Solved

files lost

Posted on 2004-03-24
13
318 Views
Last Modified: 2010-04-13
We have a W2k server in a w2k domain in a LAN (192.168.1.x) behind a firewall with iis 5.0, .NET 1.1 and vss 6.0d.
We experienced slow response time and after we rebooted the server, a major part of the data files were gone. \program files and \winnt seem Ok as well as \vss but e.g. \netdata (equals wwwroot) \drivers (downloaded drivers), \download (other downloades files) and other are gone. recycler is empty.

The server is protected with NAV EE 7.5 with vir defs 22.3.04 rev.7. A scan for viruses didn't find anything.

Any ideas? We do have an actual backup but the whole situation makes us a bit nervous, since we do not know what happened.

Roger
0
Comment
Question by:TuliTaivas
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 125 total points
ID: 10666924
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 10667074
Also-  Check the Event log for ATAPI, SCSI, and Disk errors.
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 10667109
TuliTaivas

This is more likely either duff/corrupt disks or misguided/malicious housekeeping

I suggest you do a chkdsk /f on all drives, reboot and check your system event logs for drive errors

Check your file/folder permissions on the relevant directories to see who could have deleted the files and switch on file access auditing on the server

You will need to do a restore from backup
HTH
Cheers

JamesDS
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 10667168
0
 

Author Comment

by:TuliTaivas
ID: 10667410
* sirbounty
OK, I'll try one or another an let you know.

*  1stITMAN
no, we dont use BlackICE

* JamesDS
RAID status is optimal, I havent done chkdks but rather checked the drives under windows.  There was no problem reported.
When I run chkdsk (although w/out /F - I don't want to destroy evidence) it says "Windows found problems with the file system, although it doesnt say what kind of problems. I'm a bit reluctant to use the /f switch. Is there any way to get a little more information from chkdsk?

* YarnoSG
No disk related entries in eventlog (neither sys nor app). Only errors there are "aspnet_wp.exe unexpectedly quit". It has done this several times in the last few days, however seemingly without causing any problems.



I should mention that although the files are gone, the directory structure is intact.

Also "Documents and settings" is not affected at all.

Roger
0
 

Author Comment

by:TuliTaivas
ID: 10668635
chkdsk (without /f) in a DOS windows
- after checking indexes: recovers lost files
- after verifying security descript.: finds problems with the file system (discovers free space marked allocated in the master file table bitmap and the volume bitmap)
- suggests running chkdsk with the /f parameter.

When I do this, it checks the disk during startup and seems to fix problems (the screen is cleard too soon to read everything). However, when I then chkdks in a DOS window again it reports more errors. Is this normal? Do I have to repeat chkdsk / f until every error is gone?

R.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10668846
It looks like you definitly have got some corruption in the filesystem, question is how?

If you are having to run CHKDSK on boot mre then once then the volume is an a bad state and will probably need a re-format and restore.

JamesDS
0
 
LVL 7

Assisted Solution

by:YarnoSG
YarnoSG earned 125 total points
ID: 10668919
The information on the chkdsk will be stored in the event log, though if it finds problems repeatedly, your drive/array is going out, and there will be other issues in the event log to look at. -  Sounds like it is time to replace the drive (before it gets any worse.....)
0
 

Author Comment

by:TuliTaivas
ID: 10678724
Hi

The mistery is solved. JamesDS's guess "misguided housekeeping" was right on target. There was this batch file that should delete *.* in all subdirs of a certain dir. Unfortunately this dir was gone and the batch startet its job at C:\ . Luckily the job was interrupted by restarting the server (for quite an other reason) befor it got to the vital directories like windows, program files and so on.

Nevertheless there still seems to be an (unrelated to the lost files) problem with the file system. I'll deal with that in a few days.
0
 

Author Comment

by:TuliTaivas
ID: 10678943
According o the event log the first chkdsk reported errors (cleaning up instance tags, minor inconsistencies, 346 unused index entries and security descriptors) and made corrections to the file system, the second and third chkdsk found no problem.

However I'm sure, that when I ran chkdsk (without /f) in cmd.exe it repeatedly reported problems. E.g. right now it reprots free space marked as allocated in the volume bitmap. So maybe chkdsk while booting and chkdsk in a cmd window do not report the same?

Roger
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10684495
TuliTaivas

Glad you found the problem.

It is possible that CHKDSK on boot and in a CMD window report differently as the first is invoke before the volumes are mounted and therefore external to the environment. I would not be happy tho, until both are clear.

Cheers

James
0
 
LVL 19

Assisted Solution

by:Zaheer Iqbal
Zaheer Iqbal earned 125 total points
ID: 10685198
Well Have you tried recovery software to recover the lost files!!
As long as the sectors on the drive are not overwritten you should be able to recover deleted files..
http://www.recovermyfiles.com/
http://www.active-undelete.com/
http://www.winternals.com/products/repairandrecovery/filerestore.asp?source=google&campaign=1&group=1&creative=1
0
 

Author Comment

by:TuliTaivas
ID: 10694711
* 1stITMAN
We thought about it but didnt' have a program at hand (I had my privat ontrack CD at home) and wanted the server back asap. Maybe I try it anyway just for the fun of it and see if I can get some of the files back that were not in the backup. I dont have much hope though since we restored a few GBs..

* James
I agree that I expect both to be the same but then "free space allocated in the volume bit map" could mean a process is just reserving disk space (pagefile?). Time permitting I will do a bit research into that matter and let you know if I find an answer.

Roger

PS: I split the points among the 4 of you. I guess there are enough of them to make everybody happy.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question