#1
I've just reinstalled my 2003 server after yet another AD corruption.

Booting the fresh install was fine. I performed a Windows Update, rebooted, installed AD and rebooted again.

Now, every time my server starts up, it causes my ADSL router to stop responding to any network requests. Can't even ping it. If I shut the server down and power-cycle the router, all is fine again, and will remain so until I start the server up again.

The only things different about this install to the last are:

- using a different FQDN
- using 2000 mixed mode instead of 2003 native, to ease SAMBA issues

The router is set as the server's default gateway.

Things I've tried so far are:

- verified that they're both using valid, distinct IP addresses
- confirmed that DHCP server isn't running, to avoid IP# conflicts
- rebooted in Safe Mode with Networking, problem still occurs

I'm about to try in Safe Mode (no networking) to see if that causes the problem too. As it kills my internet connection, I wanted to post this first.

Any ideas what I'm doing wrong? I can't think of any legitimate network operation that causes complete death to another device.

Many thanks,

Drew
#2
Hello,

Is it possible that you are infected by a virus that floods the network?

--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003
#3
Kristofer Gafvert wrote:
> Is it possible that you are infected by a virus that floods the network?

I certainly couldn't rule that out 100%, although I'd class it as unlikely. I'll run a scan.

Booting into Safe Mode with no networking doesn't cause a problem (as expected).
#4
Kristofer Gafvert wrote:
> Is it possible that you are infected by a virus that floods the network?

After running some tests, I can't find anything to support that hypothesis. Any other suggestions?
#5
I would boot the server up with the Ethernet cable disconnected, connect it and then monitor the NIC status that shows sent and received packets. If your server starts sending out high volumes of traffic for no reason you are infected. Just because a scan comes up negative doesn't mean that your server CAN'T be infected.

If you just rebuilt your server and connected to the internet to apply the patches, you'll never make it. Your server will become infected before you get the patches applied. And once infected the patches don't do anything.
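Gino's NIC-counter test, as an added example that is not from the thread: it turns cumulative sent/received packet counts into rates and flags intervals where the server sends fast and nearly one-way, the signature of a flooding worm rather than a DC's normal startup chatter. The readings, the 32-bit counter width and the thresholds are constructed assumptions.

```python
# Added example (not from the thread): Gino's test of watching the NIC's
# sent/received packet counters, run over a constructed series of readings.
# Each sample is (seconds, packets_sent, packets_received) taken from a
# cumulative counter such as the NIC status dialog or SNMP ifOutUcastPkts.
# Counters are assumed to be 32-bit and may wrap between readings.

COUNTER_WRAP = 2 ** 32

def counter_delta(prev, cur, wrap=COUNTER_WRAP):
    """Difference between two cumulative readings, allowing for one wrap."""
    return cur - prev if cur >= prev else cur + wrap - prev

def packet_rates(samples):
    """Per-interval (t_end, sent_pps, recv_pps) from cumulative readings."""
    rates = []
    for (t0, s0, r0), (t1, s1, r1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicated or out-of-order sample: skip it
        rates.append((t1, counter_delta(s0, s1) / dt, counter_delta(r0, r1) / dt))
    return rates

def flood_intervals(samples, max_sent_pps=500.0, max_send_ratio=20.0):
    """End times of intervals where the host sends fast and almost one-way.

    A DC doing legitimate startup work (DNS registration, replication,
    Kerberos) sends modest, roughly two-way traffic; a scanning or flooding
    worm sends fast and gets little back. Both thresholds are assumptions
    to tune for the LAN in question.
    """
    flagged = []
    for t, sent_pps, recv_pps in packet_rates(samples):
        ratio = sent_pps / recv_pps if recv_pps > 0 else float("inf")
        if sent_pps > max_sent_pps and ratio > max_send_ratio:
            flagged.append(t)
    return flagged

# Constructed readings: quiet startup, a counter wrap, then a one-way burst.
SAMPLE_COUNTERS = [
    (0, 4294966000, 1200),   # sent counter about to wrap
    (10, 4294967200, 2100),  # 120 pps out, 90 pps in: normal
    (20, 400, 3000),         # wrapped; 496 packets out this interval: normal
    (30, 60400, 3050),       # 6000 pps out, 5 pps in: flood
    (40, 120400, 3100),      # still flooding
]

if __name__ == "__main__":
    print("suspect intervals ending at t =", flood_intervals(SAMPLE_COUNTERS))
```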
#6
Gino wrote:
> I would boot the server up with the Ethernet cable disconnected, connect it
> and then monitor the NIC status that shows sent and received packets. If
> your server starts sending out high volumes of traffic for no reason you are
> infected. Just because a scan comes up negative doesn't mean that your server
> CAN'T be infected.

I tried monitoring this from the router, and could see no unusual increase in traffic before the router died.

Other than the test described, is there a reliable way to detect whether the machine is infected?

> If you just rebuilt your server and connected to the
> internet to apply the patches, you'll never make it. Your server will become
> infected before you get the patches applied. And once infected the patches
> don't do anything.

This may sound stupid, but how can I patch the server without going to get the patches? The only approach I can think of is to install Linux on the server first, download the patches somehow, burn them onto a CD, reinstall with Windows and install the patches. Not ideal.

Also, whatever it is that is infecting the machine would have to get through a hardware firewall (on total lock-down) and router, and be totally dependent on Active Directory. When I uninstall AD, the problem vanishes.

drew.
#7
In item <%23gg3zD4$(E-Mail Removed)>, DrewM says...
> Gino wrote:
>
>> I would boot the server up with the Ethernet cable disconnected, connect it
>> and then monitor the NIC status that shows sent and received packets. If
>> your server starts sending out high volumes of traffic for no reason you are
>> infected. Just because a scan comes up negative doesn't mean that your server
>> CAN'T be infected.
>
> I tried monitoring this from the router, and could see no unusual
> increase in traffic before the router died.
>
> Other than the test described, is there a reliable way to detect whether
> the machine is infected?
>
>> If you just rebuilt your server and connected to the
>> internet to apply the patches, you'll never make it. Your server will become
>> infected before you get the patches applied. And once infected the patches
>> don't do anything.
>
> This may sound stupid, but how can I patch the server without going to
> get the patches? The only approach I can think of is to install Linux on
> the server first, download the patches somehow, burn them onto a CD,
> reinstall with Windows and install the patches. Not ideal.
>
> Also, whatever it is that is infecting the machine would have to get
> through a hardware firewall (on total lock-down) and router, and be
> totally dependent on Active Directory. When I uninstall AD, the problem
> vanishes.
>
> drew.

Does the router have logging? Also, is your FQDN the same as a registered one on the internet? Is your AD server also the DNS server for itself?

The router log should show you the traffic attempting to pass through it. You said you only have the issue when you install AD. Just for clarity, are you using a FQDN like mydomain.domain or something someone else may own like microsoft.com? Is your DNS server for the domain external to you? If so you will have issues with SRV records AD needs.

--
Regards,
Michael Holzemer
No email replies please - reply in newsgroup
Learn script faster by searching here
http://www.microsoft.com/technet/tre...er/default.asp
#8
Michael Holzemer wrote:
> Does the router have logging?

Unfortunately, no.

> Also is your FQDN the same as a registered one on
> the internet?

Yes, I'm using office.company.net, where company.net is registered and under my control at our ISP. I've set up an A record for 'office' within that zone to point to the IP address our ADSL uses.

> Is your AD server also the DNS server for itself?

Yes. With forwarders to our ISP's DNS servers.

> The router log should show you the traffic attempting to pass through it. You
> said you only have the issue when you install AD. Just for clarity are you
> using a FQDN like mydomain.domain or something someone else may own like
> microsoft.com.

office.company.net, registered to us.

> Is your DNS server for the domain external to you? If so you will
> have issues with SRV records AD needs.

Yup, it's at our ISP, on the other side of a locked-down firewall, and is running Linux.

... so, how *should* I do this? To be honest, I'd be happy using an old NT4 style single word domain name, but the installer gives dire warnings against this. I assume it should be possible to run as office.company.net without needing to host our own public DNS servers.

Thanks for your time.

drew
#9
I think it is the combination of patches installed via Windows Update. It wouldn't be the first time I have seen a combination of patches screw things up... for that matter I have seen plenty screwed up by just one patch, let alone a combination of them. Those fairly recent RPC patches, for example, stop the older MS Proxy 2 dead in its tracks; the solution is to not install those patches and to take other measures to protect the machine from the RPC worms.

I never use Windows Update; I don't trust dumping all those patches on a machine. I always have the SPs and patches that I have "hand picked" burned onto a CD, then when I build the machine I apply the patches from the CD before I expose the machine to the Internet. After that I apply only patches that I trust and feel are "must-haves" and I don't worry about the rest... it is better to wait until a full Service Pack comes out.

If you read the "mitigating circumstances" listed for the different vulnerabilities you will find that the situation doesn't apply to most machines on a private network behind a firewall or proxy that isn't exposed directly to the Internet. You just have to decide which applies to your situation.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
#10
In item <%23Tcqal6$(E-Mail Removed)>, DrewM says...
> Michael Holzemer wrote:
>
>> Does the router have logging?
>
> Unfortunately, no.
>
>> Also is your FQDN the same as a registered one on
>> the internet?
>
> Yes, I'm using office.company.net, where company.net is registered and
> under my control at our ISP. I've set up an A record for 'office' within
> that zone to point to the IP address our adsl uses
>
>> Is you AD server also the DNS server for itself?
>
> Yes. With forwarders to our ISPs DNS servers.
>
>> The router log should show you the traffic attempting to pass through it. You
>> said you only have the issue when you install AD. Just for clairity are you
>> using a FQDN like mydomain.domain or something someone else may own like
>> microsoft.com.
>
> office.company.net, registered to us.
>
>> Is your DNS server for the domain external to you? If so you will
>> have issues with srv records AD needs.
>
> Yup, it's at our ISP, on the other side of a locked-down firewall, and
> is running linux.
>
> ... so, how *should* I do this? To be honest, I'd be happy using an old
> NT4 style single word domain name, but the installer gives dire warnings
> against this. I assume it should be possible to run as
> office.company.net without needing to host our own public DNS servers.
>
> thanks for your time.
>
> drew

So the FQDN for the server is server.office.company.net? You said an A (host) record was pointed back to your router.

The folks over at the DNS group are very, very good at these kinds of issues, so I am going to post this to microsoft.public.windows.server.dns. They will be able to help you with the *should* part.

--
Regards,
Michael Holzemer
No email replies please - reply in newsgroup
Learn script faster by searching here
http://www.microsoft.com/technet/tre...er/default.asp