
Topic: NTLDR error on Computers on a Domain within a Corporate Network


andyjames75

    Topic Starter


    Starter

    Hello
    I wonder if anybody can help. We have a corporate network running 4 domains. Computers on one of these domains keep switching themselves off mid-use and, when rebooted, come up with the NTLDR missing error. When the ntldr and ntdetect files are reinstalled from the source CDs, the computers work again for up to a month before being struck down again!! We use CA eTrust, which is at the latest version and has the latest file definitions, and have downloaded the free trial of Kaspersky v7.0.1.325, both of which find nothing on the PCs. The server they connect to is up to date and has had a full system scan, which again has found nothing.
    Machines are a mixture of Win2k and WinXP, with Office2k or 2k3 installed. There is no other software installed. I have checked recently accessed files in Word, Excel etc. to see if a certain file is the root cause, but there is no pattern.
    This is the 3rd time this has happened in 3 months and it is starting to cause major issues, so any assistance would be gratefully received.

    Spoiler



      Specialist

      Thanked: 50
    • Experience: Beginner
    • OS: Windows XP
    Re: NTLDR error on Computers on a Domain within a Corporate Network
    « Reply #1 on: June 18, 2008, 11:18:07 AM »
    Is this a stand alone domain or is it a child domain? Does this domain have its own DNS server? Do you use DHCP in this domain?

    How many machines are there in the domain with this problem?

    Do you know if the shut down happens on or around the same day for the last 3 months?

    Whenever I watch TV and I see those poor starving kids all over the world, I can't help but cry. I mean I would love to be skinny like that, but not with all those flies and death and stuff." - Mariah Carey, Pop Singer

    andyjames75


      Re: NTLDR error on Computers on a Domain within a Corporate Network
      « Reply #2 on: June 19, 2008, 02:29:47 AM »
      Hi, it is a child domain. Machines on the root domain or the other 3 child domains are unaffected. The domain does have its own DNS server and DHCP is used in this domain. The domain in question has approx 200 machines spread over 3 buildings. However, the error only occurs in one of the buildings. We have done a full system scan on the machines, file server and domain controller and nothing has been found!!! The shutdown has happened on Tues 8th April, Wed 7th May and Mon 16th June.

      Spoiler



      Re: NTLDR error on Computers on a Domain within a Corporate Network
      « Reply #3 on: June 19, 2008, 07:36:33 AM »
      Does this happen at night? Or during the day?

      Also, do you run any jobs across the building's machines... i.e. virus sweep... updates... etc.?

      How are the machines connected... Cisco switch?

      One more thing, are the users admins on the local workstation?


      andyjames75


        Re: NTLDR error on Computers on a Domain within a Corporate Network
        « Reply #4 on: June 19, 2008, 08:45:45 AM »
        Machines are switched off at night, and when turned on in the morning we have had 16 occurrences of this issue. However, we have also had 1 occurrence of this issue during the day whilst an end user was in the middle of composing an email.
        I have just taken over the management of the IT Helpdesk here, and it would appear that the WSUS server has been taken down in the last couple of months, so no updates are being deployed. It would also appear that users are not only local admins on the machines but also that a very insecure local admin username and password is in effect!! (previous mismanagement!). The machines are connected via Cisco switches on site.

        Spoiler



        Re: NTLDR error on Computers on a Domain within a Corporate Network
        « Reply #5 on: June 19, 2008, 10:43:46 AM »
        I would start by first looking at the servers for a scheduled job or any batch programs that can be made to shut the machines down. I would set up a group policy to change the local admin account name and password.

        I would suggest getting the WSUS server up and running.

        Start to spot check machines for a scheduled task that may have already been set up by a power user who may be friends with the old admin.

        Set up a group policy to audit the security on the workstations for things like logins and use of admin rights.

        Make sure your DNS and DHCP servers are not on the same machine.

        Start to look upstream to your root domain and see what they are forcing to your child domain. Something may be set wrong, or they may be friends with the old admin and messing with you.

        As far as protecting the machines, change the local security policy to allow admins only to access them remotely.

        Force a password change for all users. This will clear out anyone who may be running a job under someone else's account.

        Check the servers' services and see if you have any old user accounts running the service as them.

        In general it sounds to me that you have someone who is making your life as the new admin crappy. I would go through everything and clean up as many things as fast as you can to help prevent the next blackout, and run the audit logs on all the machines to track and maybe catch who is doing this...

        Take nothing for granted and check with the building people to rule out a power outage.

        Going forward, I would take a few machines, if you have the hardware, and image them. Then the next time, if it happens again, you can swap out the machine and get the user running. This will look a lot better for you than having someone sitting around until you fix the machine.

        « Last Edit: June 19, 2008, 11:10:32 AM by Spoiler »
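
One way to do the scheduled-task spot check suggested in Reply #5 across many workstations, as an added example that is not part of any post in this thread. It assumes each machine's task list was saved with `schtasks /query /s <host> /fo csv /v` and the files concatenated; the host names, accounts, task entries and the account allowlist below are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample: a subset of the columns in verbose schtasks CSV output,
# for two hypothetical workstations in the affected building.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"WS-B2-014","DefragWeekly","C:\WINDOWS\system32\defrag.exe C:","NT AUTHORITY\SYSTEM"
"WS-B2-014","cleanup","cmd /c del C:\ntldr","WS-B2-014\localadmin"
"HostName","TaskName","Task To Run","Run As User"
"WS-B2-027","AVScan","C:\Program Files\AV\scan.exe /full","NT AUTHORITY\SYSTEM"
"WS-B2-027","nightly","shutdown.exe -s -f -t 0","CHILD\jsmith"
'''

# Command patterns tied to the two symptoms in this thread:
# unexpected power-off and missing boot loader files.
SUSPICIOUS = {
    "forces shutdown": re.compile(r"\bshutdown(\.exe)?\b", re.I),
    "touches boot files": re.compile(r"\b(ntldr|ntdetect\.com|boot\.ini)\b", re.I),
}

# Assumption: the only account expected to own scheduled tasks at this site.
EXPECTED_ACCOUNTS = {r"nt authority\system"}


def triage(csv_text, expected_accounts=EXPECTED_ACCOUNTS):
    """Return (host, task, reasons) for every task that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["HostName"] == "HostName":
            continue  # header repeated where per-host files were concatenated
        command = row["Task To Run"]
        reasons = [why for why, rx in SUSPICIOUS.items() if rx.search(command)]
        account = row["Run As User"].strip()
        if account.lower() not in expected_accounts:
            reasons.append("runs as unexpected account " + account)
        if reasons:
            findings.append((row["HostName"], row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for host, task, reasons in triage(SAMPLE_CSV):
        print(f"{host}: task '{task}': " + "; ".join(reasons))
```

Tasks flagged only for the run-as account are the ones the forced password change in Reply #5 would break, so review them before resetting passwords.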