Hi All, This has got me astounded.
The presenting symptoms were the server slowing down, and share access on client PCs was getting very slow. At the console I typed Ctrl-Alt-Del to log in to see what was going on, but it never prompted for a password.
Looking from the network, RDP would open but not request credentials; eventually DHCP stopped, the server still pinged, and DNS was still working for domain and public names. SMB file sharing was rejecting valid passwords.
Only option was to power down the server. On reboot in AD recovery mode the AD integrity checked out. No new updates installed this month.
On bringing the machine up again, there were no unusual messages in the log files, besides the expected complaint about the untidy shutdown. It ran for ~16 hours until it slowed down again. Again, same symptoms as above. I was on site running AV scans and I was copying some large files over the network to stress the SMB server. One user was accessing some files that had originated in a zip file that had come from a Mac. The content was largely .doc files. I was logged in as admin on the console at the time and on typing Ctrl-Alt-Del I got this message that I have never seen before. Photo of console below.
This seems very far-fetched. I was looking for things that had changed in the last few days and, clutching at straws, I started to look at that new folder. The extracted files were marked in green, showing that they were encrypted. The content was clean of viri as far as E-Set would show me. But I have now deleted those files off the server and re-run the AV scan and also the large file copy that I was doing to stress the SMB server previously, and it has stayed up for ~2 hours now.
Is there some connection between the fact that those files were encrypted and the message above?
I've never seen anything like this before.
Any insight most welcome.
Thanks
Ken