DCDIAG - LDAP bind failed with error 1323
Hi all, here's the dcdiag output:
Domain Controller Diagnosis
Performing initial setup:
[wsm1.ICDL.local] LDAP bind failed with error 1323, Unable to update the password. The value provided as the current password is incorrect..
***Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:<domain>\<user> & /p:[<password>|*|""]
This is Server 2003 Standard, logged in as Administrator (tried another user with the same rights as Administrator too). I want to install Exchange on the box but want to get this fixed first. All that is installed is the OS, MS SQL, Sophos Antivirus and WSM (WYSE Streaming software for WYSE thin clients).
Viruses found and files deleted, AV log:
20090526 165909 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\upgrade\loginsid.exe".
20090526 165909 Infected file "D:\Wyse Software\SQL\x86\upgrade\loginsid.exe" has been deleted.
20090526 165912 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\binn\sqlservr.exe".
20090526 165912 Infected file "D:\Wyse Software\SQL\x86\binn\sqlservr.exe" has been deleted.
20090526 165913 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\binn\remsetup.exe".
20090526 165913 Infected file "D:\Wyse Software\SQL\x86\binn\remsetup.exe" has been deleted.
20090526 165914 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\binn\qrdrsvc.exe".
20090526 165914 Infected file "D:\Wyse Software\SQL\x86\binn\qrdrsvc.exe" has been deleted.
20090526 165915 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Wyse\WSM\Java\jre1.5.0_04\bin\rmiregistry.exe".
20090526 165915 Infected file "C:\Program Files\Wyse\WSM\Java\jre1.5.0_04\bin\rmiregistry.exe" has been deleted.
20090526 165916 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Wyse\WSM\Java\jre1.5.0_04\bin\policytool.exe".
20090526 165916 Infected file "C:\Program Files\Wyse\WSM\Java\jre1.5.0_04\bin\policytool.exe" has been deleted.
20090526 165917 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Wyse\WSM\app\mkguid.exe".
20090526 165917 Infected file "C:\Program Files\Wyse\WSM\app\mkguid.exe" has been deleted.
20090526 165918 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Microsoft SQL Server\MSSQL\Upgrade\modify.exe".
20090526 165918 Infected file "C:\Program Files\Microsoft SQL Server\MSSQL\Upgrade\modify.exe" has been deleted.
20090526 165919 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\svrnetcn.exe".
20090526 165919 Infected file "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\svrnetcn.exe" has been deleted.
20090526 165920 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Common Files\Microsoft Shared\Database Replication\Conflict Viewer\wzcnflct.exe".
20090526 165920 Infected file "C:\Program Files\Common Files\Microsoft Shared\Database Replication\Conflict Viewer\wzcnflct.exe" has been deleted.
20090526 165921 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Documents and Settings\Administrator\Desktop\Microsoft Office Enterprise 2007 VLKR\Enterprise.WW\ose.exe".
20090526 165921 Infected file "C:\Documents and Settings\Administrator\Desktop\Microsoft Office Enterprise 2007 VLKR\Enterprise.WW\ose.exe" has been deleted.
20090526 165922 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\InstallShield Installation Information\{9B94BE6F-7CA3-4C40-A266-62667FF746CC}\Setup.exe".
20090526 165922 Infected file "C:\Program Files\InstallShield Installation Information\{9B94BE6F-7CA3-4C40-A266-62667FF746CC}\Setup.exe" has been deleted.
All the thin clients work 100%, so I imagine the core files for WSM and SQL are there and working.
Administrator can create/delete users etc. using AD Users and Computers.
Further documentation from Microsoft's website includes a possible problem with the ADMIN$ and IPC$ shares, but they do exist, and I looked through the resolutions for this specific problem and all fixes were correct, so I don't think this is the same problem.
Thank you for any help!
Kind regards,
Shawn
May 27th, 2009 12:24pm
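Added example, not part of the original thread: a small Python parser for the Sophos log format shown in the post above, pairing each detection with its deletion record so you can see which binaries the scanner removed (and need restoring from known-good media) and which detections have no deletion record. The function name `triage` and the last sample line are assumptions made for illustration; the parser accepts the timestamp with or without a separator before the message.

```python
import ntpath
import re

# First six lines are taken from the log in the post; the final detection
# (no matching "deleted" line) is constructed to show the edge case.
SAMPLE_LOG = r'''
20090526 165912 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\binn\sqlservr.exe".
20090526 165912 Infected file "D:\Wyse Software\SQL\x86\binn\sqlservr.exe" has been deleted.
20090526 165913 Virus/spyware 'Mal/Sality-C' has been detected in "D:\Wyse Software\SQL\x86\binn\remsetup.exe".
20090526 165913 Infected file "D:\Wyse Software\SQL\x86\binn\remsetup.exe" has been deleted.
20090526 165919 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\svrnetcn.exe".
20090526 165919 Infected file "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\svrnetcn.exe" has been deleted.
20090526 165930 Virus/spyware 'Mal/Sality-C' has been detected in "C:\Example\constructed-sample.exe".
'''

DETECTED = re.compile(
    r'''^(\d{8} \d{6})\s*Virus/spyware '([^']+)' has been detected in "([^"]+)"\.?$''')
DELETED = re.compile(
    r'''^(\d{8} \d{6})\s*Infected file "([^"]+)" has been deleted\.?$''')


def triage(log_text):
    """Return (removed, still_present).

    removed: folder -> file names the scanner deleted (restore these from
             known-good media before trusting the application again).
    still_present: (path, threat) for detections with no deletion record.
    """
    detected, deleted = {}, set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := DETECTED.match(line):
            # Windows paths are case-insensitive, so key on the lower-cased path.
            detected.setdefault(m.group(3).lower(), (m.group(3), m.group(2)))
        elif m := DELETED.match(line):
            deleted.add(m.group(2).lower())
    removed, still_present = {}, []
    for key, (path, threat) in detected.items():
        if key in deleted:
            removed.setdefault(ntpath.dirname(path), []).append(ntpath.basename(path))
        else:
            still_present.append((path, threat))
    return removed, still_present


if __name__ == "__main__":
    removed, still_present = triage(SAMPLE_LOG)
    for folder, names in removed.items():
        print(f"deleted in {folder}: {', '.join(names)}")
    for path, threat in still_present:
        print(f"NOT deleted ({threat}): {path}")
```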

Hello Shawn,
Your server is compromised by the virus. Please run the Microsoft Windows Malicious Software Removal Tool from Safe Mode and see what happens. If you see this KB article, it clearly mentions that the above error is due to a virus attack.
Compromised systems show one or more of the following symptoms: http://support.microsoft.com/kb/328691
When you try to run DCDIAG on a domain controller, you may receive one or more of the following error messages:
Performing initial setup: [sic1] LDAP bind failed with error 31, a device attached to the system is not functioning.
Performing initial setup: [ServerName] LDAP bind failed with error 1323, unable to update the password. The value provided as the current password is incorrect. ***Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:<domain>\<user> & /p:[<password>|*|""]
Note: In this error message, ServerName is the name of the domain controller.
Thanks
http://technetfaqs.wordpress.com
May 27th, 2009 1:04pm

Syed,
Thanks for your help. I read the article and performed the steps, but it was not relevant, i.e. no process by that name etc. Still stuck with the same problem, Server 2003 with all the updates installed already. Is there any more info I can give you?
Regards,
Shawn
June 11th, 2009 12:31pm

Hi Shawn,
Did you have a chance to perform a full virus scan on the server? Personally, I suspect that the server may be affected by a virus or something like that.
Thanks and regards,
Scorprio
MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
June 16th, 2009 9:39am

Scorpio, yes indeed did a full scan with Sophos. Did pick up a few things.. No virus anymore.. you think it might have damaged the integrity of the OS? Thanks!
June 18th, 2009 11:33am

Hi Shawn,
From my experience, the OS integration could be affected if it has been infected by a virus.
Please try to run "SFC /SCANNOW" on that server to check the system file integrity.
Meanwhile, if there was a backup of the DC, please consider restoring the replica to try fixing the issue.
Thanks and regards,
Scorprio
MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
June 18th, 2009 11:49am

Performed SFC /SCANNOW, no luck still the same problem. I'm thinking of repairing the OS from the CD, format is absolutely the last option. txSG
July 14th, 2009 11:32am

Hi Shawn,
Just to follow up on the issue: did you have a chance to work on it? Did you try repairing / re-installing the OS? And after that, are you experiencing any problems?
sainath !analyze
September 7th, 2009 4:45am

Hi all,
The lab was closed for 3 weeks during the holidays and I formatted the box. All running great now; I always feel more comfortable if I personally deployed the system.
Verdict: Always load antivirus on the server, even if it's a server only hosting images for thin clients and even if the company installing it didn't recommend doing it. They actually said it's not necessary and would take up resources, and the images are read only, and they never do it and never had a problem (the implementation team said this, not the sales guys). We have no antivirus on the thin clients because the image is read only, but I did install it on the server now; besides, I had to install Exchange on the server now as well anyway.
Many thanks for all the help!
Shawn
October 1st, 2009 2:38pm

This topic is archived. No further replies will be accepted.
