Chronic problem marked with Event ID 1015, source Perflib in the Application log in the Event Viewer
From: Nancy Folsom (nancy_folsom_at_hotmail.com)
Date: 05/19/04
Date: Wed, 19 May 2004 15:13:34 -0700
A client is having some chronic, intractable problems on their network and
we're all about at the end of our Google-inspired ideas for correcting the
problem.
Nearly every evening, although never at exactly the same time, and never
during the day, their website stops responding -- at least, that is the
symptom we first notice. The occasions are uniformly marked by a pattern in
the Event Viewer. First, the event referenced in the subject is found in the
application log. Following that event, and until the server is rebooted, the
server log shows a pattern of error event IDs 7011 for each of the following
services: IISADMIN, IMAP4Svc, POP3Svc, RESvc, SMTPSVC, W3SVC -- in that
order.
Perhaps relevant is the fact that some time before the first real sign of
trouble in the application log is a series of events in the system log with
the source DhcpServer. The event IDs are 1037, 1038, 1039 (information) and
1020 (warning).
Once this happens, the server slows to a crawl for all applications, email
bounces (IIRC), and the website doesn't respond. No DNS error or page not
found.
I'm not a network professional, and my client doesn't have a full time
network pro on staff either, so your patience is appreciated. Here are as
many relevant facts as I can muster, altho' I'm afraid I'll have forgotten
something.
OS: W2K Server
SBS: 2000
Exchange: 5.0
ISA Server.
Hardware firewall: Symantec Firewall VPN 100
Router: Cisco 675
They are also using NAV for Exchange, as well as a Symantec virus checking
program that pushes updates out to workstations. My client has talked to
Symantec, who stepped her through correcting some issues with the NAV for
Exchange, but it didn't correct our problem. The Exchange information store
(drive M:) is NOT being scanned.
They are hosting a website on their server, which also is the corporate file
server. They are rigorous in applying patches. They are also hosting an
ASP.NET application over HTTPS, which is where I come in. That application
has been up since mid-March. This problem started at the end of April. At
the beginning of April, they were hit by a worm that had copied a rogue copy
of SVCHOST.DLL in c:\winnt\system32\wbem\mof\bad\usr32\backup. The rogue
copy was also in the root windows folder. The entire contents of the Backup
directory were deleted and the second bad copy of SVCHOST was deleted.
Within a couple of days of the worm being cleaned up (?), the server started
experiencing serious performance issues and their contract network support
person reinstalled IE. I don't know the details of what all happened during
this event.
As I write this I wonder if there could be a Denial of Service worm in the
works. However, we're now looking at more than a month of serious network
outages, so I'd be grateful for specific suggestions. TIA.
-----------------
Nancy Folsom