Admin$ and IPC$ shares disappear repeatedly

Guest

Our sister company at a remote location has a single domain controller. That
one DC is now having a problem where the Admin$ and IPC$ shares disappear
within seconds of creating them.
I.e., I can type "net share admin$"
followed by "net share" and see admin$ listed, if I type "net share" fast
enough. Within 10-15 seconds, I can type net share again and
admin$ is no longer listed. The same happens with IPC$.
The client stations are now getting an error when trying to get to shared
network drives ("no logon server is currently available") and I cannot
promote another server to be a DC. If I type the "net share admin$" and "net
share IPC$" and have the dcpromo on the second server ready to go, I can
sometimes get partway through starting the promotion before it loses the
share again.
This computer recently had files infected with W32.Spybot.Worm and
Backdoor.Sdbot. However, it showed no (other) signs of the computer itself
being infected (none of the registry changes, etc. listed for those viruses).
And the files were cleaned. One of the files it said was infected was
"c:\win2000\system32\spool\drivers\svhost.exe". Others were two files in the
same dir (fwr.exe and msgfix.exe).

I'd like to 1) get the admin$ and ipc$ shares to stick so that the users can
access the network again or 2) get another DC and trash this one without
losing all the user accounts and other AD information. Any suggestions?
 
Pegasus (MVP)

NCKestrel said:
Our sister company at a remote location has a single domain controller. That
one DC is now having a problem where the Admin$ and IPC$ shares disappear
within seconds of creating them.
I.e., I can type "net share admin$"
followed by "net share" and see admin$ listed, if I type "net share" fast
enough. Within 10-15 seconds, I can type net share again and
admin$ is no longer listed. The same happens with IPC$.
The client stations are now getting an error when trying to get to shared
network drives ("no logon server is currently available") and I cannot
promote another server to be a DC. If I type the "net share admin$" and "net
share IPC$" and have the dcpromo on the second server ready to go, I can
sometimes get partway through starting the promotion before it loses the
share again.
This computer recently had files infected with W32.Spybot.Worm and
Backdoor.Sdbot. However, it showed no (other) signs of the computer itself
being infected (none of the registry changes, etc. listed for those viruses).
And the files were cleaned. One of the files it said was infected was
"c:\win2000\system32\spool\drivers\svhost.exe". Others were two files in the
same dir (fwr.exe and msgfix.exe).

I'd like to 1) get the admin$ and ipc$ shares to stick so that the users can
access the network again or 2) get another DC and trash this one without
losing all the user accounts and other AD information. Any suggestions?

I thought the default administrative shares were C$, D$ etc?
 
Steve Duff [MVP]

My guess is that you still have something. Try another scanner
with current signatures first, or something like the online
scanner at pandasoftware.com which I've found is very good.

After that, I think going directly to an install-mode repair is the
best choice. Do a system backup, put in the Server CD and
click "upgrade". This will rebuild the hardware tree, missing
or corrupt system registry values, corrupt files, security and rights
problems, etc. and may fix the issue.

Note if your CD is an older service pack from what you are using,
you will have to boot from the CD and take the >second< repair choice,
then you'll need to reapply service packs and updates as your server
will be back at that level after the "upgrade." Or you can slipstream
your own SP4 CD -- detailed information on doing this is all over
the Internet and it is not difficult to do.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Guest

http://support.microsoft.com/default.aspx?scid=kb;en-us;842715
"Overview of Problems that may occur when administrative shares are missing"
Administrative shares then being listed as IPC$, ADMIN$, or C$.
The article then mentions several of the problems I am having.
1. No logon server is available to service the logon request when trying to
map network drives.
2. netdiag.exe failing to list DCs.
All of the users are using cached credentials, except for logging on locally
to the DC. Mapping to network drives works, IF you do not specify a domain
and you are connecting to a network drive shared by the DC. (I.e., it can look
up logons itself).
The DC is not showing any errors in Event Viewer that appear to have
anything to do with this.
I've done the registry edit listed to supposedly create the administrative
shares on startup. They are not there by the time I log in to the server.
And when I manually create them via "net share IPC$" or "net share ADMIN$"
they only exist for seconds.
I've also checked PolEdit and SecEdit and both had the administrative
shares turned on.
 
Guest

I've run the pandasoftware scan on the c: drive and it came up blank. I'm
having it run on the other hard drives now, just to make sure. But Symantec
v9 (local install), microtrend's online and now pandasoftware's online are
saying it's clean. We've tried a repair of the install previously. Going to
try an upgrade to Windows 2003 tomorrow. (We're retiring this server for a
new 2003 server anyway, I just don't want to lose the active directory
domain).
 
Steve Duff [MVP]

I have seen this problem several times. In every single
instance it has been either a malware infection or something
left behind by a malware infection.

That isn't to say your situation isn't something else, but I
can think of nothing in any standard Windows thread that
would act this way without leaving a slew of events. So I
am of the belief that it is some third-party thread, wanted
or otherwise.

You can always find some machine to put Server on,
make it a DC, and dump AD to that. Reinstall on your
main server and then bring it back up as a DC. This
kills a day, but would also kill this problem.

Or you can do a system state backup, reinstall and restore, which
would be much faster; the main issue with that of course being that
you may just carry over your problem too.

You should try posting this to the .active_directory group, somebody
there could very well have a better idea.

Good luck. Post back if you find out the cause.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
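
Added example, not part of any post in this thread: a small Python watcher that parses `net share` output and timestamps when ADMIN$ and IPC$ are created or removed, so the removal window can be lined up against process and service activity on the DC. The sample output is constructed, and the names `parse_net_share`, `share_events` and `capture` are this example's own.

```python
import re
import subprocess
import time

WATCHED = {"ADMIN$", "IPC$"}  # the shares this thread reports vanishing

def parse_net_share(output):
    """Return the upper-cased share names listed by `net share`."""
    names, in_table = set(), False
    for line in output.splitlines():
        if re.fullmatch(r"-{5,}\s*", line):
            in_table = True              # rows start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip() and not line[0].isspace():
            # Indented lines continue a long share name's row; skip them.
            names.add(line.split()[0].upper())
    return names

def share_events(snapshots):
    """snapshots: [(seconds, net_share_text)] -> [(seconds, share, event)]."""
    events, prev = [], None
    for t, text in snapshots:
        present = parse_net_share(text) & WATCHED
        if prev is not None:
            events += [(t, s, "removed") for s in sorted(prev - present)]
            events += [(t, s, "created") for s in sorted(present - prev)]
        prev = present
    return events

def capture(count=30, interval=1.0):
    """Poll the live `net share` command (Windows only; not used by the sample)."""
    start, shots = time.monotonic(), []
    for _ in range(count):
        out = subprocess.run(["net", "share"], capture_output=True, text=True).stdout
        shots.append((round(time.monotonic() - start), out))
        time.sleep(interval)
    return shots

# Constructed sample output (not taken from the thread's server).
_HEAD = "Share name   Resource                        Remark\n" + "-" * 79 + "\n"
_TAIL = "The command completed successfully.\n"
_C = "C$           C:\\                             Default share\n"
_ADMIN = "ADMIN$       C:\\WIN2000                      Remote Admin\n"
_IPC = "IPC$                                         Remote IPC\n"
SAMPLE = [
    (0, _HEAD + _C + _TAIL),
    (2, _HEAD + _IPC + _ADMIN + _C + _TAIL),
    (14, _HEAD + _C + _TAIL),
]

if __name__ == "__main__":
    for t, share, event in share_events(SAMPLE):
        print(f"t+{t:>3}s  {share:<7} {event}")
```

On the affected server, `share_events(capture())` run right after re-creating the shares gives the same timeline from live output.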
 
Guest

We did the upgrade to Windows 2000 SP4 (from Windows 2000 SP4) two nights
ago. It locked up on detecting devices (about an hour) and the local tech
restarted the computer. After that, it could not boot. Bad or missing
SYSTEM.SAVartup. We booted to recovery console and the file did exist.
Eventually we loaded from backup from before the upgrade to get it to boot.
We're going to try and do an upgrade to Windows 2003 Server later (still
scheduling), but is there an option to recover the AD domain if we cannot get
the admin$ and ipc$ shares back? Right now, if I try to promote another
server to DC, it can't because of the missing shares? I.e., how do I "dump AD
to that [a new DC]"?
 