Marcus N

asked on

Network unreachable multiple processes in SBS 2011 why?

Configuration is SBS 2011 on HP Proliant ML330.

Issue is after a few hours I lose LAN connectivity. Server NIC shows little yellow warning triangle. Have to reboot server to recover LAN (and WAN/Internet).

Ran BPA on DNS and that's fine. Ran Fix my Network and get message about no static IPv6 but not using IPv6 (although it is enabled Out of the Box).

Looked at running processes and I seem to get duplicates (see picture e.g. conhost.exe and fdhost.exe and fdlauncher.exe and csrss.exe).

Need to stop LAN NIC from dropping connectivity and multiple daily reboots. Need to understand the reason for duplicate processes.

Running Symantec SBS AV. Still had infection from Wajam and Dealply. Cleaned from system but not fixed problem. Ran full AV scan. No issues or problems.
SBS2011-Duplicate-Processes.png
Andy M

When you say you're not using IPv6 have you disabled it on the NIC or just left it as-is?
Marcus N

ASKER

The NIC has IPv6 enabled and the IP address, subnet, gateway and DNS are automatically allocated.

IPv6 is enabled in SBS DHCP management console. It has a scope which is:
2002:c0a8:101::0.0.0.1 to 2002:c0a8:101::0.0.0.1::ffff:ffff:ffff:ffff

Oddly, however, when I type ipconfig /all into a cmd.exe it reports

IPv6 Address......................: 2002:5221:416d:0:35f4:69de:276f:7cca(Preferred)
IPv6 Address......................: 2005:123:456:789::2(Preferred)
Link-local IPv6 Address.....: fe80::35f4:69de:276f:7cca%11(preferred)

In the DNS Management Console under Forward Lookup Zones -> Domain there are AAAA records for both these IPv6 Addresses (see attachment).

I have no idea about IPv6 nor whether these are right nor (to be frank) how they were set!
SBS2011-DNS-Records.png
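The addresses in the post above can be decoded offline to see where each one comes from. This is an added example, not part of the original thread: it uses Python's standard `ipaddress` module, relies on the 2002::/16 prefix being 6to4 (RFC 3056, which embeds an IPv4 address in bits 16 to 47), and the function names are this example's own.

```python
import ipaddress

# Addresses copied from the ipconfig /all output and DHCP scope in the post.
REPORTED = [
    "2002:5221:416d:0:35f4:69de:276f:7cca",
    "2005:123:456:789::2",
    "fe80::35f4:69de:276f:7cca%11",
]
SCOPE_START = "2002:c0a8:101::0.0.0.1"

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # RFC 3056
ULA = ipaddress.ip_network("fc00::/7")          # RFC 4193
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(text):
    """Return a dict describing one IPv6 address string."""
    # Drop the Windows zone index (e.g. %11) before parsing.
    addr = ipaddress.IPv6Address(text.split("%")[0])
    if addr in LINK_LOCAL:
        kind = "link-local"
    elif addr in ULA:
        kind = "unique-local"
    elif addr in SIXTOFOUR:
        kind = "6to4"
    else:
        kind = "other"
    v4 = addr.sixtofour  # IPv4Address for 2002::/16, otherwise None
    return {
        "address": str(addr),
        "kind": kind,
        "embedded_ipv4": str(v4) if v4 is not None else None,
        # Low 64 bits: the interface identifier.
        "interface_id": int(addr) & ((1 << 64) - 1),
    }


def shared_interface_ids(addresses):
    """Group addresses that carry the same interface identifier."""
    groups = {}
    for info in map(classify, addresses):
        groups.setdefault(info["interface_id"], []).append(info["address"])
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for a in REPORTED + [SCOPE_START]:
        print(classify(a))
    print(shared_interface_ids(REPORTED))
```

A 6to4 address whose interface identifier matches the link-local address was autoconfigured by the host rather than typed in, which is why it appears without any DHCPv6 scope handing it out.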
Do you have managed switches?  Do their logs show anything?

Does any of the Windows Event logs show anything?

Have you tried just to disable and enable the NIC instead of rebooting?

Multiple copies of the same process running can be normal.

Multiple conhost.exe is "normal". These are typically what people call "dos command windows", but it can be any task that needs a "command" window.

fdhost seems to be a SQL "command" session, I don't run MSSQL server, but I would assume this is normal.
Configuration is as follows.

Internet - ISP DSL Router - Unmanaged Switch - SBS 2011
                                             - LAN

So no switch logs.

Have disabled NIC and enabled it. Stays offline.

Server has no cmd.exe command windows up yet there are more than 6 conhost.exe processes. Only windows are Server Manager and Windows Firewall with Advanced Security.

Happy to look in Event Logs. Where would be a good place to start, please?
conhost is more than just a cmd.exe window. There are other processes that use it "under the covers." Example: I run Cygwin and X-Windows. The root x-window runs under a conhost process, each shell window runs under a conhost process. So with one root and 3 shells I have 4 conhost processes.

Based on the description of the fdhost process in your screen shot, my guess is each one of those runs under a conhost process.

I would start in System event log.

Also, if you don't need IPv6, I would disable it.  There are some things that have problems when IPv6 is enabled.   Example: With IPv6 enabled using RPC over HTTP with Outlook 2003 breaks certain tasks dealing with directory/contact information.  E-mail works, but directory stuff does not.  You disable IPv6 and directory works without any issues.
Disabling IPv6 is definitely not recommended for SBS 2011. At least, according to Microsoft.

I get the error:
Unable to add the interface {855B4C44-6B13-4CB1-B00D-AE4878C786B4} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.

Source RemoteAccess
EventID 20106

Same again with interface {3BD9F7B3-16B0-472C-B873-BFD8674323B2}

Also

The dynamic registration of the DNS record 'ForestDnsZones.<domain>.local. 600 IN A 192.168.x.y' failed on the following DNS server

Source NETLOGON
EventID 5774
By the way I have run the following command

dcdiag.exe /test:DNS

and it comes back with

TEST: Basic (Basc)
Warning: The AAAA record from this DC was not found

TEST: Records Registration (RReg)
Network Adapter [000000010] adapter type
Warning: Missing AAAA record at DNS server 192.168.x.y

Warning: Record Registrations not found in some network adapters
IPv4 DNS uses "A" records for host to IP address resolution.  IPv6 uses "AAAA" for the same thing.

If SBS says not to disable IPv6, then I would have to say don't do it. However, you should set up the required "AAAA" records then.

However, I doubt very much that IPv6 DNS issues are causing a NIC to be disabled, however it could be something weird within SBS.
ASKER CERTIFIED SOLUTION
Olaf De Ceuster
This solution is only available to members.
OK, but is it OK to do the following?
a) in DNS management console delete the IPv6 scope (i.e. have no IPv6 scope), then
b) in DNS management console delete all the AAAA records in the Forward Lookup Zones
c) make sure that the NIC IPv6 settings are set to automatic (should get nothing)
d) net stop dns
e) ipconfig /flushdns
e) net start dns
f) ipconfig /registerdns

Is there a way to delete and regenerate all the AAAA records from DNS management console?
Just need to run in an admin command prompt:
e and f.
Olaf
OK I'll try this when I get back to the office in the morning. Thanks.
If you want to see things break, disable IPv6. SBS needs it for service to service communications among its many integrated packages.

Was this a fresh install or a migration?

How did the server get viruses? Were they in redirected user files or was the server itself infected?
I've no intention of disabling IPv6 - I have read that SBS needs this so it will stay enabled. I haven't given it a scope though....

The SBS was a fresh install on new hardware. Worked fine for months until just recently.

I had problems with Symantec SBS AV and although Symantec tried to fix it they never did. There was a brief period between when I completely wiped Symantec off the server and then reinstalled it when there was no AV installed.

I had to download the latest version of Symantec AV from their website and when IE was fired up it presents a stack of questions about whether this and that are OK. I guess I just clicked OK to some things that were not. However, the Wajam and Dealply were successfully cleaned off. Apparently they are not viruses but I had no wish for them to get onto the server so they are nasty regardless.

Question from me is; should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of 192.168.54.1 to ...54.255 ?
By the way, I have a static IPv6 address on the NIC. I have not created and enabled an IPv6 scope in DHCP, although IPv6 is enabled.

When I type ipconfig /all I get;

3 x IPv6 addresses all marked as (preferred) one of which is the static NIC address the other two are from nothing I have done. I also have 1x link-local IPv6 address which is sort of similar to one of the IPv6 addresses but not the static NIC one.

I am convinced that my loss of LAN / WAN connectivity is related to some DNS or IPv6 issue....
-->  I have not created and  enabled an IPv6 scope in DHCP, although IPv6 is enabled.

--> Question from me is; should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of 192.168.54.1 to ...54.255 ?

First, you only need to do this if you plan to hand out IPv6 addresses via DHCP. If you don't plan on using DHCP for IPv6 addresses, you don't need to create a scope.

Second, there is no relationship between IPv6 and IPv4 addresses. So even if you were to create a DHCP IPv6 scope, what you are using for IPv4 does not matter. If you mean what is a "private" DHCP IPv6 subnet, that is fc00::/7.

I don't think DNS has to do with this.  DNS does not disable a NIC.

Did you check to see if anything was in any of the event logs?
Thanks for clarifying the IPv6 matter. Over the weekend I installed a new (Adaptec) NIC adapter and disabled the old (Broadcom) one. Since then I haven't yet had a WAN connectivity issue. I'll wait another week to see if the original problem returns. I'll post an update on Saturday.
1: Run the HP diagnostics at startup to see if you have any issues with the NICs.
Didn't diagnostics pick up the issue?
Olaf
The HP diagnostics complains that there is more than one NIC adapter.

The problem with the Broadcom (on-board) NIC was that it was in "power saving mode" and it powered down and could not be revived without a reboot. This appears to be a problem with the latest driver. I have rolled back the driver to the previous one and the problem has gone away.

However, since installing the Adaptec NIC adapter, with more options for network traffic control, I have gone on to disable the Broadcom NIC completely.

So far I have several days of continuous connectivity. When a week is up I will report whether the original problem has been resolved.

Thank you for continuing to take an interest in this matter.
That is one heck of a bug. I'm surprised there isn't a new version of the driver to solve that problem. I would have assumed one would have come out REAL quick.
OK, the end result is that the Broadcom driver caused the problems. The server network connectivity is fine now. I'm using an Adaptec NIC and that seems to be doing fine.