bdhtechnology

strange network problem

I have a problem with one of my clients using a specific program.  He continues to get 'network errors' using a specific program, Lexis Nexis PCLaw.  We have spoken to PCLaw's tech support and they are sure it is a network problem, though none of the other 11 computers on the network seem to have any problems.

The problem is PCLaw keeps locking up with an error similar to:
"sysciocod error.  S:\ACG\PCLAW32/Data/DynData/MattInf Program Line 1427"

Once the error pops up the program freezes and has to be closed with the task manager.
PCLaw’s tech support state that it is a read error on the files (MattInf.idx & MattInf.dat) caused by ‘a disconnect of the network to your new computer system’.  

We have replaced the network cable from the PC to the switch to no avail.  

The computer is a new Windows 7 Pro 64-bit workstation and the server is running Windows 2008 Small Business Server 64-bit edition.  Several other computers are running Windows 7 Pro 64-bit without any issues at all.

Any ideas on what to try next?
nlandas

Could it potentially be a locking issue? Try checking the oplocks settings on each client.

It used to be on previous versions.
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters OplocksDisabled = 1

Double check that on Windows 7.
bdhtechnology

ASKER

There isn't a Parameters key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\

Should I create one with a DWORD value 'OplocksDisabled' set to 1 under it?
Brian
Bad port on the switch? Try moving it to another port.

I have found that tech support for most law-specific programs will blame the network and server until they're blue in the face, so take what they say with a grain of salt.
This seems to be correct for Vista.....

He added this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters\
OplocksDisabled REG_DWORD 0

The following key on the server (0 disabled, 1 enabled)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
EnableOplocks REG_DWORD 1

The keys are described in more detail at http://support.microsoft.com/kb/296264.

I'm not sure about Windows 7.  You could try to disable it on the server as a test.
http://blogs.msdn.com/b/openspecification/archive/2009/05/22/client-caching-features-oplock-vs-lease.aspx

As washburnma noted I would try a different port. If that fixes the issue you have a bad port on the switch and I would place an empty RJ45 connector in the bad port so you don't use it again.

If that does not work upgrade the drivers for the network card.
Some more information could also be of help.
What type of network card and what type of switch is it? (Make, Model and Revision if present)
Is the switch manageable via an IP address or comm cable?

If the switch is manageable and the driver upgrade does not work I would go to the switch and see if you can monitor the statistics on the port that is giving you trouble.
@eli_cook & @washburnma:
We have tried changing the network switch port of both the server and the workstation.  We have even replaced the entire network cable running from the switch to the workstation.

The switch is a Linksys 24 port unmanaged switch.

The network card of the workstation is integrated into the motherboard.  It is a MSI X58 Pro-E motherboard.



@nlandas:
For now I have disabled the Oplocks on the server by setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
EnableOplocks to 0

The information for disabling it on the workstation seemed somewhat ambiguous so I have not tried that as of yet.



@giltjr:
Yes we have tried running the "Verify Data Integrity" tool many times and it doesn't seem to help.
Is the problem easily re-creatable?

If so, I would try running a packet capture (I suggest wireshark, http://www.wireshark.org) on the desktop that is having the problems and see what it shows.
It happens quite frequently.  The problem is that it works for several hours but if it stays open it will fail at some point, not necessarily while it's being used.  The problem is on a data entry screen.  The client goes to enter information and will come back to it through the day and add additional information.  When he goes to add new information or save is when the error seems to occur.

Forgive me but I am not familiar with wireshark or its operation.  I took a look at it earlier but stopped, not knowing exactly how to interpret the information it captured.
Ah, you know I just noticed that the file that had the problem is the "S" drive.  Which I am going to assume is a mapped share.

Next time it happens you may want to go to a command prompt and issue the command:

   net use

I'm wondering if for some reason the share is getting disconnected and not getting re-connected fast enough.

Are there any errors/messages in any of the event logs on the user's computer?

Can they ping the server that the share is mounted on?

Now you mention 11 computers.  Is the server that the share is on a real Windows Server OS?  Or is it a desktop OS?

If a real server, do you have enough licenses?

If a desktop OS, that could be your problem.  MS Windows desktop OSs are limited to 10 concurrently connected clients.
I think giltjr is on to something. It could be the share disconnecting.

Can you give us details on the server - OS version, patch level.

If it's a real server and it is disconnecting then check the autotuning settings on the workstation end.

Open up an elevated command prompt. (Open it as an Administrator by right clicking on the icon)

Start by disabling it and see if that fixes the problem -
netsh interface tcp set global autotuninglevel=disabled

If you find that this doesn’t fix your problem, you can turn it back on.
netsh interface tcp set global autotuninglevel=normal

You can use this command to see the state of the TCP global parameters.
netsh interface tcp show global

If it does fix the problem and you want to not completely disable autotuning you can set it to
netsh interface tcp set global autotuninglevel=highlyrestricted

and see if it still works.
It is Windows Small Business Server 2008 so it is a real server OS and the licensing is not the issue.

Ping seems to work ok.  I haven't checked the event logs, I'll give that a shot if it continues to happen.
A few stabs off the top of my head

Get the latest NIC driver
Set your NIC to not go to sleep under driver properties.
Is this an embedded Realtek NIC? Try an Intel.
Run a ping -t (to the server ip) and monitor it while in use. When the problem occurs are there any dropped pings.
Patch the OS fully.
Disable any workstation virus software(temporarily)
Anything else running on this machine that isn't on the others? Malware apps Adaware, etc. Disable them.
I also think that _ may be on the right track, after checking the licensing with Small Business Server 2008 it comes with 5 cals and licensing may be the reason the drive is becoming disconnected. The Microsoft link below details the licensing for Small Business Server
http://www.microsoft.com/sbs/en/us/licensing.aspx

You may need to purchase additional cals for your network if licensing is the issue.
It comes with 5 CALs; however, in all versions of Server 2008 the licensing is not enforced, it is only a legal requirement.  There is no technical mechanism for CAL tracking or enforcement in SBS 2008.
Okay, licensing aside, did you find anything in the event logs?
Sorry for the delay I had to wait for it to happen again and for the client to let me know about it.  It happened at 8:23 pm this evening and at 7:43 pm in the event log is the following warning:
Event ID: 4227
Source: tcpip

TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.


The warning seems to have occurred several times through the day without his program crashing though.
O.K., There are two registry keys you can change to help prevent this.  Neither exist to start with and use a default value and both are under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The first is TcpTimedWaitDelay, this is a DWORD value.  The default is decimal 120 seconds and you can set it to as low as 30.  I would change it to 30.

The second is MaxUserPorts.  This is also a DWORD value and the default is 5000, I would increase this to 10,000.


TcpTimedWaitDelay is how long a TCP connection will stay in close wait.  TCP will wait 2 times this value, so at 120 seconds it will wait for 4 minutes before actually closing a connection.  Lowering this value to 30 means it will wait for 1 minute.  If you specify a value lower than 30, it will use 60.

MaxUserPorts is the maximum number of TCP/UDP ports that will be used for establishing outbound connections.  The default is 5000, but ports 1-1023 are reserved and so this leaves you with about 4000 ports you can use.

With both of the above set to their defaults if you open/close a lot of TCP connections, you could easily run out of ports in a 4 minute period.  By lowering TcpTimedWaitDelay and increasing MaxUserPorts you should prevent this problem.

This needs to be done on the desktop, although setting TcpTimedWaitDelay down to 30 on the server would not be a bad idea either.
What do you get if you run a netstat on the machine? It seems strange that you would be running out of ports if the computer is not being used. I would suspect that it may have some spyware or the TCP connections are not getting properly closed.

If you run the following command it will save a file to the root of the C drive so you can view it in a text editor. netstat -b > c:\netstat.txt

If you want a GUI you could also try tcpview from the Sysinternals suite.
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

I would run this while you have no programs running, then run it again once you are running the Lexis Nexis software. If you want you can also post up the files here so they can be reviewed. Then compare the files to see what kind of connections are being made and how many. I have never seen a network application like PC Law or Time Matters use all of the available connections (ports) on a computer.

If it is spyware, if you change the above registry values it may consume more resources and ports on the computer and network.
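
One way to make the before/after comparison suggested above, as an added example that is not part of the original post: a PowerShell 2.0-compatible function that tallies saved netstat -b output by TCP state and by remote endpoint. The function name, the warning threshold and the sample rows are constructed for illustration.

```powershell
# Added example, not from the thread. Summarises saved `netstat -b` output.
# $TimeWaitWarn is an arbitrary illustrative threshold, not a Windows limit.
function Get-NetstatSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [int]$TimeWaitWarn = 1000
    )

    $rows = @(foreach ($line in $Lines) {
        # Connection rows: "  TCP  10.0.0.156:51670  app01:https  TIME_WAIT".
        # Owner lines such as " [Dropbox.exe]" do not match and are skipped.
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$') {
            $local, $remote, $state = $Matches[1..3]
            New-Object PSObject -Property @{
                # Text after the last colon is the port (also true for [IPv6]:port).
                # -as [int] yields $null when netstat printed a service name.
                LocalPort = ($local -replace '^.*:', '') -as [int]
                Remote    = $remote
                State     = $state.ToUpper()
            }
        }
    })

    $byState = $rows | Group-Object State | Sort-Object Count -Descending |
        Select-Object Name, Count
    $timeWait = @($rows | Where-Object { $_.State -eq 'TIME_WAIT' })
    $twByRemote = $timeWait | Group-Object Remote | Sort-Object Count -Descending |
        Select-Object Name, Count
    # Range of non-reserved local ports in use, to see where the stack is allocating.
    $ports = $rows | Where-Object { $_.LocalPort -ge 1024 } |
        Measure-Object LocalPort -Minimum -Maximum

    New-Object PSObject -Property @{
        StateCounts            = $byState
        TimeWaitByRemote       = $twByRemote
        TimeWaitTotal          = $timeWait.Count
        LocalPortMin           = $ports.Minimum
        LocalPortMax           = $ports.Maximum
        TimeWaitAboveThreshold = ($timeWait.Count -ge $TimeWaitWarn)
    }
}

# Constructed sample in the same layout netstat -b produces (not real capture data).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.156:49205       fileserver:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:49211       www:https              CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:51670       app01:https            TIME_WAIT
  TCP    10.0.0.156:51674       app01:https            TIME_WAIT
  TCP    10.0.0.156:51699       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:51700       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:51701       10.0.0.254:1780        TIME_WAIT
  TCP    127.0.0.1:2002         WORKSTATION:49210      ESTABLISHED
 [LogMeIn.exe]
'@ -split '\r?\n'

$summary = Get-NetstatSummary -Lines $sample
$summary.StateCounts      | Format-Table -AutoSize
$summary.TimeWaitByRemote | Format-Table -AutoSize
"TIME_WAIT total: {0}; local ports {1}-{2}; above threshold: {3}" -f `
    $summary.TimeWaitTotal, $summary.LocalPortMin, $summary.LocalPortMax,
    $summary.TimeWaitAboveThreshold

# For a real capture: Get-NetstatSummary -Lines (Get-Content C:\netstat.txt)
```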
I have been waiting to hear back on the last change if he is still having problems or not.  I will run netstat on the machine and see what the results are.  It would seem odd to me if there were more than 5000 ports being used...
Results of netstat -b with normal programs open.  It doesn't look like a whole lot...

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.156:49181       app01-12:https         ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:49205       XXserverXX:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:49211       www:https              CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:49212       174:https              CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:49214       174:http               ESTABLISHED
 [Dropbox.exe]
  TCP    10.0.0.156:49234       75:https               CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:50014       XXserverXX:42987   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:50017       XXserverXX:42987   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:50018       XXserverXX:42987   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:50021       XXserverXX:1029    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:51503       cdn-208-111-161-254:http  CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:51670       app01-12:https         TIME_WAIT
  TCP    10.0.0.156:51674       app01-12:https         TIME_WAIT
  TCP    10.0.0.156:51675       app01-12:https         TIME_WAIT
  TCP    10.0.0.156:51677       app01-12:https         TIME_WAIT
  TCP    10.0.0.156:51678       app01-12:https         TIME_WAIT
  TCP    10.0.0.156:51688       app01-12:https         ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:51692       XXserverXX:1029    TIME_WAIT
  TCP    10.0.0.156:51694       65.55.57.251:http      ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:51695       a204-245-162-58:http   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:51699       XXserverXX:1780      TIME_WAIT
  TCP    10.0.0.156:51700       XXserverXX:1780      TIME_WAIT
  TCP    10.0.0.156:51701       XXserverXX:1780      TIME_WAIT
  TCP    10.0.0.156:51702       XXserverXX:1780      TIME_WAIT
  TCP    10.0.0.156:51703       XXserverXX:1780      TIME_WAIT
  TCP    127.0.0.1:2002         XXworkstationXX:49210          ESTABLISHED
 [LogMeIn.exe]
  TCP    127.0.0.1:19872        XXworkstationXX:49213          ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:49210        XXworkstationXX:2002           ESTABLISHED
 [LogMeInSystray.exe]
  TCP    127.0.0.1:49213        XXworkstationXX:19872          ESTABLISHED
 [Dropbox.exe]
It doesn't appear that there are any suspicious connections and you don't have a lot of connections in the TIME_WAIT status. Hopefully the settings that giltjr has recommended resolve the issue with your workstation.
Yep, not a whole lot of connections, not a lot in TIME_WAIT and you have connections with very high PORT numbers, as if MaxUserPorts is already set to a very high number, like 65535.

Were you having the problem when the netstat command from above was done?
It wasn't happening while the issue was occurring.  I have instructed him on how to run the command and to do it while the issue is occurring so we will see what happens.

He also is having problems with Word documents taking between 4-10 minutes to open occasionally.  I am suspecting that these problems must be related.
Some additional errors in the event log...

Event ID: 50
Source: mrxsmb

{Delayed Write Failed} Windows was unable to save all the data for the file \ACG\PCLAW32\DATA\DynData\TTECD5.idx. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

-----------------------------------
Event ID: 139
Source: Mup

{Delayed Write Failed} Windows was unable to save all the data for the file \ACG\PCLAW32\DATA\DynData\TTECD5.idx. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

I am assuming that \ACG\PCLAW32\DATA\DynData\TTECD5.idx is a file that is on a share from some file server.

This indicates that the share has become disconnected and is taking longer than Windows expects to get re-connected.
There may be an incompatibility with your switch and the on-board lan. I had a problem with Intel on-board nics and Cisco built in fast ethernet ports setting the link speed manually corrected the issue. You should be able to set the link speed in the properties of the nic. Open the device manager, find your hardware and open the properties. You should be able to set the link speed and duplex under the advanced tab.

For my system to work I had to set it to half duplex even though the nic and switch were both full duplex. So you may want to try different speeds or duplex settings.

If you have not yet tried an add-in nic, I would suggest trying one now.
Yes exactly the path: \ACG\PCLAW32\DATA\DynData\TTECD5.idx is a network share.

I upgraded the NIC drivers yesterday but he says he can't reboot until tomorrow (Wed) so we'll see what happens after that.
When he gets the error you may also want to have him issue the command:

    net use

This will show what shares he has mapped and what their status is.

Also the registry changes I talked about may need to be made on the server also.
I am still waiting on the results of the net use command.  Here are some net use results, what appears strange to me is the 10.0.0.254 address appearing, which is the wireless access point.  This computer is hard wired so it shouldn't need to access anything on the wireless access point.  Joel-PC is the local computer the command is being run on.


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.156:2869        10.0.0.254:1143        TIME_WAIT
  TCP    10.0.0.156:51785       174:http               ESTABLISHED
 [Dropbox.exe]
  TCP    10.0.0.156:51792       app01-12:http          ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:52203       75:https               CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:61768       cdn-208-111-160-6:http  CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61845       XXserverXX:5228    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61848       XXserverXX:5228    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61853       XXserverXX:1029    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61986       65.55.57.251:http      CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61987       a204-245-162-58:http   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:62051       channel-30-35:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:62066       XXserverXX:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:62075       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62076       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62077       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62078       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62079       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62080       www-12-02-snc5:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:62081       a184-84-247-9:http     CLOSE_WAIT
 [iexplore.exe]
  TCP    10.0.0.156:62082       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62083       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62089       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62091       melinda:netbios-ssn    TIME_WAIT
  TCP    10.0.0.156:62093       angela:netbios-ssn     TIME_WAIT
  TCP    10.0.0.156:62094       angela:netbios-ssn     TIME_WAIT
  TCP    10.0.0.156:62095       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:62096       10.0.0.254:1780        TIME_WAIT
  TCP    127.0.0.1:2002         Joel-PC:49210          ESTABLISHED
 [LogMeIn.exe]
  TCP    127.0.0.1:19872        Joel-PC:49213          ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:49210        Joel-PC:2002           ESTABLISHED
 [LogMeInSystray.exe]
  TCP    127.0.0.1:49213        Joel-PC:19872          ESTABLISHED
 [Dropbox.exe]
  TCP    [fe80::a1b2:c4a7:d3de:3ed%13]:62086  [fe80::463:dc6d:44f4:8bea%13]:icslap  ESTABLISHED
  EventSystem
 [svchost.exe]


--------------------------------------------------------------------------------------------------------


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.156:135         XXserverXX:10065   ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    10.0.0.156:135         XXserverXX:10066   ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    10.0.0.156:51785       174:http               ESTABLISHED
 [Dropbox.exe]
  TCP    10.0.0.156:51792       app01-12:http          ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:52203       75:https               CLOSE_WAIT
 [Dropbox.exe]
  TCP    10.0.0.156:61497       channel-30-35:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:61768       cdn-208-111-160-6:http  CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61845       XXserverXX:5228    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61848       XXserverXX:5228    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61853       XXserverXX:1029    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61962       www-10-04-snc4:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:61963       a184-84-247-35:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:61964       a184-84-247-35:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:61970       rs6:http               TIME_WAIT
  TCP    10.0.0.156:61971       melinda:netbios-ssn    TIME_WAIT
  TCP    10.0.0.156:61972       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61973       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61974       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61975       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61978       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61986       65.55.57.251:http      ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61987       a204-245-162-58:http   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61989       co107ds:http           ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:61990       10.0.0.254:1780        TIME_WAIT
  TCP    10.0.0.156:61991       207.46.118.181:https   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    127.0.0.1:2002         Joel-PC:49210          ESTABLISHED
 [LogMeIn.exe]
  TCP    127.0.0.1:19872        Joel-PC:49213          ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:49210        Joel-PC:2002           ESTABLISHED
 [LogMeInSystray.exe]
  TCP    127.0.0.1:49213        Joel-PC:19872          ESTABLISHED
 [Dropbox.exe]

Can you run and post back the IPCONFIG /ALL command?
Turn off the wireless adapter if possible.

TCP port 1780 is used for UPNP.
I turned off the UPNP in the wireless router, the computer does not have a wireless adapter.
What did you replace the network cable with? A manufactured one or a hand built one. Are the other Windows 7 64-bit systems using the same motherboard w/ onboard NIC? I tried to read all the posts, have you tried an add in NIC?
The other Win 7 64-bit systems are using a different motherboard, but they are all made by MSI and have onboard NICs, except for one Dell laptop.

The computer is over 50 ft from the network switch through a concrete floor, so we had a cabling company run the line through the floor.  So it is a custom cable-not a stock cable.

We have not tried another NIC yet, I suppose that would be good to try.  There is only one PCI slot which is used by the graphics card so I will have to get a PCIx graphics card to try and test as well.

I was wrong about the model number of the motherboard.  The workstation is an MSI X58M.  The server is the MSI X58 Pro-E.
Here is a PCI-e card on newegg.com. It's an Intel Gigabit NIC.
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106033

I think this is a 1x card.
It seems as though the problem is occurring on another Windows 7 64-bit machine as well.  So the problem must be with the server.
What errors are occurring in the server event logs?
Every 30 minutes the error below is occurring.  It is happening 8 times for each computer.  It seems to happen for both computers that are having problems, plus a third one that is not.  The third one is running XP Pro however.

There are a few other errors peppered in there when the first error is occurring that may be related.

----------------------------------------------------------------------------------------------------------------
Event ID: 10009
Source: DistributedCom

DCOM was unable to communicate with the computer COMPNAME.DOMAIN.local using any of the configured protocols.

----------------------------------------------------------------------------------------------------------------
Event ID: 10006
Source: DistributedCom

DCOM got error "2147944122" from the computer COMPNAME.cdrlaw.local when attempting to activate the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

----------------------------------------------------------------------------------------------------------------
Event ID: 4
Source: Security-Kerberos

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server COMP2$. The target name used was RPCSS/COMP3.DOMAIN.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


To fix the first two errors you need to allow DCOM traffic through the Windows Firewall. For the third error it appears you may be having some DNS issues, mainly it appears that your DNS records are not being updated or removed when a new DHCP lease is made. You probably need to specify a username and password in the DNS console, you can follow the guide below for this:
http://www.tech-faq.com/integrating-the-dns-server-with-dhcp-and-wins.html

and here is an article detailing which DCOM ports to open, I would add a new GP for this if you don't already have a firewall policy.

http://technet.microsoft.com/en-us/library/bb676126.aspx

While I don't think that this would cause your original issue it will correct the errors in your event logs.

Another item to possibly check is what ports on the computer are needed for PCLaw, maybe there is a port that is closed and it needs to be open?

What type of nic is used in the second computer that is now also having the issue?

Are there any other errors or warnings in the event logs on the server?
Well if you search on the error 2147944122 you will find a few hits, such as:

http://www.networksteve.com/forum/topic.php/DCOM_error_10009_on_Windows_2008_SBS%C2%A0_SP1/?TopicId=3414&Posts=2
Can you also check the second workstation's event logs to verify that you are receiving the same error(s) as you posted earlier

Event ID: 4227
Source: tcpip

Event ID: 50
Source: mrxsmb

Event ID: 139
Source: Mup
I see both Event ID 50 (mrxsmb) and Event ID 139 (Mup) but not 4227 (tcpip).

There is no firewall enabled on the server currently, it has been disabled for testing.  There is also no firewall enabled on one of the machines that the DCOM error is referring to.

The second computer is also an MSI motherboard with integrated Realtek NIC.

I am reviewing the other information now as well as looking for additional event log info.

One additional Event Log entry:

Source: DCOM
EventID: 10016

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
So the DCOM error (10009) are all for old computers that were still listed in DNS.  I removed the entries there and enabled DNS dynamic updates in DHCP so that should clear it up.

It looks like the Kerberos error (4) may be related to old entries too:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server NEWCOMPNAME$. The target name used was RPCSS/OLDCOMPNAME.DOMAIN.local. This indicates that the...

So it looks like the DCOM errors 10006 and 10016 may be the cause.
Yes the Kerberos error is because of a mis-matched name, which should be cleared up if you corrected the DNS errors.

Did you by chance try an add-in NIC as was previously suggested?

If both machines are Win7 64 - and they both have the similar nic models then trying another brand may help.

I also checked the model of the motherboard from Comp #1 that is having the trouble and there is an up to date driver released 11/24/2010 I tried to find release notes but could not find a revision history to see what was changed and/or fixed.

http://www.msi.com/index.php?func=downloaddetail&type=driver&maincat_no=1&prod_no=1796

Is the motherboard in Comp #2 a MSI X58 as well?
No Comp #2 is an MSI GF615M-P33 (AMD) but I think it has a Realtek chipset as well.

I have not tried another adapter since the same problem was occurring on another computer.
I tried a different network switch and a different NIC in the server (Intel chipset) and still having issues.  I had them run: "net use > c:\netuse.txt" on one of the workstations when it was happening and the netuse.txt file was blank.

Here is what it looks like when it works correctly:
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           S:        \\SERVERNAME\shared_files
                                                Microsoft Windows Network
The command completed successfully.

If the file was blank that means that something somewhere did a "net use S: /delete"

Even if there was some type of network glitch you would still see the map it would just say "disconnected" on the end of the line.

No switch, switch port, NIC, or cable is going to do a "net use S: /delete".

Trying to think of a way to look for what is doing this.
On the SERVER try looking at the registry key:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

and look for the value KeepConn  and see what it is set to.

Then from a command prompt on the server issue the command:

     net config server /autodisconnect:-1

To give credit where credit is due:

     https://www.experts-exchange.com/questions/26651823/Mapped-drives-disappear-on-Terminal-Server-2008.html

and:

    http://support.microsoft.com/kb/297684
I think the blank file may have been the result of typing the wrong command :)

I checked the output of 'net config server' and autodisconnect was set to 15 minutes so I ran:
net config server /autodisconnect:-1

There wasn't a KeepConn value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
The issue is still occurring.  Any ideas on what to try next?
Have you tried a different nic yet?
Yes, in the server.  Since the issue occurs on more than one computer I figured that was the safe bet.
Have you verified the status of the network share from the desktop when the problem occurs?

What needs to be done, is as SOON as the user sees the problem they need to:

    write down the time their computer has, including seconds.
    issue the command "net use" and save the output
    issue the command "netview \\servername"  where servername is the name of the server the share is on
    ping server that the share should be on and save the output

It would be nice to have them also ping and do a netview to another server on the network, if you happen to have another server on the network.

Unless you have a small event log, you need to check the event log for any/all events when the problem occurred.

We need to know what the status of the share(s) is(are) and if this desktop can still access hosts on the network.
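
The collection steps listed above, as an added example script in PowerShell (not part of the original post), meant to be saved as a .ps1 file and run on the affected workstation the moment the error appears. SERVERNAME, the extra host list and the log path are placeholders; the event sources are the ones quoted earlier in this thread.

```powershell
# Added example, not from the thread. Works on PowerShell 2.0 (Windows 7 default).
# $Server, $OtherHosts and $LogPath are placeholders to be set for the site.
param(
    [string]$Server = 'SERVERNAME',
    [string[]]$OtherHosts = @(),
    [string]$LogPath = (Join-Path $env:USERPROFILE 'share-diag.txt')
)

$rule = '=' * 76

function Invoke-Logged {
    param([string]$Title, [string]$CommandLine)
    # Run through cmd so stderr (e.g. "System error 53") lands in the log too.
    $output = cmd /c "$CommandLine 2>&1" | Out-String
    $block  = @($rule, "$Title  (exit code $LASTEXITCODE)", $output)
    Add-Content -Path $LogPath -Value $block
}

# 1. Record the workstation's clock, including seconds.
$stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.ff'
$header = @(('#' * 76), "Captured: $stamp on $env:COMPUTERNAME")
Add-Content -Path $LogPath -Value $header

# 2. Status of mapped shares (OK / Disconnected / missing entirely).
Invoke-Logged 'net use' 'net use'

# 3 and 4. Share listing and reachability for the file server, then for any
# other hosts, so a server-only failure can be told apart from a dead link.
foreach ($h in @($Server) + $OtherHosts) {
    Invoke-Logged "net view \\$h" "net view \\$h"
    Invoke-Logged "ping $h"       "ping -n 4 $h"
}

# 5. System log entries from the last 15 minutes for the sources seen in this
# thread (event IDs 50, 139 and 4227 came from these).
$since  = (Get-Date).AddMinutes(-15)
$wanted = 'mrxsmb', 'Mup', 'Tcpip'
$events = Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue |
    Where-Object { $wanted -contains $_.Source } |
    Format-List TimeGenerated, Source, EventID, EntryType, Message |
    Out-String
$block = @($rule, "System events since $since", $events)
Add-Content -Path $LogPath -Value $block

Write-Host "Diagnostics appended to $LogPath"
```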
I would try a new nic in one of the desktops.

I had a Linux desktop that was having problems with the network connection dropping its connection randomly. It would connect right back up and everything would be normal again. Turned out to be an incompatible driver / card combination and replacing the nic (with a compatible one) corrected the issue.

Since this only happens to a few of your workstations to help identify the issue look for common attributes of those workstations experiencing the problem, for example are the affected workstations all Win7 64 bit with MSI motherboards?
@giltjr: I will put all of those commands into a batch file they can run when it happens again.  There is not another server but I will have it check against a couple of workstations with some shares.

@eli_cook: I haven't tried a new NIC in the desktops because there are some desktops with MSI motherboards running Win7 64 bit that are not having any problems at all.  The only main difference I can tell is that the people that are having problems aren't shutting down their computers at night.
Here are the results.  xxSERVERxx is the server, Joel-PC is the main computer with the most problems, Sharon2010 is the other computer with problems and front is a computer with no problems at all.  I had the user run a batch file to create the results below:


Tue 12/14/2010 18:27:45.72 
============================================================================ 
net use results: 
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           S:        \\xxSERVERxx\shared_files 
                                                Microsoft Windows Network
The command completed successfully.

============================================================================ 
net view \\xxSERVERxx results: 
Shared resources at \\xxSERVERxx



Share name              Type   Used as  Comment                                                                   

-------------------------------------------------------------------------------
Address                 Disk            "Access to address objects"                                               
ClientApps              Disk                                                                                      
ExchangeOAB             Disk            OAB Distribution share                                                    
HP LaserJet 4200 PCL 5  Print           HP LaserJet 4200 PCL 5                                                    
MX-5500N                Print           SHARP MX-5500N PCL6                                                       
NETLOGON                Disk            Logon server share                                                        
Public                  Disk                                                                                      
RedirectedFolders       Disk                                                                                      
shared_files            Disk   S:                                                                                 
SYSVOL                  Disk            Logon server share                                                        
TM9Data                 Disk                                                                                      
TMW9E                   Disk                                                                                      
UpdateServicesPackages  Disk            A network share to be used by client systems for collecting all software  
UserShares              Disk                                                                                      
WsusContent             Disk            A network share to be used by Local Publishing to place published conten  
WSUSTemp                Disk            A network share used by Local Publishing from a Remote WSUS Console Inst  
The command completed successfully.

============================================================================ 
ping xxSERVERxx results: 

Pinging xxSERVERxx.domain.local [10.0.0.1] with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
net view \\sharon2010 results: 
There are no entries in the list.

============================================================================ 
ping sharon2010 results: 

Pinging sharon2010.domain.local [10.0.0.21] with 32 bytes of data:
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
net view \\front results: 
Shared resources at \\front



Share name  Type  Used as  Comment  

-------------------------------------------------------------------------------
CD          Disk                    
The command completed successfully.

============================================================================ 
ping front results: 

Pinging front.domain.local [10.0.0.24] with 32 bytes of data:
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.24:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
netstat results: 

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            Joel-PC:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:2002           Joel-PC:0              LISTENING
 [LogMeIn.exe]
  TCP    0.0.0.0:5800           Joel-PC:0              LISTENING
 [WinVNC4.exe]
  TCP    0.0.0.0:5900           Joel-PC:0              LISTENING
 [WinVNC4.exe]
  TCP    0.0.0.0:49152          Joel-PC:0              LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          Joel-PC:0              LISTENING
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          Joel-PC:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49181          Joel-PC:0              LISTENING
 [services.exe]
  TCP    0.0.0.0:49182          Joel-PC:0              LISTENING
 [lsass.exe]
  TCP    10.0.0.156:139         Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    10.0.0.156:49179       app02:https            ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:49203       xxSERVERxx:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:49219       xxSERVERxx:4035    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49221       xxSERVERxx:4035    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49224       xxSERVERxx:1030    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49900       4.23.40.126:http       CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49950       a204-245-162-58:http   CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49982       app02:https            ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:49999       Sharon2010:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:50000       front:microsoft-ds     ESTABLISHED
 Can not obtain ownership information
  TCP    127.0.0.1:2002         Joel-PC:49205          ESTABLISHED
 [LogMeIn.exe]
  TCP    127.0.0.1:2559         Joel-PC:0              LISTENING
 [daemonu.exe]
  TCP    127.0.0.1:5354         Joel-PC:0              LISTENING
 [mDNSResponder.exe]
  TCP    127.0.0.1:27015        Joel-PC:0              LISTENING
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49205        Joel-PC:2002           ESTABLISHED
 [LogMeInSystray.exe]
  TCP    [::]:135               Joel-PC:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    [::]:49152             Joel-PC:0              LISTENING
 [wininit.exe]
  TCP    [::]:49153             Joel-PC:0              LISTENING
  eventlog
 [svchost.exe]
  TCP    [::]:49154             Joel-PC:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49181             Joel-PC:0              LISTENING
 [services.exe]
  TCP    [::]:49182             Joel-PC:0              LISTENING
 [lsass.exe]
  UDP    0.0.0.0:123            *:*                    
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:427            *:*                    
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                    
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:48000          *:*                    
 [daemonu.exe]
  UDP    0.0.0.0:59665          *:*                    
 [mDNSResponder.exe]
  UDP    10.0.0.156:137         *:*                    
 Can not obtain ownership information
  UDP    10.0.0.156:138         *:*                    
 Can not obtain ownership information
  UDP    10.0.0.156:427         *:*                    
  HPSLPSVC
 [svchost.exe]
  UDP    10.0.0.156:1900        *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    10.0.0.156:5353        *:*                    
 [mDNSResponder.exe]
  UDP    10.0.0.156:11389       *:*                    
 [LogMeIn.exe]
  UDP    10.0.0.156:11390       *:*                    
 [LogMeIn.exe]
  UDP    10.0.0.156:62024       *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:1900         *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:50826        *:*                    
 [WINWORD.EXE]
  UDP    127.0.0.1:56674        *:*                    
 [OUTLOOK.EXE]
  UDP    127.0.0.1:59493        *:*                    
 [lsass.exe]
  UDP    127.0.0.1:59496        *:*                    
  gpsvc
 [svchost.exe]
  UDP    127.0.0.1:59663        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:59664        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:59667        *:*                    
  NlaSvc
 [svchost.exe]
  UDP    127.0.0.1:60257        *:*                    
 [AOLAcsd.exe]
  UDP    127.0.0.1:60542        *:*                    
 [OUTLOOK.EXE]
  UDP    127.0.0.1:62025        *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:63787        *:*                    
 [iexplore.exe]
  UDP    [::]:123               *:*                    
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:4500              *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                    
  Dnscache
 [svchost.exe]
  UDP    [::]:59666             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:1900             *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:5353             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:62023            *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::a1b2:c4a7:d3de:3ed%13]:1900  *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::a1b2:c4a7:d3de:3ed%13]:62022  *:*                    
  SSDPSRV
 [svchost.exe]
============================================================================ 
Tue 12/14/2010 18:27:59.41 


Below are the results when the problem is occurring.  It doesn't look like the network drive is disconnecting or pings are slowed down at all.

Thu 12/16/2010 21:39:20.76 
============================================================================ 
net use results: 
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           S:        \\xxSERVERxx\shared_files 
                                                Microsoft Windows Network
The command completed successfully.

============================================================================ 
net view \\xxSERVERxx results: 
Shared resources at \\xxSERVERxx



Share name              Type   Used as  Comment                                                                   

-------------------------------------------------------------------------------
Address                 Disk            "Access to address objects"                                               
ClientApps              Disk                                                                                      
ExchangeOAB             Disk            OAB Distribution share                                                    
HP LaserJet 4200 PCL 5  Print           HP LaserJet 4200 PCL 5                                                    
MX-5500N                Print           SHARP MX-5500N PCL6                                                       
NETLOGON                Disk            Logon server share                                                        
Public                  Disk                                                                                      
RedirectedFolders       Disk                                                                                      
shared_files            Disk   S:                                                                                 
SYSVOL                  Disk            Logon server share                                                        
TM9Data                 Disk                                                                                      
TMW9E                   Disk                                                                                      
UpdateServicesPackages  Disk            A network share to be used by client systems for collecting all software  
UserShares              Disk                                                                                      
WsusContent             Disk            A network share to be used by Local Publishing to place published conten  
WSUSTemp                Disk            A network share used by Local Publishing from a Remote WSUS Console Inst  
The command completed successfully.

============================================================================ 
ping xxSERVERxx results: 

Pinging xxSERVERxx.domain.local [10.0.0.1] with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128
Reply from 10.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
net view \\sharon2010 results: 
Shared resources at \\sharon2010



Share name  Type  Used as  Comment  

-------------------------------------------------------------------------------
testshare   Disk                    
The command completed successfully.

============================================================================ 
ping sharon2010 results: 

Pinging sharon2010.domain.local [10.0.0.21] with 32 bytes of data:
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128
Reply from 10.0.0.21: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
net view \\front results: 
Shared resources at \\front



Share name  Type  Used as  Comment  

-------------------------------------------------------------------------------
CD          Disk                    
The command completed successfully.

============================================================================ 
ping front results: 

Pinging front.domain.local [10.0.0.24] with 32 bytes of data:
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128
Reply from 10.0.0.24: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.24:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================ 
netstat results: 

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            Joel-PC:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:2002           Joel-PC:0              LISTENING
 [LogMeIn.exe]
  TCP    0.0.0.0:5800           Joel-PC:0              LISTENING
 [WinVNC4.exe]
  TCP    0.0.0.0:5900           Joel-PC:0              LISTENING
 [WinVNC4.exe]
  TCP    0.0.0.0:49152          Joel-PC:0              LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          Joel-PC:0              LISTENING
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          Joel-PC:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          Joel-PC:0              LISTENING
 [services.exe]
  TCP    0.0.0.0:49156          Joel-PC:0              LISTENING
 [lsass.exe]
  TCP    10.0.0.156:139         Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    10.0.0.156:49345       xxSERVERxx:59148   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49347       xxSERVERxx:59148   ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:49350       xxSERVERxx:1030    ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.156:52292       xxSERVERxx:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:52411       64.94.18.153:https     ESTABLISHED
 [LogMeIn.exe]
  TCP    10.0.0.156:53769       channel-30-35:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53887       204.160.104.126:http   CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:53889       a204-245-162-50:http   CLOSE_WAIT
 [OUTLOOK.EXE]
  TCP    10.0.0.156:53929       www-11-02-snc5:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53930       a72-246-31-58:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53931       a72-246-30-145:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53932       a184-84-247-25:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53933       a184-84-247-25:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53934       a184-84-247-25:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53935       a72-246-31-43:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53936       www-11-02-snc5:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53937       channel-30-35:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53938       www-11-02-snc5:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53939       a72-246-31-16:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53940       a72-246-31-16:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53941       a72-246-31-73:http     ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53942       a184-84-247-27:http    ESTABLISHED
 [iexplore.exe]
  TCP    10.0.0.156:53943       Sharon2010:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    10.0.0.156:53945       front:microsoft-ds     ESTABLISHED
 Can not obtain ownership information
  TCP    127.0.0.1:2002         Joel-PC:52412          ESTABLISHED
 [LogMeIn.exe]
  TCP    127.0.0.1:2559         Joel-PC:0              LISTENING
 [daemonu.exe]
  TCP    127.0.0.1:5354         Joel-PC:0              LISTENING
 [mDNSResponder.exe]
  TCP    127.0.0.1:27015        Joel-PC:0              LISTENING
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:27015        Joel-PC:49309          ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49309        Joel-PC:27015          ESTABLISHED
 [iTunesHelper.exe]
  TCP    127.0.0.1:52412        Joel-PC:2002           ESTABLISHED
 [LogMeInSystray.exe]
  TCP    [::]:135               Joel-PC:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               Joel-PC:0              LISTENING
 Can not obtain ownership information
  TCP    [::]:49152             Joel-PC:0              LISTENING
 [wininit.exe]
  TCP    [::]:49153             Joel-PC:0              LISTENING
  eventlog
 [svchost.exe]
  TCP    [::]:49154             Joel-PC:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49155             Joel-PC:0              LISTENING
 [services.exe]
  TCP    [::]:49156             Joel-PC:0              LISTENING
 [lsass.exe]
  UDP    0.0.0.0:123            *:*                    
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:427            *:*                    
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                    
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:48000          *:*                    
 [daemonu.exe]
  UDP    0.0.0.0:62287          *:*                    
 [mDNSResponder.exe]
  UDP    10.0.0.156:137         *:*                    
 Can not obtain ownership information
  UDP    10.0.0.156:138         *:*                    
 Can not obtain ownership information
  UDP    10.0.0.156:427         *:*                    
  HPSLPSVC
 [svchost.exe]
  UDP    10.0.0.156:1900        *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    10.0.0.156:5353        *:*                    
 [mDNSResponder.exe]
  UDP    10.0.0.156:53971       *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:1900         *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:52032        *:*                    
 [iexplore.exe]
  UDP    127.0.0.1:52528        *:*                    
 [iTunesHelper.exe]
  UDP    127.0.0.1:52529        *:*                    
 [iTunesHelper.exe]
  UDP    127.0.0.1:53778        *:*                    
  gpsvc
 [svchost.exe]
  UDP    127.0.0.1:53972        *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:54145        *:*                    
 [aolsoftware.exe]
  UDP    127.0.0.1:54372        *:*                    
 [lsass.exe]
  UDP    127.0.0.1:56602        *:*                    
  NlaSvc
 [svchost.exe]
  UDP    127.0.0.1:58413        *:*                    
 [WINWORD.EXE]
  UDP    127.0.0.1:60496        *:*                    
 [OUTLOOK.EXE]
  UDP    127.0.0.1:60498        *:*                    
 [OUTLOOK.EXE]
  UDP    127.0.0.1:62285        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:62286        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:64115        *:*                    
 [iexplore.exe]
  UDP    [::]:123               *:*                    
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:4500              *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                    
  Dnscache
 [svchost.exe]
  UDP    [::]:62288             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:1900             *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:5353             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:53970            *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::a1b2:c4a7:d3de:3ed%13]:546  *:*                    
  Dhcp
 [svchost.exe]
  UDP    [fe80::a1b2:c4a7:d3de:3ed%13]:1900  *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::a1b2:c4a7:d3de:3ed%13]:53969  *:*                    
  SSDPSRV
 [svchost.exe]
============================================================================ 
Thu 12/16/2010 21:39:39.99 
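
The by-eye comparison of the two captures above (mapped drive status, ping loss, SMB session to the server) can be automated. This is an added example, not part of the original thread: a Python script that parses snapshots in the format posted above; the function names and the trimmed sample built from the host names on the page are assumptions.

```python
"""Summarise 'net use' / ping / netstat snapshots in the format posted above."""
import re

SEPARATOR = re.compile(r"^=+\s*$")
HEADER = re.compile(r"^(net use|net view|ping|netstat)\s*(\S*)\s*results:\s*$")
DRIVE = re.compile(r"^(\S+)\s+([A-Z]:)\s+(\\\\\S+)")
PING_LOSS = re.compile(r"\((\d+)% loss\)")
PING_AVG = re.compile(r"Average = (\d+)ms")
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SMB_PORTS = {"microsoft-ds", "445"}


def split_sections(text):
    """Yield (command, target, body_lines) for each '====' delimited section."""
    section = None
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if section:
                yield section
            section = None
            continue
        header = HEADER.match(line.strip())
        if section is None and header:
            section = (header.group(1), header.group(2).lstrip("\\"), [])
        elif section is not None:
            section[2].append(line)
    if section:
        yield section


def summarize(text):
    """Extract mapped-drive status, ping statistics and SMB sessions from one snapshot."""
    summary = {"drives": {}, "ping": {}, "smb": {}}
    for command, target, body in split_sections(text):
        if command == "net use":
            for line in body:
                m = DRIVE.match(line)
                if m:
                    summary["drives"][m.group(2)] = (m.group(1), m.group(3))
        elif command == "ping":
            joined = "\n".join(body)
            loss, avg = PING_LOSS.search(joined), PING_AVG.search(joined)
            # Assumption: no statistics line (e.g. host not found) counts as 100% loss.
            summary["ping"][target.lower()] = {
                "loss_pct": int(loss.group(1)) if loss else 100,
                "avg_ms": int(avg.group(1)) if avg else None,
            }
        elif command == "netstat":
            for line in body:
                m = TCP_ROW.match(line)
                if not m:
                    continue  # owner lines such as " [svchost.exe]"
                local, foreign, state = m.groups()
                host, _, port = foreign.rpartition(":")
                if port in SMB_PORTS:
                    summary["smb"][host.lower()] = (local.rpartition(":")[2], state)
    return summary


def findings(summary, server):
    """Return a list of problems seen for the file server; empty means none."""
    server = server.lower()
    problems = []
    for local, (status, remote) in sorted(summary["drives"].items()):
        if remote.lower().startswith("\\\\" + server + "\\") and status != "OK":
            problems.append(f"{local} -> {remote} is {status}")
    ping = summary["ping"].get(server)
    if ping is None:
        problems.append(f"no ping result for {server}")
    elif ping["loss_pct"] > 0:
        problems.append(f"ping to {server} lost {ping['loss_pct']}%")
    session = summary["smb"].get(server)
    if session is None or session[1] != "ESTABLISHED":
        problems.append(f"no ESTABLISHED SMB session to {server}")
    return problems


def session_reestablished(before, after, server):
    """True when the SMB session uses a different local port in the later snapshot.
    Only a hint: the port also changes after a reboot or logoff."""
    a, b = before["smb"].get(server.lower()), after["smb"].get(server.lower())
    return bool(a and b and a[0] != b[0])


# Sample trimmed from the capture format above (constructed for this example).
HEALTHY = r"""Thu 12/16/2010 21:39:20.76
============================================================================
net use results:
Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           S:        \\xxSERVERxx\shared_files
                                                Microsoft Windows Network
============================================================================
ping xxSERVERxx results:
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================================================
netstat results:
  TCP    0.0.0.0:445            Joel-PC:0              LISTENING
  TCP    10.0.0.156:52292       xxSERVERxx:microsoft-ds  ESTABLISHED
============================================================================
"""
# Constructed failure case: what a real share disconnect would look like.
FAILING = (HEALTHY.replace("OK  ", "Disconnected  ", 1)
           .replace("Received = 4, Lost = 0 (0% loss)", "Received = 3, Lost = 1 (25% loss)")
           .replace("microsoft-ds  ESTABLISHED", "microsoft-ds  TIME_WAIT"))

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("failing", FAILING)):
        print(name, findings(summarize(snap), "xxSERVERxx") or "no problems seen")
```
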


O.K., maybe a few basic questions about Lexis Nexis PCLaw are in order.

Is this supposed to be a multi-user system?  

Since it appears the users are accessing the files MattInf.idx & MattInf.dat via file shares, I doubt if it is supposed to be a multi-user system.  Meaning only one person at a time is supposed to be in it and if multiple people are trying to run it at the same time there could be problems.

At this point in time the only thing I can think of is to run a packet capture on the PC that is having the problem the most often and hope to catch the problem and see what the capture has.

Since the map is still there, it is either a weird flaky network problem or the file server is responding with a file status that the program does not like.
It is a multi-user program.  It installs software on each workstation that connects to the server.  The .idx and .dat files are whatever kind of database the system is using.

I am unfamiliar with the packet capture techniques.  Would you be able to provide more details on how to do something like that?
I will run wireshark on both the client and the server to see what is going on.  Will keep you posted.

Who knows about their DB design, I think it is a poorly designed program so it wouldn't surprise me if their DB setup was flawed.
I have been running wireshark and there are lots of 'errors' [malformed packet] or [TCP segment of a reassembled PDU] but to be honest I don't really know what I am looking for.  I looked around the time the last error occurred and there is a TON of stuff going on so it's quite difficult to understand.
Lexis Nexis tech support kept saying to rebuild the data when these errors occurred but it didn't really seem to help.  I will check with their support people to see if they offer an SQL based product instead of the file based one.  Thanks for the idea!
Have you made any progress with this? We are having a similar issue (same error but on a different idx file). An interesting part of this is for us this only happens in the late afternoon (roughly after 4:30pm). Right now we are pursuing the backup software route based on LexisNexis' suggestion but I am thinking this is a dead end.
I am wondering if maybe it's a memory leak, which might explain why this only happens later in the day.
I'm still looking at the packet captures.  Unfortunately I don't see anything that looks like outright errors.  However, since this occurs over a couple minute period, I'm looking at a few hundred packets.
The most current version of PC Law supports SQL; the system requirements below show what is and is not supported.

http://support.lexisnexis.com/iPCLaw/record.asp?ArticleID=9201

I would recommend upgrading to the latest version and migrating to the SQL database.

If that is not possible you may want to check the antivirus software that is on the machines having the trouble. I recently had avast! preventing a network file based database program from properly working. I turned the security off as a test and everything worked as expected, it took me about 1 hour to dial in the settings for the a/v to work with that specific program. The strange thing is the a/v had been installed and everything had been working for about 2 months before it caused any trouble, maybe the antivirus is interfering in your situation as well.
@eli_cook
I am checking with PCLaw to see if we can switch to the SQL version.  We have uninstalled anti-virus on the server and affected workstations in order to rule it out and the same problem is happening.


@AnimateSystems
It does seem to happen in the afternoons or evenings, though not always.  Can you provide your server setup (OS, hardware, etc)?  I wonder if we might discover a commonality that might help in diagnosing the issue.

@giltjr
Thank you for looking at the capture logs, there is quite a lot of stuff there!
The server is an HP ProLiant ML350 G6 with 8GB RAM 2x2.27GHz Xeon CPUs. Server is running SBS 2008. This is a small client running only a half dozen PC's or so, but PCLaw seems to crash on all of them (not at the same time though). It always seems to be later in the day, I have set up our monitoring software to email me any time PCLaw32.exe crashes on a workstation and it always seems to be late in the day. It seems to be impossible to reproduce at any given time which makes troubleshooting very difficult as you are aware.
My client is also running SBS 2008, with 10 workstations.  Perhaps it is a SBS 2008 issue?  I switched them to the SQL version yesterday so we will see if it works any better.
I've been a little busy, but I have forgotten this.  I can't find any obvious errors, yet.

However, one thing that is confusing me is that in none of the traces do I see any type of request for MattInf.dat or MattInf.idx.

Are these the real files that the error is occurring on?
They were actual files.  It was using a CTREE database before if that helps.  We have switched it to SQL based now so those files are no longer there.  The switch happened about a week ago and I haven't heard about any more problems yet, knock on wood.
Glad to hear switching from c-tree to SQL based DB helped.  

Based on what I saw in the trace the files MattInf.idx & MattInf.dat were not being accessed via SMB (that is a network share or UNC).

My assumption would be that those files were accessed directly on the server and that there was some other network communication going on between the clients and the server other than SMB.
Just wondering how things went after you switched to the SQL version. Still crash free? We are running a script right now to monitor the PCLAW32.EXE application to see how it consumes memory over the course of the day. We take a snapshot every 15 minutes and it does seem to grow throughout the day. We are trying to find out if there is a 'magic number' at which point it crashes.
Switching to the SQL version did seem to help.  They were also having problems with Word documents occasionally taking forever to open and that seems to be ok now too.  Something with PCLaw's CTREE format and SBS 2008 server must not play nice together.

Thank you to everyone for all the help!