Computer Browser services stopping

Zucarita9000

Hey everyone,

We're experiencing a strange problem with our domain server (Small Business Server 2003) in which the Computer Browser service stops and the entire network goes down until I restart it. Well, not entirely down, but shared volumes and browsing are impossibly slow.

Has anyone else had a problem like this before?
 

rasczak

Originally posted by: Zucarita9000
Hey everyone,

We're experiencing a strange problem with our domain server (Small Business Server 2003) in which the Computer Browser service stops and the entire network goes down until I restart it. Well, not entirely down, but shared volumes and browsing are impossibly slow.

Has anyone else had a problem like this before?

I really don't have an answer for you, but I came across this link.

http://support.microsoft.com/kb/188305

Hope it helps.
Good luck.
 

redbeard1

Is there a Linux server lurking in your network anywhere? I've seen some odd things when someone was playing with Linux and they turned on LDAP connectors and caused grief in the MS domain.
 

Zucarita9000

No, no Linux servers. But running browstat status reveals some interesting details. The main browser is the server, but there's also a backup server which I never configured. This backup server is a random computer on the network.
 

redbeard1

While I do not think it would cause the issue you are experiencing, are any of the computers in the network XP Home? An XP Home computer has a habit of claiming it is the master browser in the network. Normally a domain controller, like an SBS server, is the master browser.

In a workgroup only situation, any computer can claim the master browser. Normally it is the first computer turned on that day.
 

Zucarita9000

Yes, now that you mention it there is a computer running XP Home Premium, but it's not the one being assigned as a backup Master Browser. It is strange indeed.
 

Zucarita9000

Ok, as of this morning I have two backup servers configured :S
Should I just disable the Computer Browser services on all clients?
 

RebateMonger

Do you have a functional DNS server? The network should go to the DNS server or a WINS server before it should ever use the network browser service.

But, yeah, the Server's Computer Browser service shouldn't be doing this. It should be on "Automatic" and should be listed as "Started" at all times. Since it's Server 2003, it should overrule any other PC on the network as the Browser Master (although that could take some negotiation time). Are there any other services that aren't starting correctly? Is the "Server" service running?
 

Zucarita9000

The network was down a few seconds today. After resetting one of the switches I pinged a few machines and got <1ms times, which is just fine. However, I did a tracert to some other devices and got some interesting results. Although there's only one hop to every device, the packets are going through random computers and not the server (domain controller). Is this correct??

Pinging a device on the network results:

C:\Documents and Settings\Administrator>ping nas01

Pinging nas01 [192.168.1.58] with 32 bytes of data:

Reply from 192.168.1.58: bytes=32 time<1ms TTL=64
Reply from 192.168.1.58: bytes=32 time<1ms TTL=64
Reply from 192.168.1.58: bytes=32 time<1ms TTL=64
Reply from 192.168.1.58: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.58:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

A browstat status reports the following:

Status for domain EKAYMM on transport \Device\NetBT_Tcpip_{780F2886-CCEA-489D-A7D6-3214602EC43D}
Browsing is active on domain.
Master browser name is: SERVERHP
Master browser is running build 3790
2 backup servers retrieved from master SERVERHP
\\COMPRAS01
\\SERVERHP
There are 18 servers in domain EKAYMM on transport \Device\NetBT_Tcpip_{780F2886-CCEA-489D-A7D6-3214602EC43D}
There are 3 domains in domain EKAYMM on transport \Device\NetBT_Tcpip_{780F2886-CCEA-489D-A7D6-3214602EC43D}

But at the same time, a tracert gives me:

C:\Documents and Settings\Administrator>tracert ingenieria07

Tracing route to nas01 [192.168.1.82]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms ventas01.ekaymm.local [192.168.1.82]

Trace complete.

Why is the packet going through ventas01.ekaymm.local?? This is driving me nuts.

Our domain server (SERVERHP) has DNS enabled and a static IP of 192.168.1.240.
Our DHCP server is a Linksys RV04 router, which passes the following DNS settings to every client:

Primary DNS server: 192.168.1.240
Secondary DNS server: 192.168.1.1 (itself).

It is my understanding that every request will go first to the primary DNS server, which is our local server. If the request is not located in that server, then it will go to the secondary DNS server (internet gateway).
 

Cal166

Depending on how your primary DNS server is configured, it may not be configured to forward to the secondary DNS server.
 

Crusty

Try running a packet dump next time your network stops functioning. Since you seem to be putting a correlation between the browser services and the network going down I wouldn't be surprised if you have a network loop in your physical layer causing a broadcast storm. What kind of networking hardware are you running?

 

Zucarita9000

ipconfig /all for the domain controller:

Configuración IP de Windows

Nombre del host . . . . . . . : serverhp
Sufijo DNS principal . . . . : ekaymm.local
Tipo de nodo. . . . . . . . . : desconocido
Enrutamiento IP habilitado. . : Sí
Proxy de WINS habilitado. . . : Sí
Lista de búsqueda sufijo DNS : ekaymm.local

Adaptador Ethernet Conexión de área local del servidor:

Sufijo conexión específica DNS:
Descripción . . . . . . . . . : Embedded Broadcom NetXtreme 5721 PCI-E Gigabit NIC
Dirección física. . . . . . . : ------------------
DHCP habilitado . . . . . . . : No
Dirección IP. . . . . . . . . : 192.168.1.240
Máscara de subred . . . . . . : 255.255.255.0
Puerta de enlace predet.. . . : 192.168.1.1
Servidores DNS. . . . . . . . : 192.168.1.240
192.168.1.1
 

Zucarita9000

Originally posted by: Crusty
Try running a packet dump next time your network stops functioning. Since you seem to be putting a correlation between the browser services and the network going down I wouldn't be surprised if you have a network loop in your physical layer causing a broadcast storm. What kind of networking hardware are you running?

How do I do that?
Our network equipment consists of a Linksys RV04 router/gateway, two SR224G switches (with gigabit uplink ports), an SLM2024 gigabit main switch and a couple of Linksys WAP200 APs.
 

Crusty

Originally posted by: Zucarita9000
Originally posted by: Crusty
Try running a packet dump next time your network stops functioning. Since you seem to be putting a correlation between the browser services and the network going down I wouldn't be surprised if you have a network loop in your physical layer causing a broadcast storm. What kind of networking hardware are you running?

How do I do that?
Our network equipment consists of a Linksys RV04 router/gateway, two SR224G switches (with gigabit uplink ports), an SLM2024 gigabit main switch and a couple of Linksys WAP200 APs.

There's a program called Wireshark that you can run on a desktop. If you know how to, you can mirror the port that the server is plugged into on the switch to another port on the switch and plug your computer into that port to capture all the traffic to/from the server. A quick look at the number of packets captured by type when you are experiencing the slowdown will show you the breakdown of what kind of traffic is hogging up the network (if it even is a network problem).

The server needs to be hooked into your SLM2024 though, as the other switches don't support port mirroring.
 

Zucarita9000

Well, after a few hours I have discovered the problem. It wasn't DNS, it wasn't NetBIOS, not a hardware problem, it wasn't even a domain configuration issue. It was a bloody as hell virus: the Win32/Conficker.B worm.

According to MS, this SOB does nasty stuff:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.
* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
* Domain controllers respond slowly to client requests.
* The network is congested.
* Various security-related Web sites cannot be accessed.

So, after disconnecting the infected PCs from the network everything went back to normal. I'm running MS Removal Tool and it seems it was able to get rid of it.
 

Crusty

Originally posted by: Zucarita9000
Well, after a few hours I have discovered the problem. It wasn't DNS, it wasn't NetBIOS, not a hardware problem, it wasn't even a domain configuration issue. It was a bloody as hell virus: the Win32/Conficker.B worm.

According to MS, this SOB does nasty stuff:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.
* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
* Domain controllers respond slowly to client requests.
* The network is congested.
* Various security-related Web sites cannot be accessed.

So, after disconnecting the infected PCs from the network everything went back to normal. I'm running MS Removal Tool and it seems it was able to get rid of it.

A packet dump would have revealed that almost immediately :p

How did you end up discovering that the virus was the culprit?
 

Zucarita9000

Originally posted by: Crusty
Originally posted by: Zucarita9000
Well, after a few hours I have discovered the problem. It wasn't DNS, it wasn't NetBIOS, not a hardware problem, it wasn't even a domain configuration issue. It was a bloody as hell virus: the Win32/Conficker.B worm.

According to MS, this SOB does nasty stuff:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.
* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
* Domain controllers respond slowly to client requests.
* The network is congested.
* Various security-related Web sites cannot be accessed.

So, after disconnecting the infected PCs from the network everything went back to normal. I'm running MS Removal Tool and it seems it was able to get rid of it.

A packet dump would have revealed that almost immediately :p

How did you end up discovering that the virus was the culprit?

I was working on that particular PC and noticed that the network activity was going through the roof. I ran TCPView and figured out the problem.

NOD32 detected the damn worm, a quick Google search revealed the solution ;-)
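
Added example, not part of any post in this thread: the "packets captured by type" breakdown suggested above, computed from a tab-separated tshark field export, plus a per-source count of distinct TCP 445 peers, since worms that spread over SMB (Conficker among them) show up as one host contacting many others on that port. The sample rows, addresses and the threshold of 10 are constructed assumptions.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def constructed_sample():
    """Constructed rows (not from the thread), in the layout written by:
    tshark -r capture.pcap -T fields -e eth.dst -e ip.src -e ip.dst
           -e tcp.dstport -e udp.dstport
    """
    rows = []
    # Workstation using the file server normally: many packets, one SMB peer.
    rows += ["00:11:22:33:44:55\t10.0.0.20\t10.0.0.240\t445\t"] * 40
    # Host sweeping the subnet on TCP 445: one packet each to 30 peers.
    rows += [f"00:00:5e:00:53:{i:02x}\t10.0.0.66\t10.0.0.{i}\t445\t"
             for i in range(100, 130)]
    # Broadcasts: browser announcements (UDP 138) and ARP (no IP fields).
    rows += [f"{BROADCAST}\t10.0.0.240\t10.0.0.255\t\t138"] * 5
    rows += [f"{BROADCAST}\t\t\t\t"] * 5
    return rows

def summarize(lines, fanout_threshold=10):
    """Count packets by type and flag sources reaching many hosts on TCP 445."""
    by_type, smb_peers = Counter(), defaultdict(set)
    total = broadcast = 0
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 5:
            continue  # malformed row
        eth_dst, src, dst, tcp_port, udp_port = fields
        total += 1
        broadcast += eth_dst.lower() == BROADCAST
        if tcp_port:
            by_type[f"tcp/{tcp_port}"] += 1
        elif udp_port:
            by_type[f"udp/{udp_port}"] += 1
        else:
            by_type["other"] += 1  # ARP, ICMP, anything without a port
        if tcp_port == "445" and src and dst:
            smb_peers[src].add(dst)
    fanout = {s: len(p) for s, p in smb_peers.items() if len(p) >= fanout_threshold}
    return {"total": total, "by_type": dict(by_type),
            "broadcast_share": broadcast / total if total else 0.0,
            "smb_fanout": fanout}

if __name__ == "__main__":
    report = summarize(constructed_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample the busiest SMB talker by packet count is the ordinary workstation; only the distinct-peer count singles out the sweeping host.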