We have a Windows Server 2008 R2 machine that is connected to our LAN. We inherited this machine, meaning that we didn't set it up ourselves and may not be aware of everything about it. However we know that W2k8 is installed as a VMware guest.
This machine doesn't have a video card and doesn't allow plugging in a keyboard or a mouse; additionally its USB ports have been disabled, so it is a headless server (of course, it has a CD/DVD reader). All this means that we always connect via the Ethernet port (using Remote Desktop Connection).

We mistakenly set Network Discovery to off, and since then this machine appears to be unreachable. Indeed it doesn't allow RDC anymore and the only thing we can manage to do successfully is to ping it. Note that this machine is not a domain controller, it's just part of 'Workgroup'. Obviously its name doesn't appear anymore if we do a network scan, but, as I said, we can ping it.

We have tried three things so far to reestablish some form of control over that machine:

  1. Microsoft Management Console (MMC) snap-ins
    This initially was producing an 'RPC server is unavailable' error message. After a while this turned into 'access denied'.
    My guess here is that turning Network Discovery to off disabled some key services required to make the snap-in work. And, after a while, perhaps our attempts started to be perceived by the firewall as attacks; that could be why the error message changed into 'access denied'.

  2. PsTools
    Basically giving the same results as above. First getting the complaints about the RPC server being unavailable and then the 'access denied' one.

  3. Push VNC
    I had never used Push VNC before so I'm not too sure what should be the expected output when all goes well. But it just doesn't seem to "push" it... Anyway, maybe it wasn't even intended to push VNC on Windows Server 2008.

So here we are with this "remote server", in fact physically just next to us and reachable by hand, but with no way to get it to "talk" to us...

What steps could we take to get this machine back up and running on our LAN?

mks-d
  • tried remote registry? or even remote access to services? – BoyMars Oct 13 '11 at 10:23
  • boot the drive in another machine in safemode and reenable it? I think all the standard tools use RPC so if you've blocked that and have no other 3rd party tools on there you might be out of luck. Being headless is there any management console on the network interface that you could see if you boot in a CLI mode? – JamesRyan Oct 13 '11 at 11:22
  • Have you tried connecting by IP address? – John Gardeniers Oct 13 '11 at 11:28
  • @BoyMars Remote registry produces the same sort of response: access denied. – mks-d Oct 13 '11 at 12:16
  • @JamesRyan Well, of course I'm very tempted to go down that path and I'm happy that you mention it. I was just worried about somehow harming the drive's data by booting it in another hardware environment. Do you think it's ok to try that? Maybe it doesn't matter at all but remember that it's a Win 2008 set up as a VMWare host. – mks-d Oct 13 '11 at 12:27
  • @John Gardeniers Yes of course, I have tried each time IP address and computer name where possible when going through the various methods that I mentioned. – mks-d Oct 13 '11 at 12:27
  • @dindeman, don't say "of course". Unless you tell us what you've tried we have no way of knowing. – John Gardeniers Oct 13 '11 at 20:43
  • @John Gardeniers Sure, so I have tried both IP address and computer name when using PsTools, MMC and Push VNC. MMC allows checking the computer name and was able to come up with the correct one (WORKGROUP\) although this name doesn't appear anymore when scanning the network. – mks-d Oct 14 '11 at 02:11
  • @JamesRyan "is there any management console on the network interface that you could see if you boot in a CLI mode?" Ok, could I boot it in CLI mode though? – mks-d Oct 14 '11 at 09:43
  • "Windows Server 2008 is installed as a VMWare host": by host, do you mean guest? – Skyhawk Oct 15 '11 at 05:41
  • If it is a guest, then the solution is as follows: -> Install VMWare on a normal system, a laptop with a USB2 or USB3 port will suffice. -> Procure a USB Hard Drive Connector kit, which will have a USB cable that has a combination SCSI, SATA, and EIDE dongle at the other end. It should also come with a power brick with molex and SATA-power connectors. -> Remove the hard drive, connect it to your laptop with the external HD USB dongle, connect power, and browse for the Windows 2008 virtual hard drive. -> Define a new "guest" in VMWare using the hardware specs and the VHD. – George Erhard Apr 05 '17 at 21:03

1 Answer

Turning off Network Discovery doesn't disable TS/RDS and doesn't prohibit RPC communications, that I'm aware of. Network Discovery (by and large) is exactly what it sounds like; discovery. Not accessibility or communication but simply discovery. You can generally turn Network Discovery off on any server with any role and still have the server function in that role. My guess is that the server is in a wonky state. I would reboot it and see if that resolves the problem.

How did you "inherit" this machine? Where did you "inherit" it from? What is its purpose? This sounds like an unsustainable situation. You have a server but don't have full control of its hardware and software resources; that's not something I'd allow on my network.

Here's a rundown of Network Discovery with some detail:

http://blogs.technet.com/b/networking/archive/2010/12/06/disabling-network-discovery-network-resources.aspx

joeqwerty
  • Wonky - word of the day – squillman Oct 13 '11 at 11:39
  • I've been waiting to use that all week. :) – joeqwerty Oct 13 '11 at 11:57
  • Ok this is very interesting, I have been scratching my head since it happened about the incredible consequences of turning Network Discovery to off... and your comment somehow relieves me (although it doesn't solve my problem yet.) I can only tell you that it is really the only thing that was (mistakenly) done, and as soon as the button got clicked we lost the RDC and the problems started. Please allow me to come back to you on the rest of your post later on. I will definitely have a look at the link you provided. Thanks! (annoyingly I need to run out now, sorry.) – mks-d Oct 13 '11 at 12:37
  • on 2008/win7 turning off network discovery blocks a bunch of things at the firewall (including rpc) in *both* directions – JamesRyan Oct 13 '11 at 14:57
  • This is hardly scientific, but in WFAS on a W2K8 server I counted 62 rules blocking inbound traffic with Network discovery on and 62 with it off. I counted 34 rules blocking outbound traffic with Network Discovery on and 22 with it off. It looks to me like WFAS blocks outbound but not inbound traffic based on the state of Network Discovery, which makes sense as Network Discovery is intended to enable or disable the discovery of shared resources to and from the host, not block access to shared resources to and from the host. – joeqwerty Oct 13 '11 at 15:50
  • @JamesRyan Does that mean that the main issue at this juncture is the firewall? And if yes would there be any way to turn it off for the sake of the current troubleshooting? – mks-d Oct 14 '11 at 02:17
  • @joeqwerty I inherited this machine as it was sold and configured by a third-party before I joined. It manages and gathers data from a finger print device on the network and is not yet, at this stage, used as a domain controller. – mks-d Oct 14 '11 at 08:17
  • @dindeman: It's going to be a domain controller? I certainly hope you're going to be able to get full access and control of the hardware as well as the server. What's the situation that you don't control the hardware? Why are you going to make it a DC? – joeqwerty Oct 14 '11 at 10:50
  • @joeqwerty Well yeah first things first, I need to get it up and running again before anything else. The current domain controller is quite old and running under W2k3, and here we have this brand new server that is only used to access the finger print device... so I was aiming at turning it into the main domain controller later on, but that's another topic. I am still not sure as to what to do right now, the only option I seem to have is to boot its drive in another hardware environment as JamesRyan suggested. I was hoping there could be another solution via the LAN connection... – mks-d Oct 14 '11 at 11:32
  • As far as I can see the Network Discovery option just controls a bunch of firewall settings however I can't see any way of changing this over the network (it would be a pretty bad firewall if you could :) ) – JamesRyan Oct 14 '11 at 12:31
  • @JamesRyan I came here to know what other people, certainly more knowledgeable than me on these topics, would do. So far the only practical suggestion I got was yours: boot that drive in another computer. Is there anyone else endorsing this suggestion? Or alternatively wouldn't there be a way to create a bootable CD that could restore the options and services that got turned off? – mks-d Oct 14 '11 at 13:23
  • @joeqwerty I didn't check on the firewall rules specifically but if you change the option on a 2008r2 server it blocks rpc and if you google 'network discovery rpc unavailable' there are several people mentioning that it does – JamesRyan Oct 14 '11 at 16:12
  • @dindeman It might be possible to boot with a linux cd with network console for headless devices but I'm not sure where you would go from there. In terms of windows they usually expect you to have a screen. – JamesRyan Oct 14 '11 at 16:16
  • @JamesRyan And what about VMWare, doesn't it let you "see" the hosted operating systems in order to configure them? Isn't it how W2k8 r2 was initially installed and configured on this headless machine anyway? – mks-d Oct 15 '11 at 01:22
  • Ah well that edit changes everything! If you can get onto vmware via web access then you can open a console for that machine as if you were seeing it locally. – JamesRyan Oct 17 '11 at 08:47
  • @JamesRyan Ok first of all sorry for the confusion there (host->guest). Ok cool, that sounds like very good news. I have never used VMWare myself and (obviously) I know little about it. I'm reading about the VMware Guest Console to control the guest OS remotely... sounds very promising. Unfortunately I don't have the credentials to log onto ESXi and I need to find out how to reset the root password on a headless ESX host. Any idea? We'll get there, we'll get there... Thank you! – mks-d Oct 17 '11 at 11:48
  • I thought I could use the VMware Guest Console as described here http://www.instantfundas.com/2010/06/how-to-use-vmware-guest-console-to.html . It seems that in this example one doesn't even need to log onto the host to access its guests. It doesn't work for me as the only computer I can connect to with the host type set as 'Workstation' is localhost. Also, what do you mean "get onto VMware via web access"? The host's web page suggests to use vSphere, is that what you mean? Good news, I found out what the ESXi root password is! – mks-d Oct 17 '11 at 13:53
  • Download and install the VI client from the ip address of the host machine (http://), then connect to the ip address of the host machine using the VI client with the root user and password, this will give you console access to the guest VM on the host. – joeqwerty Oct 17 '11 at 13:56
  • @joeqwerty From the web page of the host machine it's suggested to either download vSphere or vCenter, I downloaded vSphere and will give it a try. Is vSphere the VI client? In fact the VMware Guest Console could have done the job, but I just discovered that it doesn't handle the free version of ESXi which is the one that has been setup on our server. More tomorrow on this... Thanks for your message. – mks-d Oct 17 '11 at 16:54
  • Yes, the vSphere client is what you want. I'm not sure what you mean regarding the "VMware Guest Console". The only way to access the console of a VMware guest is with the VMware client, which in your case is called the vSphere client. – joeqwerty Oct 17 '11 at 17:05
  • Totally, it worked very smoothly. Very easy to even visualize the guest and re-enable Network Discovery. I would like to thank both joeqwerty and JamesRyan for the continuous support over the past few days. Not sure which answer to validate though, how can I reward both of you? – mks-d Oct 18 '11 at 06:06
  • There's actually only one answer. JamesRyan posted comments. You can ask him to post an answer and accept it. – joeqwerty Oct 18 '11 at 11:32
  • @JamesRyan If you can be bothered to summarize your advice in one answer I'll be happy to validate it. Thanks for your help. – mks-d Oct 19 '11 at 04:55
  • That's ok, accept Joe's, I'm not too fussed about points. It doesn't really make sense to have different answers for different parts, ordinarily if your question veers too far it might be better to branch off into a new question. – JamesRyan Oct 19 '11 at 12:08
  • @JamesRyan: I.R. Baboon :) – joeqwerty Oct 19 '11 at 12:28
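
The rule counting done by hand in the comments above can be made mechanical: save the output of `netsh advfirewall firewall show rule name=all` from the guest console before and after toggling Network Discovery, then diff the two captures field by field. This is an added example, not part of the original thread; the two captures embedded below are constructed to show the mechanics and say nothing about which rules a real 2008 R2 server changes.

```python
import re

# Constructed excerpt in the layout printed by
# `netsh advfirewall firewall show rule name=all` (not from a real server).
BEFORE = """\
Rule Name:                            Network Discovery (NB-Name-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Network Discovery
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Desktop
Action:                               Allow
"""
# Constructed "after" capture: only the first rule's Enabled flag flips.
AFTER = BEFORE.replace("Yes", "No", 1)


def parse_rules(text):
    """Parse netsh rule output into {(name, direction, profiles): fields}."""
    blocks = []
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s*(.*)$", line)
        if not m:
            continue  # separator, blank line or trailing "Ok."
        field, value = m.group(1).strip(), m.group(2).strip()
        if field == "Rule Name":
            blocks.append({})  # a new rule block starts here
        if blocks:
            blocks[-1][field] = value
    # Rule names repeat across directions and profiles, so key on all three.
    return {(b["Rule Name"], b.get("Direction"), b.get("Profiles")): b
            for b in blocks}


def diff_rules(before, after):
    """Return (name, direction, field, old, new) for every changed field."""
    old, new = parse_rules(before), parse_rules(after)
    changes = []
    for key in sorted(set(old) | set(new), key=str):
        a, b = old.get(key, {}), new.get(key, {})
        for field in sorted(set(a) | set(b)):
            if a.get(field) != b.get(field):
                changes.append((key[0], key[1], field, a.get(field), b.get(field)))
    return changes


if __name__ == "__main__":
    for change in diff_rules(BEFORE, AFTER):
        print(change)
```

A rule that exists in only one capture shows up with `None` on the other side for each of its fields, so added and removed rules are reported as well as toggled ones.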