Re: Windows Server 2003 Sharing Problem

Simon Poulton · ‎11-14-2006

Hi All
I'm having this strange issue with Windows Server 2003. If I stick with the basic 2003 without SP1 all works great but as soon as I upgrade to SP1 clients get the error:
"The system detected a possible attempt to compromise security"
This happens every time they try to access shares, it even appears when logging on.
This server is the only one on the network, Active Directory, DNS, DHCP and WINS are all installed and running. It also acts as a print server.
I recently upgraded it from Windows 2000 Advanced Server.
Without Fail SP1 always breaks this.
Any suggestions?

Steven Clementi · ‎11-14-2006

Simon:

Is thee any issue preventing you from using the server?

Is the system "on the internet"?

I no... then just disbale your audit logging, unless you want it on for some reason.

With SP1, a lot of security enhancements were put into place and therefore the system generates a lot more audits to the logs and such. Your particular message might not mean anything except that things are normal.

Steven

Steven Clementi
HP Master ASE, Storage, Servers, and Clustering
MCSE (NT 4.0, W2K, W2K3)
VCP (ESX2, Vi3, vSphere4, vSphere5, vSphere 6.x)
RHCE
NPP3 (Nutanix Platform Professional)

Jon Finley · ‎11-14-2006

From what I can find on the internet, the problem has to do with your DNS settings.

If you're including DNS settings with your DHCP subscription, make sure that you are NOT including an outside ISP in your DNS entries (set the ISP in as a DNS forwarder within your DNS server properties).

If these are all correct, check your DNS entries at the server.

The problem has to do with a "referencing" change that MS did in SP1 to make resource request more secure. The Client and the Server need to be able to securely exchange a token. Without the exchange, the server declares the transaction to be a possible security breach attempt.

If your subnet mask is incorrect, it can also affect this, so double-check your DHCP setting.

Make sure afterwards, that your Server is FULLY patched. There's some VERY nasty "bots" out loose that can and will compromise your Server quickly.

Jon

"Do or do not. There is no try!" - Yoda

Simon Poulton · ‎11-14-2006

DNS Settings are all correct, Server is the Internet Server and uses ICS to deliver internet access. This breaks the shares this message always appears on clients after installing SP1.
I dont know where to find audit logging could you please point me to the settings page?

Chucka Eya · ‎11-14-2006

I am thinking DNS issues but can you look in the Event's log and see what the error messages are, as I'm sure they would be reporting this...

Simon Poulton · ‎11-15-2006

I have attached the event log.

Chucka Eya · ‎11-21-2006

Hello Sorry - had IT issues of my own so disappeared. still in the middle of it, but not as bad as last week.
has this been resolved?

I've just looked at your logs - and there are rampant dns messages going on there, especially the last bit e.g

The description for Event ID ( 40961 ) in Source ( LSASRV ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: DNS/auth1.dns.gxn.net, "The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
(0xc000018b)".

I will look into this today and come back to you.

Simon Poulton · ‎12-09-2006

Still the same issue when I install SP1. So i'm having to live without it for now.

James Kavanagh · ‎03-15-2007

Hi,

I had this at work and resolved using the article from MS (http://support.microsoft.com/kb/889031/en-us). It is to do with the fact that VPN users don't have a valid site IP address and therefore can connect to any DC within the Site list. This was causing us some strange problems where people could and couldn't connect to certain servers and also would only affect certain machines. Very random and difficult to track down!

Thanks,

James.