Network Crashes 2

[lmoe]

We have a system running 1 Windows 2000 server 2 Windows 2000 (Terminal Server) server, 1 Inter 530T Managed Switch, 3 Intet 535T switches, a 3com firewall and two Cisco routers.

Recently, the system started crashing. By crashing I mean that no one could access the servers or the internet. When we reset ALL the above, the problem goes away for awhile.

We do not know if the system is just being brought to crawl or actually being brought down, however.

Does anyone have any input for us?


LMC
IT/MIS
"Never stop learning.

 

[gbaughma]

Could be a worm (blaster, sasser, etc.) When active, they will eat up your bandwidth, bringing things to a halt. They can even overflow buffers in your switches, causing them to die.



Just my $.02

"In order to start solving a problem, one must first identify it's owner." --Me
--Greg

 

[kixtart]

Bingo! I had that happen and tracked it down to my laptop users having viruses. Go to

http://www.trendmicro.com

and hit the drop down to do a "Housecall" and scan your pc's.

BNutz

 

[lmoe]

Will give that a try and get back.
However, with Corporate Antivirus running and updated on the whole system..shouldn't we be protected against that?

LMC
IT/MIS
"Never stop learning.

 

[GlenJohnson]

In theory only. How long has it been since your corporate anti-virus was updated? Plus,

I had that happen and tracked it down to my laptop users having viruses.

as kixtart pointed out, his problem was with laptop users. Do you have any laptops not using corporate anti-virus? Also, check your logs and see if there are any problems. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.

TTinChicago
Johnson Computers

 

[lmoe]

From the Event Viewer Main Windows 2000 Server
It happened again.

Main Server System Log:
8 am this morining
Event ID 27 "Adapter Link Down"

Event ID 2510
"The server service was unable to map error code 1222"

DNS Log
Event ID 4015
"The DNS Server has encountered a critical error from the Active Directory. Check to see that the Active Directory is functioning properly. The event data contains the error"

==============
Norton Anti virus found repeated w32.beagle and w32.netsky worm threats which the Anti virus software seems to be taking care of.
=============
Should I be running a sniffer? If so, any recommendations?

LMC
IT/MIS
"Never stop learning.

 

[technome]

First I would check the DNS issue, run DCdiag.exe and NetDiag.exe, nslookup. Critical error in DNS can make everything crawl or crash. Turn on logging in the DNS MC temporarily.
concerning network errors....
The 535 switches are managed, you can check for machines creating network errors, and port utilization using the Deviceview utility. If you are not sure of the method, call Intel, their people are pretty good, and will take the time to tell you how to trouble shoot.

 

[lmoe]

Netdiag and dcdiag do not seem to be on the server. Do you know where I can find them?

We will be working with the 535 switches. Thanks.

LMC
IT/MIS
"Never stop learning.

 

[gbaughma]

Well, you can look in your port logs on your switch (assuming it's a managed switch), and see who has the most traffic... check their computer first.

Try re-setting your port counters, then watching... sounds like you'd see a port with a *lot* of traffic in a relatively short time.



Just my $.02

"In order to start solving a problem, one must first identify it's owner." --Me
--Greg

 

[technome]

DcDiag and netdiag should be in the downloadable Windows 20000 Administrative support pack at the MS site. Run both in the verbos mode, /v, output the results to files.

 

[technome]

Forgot...

update all the MS patches and you network card driver.

 

[beerhunter2]

Eventid.net, DNS event id 4015 see link

http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

This event has also been reported on DNS servers configured for Internet Connection Sharing (ICS). ICS installs its own DNS proxy service and that is in conflict with the DNS. ICS is not supposed to be used on servers thar run DNS or DHCP.


Help! I've fallen and I can't reach my beer.

 

[SGTRawlins]

If you dont have a managed switch thier are stacks of freeware sniffers on the maket you can install on systems, this should monitor thier network activaties, check show munching the bandwisth for lunch.

Again, it could be a DNS issue, i know we had come consultants that configuered our DNS right up shit creek, caused alot of slow down.

do you notice any local slowdown on the DNS/Internet server or is it just on the clients?

Have you tried connecting a client directly to the router, i know it poses slight security issues but could the internet slowdown be an ISP issue?

 

[lmoe]

Tons of great stuff here.

We "may" have found the culprit, will know next week.
A new software program that tracks internet usage was working fine when tracking on Windows XP PCs. We added Windows 98 PCs about the same time the above problems started.

We disabled the software and so far so good (24 hours).

I will keep you posted.

LMC
IT/MIS
"Never stop learning.

 

[dholbrook]

Just from my own experience, the firewalls, etc., are pretty much worthless when your lovely users bring their virus contaminated laptops and install them behind the firewall, and then fire them up. I had my firewall complaining so much that the inside traffic crashed the entire network. Users just do not remember to keep their antivirus up to date, or turn it off "because it slows them down too much".

I agree with the comments here, you need to check the traffic volume when the network appears to crawl or crash, and locate the system(s) that are causing the massive traffic.

Putting the DNS on the same server as the Active Directory might stop that DNS communication problems. Also, having multiple DNS servers might help if the load is too much or one gets swamped for any reason.

In any event, you know you have a problem, so put a good sniffer tool in place to monitor the net traffic to get a picture of what is happening on a regular basis.

Let us know if you pin it down.

David

 

[lmoe]

Beerhunter2 - Thanks for your comment, but ICS is not running on this server.

I will be running tests this week.

LMC
IT/MIS
"Never stop learning.

 

[GlenJohnson]

Are you monitoring anything on the server, such as good/bad packets recieved/sent. I had a network that kept going down and users couldn't log onto the domain. Turned out to be so simple I could have kicked myself. A brand new nic was going bad. When I re-booted the on DC with the bad nic, users authenticated through the other dc, and it took me a while to put 2 plus 2 together. (Funny thing though, it turned out to be 5.) Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.

TTinChicago
Johnson Computers

 

[lmoe]

We finally seemed to have found the culprit.
We replaced the switches about 36 hours ago and there have been no crashes since.

We did notice a "bad" port on one switch, but we had disabled it. Obviously, that was not sufficient.

Thanks everyone for all the input. It did help.

LMC
IT/MIS
"Never stop learning.