Network unreachable multiple processes in SBS 2011 why?

Configuration is SBS 2011 on HP Proliant ML330.

Issue is after a few hours I lose LAN connectivity. Server NIC shows little yellow warning triangle. Have to reboot server to recover LAN (and WAN/Internet).

Ran BPA on DNS and that's fine. Ran Fix my Network and get message about no static IPv6 but not using IPv6 (although it is enabled Out of the Box).

Looked at running processes and I seem to get duplicates (see picture e.g. conhost.exe and fdhost.exe and fdlauncher.exe and csrss.exe).

Need to stop LAN NIC from dropping connectivity and multiple daily reboots. Need to understand the reason for duplicate processes.

Running Symantec SBS AV. Still had infection from Wajam and Dealply. Cleaned from system but not fixed problem. Ran full AV scan. No issues or problems.
Marcus N, Technical Specialist, Asked:
Andy M, IT Systems Manager, Commented:
When you say you're not using IPv6 have you disabled it on the NIC or just left it as-is?
Marcus N, Technical Specialist, Author Commented:
The NIC has IPv6 enabled and the IP address, subnet, gateway and DNS are automatically allocated.

IPv6 is enabled in SBS DHCP management console. It has a scope which is:
2002:c0a8:101:: to 2002:c0a8:101::

Oddly, however, when I type ipconfig /all into a cmd.exe it reports

IPv6 Address......................: 2002:5221:416d:0:35f4:69de:276f:7cca(Preferred)
IPv6 Address......................: 2005:123:456:789::2(Preferred)
Link-local IPv6 Address.....: fe80::35f4:69de:276f:7cca%11(preferred)

In the DNS Management Console under Forward Lookup Zones -> Domain there are AAAA records for both these IPv6 Addresses (see attachment).

I have no idea about IPv6 nor whether these are right nor (to be frank) how they were set!
Do you have managed switches?  Do their logs show anything?

Do any of the Windows Event logs show anything?

Have you tried just to disable and enable the NIC instead of rebooting?

Multiple copies of the same process running can be normal.

Multiple conhost.exe is "normal". These are typically what people call "DOS command windows", but it can be any task that needs a "command" window.

fdhost seems to be a SQL "command" session, I don't run MSSQL server, but I would assume this is normal.
Marcus N, Technical Specialist, Author Commented:
Configuration is as follows.

Internet - ISP DSL Router - Unmanaged Switch - SBS 2011
                                             - LAN

So no switch logs.

Have disabled NIC and enabled it. Stays offline.

Server has no cmd.exe command windows up yet there are more than 6 conhost.exe processes. Only windows are Server Manager and Windows Firewall with Advanced Security.

Happy to look in Event Logs. Where would be a good place to start, please?
conhost is more than just a cmd.exe window. There are other processes that use it "under the covers." Example: I run Cygwin and X-Windows. The root x-window runs under a conhost process, each shell window runs under a conhost process. So with one root and 3 shells I have 4 conhost processes.

Based on the description of the fdhost process in your screen shot, my guess is each one of those runs under a conhost process.

I would start in System event log.

Also, if you don't need IPv6, I would disable it.  There are some things that have problems when IPv6 is enabled.   Example: With IPv6 enabled using RPC over HTTP with Outlook 2003 breaks certain tasks dealing with directory/contact information.  E-mail works, but directory stuff does not.  You disable IPv6 and directory works without any issues.
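One way to start in the System event log, as an added example that is not part of the original thread: because each outage here ended with a reboot, the script lists the warnings and errors logged in the hours before each boot. The seven-day look-back and two-hour window are assumptions; event ID 6005 from source EventLog marks the event log service starting at boot.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$since  = (Get-Date).AddDays(-7)    # look-back period (assumption)
$window = New-TimeSpan -Hours 2     # how far before each boot to look (assumption)

# Event ID 6005 (source EventLog) is written when the event log service starts, i.e. at boot.
$boots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.ProviderName -eq 'EventLog' } |
           Sort-Object TimeCreated)

# Critical (1), Error (2) and Warning (3) events from the same period.
$problems = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $since } `
                  -ErrorAction SilentlyContinue)

foreach ($boot in $boots) {
    $from = $boot.TimeCreated - $window
    "=== Boot at $($boot.TimeCreated): warnings/errors logged since $from ==="

    # Group by source and event ID so a recurring NIC or driver event stands out.
    $problems |
        Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -lt $boot.TimeCreated } |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'FirstSeen'; e = { @($_.Group | Sort-Object TimeCreated)[0].TimeCreated } } |
        Format-Table -AutoSize
}
```

A source and event ID that shows up before every reboot but not during normal running is the one to read in full.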
Marcus N, Technical Specialist, Author Commented:
Disabling IPv6 is definitely not recommended for SBS 2011. At least, according to Microsoft.

I get the error:
Unable to add the interface {855B4C44-6B13-4CB1-B00D-AE4878C786B4} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.

Source RemoteAccess
EventID 20106

Same again with interface {3BD9F7B3-16B0-472C-B873-BFD8674323B2}


The dynamic registration of the DNS record 'ForestDnsZones.<domain>.local. 600 IN A 192.168.x.y' failed on the following DNS server

EventID 5774
Marcus N, Technical Specialist, Author Commented:
By the way I have run the following command

dcdiag.exe /test:DNS

and it comes back with

TEST: Basic (Basc)
Warning: The AAAA record from this DC was not found

TEST: Records Registration (RReg)
Network Adapter [000000010] adapter type
Warning: Missing AAAA record at DNS server 192.168.x.y

Warning: Record Registrations not found in some network adapters
IPv4 DNS uses "A" records for host to IP address resolution.  IPv6 uses "AAAA" for the same thing.

If SBS says not to disable IPv6, then I would have to say don't do it.  However, you should setup the required "AAAA" records then.

However, I doubt very much that IPv6 DNS issues are causing a NIC to be disabled, however it could be something weird within SBS.
Olaf De Ceuster Commented:
1: Run the HP diagnostics at startup to see if you have any issues with the NICS.
2: If this was a migration please do the following (delete all ghost adapters):
Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
At a command prompt, type the following command, and then press ENTER:
set devmgr_show_nonpresent_devices=1
Type the following command at a command prompt, and then press ENTER:
start devmgmt.msc
Show hidden devices in Menu.
See if there are any greyed out network cards and if so delete them please.
3: Remove your second NIC in the BIOS. Start machine. Rerun the connect to the internet wizard in the console. It will create your IPv6 address too.
4: In an admin command run the following commands:
netsh int ip set global taskoffload=disabled
netsh int tcp set global congestion=none
netsh int tcp set global autotuning=disabled
netsh int tcp set global rss=disabled
5: Uninstall Symantec to see if it fixes the issue. It's a dog of a program.
Good luck and hope that helps,

Marcus N, Technical Specialist, Author Commented:
OK, but is it OK to do the following?
a) in DNS management console delete the IPv6 scope (i.e. have no IPv6 scope), then
b) in DNS management console delete all the AAAA records in the Forward Lookup Zones
c) make sure that the NIC IPv6 settings are set to automatic (should get nothing)
d) net stop dns
e) ipconfig /flushdns
e) net start dns
f) ipconfig /registerdns

Is there a way to delete and regenerate all the AAAA records from DNS management console?
Olaf De Ceuster Commented:
Just need to run in an admin command prompt:
e and f.
Marcus N, Technical Specialist, Author Commented:
OK I'll try this when I get back to the office in the morning. Thanks.
Gary Coltharp, Sr. Systems Engineer, Commented:
If you want to see things break, disable IPv6. SBS needs it for service to service communications among its many integrated packages.

Was this a fresh install or a migration?

How did the server get viruses? Were they in redirected user files or was the server itself infected?
Marcus N, Technical Specialist, Author Commented:
I've no intention of disabling IPv6 - I have read that SBS needs this so it will stay enabled. I haven't given it a scope though....

The SBS was a fresh install on new hardware. Worked fine for months until just recently.

I had problems with Symantec SBS AV and although Symantec tried to fix it they never did. There was a brief period between when I completely wiped Symantec off the server and then reinstalled it when there was no AV installed.

I had to download the latest version of Symantec AV from their website and when IE was fired up it presents a stack of questions about whether this and that are OK. I guess I just clicked OK to some things that were not. However, the Wajam and Dealply were successfully cleaned off. Apparently they are not viruses but I had no wish for them to get onto the server so they are nasty regardless.

Question from me is: should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of to ...54.255 ?
Marcus N, Technical Specialist, Author Commented:
By the way, I have a static IPv6 address on the NIC. I have not created and enabled an IPv6 scope in DHCP, although IPv6 is enabled.

When I type ipconfig /all I get;

3 x IPv6 addresses all marked as (preferred) one of which is the static NIC address the other two are from nothing I have done. I also have 1x link-local IPv6 address which is sort of similar to one of the IPv6 addresses but not the static NIC one.

I am convinced that my loss of LAN / WAN connectivity is related to some DNS or IPv6 issue....
-->  I have not created and  enabled an IPv6 scope in DHCP, although IPv6 is enabled.

--> Question from me is: should I create an IPv6 scope and, if so, how do I find out what that is for an ip range of to ...54.255 ?

First, you only need to do this if you plan to hand out IPv6 addresses via DHCP. If you don't plan on using DHCP for IPv6 addresses, you don't need to create a scope.

Second, there is no relationship between IPv6 and IPv4 addresses. So even if you were to create a DHCP IPv6 scope, what you are using for IPv4 does not matter. If you mean what is a "private" DHCP IPv6 subnet, that is fc00::/7.

I don't think DNS has to do with this.  DNS does not disable a NIC.

Did you check to see if anything was in any of the event logs?
Marcus N, Technical Specialist, Author Commented:
Thanks for clarifying the IPv6 matter. Over the weekend I installed a new (Adaptec) NIC adapter and disabled the old (Broadcom) one. Since then I haven't yet had a WAN connectivity issue. I'll wait another week to see if the original problem returns. I'll post an update on Saturday.
Olaf De Ceuster Commented:
1: Run the HP diagnostics at startup to see if you have any issues with the NICS.
Didn't diagnostics pick up the issue?
Marcus N, Technical Specialist, Author Commented:
The HP diagnostics complains that there is more than one NIC adapter.

The problem with the Broadcom (on-board) NIC was that it was in "power saving mode" and it powered down and could not be revived without a reboot. This appears to be a problem with the latest driver. I have rolled back the driver to the previous one and the problem has gone away.

However, since installing the Adaptec NIC adapter, with more options for network traffic control, I have gone on to disable the Broadcom NIC completely.

So far I have several days of continuous connectivity. When a week is up I will report whether the original problem has been resolved.

Thank you for continuing to take an interest in this matter.
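A check for the cause described in the comment above, as an added example that is not part of the original thread: it lists each physical NIC with its driver version and whether Windows is allowed to power the device down. It assumes the adapter's driver exposes the `MSPower_DeviceEnable` WMI class in `root\wmi`, where `Enable = True` corresponds to the "Allow the computer to turn off this device to save power" checkbox.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Works with PowerShell 2.0, so it avoids the NetAdapter cmdlets of later Windows versions.

# Power-management state per device; only present when the driver exposes it.
$power = @(Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceEnable `
               -ErrorAction SilentlyContinue)

# Installed driver packages for network-class devices.
$drivers = @(Get-WmiObject -Class Win32_PnPSignedDriver -Filter "DeviceClass = 'NET'")

Get-WmiObject -Class Win32_NetworkAdapter `
              -Filter "PhysicalAdapter = True AND PNPDeviceID IS NOT NULL" |
ForEach-Object {
    $nic = $_

    # MSPower_DeviceEnable.InstanceName is the PnP device ID plus an instance suffix.
    $pm = $power | Where-Object {
        $_.InstanceName.StartsWith($nic.PNPDeviceID, [StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -First 1

    $drv = $drivers | Where-Object { $_.DeviceID -eq $nic.PNPDeviceID } |
           Select-Object -First 1

    New-Object PSObject -Property @{
        Name            = $nic.Name
        Connection      = $nic.NetConnectionID
        NetEnabled      = $nic.NetEnabled
        DriverProvider  = $drv.DriverProviderName
        DriverVersion   = $drv.DriverVersion
        # True means Windows may turn the NIC off to save power.
        AllowPowerDown  = $(if ($pm) { $pm.Enable } else { 'not exposed' })
    }
} |
Select-Object Name, Connection, NetEnabled, DriverProvider, DriverVersion, AllowPowerDown |
Format-List
```

Recording this output before and after a driver update or rollback shows which driver version was active when the NIC stopped responding.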
That is one heck of a bug. I'm surprised there isn't a new version of the driver to solve that problem. I would have assumed one would have come out REAL quick.
Marcus N, Technical Specialist, Author Commented:
OK, the end result is that the Broadcom driver caused the problems. The server network connectivity is fine now. I'm using an Adaptec NIC and that seems to be doing fine.