Domain members dropping after virus attack 1

[ColinC77]

I have a small network (70 users) Win NT 4.0 Primary domain server - 1 backup domain controller - main work is thru SQL 7.0 using tcp/ip - Cisco 2524 for internet - Cisco pix-515 firewall. All workstations are thru tcp/ip (most by DHCP) with an ODBC connection to the SQL server. Apologies for my inexperience, by the way if I have not correctly named or described something.) Now - my problem: We were recently infected by the Win32/Nimda .E.Email.Worm virus. Our AV package was insufficient to deal with it initially but I think we have a handle on it now. I re-formatted both the PDC & the BDC along with 75% of the workstations. However,I have been losing stations from the domain slowly but surely. I now show only about 15 out of 75 in my network neighborhood. When I go to Server Manager, all stations appear but many are greyed out yet they continue to function thru the ODBC connection with the SQL server. What can I do to get the network connected back in the domain ? I have tried to switch some to workgroup then back to domain member & it works but then they leave the domain again. Any suggestions ?? I can handle anything except reformatting the SQL server.
Any assistance will be appreciated.
Colin C.

 

[dvd1234]

Remove them from the domain using the server manager. Then add them to the domain. Try this with one or 2 workstations. It should work. I had the same problem once, but not on such a great scale

Ta

 

[ColinC77]

Thanks I'll try this & let you know what happened.
CC

 

[ColinC77]

Using Server Manager does not work. The domain membership is unchanged. I have had to go to each machine & remove it from the domain then bring it back in - it then remains in Network Neighborhood for a few hours then disappears. It can be contacted thru Server manager but if I want to map a drive, I cannot. No access - I now show only 14 machines in the network out of 70 in Network Neighborhood.
Can this be a side effect of using Computer Associates eTrust InoculateIT? The administrator's view shows the network almost as a domain of its own working independently of the home domain.
Thanks to anyone taking time to read all this & for any comments.
CC

 

[gjw12]

Try removing one client from domain and running ghostwalker or similar then reintroduce client to domain. I am wondering if multiple sids for one client are causing problems. Probably not, but it is a try. It can't hurt. Also what happens if you disable InoculateIt?

 

[dvd1234]

I think that gjw12 is correct..you have the same sids on all machines...

ta

 

[kalpeshh]

Hi Colinc77,
Try to apply SP 6.0. We had similar problem and it worked for us.

--admin

 

[gconlon]

we had a similar problem and it turned out to be the wins database. You say you are using mostly DHCP. Are the workstations which do not use DHCP remaining on your domain?
You probably have a corrupt WINS database. Try rebuilding the database on the backup controller and pointing workstations to this. If your workstations continue to function on the network but drop off the domain a new WINS should solve it for you