Sysinternals to the rescue

This is a quick post to get me back into the spirit of blogging. Some time back I was onsite performing an ADRAP to assist the customer with some issues they were having with their AD. Among the many issues we found was one DC reporting the following in its System, Directory Service and FRS event logs.

  1. “Registration of the DNS record '_kpasswd._tcp.domain.com. 600 IN SRV 0 100 464 DC1.adatum.com.' failed with the following error: %An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.”
  2. “No Windows NT or Windows 2000 Domain Controller is available for domain adatum. The following error occurred: %Not enough storage is available to process this command.”
  3. “The attempt to establish a replication link with parameters

     Partition: CN=Configuration,DC=adatum,DC=com
     Source DSA DN: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Branch1,CN=Sites,CN=Configuration,DC=adatum,DC=com
     Source DSA Address: 5bbb4c2b-47bf-4593-b0dc-460ea4916d49._msdcs.adatum.com
     Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=adatum,DC=com

     failed with the following status:

     Not enough storage is available to complete this operation.

     The record data is the status code. This operation will be retried.”
  4. “Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller dc1.adatum.com for FRS replica set configuration information.

     Could not bind to a Domain Controller. Will try again at next polling cycle.”


Realising we had a network issue, I ran “netstat -an” on DC1 to see the network connections it had established. The output was similar to the following:

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:990            0.0.0.0:0              LISTENING
<snip>
TCP    0.0.0.0:1025          0.0.0.0:0              LISTENING
TCP    0.0.0.0:1026          0.0.0.0:0              LISTENING
TCP    0.0.0.0:1027          0.0.0.0:0              LISTENING
<snip>
TCP    0.0.0.0:4998          0.0.0.0:0              LISTENING
TCP    0.0.0.0:4999          0.0.0.0:0              LISTENING
TCP    0.0.0.0:5000          0.0.0.0:0              LISTENING

As this was a Windows 2000 Server, I did not have the “-o” option of netstat (available from Windows XP onward) to print the process ID listening on each port. But you will note that in the output above every port between 1024 and 5000 was in use. On Windows 2000 this is the ephemeral (dynamic) port range, the pool the OS draws on for outbound connections and for dynamically registered RPC endpoints such as those AD and FRS replication use; once it is full, no new connection or endpoint can be created, and Winsock starts returning the “insufficient buffer space” error quoted in the first event above. I was pretty certain that the server was infected by now. I wanted to know what the process was, so I used TCPView from Sysinternals. TCPView revealed the process name, and a quick search on the Malware Protection Center revealed it to be an IRC bot. Further investigation revealed the DC did not have any anti-virus software and was missing many critical and important security updates. Unfortunately I don’t recall the exact name of the worm.
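The check described above (count how much of the ephemeral range is bound, then pivot to who the box is talking to) is easy to automate when all you have is a saved “netstat -an” dump from a machine too old for “-o”. The following script is an added example, not code from the original post; it parses Windows-style netstat output, scores ephemeral-range usage against the Windows 2000 default range of 1024-5000 (an assumption; later versions use 49152-65535), and lists the most common established peers. The netstat dump it runs over is constructed for the example: a few normal listeners, every port 1024-5000 bound as seen on DC1, and three connections to a fictitious host on 6667.

```python
import re
from collections import Counter

# Default dynamic (ephemeral) port range on Windows 2000/XP/2003.
# Assumption for this example; Vista and later use 49152-65535.
EPHEMERAL_RANGE = (1024, 5000)

# Matches one data row of Windows `netstat -an` output, e.g.
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, foreign, state) rows.

    Header lines, blank lines and anything else that does not look like a
    connection row are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append((proto, lip, int(lport), f"{fip}:{fport}", state))
    return rows


def ephemeral_usage(rows, rng=EPHEMERAL_RANGE):
    """Return (ports_in_use, range_size, fraction) for the dynamic range.

    A port counts once however many rows reference it, so a box that is
    LISTENING on every port in the range scores exactly 1.0.
    """
    lo, hi = rng
    used = {r[2] for r in rows if lo <= r[2] <= hi}
    size = hi - lo + 1
    return len(used), size, len(used) / size


def is_exhausted(rows, rng=EPHEMERAL_RANGE, threshold=0.9):
    """True when the dynamic range is (nearly) full.

    A healthy DC uses only a handful of these ports for its RPC endpoint
    registrations (the 1025-1027 listeners in the post are normal), so a
    high fraction is a red flag rather than business as usual.
    """
    return ephemeral_usage(rows, rng)[2] >= threshold


def top_peers(rows, n=3):
    """Most common foreign endpoints among ESTABLISHED connections.

    A bot holding connections to one command-and-control host stands out
    here; it is the same pivot TCPView lets you make per process.
    """
    c = Counter(r[3] for r in rows if r[4] == "ESTABLISHED")
    return c.most_common(n)


# Constructed sample, not real capture data: ordinary listeners, every port
# 1024-5000 bound (the pattern seen on DC1), and three connections to a
# fictitious host on 6667, a port commonly used by IRC.
SAMPLE_NETSTAT = "\n".join(
    ["Active Connections", "",
     "  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  UDP    0.0.0.0:53             *:*                    "]
    + [f"  TCP    0.0.0.0:{p}          0.0.0.0:0              LISTENING"
       for p in range(1024, 5001)]
    + [f"  TCP    192.0.2.10:{p}       203.0.113.7:6667       ESTABLISHED"
       for p in (1030, 1031, 1032)]
)


def analyse(text):
    """Run the checks over one netstat dump and return a summary dict."""
    rows = parse_netstat(text)
    used, size, frac = ephemeral_usage(rows)
    return {
        "rows": len(rows),
        "ephemeral_used": used,
        "ephemeral_size": size,
        "ephemeral_fraction": round(frac, 3),
        "exhausted": is_exhausted(rows),
        "top_peers": top_peers(rows),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_NETSTAT).items():
        print(f"{key:20} {value}")
```

On anything newer than Windows 2000, run “netstat -ano” instead and the last column gives you the owning PID directly; the parser above ignores trailing columns, so the same script works on that output too.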

This was the first time I’d come across a real production DC that was infected. This particular server had replication issues because the bot had bound every port in the ephemeral range, leaving none free for the RPC connections replication needs. AD and FRS replication were affected as a result.

HTH

M