I run Windows NT Server 4.0 with Service Pack 4 (SP4) on a Compaq ProLiant 1600 system with 512MB of RAM, a Compaq Smart Array 221 controller, and two mirrored Seagate Technology 10,000rpm 9.1GB hard disks. Everything was fine until Nimda hit. I cleaned out Nimda, but now I can't see my mirrored disk from the server system, although I can see the disk from any of my workstations. My primary application restricts me to NT 4.0 SP4. Do you know how I can fix this problem?
Nimda was one of the first so-called global threats and can do all types of system damage. Nimda characteristically creates open network shares on an infected computer and gives the guest account Admin privileges. Nimda also tries to exploit Microsoft IIS systems that the infamous CodeRed II threat had previously compromised. Furthermore, several new viruses can hide hardware exposure; in other words, the viruses can prevent you from seeing hardware. I recommend that you first boot to a CD-ROM or a series of 3.5" disks and run a complete virus scan of the server. All virus signatures must be up-to-date, and if the server connects to an IIS system, you need to disconnect it until you've fixed the problem.
If the problem persists after this thorough cleansing, open Disk Administrator on the server and determine whether both mirrored disks are present. If so, break the mirror, then reestablish it. If you can't see the mirrored disks in Disk Administrator, give the Microsoft Windows NT Server 4.0 Resource Kit Disksave utility a try. Boot to a 3.5" DOS disk, run Disksave from that disk, and press F6. This action overwrites the Fault Tolerant signature on the disks so that you can rebuild the mirror.
If Disksave fails (and you're adventurous), you can use a disk editor (I like Symantec's Norton Disk Editor 5.0 or later) to remove the mirrored byte. You'll need to change the mirror signature on the primary disk. Boot to a 3.5" DOS disk, run diskedit.exe from that disk, pick drive 1 (i.e., the primary disk), and look for the partition table. On an NTFS partition, you need to change the mirrored byte from 0x87 to 0x07. To do so, look at the partition entries; you'll see a question mark (?) that represents the mirror signature. Highlight that key, press the space bar, and change the signature to NTFS. Choose Edit, Write from the tool's menu bar to save the changes. You now can establish the NT system, then reestablish the mirror.
You might also consider moving the mirrored drive to the primary position to make sure the problem is with the system and not the drive. I'd also think about a new installation of NT 4.0 and SP4. I realize you won't be thrilled to read this, but you might need to perform a whole new installation. If your server connects to an IIS system, you also need to install all the most recent Microsoft patches on your IIS server. For IIS servers running NT 4.0 SP5 or later, see Microsoft Security Bulletin MS00-078 (Patch Available for "Web Server Folder Traversal" Vulnerability) at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. Get an antivirus package that automatically updates its virus definitions, instruct users to turn off their message browsers (Nimda can spread when users simply view an infected file), and remind users never to open a message from an unknown sender.