Solved

files lost

Posted on 2004-03-24
13
316 Views
Last Modified: 2010-04-13
We have a W2k server in a w2k domain in a LAN (192.168.1.x) behind a firewall with iis 5.0, .NET 1.1 and vss 6.0d.
We experienced slow response time and after we rebooted the server, a major part of the data files were gone. \program files and \winnt seem Ok as well as \vss but e.g. \netdata (equals wwwroot) \drivers (downloaded drivers), \download (other downloades files) and other are gone. recycler is empty.

The server is protected with NAV EE 7.5 with vir defs 22.3.04 rev.7. A scan for viruses didn't find anything.

Any ideas? We do have an actual backup but the whole situation makes us a bit nervous, since we do not know what happened.

Roger
0
Comment
Question by:TuliTaivas
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 125 total points
ID: 10666924
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 10667074
Also-  Check the Event log for ATAPI, SCSI, and Disk errors.
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 10667109
TuliTaivas

This is more likely either duff/corrupt disks or misguided/malicious housekeeping

I suggest you do a chkdsk /f on all drives, reboot and check your system event logs for drive errors

Check your file/folder permissions on the relevant directories to see who could have deleted the files and switch on file access auditing on the server

You will need to do a restore from backup
HTH
Cheers

JamesDS
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 10667168
0
 

Author Comment

by:TuliTaivas
ID: 10667410
* sirbounty
OK, I'll try one or another an let you know.

*  1stITMAN
no, we dont use BlackICE

* JamesDS
RAID status is optimal, I havent done chkdks but rather checked the drives under windows.  There was no problem reported.
When I run chkdsk (although w/out /F - I don't want to destroy evidence) it says "Windows found problems with the file system, although it doesnt say what kind of problems. I'm a bit reluctant to use the /f switch. Is there any way to get a little more information from chkdsk?

* YarnoSG
No disk related entries in eventlog (neither sys nor app). Only errors there are "aspnet_wp.exe unexpectedly quit". It has done this several times in the last few days, however seemingly without causing any problems.



I should mention that although the files are gone, the directory structure is intact.

Also "Documents and settings" is not affected at all.

Roger
0
 

Author Comment

by:TuliTaivas
ID: 10668635
chkdsk (without /f) in a DOS windows
- after checking indexes: recovers lost files
- after verifying security descript.: finds problems with the file system (discovers free space marked allocated in the master file table bitmap and the volume bitmap)
- suggests running chkdsk with the /f parameter.

When I do this, it checks the disk during startup and seems to fix problems (the screen is cleard too soon to read everything). However, when I then chkdks in a DOS window again it reports more errors. Is this normal? Do I have to repeat chkdsk / f until every error is gone?

R.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 16

Expert Comment

by:JamesDS
ID: 10668846
It looks like you definitly have got some corruption in the filesystem, question is how?

If you are having to run CHKDSK on boot mre then once then the volume is an a bad state and will probably need a re-format and restore.

JamesDS
0
 
LVL 7

Assisted Solution

by:YarnoSG
YarnoSG earned 125 total points
ID: 10668919
The information on the chkdsk will be stored in the event log, though if it finds problems repeatedly, your drive/array is going out, and there will be other issues in the event log to look at. -  Sounds like it is time to replace the drive (before it gets any worse.....)
0
 

Author Comment

by:TuliTaivas
ID: 10678724
Hi

The mistery is solved. JamesDS's guess "misguided housekeeping" was right on target. There was this batch file that should delete *.* in all subdirs of a certain dir. Unfortunately this dir was gone and the batch startet its job at C:\ . Luckily the job was interrupted by restarting the server (for quite an other reason) befor it got to the vital directories like windows, program files and so on.

Nevertheless there still seems to be an (unrelated to the lost files) problem with the file system. I'll deal with that in a few days.
0
 

Author Comment

by:TuliTaivas
ID: 10678943
According o the event log the first chkdsk reported errors (cleaning up instance tags, minor inconsistencies, 346 unused index entries and security descriptors) and made corrections to the file system, the second and third chkdsk found no problem.

However I'm sure, that when I ran chkdsk (without /f) in cmd.exe it repeatedly reported problems. E.g. right now it reprots free space marked as allocated in the volume bitmap. So maybe chkdsk while booting and chkdsk in a cmd window do not report the same?

Roger
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10684495
TuliTaivas

Glad you found the problem.

It is possible that CHKDSK on boot and in a CMD window report differently as the first is invoke before the volumes are mounted and therefore external to the environment. I would not be happy tho, until both are clear.

Cheers

James
0
 
LVL 19

Assisted Solution

by:Zaheer Iqbal
Zaheer Iqbal earned 125 total points
ID: 10685198
Well Have you tried recovery software to recover the lost files!!
As long as the sectors on the drive are not overwritten you should be able to recover deleted files..
http://www.recovermyfiles.com/
http://www.active-undelete.com/
http://www.winternals.com/products/repairandrecovery/filerestore.asp?source=google&campaign=1&group=1&creative=1
0
 

Author Comment

by:TuliTaivas
ID: 10694711
* 1stITMAN
We thought about it but didnt' have a program at hand (I had my privat ontrack CD at home) and wanted the server back asap. Maybe I try it anyway just for the fun of it and see if I can get some of the files back that were not in the backup. I dont have much hope though since we restored a few GBs..

* James
I agree that I expect both to be the same but then "free space allocated in the volume bit map" could mean a process is just reserving disk space (pagefile?). Time permitting I will do a bit research into that matter and let you know if I find an answer.

Roger

PS: I split the points among the 4 of you. I guess there are enough of them to make everybody happy.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now