# Malformed Packets



## nutbunny (Oct 8, 2010)

Good Day, hope someone can help.


We recently upgraded to Server 2008 64bit.
Roles include: File Server, DHCP and DNS
Clients are Win7 (DHCP)
We use admin software called Edupac (stores a database on the server which all clients use - accounts, receipts, learners, marks, reports etc)
Edupac claim that server 2008 64bit and windows 7 are supported.
Network running at 1Gbps
Problem

Edupac is slow
At times it takes so long to print a receipt, it appears to hang.

Other

permissions are set correctly, all admin users can read/write to the share
share has been set to _offline files - optimize for performance_
other shares such as documents appear to work correctly
My Network places on clients and server seem to take long to display other connected users.
pings don't time out using _ping server -t -n 64500_

Wireshark produces malformed packets

we changed network card on server, replaced ethernet with crossover and added a new switch, connected only one user. Wireshark still produces malformed packets especially when a user opens Edupac.

I would sincerely appreciate some suggestions
Thank you


----------



## Wand3r3r (Sep 17, 2010)

what are the workstations pointed to for dns?
the switch is it a managed switch?


----------



## nutbunny (Oct 8, 2010)

All clients and the server use DNS addresses supplied by our ISP, Internet usage
Primary:196.43.42.190
Secondary:196.43.38.190

The switch is unmanaged.

Another symptom
Today I was informed that while trying to browse the server an admin user was asked for her username & password. I suggested she fill it in and select remember credentials however this has happened on her PC twice despite checking remember credentials. The user on the server hasn't been tampered with and no permissions have been changed.

I'm missing something here

Thanks for your time


----------



## Wand3r3r (Sep 17, 2010)

Your dns is misconfigured. 
It is incorrect to point to the isp dns servers from either the workstations or the server.

Proper config is as follows;

dhcp provides the workstations with the ip address of the dc for dns
the dns servers tcp/ip dns properties point to itself for dns
in the forwarders tab [not forward lookup zone] you put the isp's dns server ips in.

The way ms dns resolution works is the workstation makes a request to resolve say a name like yahoo.com. The MS dns server looks at its host records and doesn't find a record so it forwards the request to the isp's dns server which returns the results which in turn are given to the workstation.

All sorts of things don't work with misconfigured dns. Slow logon times, authentication issues, etc because they aren't finding the local server except by broadcasts which is the last resort.


----------
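The rule in the reply above (domain members query only the DC for DNS, and the ISP resolvers appear only in the DC's forwarders) can be checked from `ipconfig /all` output. The Python below is an added example, not part of the thread; the sample output, host name and domain suffix are constructed, and 192.168.1.5 as the DC address is taken from later posts.

```python
import ipaddress
import re

# Constructed sample: `ipconfig /all` from a hypothetical Windows 7 client
# that was handed the DC first and an ISP resolver second.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OFFICE-PC01
   Primary Dns Suffix  . . . . . . . : school.local

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       196.43.42.190
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "Key . . . . : value" lines; the colon must follow a space or a dot.
FIELD = re.compile(r"^\s+(\S.*?)[ .]+:(?: (.*))?$")


def parse_ipconfig(text):
    """Return {section name: {field: [values]}} from `ipconfig /all` text."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: a header such as "Ethernet adapter X:"
            current = sections.setdefault(line.rstrip(": "), {})
            last = None
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            current[last] = [m.group(2)] if m.group(2) else []
        elif last:
            # Indented line without "key :" continues the previous field,
            # which is how additional DNS servers are listed.
            current[last].append(line.strip())
    return sections


def audit_dns(text, dc_ip):
    """Flag DNS servers a domain member should not be querying directly."""
    dc = ipaddress.ip_address(dc_ip)
    findings = []
    for name, fields in parse_ipconfig(text).items():
        for raw in fields.get("DNS Servers", []):
            try:
                server = ipaddress.ip_address(raw.split("%")[0])
            except ValueError:
                continue  # not an address; ignore
            if server == dc or server.is_loopback:
                continue  # the DC, or the DC pointing at itself
            if server.is_private:
                reason = "internal address that is not the DC"
            else:
                reason = "public resolver; belongs in the DC's forwarders"
            findings.append((name, str(server), reason))
    return findings
```

Run `audit_dns` over saved `ipconfig /all` output from each workstation and from the server; an empty list means every adapter resolves only through the DC.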



## nutbunny (Oct 8, 2010)

Thanks, here's what I've done. I'm not sure what you mean by 'forwarding tab'

Settings under Network adapter, tcp/ip

All clients are dhcp, automatically assigned ips
All clients have the servers address as the primary dns.
clients do not have anything under alternate dns
I want to change the server to use its own address as the dns, but I can only do that once everyone goes home

On the server under admin tools-->dhcp-->ipv4-->scope-->server options

I changed dns to the server address first and then the two addresses supplied by my isp (it _was_ on 127.0.0.1 and then the isp address)

Is this correct? Hope so...


----------



## Wand3r3r (Sep 17, 2010)

"then the two addresses supplied by my isp "

That would be incorrect. Perhaps one of the isp ips as backup but I have found Microsoft doesn't always check the 2nd entry when primary dns fails.

If you open up the DNS MMC and in the left column click on your dns server you will see in the right column the following;
Root Hints
Forwarders <----- this is what you want
Event Viewer
Forward lookup zone
Reverse lookup zone

Double click on the Forwarders
Under Selected domains forwarder ip address list you enter the isp's dns servers ip and click add. Do this for the two ips.


----------



## nutbunny (Oct 8, 2010)

Your help is really appreciated - I'll do this when I get back to work on Monday and let you know how it goes.

Thanks again for your time


----------



## nutbunny (Oct 8, 2010)

I've made the changes you have recommended. Thank you for your help in the DNS area.

Sadly this has not solved the problem, the admin software, Edupac, still seems to be slow on client computers. I have spoken to a few people from this side and based on their suggestions I will do the following:

1. Load an FTP Server software on server and use a 1Gig file in a shared folder, from the workstations I'll use an FTP Client to download the file. If transfer speeds are high and the file downloads quick then the physical network should be fine.

2. Once I've done that I will try to use a Virtual Machine on the server, something that runs at 32bit if this is possible. Share the data folder from the 32bit VM and see if this helps. I was told that 64 bit can have an impact on share folders..not sure how, but I'll try it.

Any thoughts?


----------



## Wand3r3r (Sep 17, 2010)

Can you post the results of an ipconfig /all from a workstation for review?

How much ram in the server?

This the software?
http://www.edupac.co.za/s_requirements.php

Nonsense that sharing is different in x64 compared to x32. Not sure what the ftp will do for you.


----------



## nutbunny (Oct 8, 2010)

No problem, I'll try post those ipconfig results tomorrow.

Server 2008 64bit
12G Ram
Dual Xeons not sure on the processors, I'll check

Yes that is the correct link and software.

Thanks again


----------



## nutbunny (Oct 8, 2010)

Haven't posted ipconfig results yet but I have a feeling this is a problem with the software or the way the software is installed.

I received an edupac install disk today and installed the software on a test server 64bit server and my XP workstation. Now that I've actually installed it there are a number of settings inside of BDEEngine.exe (control panel) which could affect network performance by the looks of it. Edupac uses this exe

It isn't just a share folder, the program does install other components on the server. I never realized this as I was told it was simply a shared database. I'll get edupac registered on the test server, hopefully tomorrow, then I can check program compatibility. 

I'll dual-boot Server 2008 64bit and XP Pro and check on my XP workstation performance gains / loss to rule out a compatibility problem with 64bit OS.

Will let you know how it goes. If I don't come right I will post the ipconfig results. Cheers.


----------



## Wand3r3r (Sep 17, 2010)

Thanks for the update nutbunny.


----------



## nutbunny (Oct 8, 2010)

Hi Wand3r3r

Sorry for the delay. I tested the database on server 2003 32bit and there was no marked improvement so it can't be a 64bit problem. Here are the results of _ipconfig /all_ on one of the clients (all clients are the same apart from the ip). I blocked out some stuff, hope it's ok. The IP addresses are all in the same subnet and range, router, clients and server.










I'm reformatting one of the clients and reloading it with XP Pro SP3 to check it isn't windows 7 causing the problems.

Thanks for your patience.


----------



## Wand3r3r (Sep 17, 2010)

You didn't need to blank anything out.  Looks good.

from a workstation do a nslookup of your server name and a workstation name. What are the results?


----------



## djaburg (May 15, 2008)

As I see it, if sharing files works fine and dns is functioning as it should, then likely the issue is with the DB software on the server. I'd be curious what happens when people are using the DB on the server and you watch event viewer. I have a client that uses a software package for property management and when people would run certain reports and/or queries, there were major performance issues. When watching event viewer the CPU utilization would go to 100% across the board until the query/report was done. If the user cancelled the process it would take several minutes for things to settle down. It ended up being the DB itself.


----------



## nutbunny (Oct 8, 2010)

I will do the nslookup and watch event viewer based on your suggestions.



> When watching event viewer the CPU utilization would go to 100% across the board until the query/report was done


The CPU on the server obviously? I'll check it.

Thanks


----------



## nutbunny (Oct 8, 2010)

After watching Event Viewer and the resource monitor for a few minutes I didn't notice any major hits on the CPUs. The CPU barely touched 2%, even when doing one of the more intensive tasks.

Below: an example of some of the files users use over the network inside the red frame, sorry it's so small.










Below: found many of these in event viewer under DNS (we've set clients to obtain an address above 192.168.1.10, could this cause this error)










Results of nslookup:










If I've misunderstood or done something wrong just let me know.

Thank you again for the assistance, as nobody from my side seems to be able to fix this.


----------



## Wand3r3r (Sep 17, 2010)

You didn't include the workstation name nslookup as requested.

You still have a dns problem.

You do understand your dns internal name and the ip addresses being used are not accessible via the internet? There is no need to mask anything except your public wan port ip address which isn't being asked for or listed.

I take it from the nslookup you have two dns servers one at .5 and one at .22?
What is at .3? Appears its a server?

How about a post of an ipconfig /all from .3 for review?


----------



## nutbunny (Oct 8, 2010)

nslookup










I understand that all clients go through the server for internet access, if the server is down users can't access the internet unless I change the preferred dns server from their tcp/ip properties.

We only have one DNS server .5
.22 is another onboard card not being utilized. I've posted an ipconfig from the server and renamed the NICs so you can see. Notice there is a D-link, onboard, faulty onboard card and a connection which was automatically setup after installing the Hyper-V role.

Server ipconfig /all


















I have no idea where .3 is coming from or why its there. We setup a scope for clients to use addresses higher than .10. Anything under .10 was for the server and office printer and any future static servers, printers etc.

Closer inspection of the DNS Event log show numerous errors with addresses not used within our network all starting with 169, example below. This looks like it could be the faulty card which is strange because it's disabled. These are errors from this morning.


----------



## Wand3r3r (Sep 17, 2010)

What is up with FaultyCard? If builtin this should be disabled in the bios.

Why do you have Onboard Working as well as the dlink add in card?
What is the "virtual" network? Are you running a VM on this server in addition to the server?

You don't mention RRAS but you are set to route [ip routing set to yes] between the cards which you can't do since they are both in the same subnet.

You list the same machine via its two nics as dns server at .5 and .22. Eh?

What in the world is going on?


----------



## nutbunny (Oct 8, 2010)

lol - "what in the world is going on?" Good Question. 

I will disable all the onboard cards from bios, we are not using RRAS
I will remove Hyper-V role (VM machine)

I'll Let you know if this makes any difference and post another ipconfig /all from server. Please don't give up on me yet....


----------



## Wand3r3r (Sep 17, 2010)

long ways from giving up 

did you add the dlink after the server was setup? if so I would not disable the onboard nic [just the faulty one] but I would remove the dlink.

concern here is the primary ip dns binds to.


----------



## nutbunny (Oct 8, 2010)

Unfortunately I can only get to restart the server again on Monday. They were using it the whole day today. I'll disable the faulty card from the bios and remove the D-Link.

The server will go back to the suppliers on Friday (next week) because of the Faulty Card.
I'll let you know as soon as I get it done - Thanks again


----------



## Wand3r3r (Sep 17, 2010)

Surprised they aren't just coming out and replacing the mainboard.

What are you going to do with the server down????


----------



## nutbunny (Oct 8, 2010)

Thankfully the school closes on Friday. I'll move the files to an external drive so anybody who needs them can get them off that, just in the meantime.


----------



## Wand3r3r (Sep 17, 2010)

Good plan and lucky timing! Thanks for the update.


----------



## nutbunny (Oct 8, 2010)

I finally got to the server today to unplug the D-Link, uninstall Hyper-V and disable faulty NIC in bios.


Removed the Hyper-V role, restarted
after restart, no Internet on either clients or server, clients experienced network problems, timeouts etc.
restarted, checked in Bios but was unable to find anywhere I could disable the faulty onboard NIC
shutdown server, removed D-Link PCI card
started server normally
Within network connections I set both onboard cards to automatic for all tcp/ip settings
disabled faulty card then restarted server
set tcp/ip settings on working onboard card, restarted
after restart network was working but still no internet access for server or clients
changed preferred DNS server on clients and server to our isp ips.
Internet is now working as well as network

This is the only way I could get users back on the web so I've left all settings because it's working now. Most recent ipconfig /all of server is below










The server still goes back to the suppliers on Friday or Monday - I think this is a fault on the mobo, problems are too intermittent and don't follow a logical pattern of errors - I really think that half of the problems could be caused by faulty hardware. &@!!***@#!


----------



## Wand3r3r (Sep 17, 2010)

Did you put the isp dns entries in the forwarders tab?

Without these entries the ms dns server has nowhere to send the name resolution requests from the clients. This makes it appear internet isn't working.

Since you are pointing workstations to the isp for dns, and that server has no knowledge of your lan devices, you will find logons slow, you won't be able to join a pc to the domain, and you will have drive mapping/server access issues.

Bummer about the hardware.


----------



## nutbunny (Oct 8, 2010)

Thanks for the help I'll wait until we get the server back and then if everything is better / worse / same I'll let you know. 

So for now I'd like to thank you for your help. I'll post back probably only at the start of school next year. All the best and thanks again - until next year, Merry Christmas!


----------



## nutbunny (Oct 8, 2010)

Good Day Wand3r3r

Here's the update I promised. Got server back on Tuesday and the NIC driver supplied with the drivers CD was faulty! Can you believe it, one would think they would supply the correct driver for their own products.

Anyway plugged it in and my mirrors were all screwed so we imported the foreign disks, deleted the volume and re-setup the mirrors for all the drives.

I'm now waiting for the mirrored drives to re-sync. At the moment all the services are not running DHCP, DNS, Active Directory and File Services are not running for whatever reason. As soon as the mirrors are finished I'll re-enter the ip addresses for the internet and the domain and let you know how it goes.


----------



## nutbunny (Oct 8, 2010)

OK so I spent the day trying to figure out why all my installed roles just were not working correctly. I even got someone out to have a look but now for some unknown reason when you start the server up you need to manually start the DNS service. You physically have to go to DNS (Server Manager) and click Start.

Under "Services" in Admin tools the DNS service is set to start automatically but it doesn't seem to make a difference. 

They broke it more than they fixed it! I really don't think us setting up mirrors would cause the AD, DHCP, DNS to break, we never touched the C drive. Anyway I'm thinking of backing up AD and reformatting the server - do you think this is a good idea or will I encounter problems restoring AD? School starts on Monday...eeek!


----------



## Wand3r3r (Sep 17, 2010)

Oh fudge! Not even going to inquire what clowns are doing your hardware.

At this point everything is suspect. How many users/groups are we talking here?


----------



## nutbunny (Oct 8, 2010)

Thanks again for the reply your help is really appreciated. I never reformatted because I was worried about getting things up in time so I know this may not be strictly speaking "correct" but these settings worked so I did this.

From Server

Re-installed DNS, DHCP and file services with a restart after each role installed
Added my ISP ips to the forwarders tab of DNS again
Went to setup scope for dhcp but it was already there, i thought that removing dhcp would remove everything but the scope was still there, so I left it.
DNS was not automatically starting, I think because the NIC was not ready, So I set _DNS Server_ in services to "_Automatic (delayed start)_" which takes longer on startup but at least I don't have to physically click "start"
File Services still gives me the error DfsSvc failed or something along those lines.

Server ip settings
192.168.1.5
255.255.255.0
192.168.1.1 (router)

dns
127.0.0.1
196.43.42.190(isp ips) (...don't shout at me lol, it's working so i left it...)

From the clients

I switched off Network Discovery because of the delay in windows explorer when looking for other PC's connected to the network
I mapped all drives using the server ip address and not the name i.e. \\192.168.1.5\programs\edupac _instead of_ \\server-school\program\edupac
I set all ip addresses to automatic for both ips and dns

Something else
I mapped drives, let's call them:
\\192.168.1.5\programs\edupac
\\192.168.1.5\documents

the documents work fine but the edupac map asks for a password after every restart, despite checking remember my credentials. permissions are set to the entire office group able to read/write in the edupac folder and subfolders. I can create files in this folder and delete them from clients. If when creating the mapped drive i choose "use different credentials" and then type the username and password it seems fine after a restart - huh? The credentials are exactly the same and the client is setup as a local admin user. 

Anyway, sluggish performance is still present when using Edupac over the network. I will try export the log files of all the errors on Monday and let you have a link to them. Maybe you can see something if you have the logs. 
Thanks again, you're a legend!


----------



## Wand3r3r (Sep 17, 2010)

You should be using GPO's for your mappings.
Perhaps this will help
Using Group Policy Preferences to Map Drives Based on Group Membership - Ask the Directory Services Team - Site Home - TechNet Blogs

If you do the drive mapping with the server name instead of ip does it work? If not dns is corrupt.

I am concerned your install is corrupted concerning its history. You will spend more time working on it than what a new install would take.


----------



## nutbunny (Oct 8, 2010)

Both ways of mapping drives work. Thanks for the link I'm reading it now. I'll see next week how bad things get then I may reinstall.


----------



## Wand3r3r (Sep 17, 2010)

"Both ways of mapping drives work. "

Then it may not be as bad as I thought. That is good news. Keep us posted. Thx


----------



## nutbunny (Oct 8, 2010)

I exported the eventlog, I'm not sure if you can view it though. Otherwise I may have to take screenshots rather of the various errors. It doesn't look like anything major but maybe there is something in the log which would give you a clue as to whether or not there is still a DNS problem.

These other errors only popped up when I received the server back after they "fixed" it.

Here's the link - I think you'll need server 2003 / 2008 to open it. I cleared the log on, I think Thursday, when I was reinstalling dns and dhcp.


----------



## Wand3r3r (Sep 17, 2010)

Any reason why you are running active directory web services?


----------



## nutbunny (Oct 8, 2010)

No, I never manually installed it. It appears to install automatically? This is an excerpt from technet.microsoft

_"ADWS is installed automatically when you add the AD DS or AD LDS server roles to your Windows Server 2008 R2 server. ADWS is configured to run if you make this Windows Server 2008 R2 server a domain controller by running Dcpromo.exe or if you create an AD LDS instance on this Windows Server 2008 R2 server"_

What would be the easiest way to remove it? If it was installed by me I'm not really sure how...I don't remember using Dcpromo..mmm


----------



## Wand3r3r (Sep 17, 2010)

I find it disturbing that the error says "either the component that raises this event is not installed on the local computer or the installation is corrupt".


----------



## nutbunny (Oct 8, 2010)

I'm going to reformat the server (myself) and re-setup everything. I also will be contacting the company with regards to the admin software to discuss moving to an alternate solution. Probably only next week or the week after. I have a question maybe you can help with.

Why, when I do this on a client PC:
start-->run-->\\192.168.1.5-->enter
I can see the shares on the server appear but when I
open explorer-->click network-->click servername it asks for a password?

What is the difference? The one is using the ip and the other is using the NetBios name which should be the same, yes? The clients are windows 7.


----------



## nutbunny (Oct 8, 2010)

Thanks for your help, it's appreciated. 

To anyone else viewing this thread you won't learn too much from this. I think all the backwards and forwards didn't help because it was a combination of driver and hardware problems and software (database) which simply isn't meant to work quickly over a network.

The software is largely at fault, as the network works fine and is only sitting at 2% load.

Once again thank you for your help, keep up the great work
Cheers


----------



## Wand3r3r (Sep 17, 2010)

Thanks for posting your results nutbunny.


----------

