tnguy
05-25-2002, 04:20 AM
I am seeing a very peculiar problem at our school.
A little background on the situation first. We have 700 Win98 identical (IBM 6574-80U) workstations on our network. I use ImageCast to create an image of one, then image all the others with that image. I change the background color each time I create a new image so that I can differentiate between machines that have received the new image, and those that have not. Therefore, other than the machine name (which I change after imaging) and the IP (DHCP) all machines are identical (registry, programs, everything).
The problem: About once or twice a week I will get a call from a teacher telling me that the background of a computer in their class has changed, and that no one can log in on it. This is happening all over the school, completely at random (it appears), to different teachers.
When I go check out the machine, it appears that the machine has been re-imaged to an old image. That image no longer exists on our network, is too large for a floppy, and could only be run using the Admin password with an ImageCast boot floppy. The machine name is the name I had on the previous image, and the background color matches that image as well. The reason no one can log in, is because somewhere else in the building another computer has had the same problem, but it hasn't been turned in yet. Since both of these computers have the same name, and since we use MustBeValidated, the second machine to try and log in with the same computer name cannot log in.
I have also noticed that the System.ini and Win.ini have changed. On one machine that I checked, Norton Antivirus (Enterprise edition, which cannot be modified by the workstation user) had been disabled completely.
My theory: The registry, the system.ini, or the win.ini is getting corrupted somehow, and is reverting back to a previously backed up copy. This backed up version contains the machine name, background color, etc. that was created from the old image.
I checked the STARTUP menu in MSCONFIG, and scanreg /auto was UNchecked. This would have prevented the registry from being backed up each time the machine is started, right? So possibly, the only backup of the registry is from the old image, right?
One more note: This has happened around the time of a power surge or outage, but also randomly.
Someone told me that they had seen this problem in another school that uses ImageCast. The problem was solved when they changed out the RAM in the machine. But, if I reimage the goofy machine, it runs fine.
This problem has only been going on for about two months. Could a virus be causing this problem? We use Norton Enterprise Edition throughout the network, and it is updated daily. Student machines do not get email, but I have seen (via Norton's logs and warnings) that student machines have been to sites that tried to infect a machine, but NAV caught it. Norton is configured to try and clean infected files first, then delete them if the clean is unsuccessful.
I know this is an enormous post, but I am trying to give enough info to answer any questions you might have.
I hope someone has seen similar, or has any idea.
TNguy
Network Administrator
(I am looking for an employment change, see my BIO)