How to restart network services without restarting the server

networking windows-server-2008-r2

I've been an IT professional for county government over 2 1/2 years and this problem has occurred 3 times. I can fix it by restarting the primary server, but I would like to fix it without having to take that route. Here's the situation. On our primary server (from here on out called Server1) we have software running called Springbrook (fund accounting and utility billing enterprise software). The users access Springbrook via mapped drives to Server1. I place a shortcut on their desktops that pulls the software from the mapped drive. Sometimes, I don't know why, 3 or more users lose access to Server1, which causes them to lose access to Springbrook. The rest of us can still access Server1. By losing access to Server1 I mean PC A cannot ping, RD to, or access shares on Server1. Ping tells me the remote host is unreachable, RD gives the same message, and when I try to explore the mapped drive the message tells me the network path is not available. If I restart Server1 then those 3 users can suddenly access Server1 again.

I assume the only thing happening is that a network service is restarting, but I don't know if it's the NetLogon service, an AD service, or it may be something else I'm not aware of. Restarting the users' PCs doesn't solve the problem. Nor does rejoining the PC to the domain fix the issue; it's always restarting Server1 that fixes the issue.

This doesn't happen often. Like I said, in the 2 1/2 years I've been here it's happened 3 times. Out of those 3 times it hasn't been the same PCs either. I would like to know how to prevent it or at least how to fix it without restarting the server completely.

AD domain. Windows Server 2008 R2 server. Sonicwall TZ210 firewall. Netgear 24 port gig switch. PCs hook into Netgear gig 5 port switches.

Thanks.

EDIT: Thanks for the answers so far. Poor question writing on my part. I failed to mention that the affected PCs can communicate with other PCs on the network, even Server2 (we have two DCs). Server1 can't ping to the affected PCs either.

Best Answer

I found the answer to the problem! For this year anyway. :)

The problem occurred again yesterday morning and at lunch, but this time it was just one PC that wasn't in the affected group last week. During the problem I did the following:

  • Restarted the switch in her department - didn't work.
  • Enabled then disabled her network adapter and the server adapter - didn't work
  • Updated the driver on her PC - this did work for the morning.

The monster reared its ugly head again at lunch.

Went to the server, collected Wireshark packets between the affected PC and the server. Then, I restarted the server because I know that works. That fixed the issue. I was only able to read through the collected data for a few minutes because other issues came up (I'm the only IT pro - one man crew) that occupied my time for the rest of the shift. Thought about it through the night. Came in this morning, collected network traffic just to see if there were any network process hogs and couldn't find anything bloating the "pipe." Then it hit me: check the Kaspersky logs on the server. I checked the network attack blocker logs and found that Kaspersky detected dos.generic.synflood "attacks" from the 3 affected machines last week and the affected machine yesterday. When Kaspersky detects things like that, it will cut off communication with the attacking node for 60 minutes. The logs gave the exact time of the issue and the time matched up with the time affected users called me about the issue. I tracked the logs back 30 days and noticed those logs were clean of attacks.

I set the network attack blocker to only block the attacking node for 1 minute. I'm also going to investigate what the synflood attacks could be. At least for now I know why those machines were disconnected from the server. Of course now, I need to figure out the source of those dos.generic.synflood attacks.
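The correlation described in the answer above (block events on the server lined up against the times users reported losing access) can be scripted. The following is an added example, not part of the original post: the tab-separated log layout, the IP addresses, the timestamps and the function names are all constructed for illustration and are not Kaspersky's real export format, and it assumes each detection starts a fresh block window.

```python
from datetime import datetime, timedelta

# Constructed sample: "timestamp<TAB>detection<TAB>source IP".
# NOT the product's real log format; adapt the parsing to your own export.
SAMPLE_LOG = """\
2013-05-06 08:12:40\tdos.generic.synflood\t192.0.2.21
2013-05-06 08:13:05\tdos.generic.synflood\t192.0.2.21
2013-05-06 12:02:10\tdos.generic.synflood\t192.0.2.34
"""

# Constructed help-desk reports: (client IP, time the user called).
SAMPLE_REPORTS = [
    ("192.0.2.21", "2013-05-06 08:30:00"),
    ("192.0.2.34", "2013-05-06 12:20:00"),
    ("192.0.2.50", "2013-05-06 09:00:00"),  # never flagged by the blocker
]

FMT = "%Y-%m-%d %H:%M:%S"


def block_windows(log_text, block_minutes):
    """Return {ip: [(start, end), ...]}, merging detections that overlap."""
    windows = {}
    # Lines start with a sortable timestamp, so a plain sort orders them by time.
    for line in sorted(log_text.splitlines()):
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        start = datetime.strptime(parts[0], FMT)
        end = start + timedelta(minutes=block_minutes)  # assumed: each hit restarts the timer
        spans = windows.setdefault(parts[2], [])
        if spans and start <= spans[-1][1]:
            spans[-1] = (spans[-1][0], max(spans[-1][1], end))
        else:
            spans.append((start, end))
    return windows


def explain_reports(reports, windows):
    """Return (ip, time, hit); hit is True when the call falls inside a block window."""
    result = []
    for ip, when in reports:
        t = datetime.strptime(when, FMT)
        hit = any(s <= t <= e for s, e in windows.get(ip, []))
        result.append((ip, when, hit))
    return result


if __name__ == "__main__":
    for minutes in (60, 1):  # the default block time vs. the shortened one
        print(minutes, explain_reports(SAMPLE_REPORTS, block_windows(SAMPLE_LOG, minutes)))
```

A report that stays unexplained with the 60-minute window (the third one here) points at a different cause and still needs network-level troubleshooting.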
