touchstone_81

yeah i suppose that could happen to people but in m case the exchange is in a seperate domain seperate subnet so we can safely rule that out.Its just that i am finding it difficult to identify whats calling this "svchost - network service" . i mean something i sobviously telling it to go out on the network and do something just cannot figure out what.

For the last couple of weeks my domain account is constantly getting locked out. I used eventcombe and found the source to be a standalone server not part of the domain. after looking at the security event logs on source server " serverA" i found numerous "552 event ID's" these messages suggest process with PID 712 is making several connections to all member servers in the domain. 712 in taskmgr corresponds to "svchost /Network Service" with remote procedure call as its sole child process i have tried numerous things to figure out what is calling this process but no luck so far.Recreated my profile unmapped all network drives checked scheduled tasks, scripts etc. This is really driving me nuts so if somebody can help me out with this i would be eternally gratefull! Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 552 Date: 1/20/2010 Time: 6:04:33 AM User: NT AUTHORITY\SYSTEM Computer: ServerA Description: Logon attempt using explicit credentials: Logged on user: User Name: ServerA$ Domain: WORKGROUP Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: "my username" Target Domain: "Domain Name" Target Logon GUID: - Target Server Name: Member Server Target Server Info: Member server Caller Process ID: 712 Source Network Address: - Source Port: -

It does but i didnt see any disk errors. These are Dell poweredge 2950 servers.

Recently we had this server that started logging Event ID 55 :" file system corrupt/unusable.please run chkdsk on volume *" well we did run chkdsk and it came back and said corrections were made but only after a day the errors came back. Contacted Dell and they typically suggested that we upgrade the firmware of RAID scsi and whatnot.Since there was nothing else to try we agreed to this but then i noticed that 3 other servers were logging the same event.This led me to belive that it isn't actually a filesystem problem but some process thats setting the corrupt flag. Any thoughts on how to go about this would be appreciated.

Due to shortage of time we have decided not to use any 3rd party software in our DR test.But now the problem is that we are using 64bit win2003 R2 and this is not supported by the dumpcfg.exe (used to change the disk signatures) tool. Read somewhere that the registry can be modified to point to new disk signature .If Cluberti or someone knows which keys to change i would be grateful.

Hi Cluberti thanks for the reply. There are 2 clusters each with 2 nodes and it is in active/active mode because thats a client requirement.The applications are SAP management apps supported on an Oracle database which are administered by the client.

Hi all, As you know in most environments, clusters operate in an active/passive mode – the passive server providing hardware redundancy. In a DR situation, generally only one of the two servers are restored. However, since we operate in active/active mode, required to support the work load, both servers must be recovered. Restoring to unlike hardware (Dell to HP) presents some additional challenges. The recommended approach is to build the systems from scratch. However, based on comments during our weekly meeting that installing the application from scratch would take days, and so is not feasible. Currently we are looking at a software known as Double-Take which is mighty expensive and not sure if this would overcome the disk signature problem. If anybody has any ideas or has been in a similar situation please share your ideas. Thanks in advance.

The problem that you have is related to one client, the server itself or all clients in the domain? you said you could ping the IP address. so if you type the ip into the browser instead of name can you get to the URL? Plus what about host files have you checked them for static entries.? you could also add Internet domain mapping to iP in the host file of a client and see if that works. If your dns server supports insecure dynamic updates from clients try the name from a system thats in workgroup.

hey thats great cluberti.Thank you for sharing your views;and no although netapps support was very helpful their efforts were pretty much centered around proving that DNS was the culprit, and what's more some of our own people were convinced that it was indeed dns.this made it all the more frustrating. Anyways i had told netapps to put the issue on hold so will go back to them with the new findings thanks to you and see what they say about that.

Try changing the file association in explorer tools --> Folder options--> file types

Hi Cluberti find the link for the trace below.The info you asked has been enclosed. http://www.2shared.com/file/3380022/70dc1f...work_trace.html Please do look at it when you get the time and lend your thoughts on the same.

Hi Cluberti i captured two sets of trace's. each set included,one with IP and another with name. The second set was captured in a new logon session. I have never used wireshark before so maybe i am not looking for the correct info.But here is what i did: in wireshark there is an option "analyze" under that went to expert info and there i could see that: 1. when accessed using IP There were no connections to the DC from the client 2. when accessed using name there was a connection to the DC from the client. Not sure if that is significant though. There was mention of NTLM in both.Apart from that couldnt notice much difference. Hey Cluberti do you think you have the time to look at the trace?

Great let me get the trace. & Thanks for the quick response.

Hi been having an issue thats driving me crazy.hopefully i am addressing this in the right forum. Problem: Share access to a netapp storage box is fast when accessed by name i.e., \\netapps but takes a long time when accessed by ip i.e., \\10.*.*.* Netapps OS: Unix Windows DC OS: win2003 DNS: active directory integrated. Netapps support say the issue is with windows DNS, which i cannot agree because the name is being resolved and the host records are properly set up, verified this with nslookup. If i am not mistaken when i use \\ip dns should not come into the picture right? Also when the share is accessed by \\ip it opens up after like 20 seconds,and clicking on a share gives a system busy cursor symbol after which it eventually does open the share. This does not happen when share is accessed by name. This is seen to be happening across all clients in our domain. Somebody please help.

hi the link that i gave you covers all your questions.just need to have the patience to read through the mammoth but very comprehensive document.

Sit down grab a cup of coffee and then begin with the link below: http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Although none of our clients are running legacy systems at the moment, i think working with them at some point will be inevitable; just wanted to get the doubt cleared.

Hi i came across this question recently and since it was interesting wanted to make sure i had the right answer. The scenario: I have a AD domain, DNS and WINS servers setup. i go to the command prompt on a windows 2000 machine and type ping "server1" Based on the above scenario the question is as follows: How do i know which service has resolved the name WINS or DNS? Now from what i know the name resolution process is follows: The machine will check 1. Local cache. 2. HOSTS file 3. It will then use the dns Suffix configured & query DNS 5. WINS 6. Broadcast 7. LMHOSTS based on this it seems as long as the DNS server is working DNS is always resolving the name. and if instead of the win2k machine i type the ping command on a WIN 98 client then would it be right to assume that WINS always resolve's the name due to fact that Legacy machines use NetBIOS ? would appreciate any info on this topic

Try this on your PC on Command Prompt: netstat -an |find "3389" if RDP is enabled and running you should get : TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING Are you able to RD from the server to another machine say an XP client that has rd enabled? what antivirus software are you running? what happens when you try to RD while server is in safe mode with networking mode? what about vnc does that work? may not solve your problem but might give you some clues

there may probably be an entry in the hosts file either on the server or on the client pointing to the wrong ip. however on the xp client when you do nslookup does the primary DC show up as the default server and resolve names?

1.Can none of the clients RD to the server or is it only one client? If the problem is with only one client then tshoot the client if not then 2.Are terminal services running on server?if yes 3.Is remote desktop enabled on server? if yes 4.can the client telnet to the RDP port 3389? if not 5.check windows firewall or any third party firewall settings on server May also be worth be checking the IP address and subnet mask of the server and client(s).

http://support.microsoft.com/kb/307545 The article applies to xp but you can get the system to a state when the os was first installed.but because there is no system restore in win2003 you cannot complete the second part of the article.

hmm not sure about the power but what i would do here is to uncheck the "Automatically Restart" on system failure option and run the memory dump through a debugger.

Thanks for the explanation Cluberti.Well now i know that on those occasions when the kernel tries but dosen't succeed to map all 256 MB of NNP into RAM some variation shall we say, from the default is possible. Anyway MCrocker -- you could open msconfig, uncheck any startup items and 3rd party services that are not absolutely necessary, reboot and see how things go.

Hi Cluberti i am a little confused by what you said about non-paged pool not fluctuating with RAM. According to this link it does seem to fluctuate. http://blogs.technet.com/askperf/archive/2...-resources.aspx