[26835] in resnet


Re: Windows 7/2008 not connecting to network...

daemon@ATHENA.MIT.EDU (Adeel Siddiqui)
Wed Oct 12 17:03:23 2011

Message-ID:  <04e101cc8922$0a54ba40$1efe2ec0$@edu>
Date:         Wed, 12 Oct 2011 16:00:55 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Adeel Siddiqui <asiddiqui@usao.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <022e01cc891a$e7f91ec0$b7eb5c40$@stmarys-ca.edu>

Rob,

 

We had originally thought along the same lines as well (and in fact we
suspected that a variant of the Conficker worm might be the cause). But this
issue has happened on brand new installations of Windows 7/2008, and even
after a clean re-installation of Windows 7/2008 (all of our Windows XP
machines that are connected to the domain seem to be immune to the issue).
As soon as the Windows 7/2008 computers get joined to the domain, the
problem manifests itself. Running just about every
anti-malware/spyware/virus cleanup process on the computers and/or servers
has had no effect.

 

~ Adeel

 

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Rob Whalen
Sent: Wednesday, October 12, 2011 3:10 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Windows 7/2008 not connecting to network...

 

Adeel,

This does not sound like it was due to an update. In fact all facts point to
a worm or virus. Windows update would not turn off the firewall, but a virus
can. Removing RDP access delays techs from troubleshooting the issue and
perhaps indicates a takeover, so others with that account would be able to
access the box. Modern worms can also use the domain info to direct attacks
or even the users' email. This is where I would start hunting.

Rob

 

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Adeel
Siddiqui
Sent: Wednesday, October 12, 2011 12:50 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Windows 7/2008 not connecting to network...

 

We have a strange issue going on our campus that's causing our Windows 7
computers and Windows 2008 servers to completely lose network connectivity. 

 

This is only happening to computers that are connected to the domain. 

 

The issue seems to have started a few weeks ago after the last round of
Windows Updates was installed on those computers. As a result, the Windows
Firewall services and its dependency services all got turned off on those
computers and can't be re-enabled either. Also, RDP access to those
computers won't work either. I suspected a group policy of some sort might
be the cause but we use little to no group policy administration on our
campus at all. Upon further investigation, we found that there seems to be
some cause to this due to some registry permissions that seemed to have
changed after the aforementioned Windows Updates were installed. I have a
feeling that the problem lies with how the computers are authenticating to
the domain, but can't confirm that prognosis.

 

I've tried everything to fix this issue from changing group policy settings,
to removing/re-adding the computers to the domain. Nothing seems to have
worked permanently or at least completely. We have managed to do some
on-the-spot MacGyvering to fix the issue (i.e. manually applying
administrative permissions to certain keys in the registry on those
computers as suggested by a few online articles) but they are temporary
band-aids at best.

 

Has anyone else run into this? Any permanent fixes/solutions that you can
suggest?

 


regards,
Adeel Siddiqui

Network Administrator <http://www.usao.edu/staff/adeel-siddiqui> 
Information, Research and Network Services
University of Science and Arts of Oklahoma <http://www.usao.edu/>
Chickasha, OK 73018 
(405) 574-1319
asiddiqui@usao.edu 

 

 

___________________________________________________ You are subscribed to
the ResNet-L mailing list. 

To subscribe, unsubscribe or search the archives, go to
http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________ 
