Windows Server 2003 killing adsl router on startup

I've just reinstalled my 2003 server after yet another AD corruption. 
Booting the fresh install was fine. I performed a Windows Update, 
rebooted, installed AD and rebooted again.

Now, every time my server starts up, it causes my adsl router to stop 
responding to any network requests. Can't even ping it. If I shut the 
server down and power-cycle the router, all is fine again, and will 
remain so until I start the server up again.

The only things different about this install to the last are:

- using different FQDN
- using 2000 mixed mode instead of 2003 native, to ease SAMBA issues

The router is set as the server's default gateway.

Things I've tried so far are:

- verified that they're both using valid, distinct IP addresses
- confirmed that DHCP server isn't running, to avoid IP# conflicts
- rebooted in Safe Mode with Networking, problem still occurs

I'm about to try in Safe Mode (no networking) to see if that causes the 
problem too. As it kills my internet connection, I wanted to post this 
first ;)

Any ideas what I'm doing wrong? I can't think of any legitimate network 
operation that causes complete death to another device.

Many thanks,

Drew

Hello,

Is it possible that you are infected by a virus that floods the network?

-- 
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

I certainly couldn't rule that out 100%. Although I'd class it as 
unlikely. I'll run a scan.

Booting into Safe Mode with no networking doesn't cause a problem (as 
expected).

After running some tests, I can't find anything to support that hypothesis.

Any other suggestions?

I would boot the server up with the Ethrnet cable disconnected, connect it
and then monitor the Nic status that shows sent and received packets. If
your server starts sending out high volums of traffic for no reason you are
infected. Just because a scan comes up neg dosn't mean that your server
CAN'T be infected. If you just rebuilt your server and connected to the
internet to apply the patches, you'll never make it. Your server will become
infected before you get the patches applied. And once infected the patches
don't do anything.

I tried monitoring this from the router, and could see no unusual 
increase in traffic before the router died.

Other than the test described, is there a reliable way to detect whether 
the machine is infected?


This may sound stupid, but how can I patch the server without going to 
get the patches? The only approach I can think of is to install linux on 
the server first, download the patches somehow, burn them onto a CD, 
reinstall with Windows and install the patches. Not ideal.

Also, whatever it is that is infecting the machine would have to get 
through a hardwire filewall (on total lock-down) and router, and be 
totally dependent on Active Directory. When I uninstall AD, the problem 
vanishes.

drew.

In item <%23gg3zD4$ XXXX@XXXXX.COM >,
DrewM says...




Does the router have logging? Also is your FQDN the same as a registered one on
the internet? Is you AD server also the DNS server for itself?
The router log should show you the traffic attempting to pass through it. You
said you only have the issue when you install AD. Just for clairity are you
using a FQDN like mydomain.domain or something someone else may own like
microsoft.com. Is your DNS server for the domain external to you? If so you will
have issues with srv records AD needs.

-- 
Regards,

Michael Holzemer
No email replies please - reply in newsgroup

Learn script faster by searching here
 http://www.**--****.com/ 

Unfortunately, no.


Yes, I'm using office.company.net, where company.net is registered and 
under my control at our ISP. I've set up an A record for 'office' within 
that zone to point to the IP address our adsl uses


Yes. With forwarders to our ISPs DNS servers.


office.company.net, registered to us.


Yup, it's at our ISP, on the other side of a locked-down firewall, and 
is running linux.

... so, how *should* I do this? To be honest, I'd be happy using an old 
NT4 style single word domain name, but the installer gives dire warnings 
against this. I assume it should be possible to run as 
office.company.net without needing to host our own public DNS servers.

thanks for your time.


drew

I think it is the combination of patches installed via Windows Update.  It
wouldn't be the first time I have seen a combination of patches{*filter*}things
up,...for that matter I have seen plenty screwed up by just one patch, let
alone a combination of them. Those fairly recent RPC patches for example
stop the older MS Proxy2 dead in its tracks, the solution is to not install
those patches and to take other measures to protect the machine from the RPC
worms.

I never use Windows Update, I don't trust dumping all those patches on a
machine. I always have the SPs and patches that I have "hand picked" burned
onto a CD, then when I build the machine I apply the patches from a the CD
before I expose the machine to the Internet.  After that I apply only
patches that I trust and feel that they are "must-haves" and I don't worry
about the rest,...it is better to wait until a full Service Pack comes out.

If you read the "mitigating circumstances" listed for the different
vulnerabilities you will find that the situation doesn't apply to most
machines on a private network behind a firewall or proxy that isn't exposed
directly to the Internet.  You just have to decide which applies to your
situation.

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com








it. You
you

<snip detailed instructions>

Sharad - thanks ever so much. That's going to be really helpful.

drew