Solved

Network unreachable multiple processes in SBS 2011 why?

Posted on 2014-03-05
Last Modified: 2014-04-06
Configuration is SBS 2011 on HP Proliant ML330.

Issue is after a few hours I lose LAN connectivity. Server NIC shows little yellow warning triangle. Have to reboot server to recover LAN (and WAN/Internet).

Ran BPA on DNS and that's fine. Ran Fix my Network and get message about no static IPv6 but not using IPv6 (although it is enabled Out of the Box).

Looked at running processes and I seem to get duplicates (see picture e.g. conhost.exe and fdhost.exe and fdlauncher.exe and csrss.exe).

Need to stop LAN NIC from dropping connectivity and multiple daily reboots. Need to understand the reason for duplicate processes.

Running Symantec SBS AV. Still had infection from Wajam and Dealply. Cleaned from system but not fixed problem. Ran full AV scan. No issues or problems.
SBS2011-Duplicate-Processes.png
Question by:MarcusN
21 Comments
 
LVL 13

Expert Comment

by:Andy M
When you say you're not using IPv6 have you disabled it on the NIC or just left it as-is?

Author Comment

by:MarcusN
The NIC has IPv6 enabled and the IP address, subnet, gateway and DNS are automatically allocated.

IPv6 is enabled in SBS DHCP management console. It has a scope which is:
2002:c0a8:101::0.0.0.1 to 2002:c0a8:101::0.0.0.1::ffff:ffff:ffff:ffff

Oddly, however, when I type ipconfig /all into a cmd.exe it reports

IPv6 Address......................: 2002:5221:416d:0:35f4:69de:276f:7cca(Preferred)
IPv6 Address......................: 2005:123:456:789::2(Preferred)
Link-local IPv6 Address.....: fe80::35f4:69de:276f:7cca%11(preferred)

In the DNS Management Console under Forward Lookup Zones -> Domain there are AAAA records for both these IPv6 Addresses (see attachment).

I have no idea about IPv6 nor whether these are right nor (to be frank) how they were set!
SBS2011-DNS-Records.png
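
Added example (not part of the original post): a short Python classification of the addresses quoted above, using only the standard `ipaddress` module. It shows that a 2002::/16 (6to4) address embeds an IPv4 address directly after the 2002 prefix, and that the link-local and 2002: addresses share one interface ID (the low 64 bits); the function names are illustrative.

```python
import ipaddress

# Addresses and scope prefix copied from the posts above.
OBSERVED = [
    "2002:c0a8:101::",                       # start of the DHCPv6 scope
    "2002:5221:416d:0:35f4:69de:276f:7cca",  # ipconfig /all
    "2005:123:456:789::2",                   # ipconfig /all
    "fe80::35f4:69de:276f:7cca%11",          # ipconfig /all (link-local)
]

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")


def classify(text):
    """Classify one IPv6 address string as printed by ipconfig."""
    addr = ipaddress.IPv6Address(text.split("%")[0])  # drop the zone index
    embedded = addr.sixtofour  # IPv4Address for 2002::/16, otherwise None
    if embedded is not None:
        kind = "6to4"
    elif addr.is_link_local:
        kind = "link-local"
    elif addr in UNIQUE_LOCAL:
        kind = "unique-local"
    elif addr in GLOBAL_UNICAST:
        kind = "global-unicast"
    else:
        kind = "other"
    return {
        "kind": kind,
        "embedded_ipv4": str(embedded) if embedded is not None else None,
        "interface_id": format(int(addr) & (2**64 - 1), "016x"),
    }


def shared_interface_ids(addresses):
    """Group addresses whose low 64 bits (interface ID) are identical."""
    groups = {}
    for text in addresses:
        groups.setdefault(classify(text)["interface_id"], []).append(text)
    return {iid: grp for iid, grp in groups.items() if len(grp) > 1}


if __name__ == "__main__":
    for text in OBSERVED:
        print(text, classify(text))
    print(shared_interface_ids(OBSERVED))
```
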

LVL 57

Expert Comment

by:giltjr
Do you have managed switches?  Do their logs show anything?

Does any of the Windows Event logs show anything?

Have you tried just to disable and enable the NIC instead of rebooting?

Multiple copies of the same process running can be normal.

Multiple conhost.exe is "normal". These are typically what people call "dos command windows", but it can be any task that needs a "command" window.

fdhost seems to be a SQL "command" session, I don't run MSSQL server, but I would assume this is normal.

Author Comment

by:MarcusN
Configuration is as follows.

Internet - ISP DSL Router - Unmanaged Switch - SBS 2011
                                            - LAN

So no switch logs.

Have disabled NIC and enabled it. Stays offline.

Server has no cmd.exe command windows up yet there are more than 6 conhost.exe processes. Only windows are Server Manager and Windows Firewall with Advanced Security.

Happy to look in Event Logs. Where would be a good place to start, please?

LVL 57

Expert Comment

by:giltjr
conhost is more than just a cmd.exe window. There are other processes that use it "under the covers." Example: I run Cygwin and X-Windows. The root x-window runs under a conhost process, each shell window runs under a conhost process. So with one root, and 3 shells I have 4 conhost processes.

Based on the description of the fdhost process in your screen shot, my guess is each one of those runs under a conhost process.

I would start in System event log.

Also, if you don't need IPv6, I would disable it.  There are some things that have problems when IPv6 is enabled.   Example: With IPv6 enabled using RPC over HTTP with Outlook 2003 breaks certain tasks dealing with directory/contact information.  E-mail works, but directory stuff does not.  You disable IPv6 and directory works without any issues.

Author Comment

by:MarcusN
Disabling IPv6 is definitely not recommended for SBS 2011. At least, according to Microsoft.

I get the error:
Unable to add the interface {855B4C44-6B13-4CB1-B00D-AE4878C786B4} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.

Source RemoteAccess
EventID 20106

Same again with interface {3BD9F7B3-16B0-472C-B873-BFD8674323B2}

Also

The dynamic registration of the DNS record 'ForestDnsZones.<domain>.local. 600 IN A 192.168.x.y' failed on the following DNS server

Source NETLOGON
EventID 5774

Author Comment

by:MarcusN
By the way I have run the following command

dcdiag.exe /test:DNS

and it comes back with

TEST: Basic (Basc)
Warning: The AAAA record from this DC was not found

TEST: Records Registration (RReg)
Network Adapter [000000010] adapter type
Warning: Missing AAAA record at DNS server 192.168.x.y

Warning: Record Registrations not found in some network adapters

LVL 57

Expert Comment

by:giltjr
IPv4 DNS uses "A" records for host to IP address resolution.  IPv6 uses "AAAA" for the same thing.

If SBS says not to disable IPv6, then I would have to say don't do it.  However, you should set up the required "AAAA" records then.

However, I doubt very much that IPv6 DNS issues are causing a NIC to be disabled, however it could be something weird within SBS.

LVL 22

Accepted Solution

by: Olaf De Ceuster
1: Run the HP diagnostics at startup to see if you have any issues with the NICS.
2: If this was a migration please do the following: (delete all ghost adapters)
Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
At a command prompt, type the following command , and then press ENTER:
set devmgr_show_nonpresent_devices=1
 
Type the following command at a command prompt, and then press ENTER:
start devmgmt.msc
Show hidden devices in Menu.
See if there are any greyed out network cards and if so delete them please.
3: Remove your second NIC in the BIOS. Start machine. Rerun the Connect to the Internet wizard in the console. It will create your IPv6 address too.
4: In an admin command run the following commands:
netsh int ip set global taskoffload=disabled
netsh int tcp set global congestion=none
netsh int tcp set global autotuning=disabled
netsh int tcp set global rss=disabled
5: Uninstall Symantec to see if it fixes the issue. It's a dog of a program.
Good luck and hope that helps,
Olaf

Author Comment

by:MarcusN
OK, but is it OK to do the following?
a) in DNS management console delete the IPv6 scope (i.e. have no IPv6 scope), then
b) in DNS management console delete all the AAAA records in the Forward Lookup Zones
c) make sure that the NIC IPv6 settings are set to automatic (should get nothing)
d) net stop dns
e) ipconfig /flushdns
e) net start dns
f) ipconfig /registerdns

Is there a way to delete and regenerate all the AAAA records from DNS management console?

LVL 22

Expert Comment

by:Olaf De Ceuster
Just need to run in an admin command prompt:
e and f.
Olaf

Author Comment

by:MarcusN
OK I'll try this when I get back to the office in the morning. Thanks.

LVL 12

Expert Comment

by:Gary Coltharp
If you want to see things break, disable IPv6. SBS needs it for service to service communications among its many integrated packages.

Was this a fresh install or a migration?

How did the server get viruses? Were they in redirected user files or was the server itself infected?

Author Comment

by:MarcusN
I've no intention of disabling IPv6 - I have read that SBS needs this so it will stay enabled. I haven't given it a scope though....

The SBS was a fresh install on new hardware. Worked fine for months until just recently.

I had problems with Symantec SBS AV and although Symantec tried to fix it they never did. There was a brief period between when I completely wiped Symantec off the server and then reinstalled it when there was no AV installed.

I had to download the latest version of Symantec AV from their website and when IE was fired up it presents a stack of questions about whether this and that are OK. I guess I just clicked OK to some things that were not. However, the Wajam and Dealply were successfully cleaned off. Apparently they are not viruses but I had no wish for them to get onto the server so they are nasty regardless.

Question from me is; should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of 192.168.54.1 to ...54.255 ?

Author Comment

by:MarcusN
By the way, I have a static IPv6 address on the NIC. I have not created and enabled an IPv6 scope in DHCP, although IPv6 is enabled.

When I type ipconfig /all I get;

3 x IPv6 addresses all marked as (preferred) one of which is the static NIC address the other two are from nothing I have done. I also have 1x link-local IPv6 address which is sort of similar to one of the IPv6 addresses but not the static NIC one.

I am convinced that my loss of LAN / WAN connectivity is related to some DNS or IPv6 issue....

LVL 57

Expert Comment

by:giltjr
-->  I have not created and  enabled an IPv6 scope in DHCP, although IPv6 is enabled.

--> Question from me is; should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of 192.168.54.1 to ...54.255 ?

First, you only need to do this if you plan to hand out IPv6 addresses via DHCP.  If you don't plan on using DHCP for IPv6 addresses, you don't need to create a scope.

Second, there is no relationship between IPv6 and IPv4 addresses.  So even if you were to create a DHCP IPv6 scope, what you are using for IPv4 does not matter.  If you mean what is a "private" DHCP IPv6 subnet, that is fc00::/7.

I don't think DNS has to do with this.  DNS does not disable a NIC.

Did you check to see if anything was in any of the event logs?

Author Comment

by:MarcusN
Thanks for clarifying the IPv6 matter. Over the weekend I installed a new (Adaptec) NIC adapter and disabled the old (Broadcom) one. Since then I haven't yet had a WAN connectivity issue. I'll wait another week to see if the original problem returns. I'll post an update on Saturday.

LVL 22

Expert Comment

by:Olaf De Ceuster
1: Run the HP diagnostics at startup to see if you have any issues with the NICS.
Didn't diagnostics pick up the issue?
Olaf

Author Comment

by:MarcusN
The HP diagnostics complains that there is more than one NIC adapter.

The problem with the Broadcom (on-board) NIC was that it was in "power saving mode" and it powered down and could not be revived without a reboot. This appears to be a problem with the latest driver. I have rolled back the driver to the previous one and the problem has gone away.

However, since installing the Adaptec NIC adapter, with more options for network traffic control, I have gone on to disable the Broadcom NIC completely.

So far I have several days of continuous connectivity. When a week is up I will report whether the original problem has been resolved.

Thank you for continuing to take an interest in this matter.

LVL 57

Expert Comment

by:giltjr
That is one heck of a bug.  I'm surprised there isn't a new version of the driver to solve that problem.  I would have assumed one would have come out REAL quick.

Author Comment

by:MarcusN
OK, the end result is that the Broadcom driver caused the problems. The server network connectivity is fine now. I'm using an Adaptec NIC and that seems to be doing fine.