the Computer Browser service, would fail, before I roll out the fix.

    Thanks a lot! I'll keep you posted.

    -Sam

    +
    0 Votes
    sysdevcbc24

    As unfortunate as it is, the fix didn't work. This is the error that I got:

    0000: 41 70 70 6c 69 63 61 74 Applicat
    0008: 69 6f 6e 20 46 61 69 6c ion Fail
    0010: 75 72 65 20 20 73 76 63 ure svc
    0018: 68 6f 73 74 2e 65 78 65 host.exe
    0020: 20 35 2e 32 2e 33 37 39 5.2.379
    0028: 30 2e 33 39 35 39 20 69 0.3959 i
    0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
    0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
    0040: 30 20 61 74 20 6f 66 66 0 at off
    0048: 73 65 74 20 30 31 35 66 set 015f
    0050: 66 34 62 36 f4b6


    This happened right after they opened the server. (Yes, the server is being closed every weekend, and since today is a Monday, they opened it, then around quarter to 8, the error happened again.) A restart fixed the problem again.

    +
    0 Votes
    OH Smeg

    Do you have any idea what is running around 7.45 AM?

    It may very well be that. Otherwise I'm not sure what's going on, though I'll see what I can think of.

    Col

    +
    0 Votes
    sysdevcbc24

    Hello OH Smeg. According to the users, they run our VB6 application around that time. This app connects to the server and accesses a shared folder. The shared folder contains MS Access database files that the application uses as its reference for login credentials. After successfully running the app, they usually exit the app. Then the next connection attempts would already fail. An example of a specific error message when connecting to the server through the run prompt is "The specified network name is no longer available".

    -Sam

    +
    0 Votes
    sysdevcbc24

    In addition, I don't know if it's worth noting, but if I try to connect to the server from inside itself through the run prompt, it would return an error of "No network provider accepted the given network path."

    -Sam

    +
    0 Votes
    Who Am I Really

    bad hardware
    corrupt software / OS component(s)
    or
    virus / malware infection

    how was this system rebuilt?
    MB replaced only with all other old components reused

    and how was the OS restored?

    even with backup software that allows "bare metal" recovery there can be incompatibilities that creep in unannounced for weeks - months etc.
    until a process / program or even a winders update tries to access that part of the OS install and chaos ensues

    +
    0 Votes
    glen.harris

    Has someone set their desktop/smartphone etc to a fixed IP which is the same as a server?
    Perhaps this person boots up their machine, or walks into the office and connects to wireless at 7:45ish and causes the server to fall off the network.

    How are you connecting via remote desktop? Hostname or IP?

    Just thinking that maybe the server is being forced to pick up a new IP, but if the users are connecting by name then the previous IP would still be stored in their DNS cache, so if \\server usually uses IP 192.168.0.2 and mysteriously changes to 192.168.0.10 (for example because johnsmobilephone has stolen the server's IP address), anyone trying to reach \\server will actually reach johnsmobilephone.

    You can test the theory by running the command ipconfig /flushdns from one of the machines that can't connect to it the next time it happens, then try to connect by name again.

    I could of course be way off the mark, but it may be worth a try.

    +
    0 Votes
    sysdevcbc24

    Guys, thank you for the inputs. Everybody's input really helped. We've already fixed the server using a "shotgun" approach: We downloaded ALL updates for Windows Server 2003 from the Microsoft Updates site and we've disabled the "Guest" account of the server.

    There is this unidentified workstation (inside the security event viewer) named "lQPxf2ISQgEV1bGK" under user "NT AUTHORITY\SYSTEM" that tries to connect to the server. Security viewer shows that at first try, it fails to connect, so it then connects through the Guest account and successfully logs in. After that log-in event, all users connected at that point would be dropped instantly like flies. This connection dropout might be because of the Computer Browser service getting shut down, again, because of that SVCHOST error that occurs a second after that "login" event.

    Right now we've already traced the IP of the workstation named "lQPxf2ISQgEV1bGK" (which was hidden before) and we'll cleanse it.

    Again, thanks for everybody's help.
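
The sequence described in the final post (a failed logon from an unrecognised workstation, a Guest logon from the same name, then the svchost.exe fault a second later) can be searched for in exported event records. This is an added example, not code from the thread: the records are constructed, the inventory names and time windows are assumptions, and 529/540/1000 are the Windows Server 2003 event IDs for logon failure, network logon and Application Error.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (timestamp, log, event ID, fields); dates are illustrative.
SAMPLE = [
    ("2012-06-25 07:30:02", "Security", 540, {"user": "maria", "workstation": "ACCT-PC01"}),
    ("2012-06-25 07:44:58", "Security", 529, {"user": "SYSTEM", "workstation": "lQPxf2ISQgEV1bGK"}),
    ("2012-06-25 07:44:59", "Security", 540, {"user": "Guest", "workstation": "lQPxf2ISQgEV1bGK"}),
    ("2012-06-25 07:45:00", "Application", 1000, {"app": "svchost.exe"}),
    ("2012-06-25 09:10:11", "Security", 540, {"user": "Guest", "workstation": "ACCT-PC02"}),
    ("2012-06-25 13:02:40", "Application", 1000, {"app": "winword.exe"}),
]

def parse(records):
    """Convert timestamps and return the records in chronological order."""
    rows = [(datetime.strptime(ts, FMT), log, eid, data) for ts, log, eid, data in records]
    return sorted(rows, key=lambda row: row[0])

def correlate(records, known_hosts, fail_window=60, crash_window=5):
    """Report every Guest network logon with the context seen in the thread.

    known_hosts is an assumed inventory of upper-case workstation names.
    """
    events = parse(records)
    findings = []
    for when, log, eid, data in events:
        if not (log == "Security" and eid == 540 and data["user"].lower() == "guest"):
            continue
        host = data["workstation"]
        # Did the same workstation name fail a logon shortly before?
        failed_first = any(
            l == "Security" and e == 529 and d["workstation"] == host
            and timedelta(0) <= when - t <= timedelta(seconds=fail_window)
            for t, l, e, d in events)
        # Did svchost.exe fault right after the Guest session was opened?
        crashed = any(
            l == "Application" and e == 1000 and d["app"].lower() == "svchost.exe"
            and timedelta(0) <= t - when <= timedelta(seconds=crash_window)
            for t, l, e, d in events)
        findings.append({"time": when.strftime(FMT), "workstation": host,
                         "unknown_host": host.upper() not in known_hosts,
                         "failed_first": failed_first, "svchost_crash": crashed})
    return findings

def suspicious(findings):
    """Keep only Guest logons that match all three conditions from the post."""
    return [f for f in findings
            if f["unknown_host"] and f["failed_first"] and f["svchost_crash"]]
```

Any Guest network logon is listed, since the thread's fix was to disable that account; `suspicious()` narrows the list to the full pattern.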
