Some shares "disappear" during the weekend

On a Windows Server 2003 fully patched, during the last 3 weekends, for some reason about 2/3 of the shares on the server are gone. The files and directories are still there with the proper permissions, but the shares themselfs disappear.

It is on the same shares every time.

The default hidden share for the drive is still there.

The shares are not all on the same physical drives or same logical drives.

Nothing is recorded in the System or Application logs of the server.

I do have auditing turned on for the registry key that corresponds to the lanmanserver\shares but that is going to be hard to track down as there are hundreds of thousands of lines and sine I do not know exactly when this is occuring I will have to search the entire list.

Everything is fine on Friday, then Monday morning when users start connecting the shares are not there.
LVL 1
John TolmachoffNetwork AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

schristeCommented:
To track what is happening to your shares - Enable Auditing (Right click folder(not the share), security tab, advanced button, auding tab, add the group(s) that has 'full rights' to that folder. and button it up.

Next time your shares disappear - you should have a security log entry logging the change, and what account was used.

-Cheers-


0
ChiefITCommented:
Can you tell us a little about the shares themselves? Are they DFS shares, DFSR shares, are they in a namspace, are they replicated between sites, ect...???
0
John TolmachoffNetwork AdministratorAuthor Commented:
Shares are not replicated, not DFS, just standard Windows Server shares.

Last week, I found out that one of the external USB drives used only for backups (part of a set) was offline. None of the missing shares/directories were on this drive, it is a single partition shared for backups only.

Using the auditing I had previously setup on the registry key, I was able to find that the LanManServer\Shares registry key was being accessed, read and written to by System at the time of the backup starting that used that external offline USB drive.

So, now I know when the shares "disappeared" but I still do not know why.

Another key thing I found: Once I recreated the missing shares,all of the shares were listed in HKLM\System\ContrtolSet001 (as well as CurrentControlSet) but not in ControlSet003 which is the LastKnownGood key. I exported the shares key from CurrentControlSet and imported them into ControlSet003.

As for the external USB Drive, I found went I went on site that the power cord was loose from the power supply and questioned the client and found out the security camera vendor had been in the server room and had replaced the camera command module which is plugged into next to the plug for that USB drive. BLEEPING WONDERFUL!

So, this last weekend, the backup job using that external USB drive ran fine (it is actually a redundant backup job, hence notifications were not set on it previously) and reviewing the audit log all I see are reads of the shares registery key, no writes.

So while the problem is no longer occuring, I still want to know why System apparantly deleted those shares when that backup job ran.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
John TolmachoffNetwork AdministratorAuthor Commented:
Still searching for an answer as to why it happened.
0
ChiefITCommented:
There's no reasonable explanation why those shares are gone. A backup job shouldn't have caused this because the backup job doesn't remove the data in any way. It just reads the data, sector for sector, and copies that to another location, (for your application, on the USB drives). If the USB drives were unplugged during the backup, the server may have shown the backup completed, but the USB drives may have missed some of the shares. I could see this happening. But, youshouldn't have to recreate the shares. All you would have to do is perform another backup of the server shares and all would be dandy.



0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Server Software

From novice to tech pro — start learning today.