Re: Several SBS services dead
- From: "Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
- Date: Wed, 15 Nov 2006 17:10:59 -0600
That svchost.exe process dying was the killer.
I'd suspect wuauclt.exe, probably running in that process, memory leak,
crashed.
You can test this by watching the memory use of that svchost.exe. If it
grows with every detection, you need a hotfix. It's likely the workstations
are suffering from this as well - there are seperate hotfixes for Server
versus XP.
Backup running may or may not be related. That's one of the apps that talk
to the console session, and if your third party thingy doesn't connect to
that session, and backup has a window open, you'll never see it. Same thing
can happen with some of the consoles. Best bet, use native remote access
tools and go to session 0 to see what's going on.
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius
"Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
news:uQzuJXPCHHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
Hello!
I had a weird problem with a client's SBS 2003 R2 Standard on a three-week
old Dell PE 830 server with CERC SATA controller and RAID1 Seagate drives
(they are ST3160812AS drives, which I found out from Seagate's site are
desktop drives instead of being designed to run 24/7 in RAID as are their
Barracuda ES drives). The client called me this morning saying that they
had no Internet access and could not get to mapped drives or anything on
the server. Prior to this call, if had been working fine, or so I thought.
I got in with LogMeIn (LogMeIn gives me direct console access just as
though I were logged on locally at the console) and started looking at
logs and services. I found that the Workstation, Server, Computer Browser,
Logical Disk Manager, Shell Hardware Detection, and Automatic Updates
services were all stopped. Once I restarted those, everything was fine.
Before I restarted those services, I had used Remote Desktop to get to a
workstation. It could ping LAN and WAN by IP but not by name. After the
server's services were restarted, the workstations worked normally as
well.
I went to check their backups in Server Management, and they had all
failed, simply because they have not been putting in their tapes for a
week. That's another story. Anyway, when I went to view the backup
schedule, it said I could not do so, since "the backup was still running
or the backup application was in use" or words to that effect. I opened
Task Manager, and sure enough, ntbackup was running although it was
nowhere to be seen. I killed it.
A review of the Application Log showed that the WSUS started and finished
a scheduled synchronization, then started Content synchronization. About
14 minutes after that, I see the following error.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 11/14/2006
Time: 10:10:32 PM
User: N/A
Computer: DC01
Description:
Faulting application svchost.exe, version 5.2.3790.1830, faulting module
kernel32.dll, version 5.2.3790.2756, fault address 0x00015e02.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 32 2e 33 37 39 5.2.379
0028: 30 2e 31 38 33 30 20 69 0.1830 i
0030: 6e 20 6b 65 72 6e 65 6c n kernel
0038: 33 32 2e 64 6c 6c 20 35 32.dll 5
0040: 2e 32 2e 33 37 39 30 2e .2.3790.
0048: 32 37 35 36 20 61 74 20 2756 at
0050: 6f 66 66 73 65 74 20 30 offset 0
0058: 30 30 31 35 65 30 32 0015e02
That one is followed by
Event Type: Error
Event Source: ServerStatusReports
Event Category: None
Event ID: 1001
Date: 11/14/2006
Time: 10:11:00 PM
User: N/A
Computer: DC01
Description:
A fatal error occurred either while synchronizing the Update Services
computer groups with Group Policy or while moving the Unassigned Computers
group. To see a detailed log, create a file called SyncSecurity.Log in
%SBSProgramDir%\Support, and then run SyncSecurity.exe again. The error
returned was: The Workstation service has not been started.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Then all hell breaks loose with dozens of Userenv 1030 and 1058 errors.
The System Log shows a few errors almost immediately after the App Log
error. I assume these errors are because of the stopped services.
Event Type: Information
Event Source: AeLookupSvc
Event Category: None
Event ID: 3
Date: 11/14/2006
Time: 10:11:35 PM
User: N/A
Computer: DC01
Description:
The Application Experience Lookup service started successfully.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Then this one:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7032
Date: 11/14/2006
Time: 10:11:35 PM
User: N/A
Computer: DC01
Description:
The Service Control Manager tried to take a corrective action (Restart the
service) after the unexpected termination of the Windows Management
Instrumentation service, but this action failed with the following error:
An instance of the service is already running.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Other than that error, the System Log is clean.
The only thing of interest in the Application Log is VSS errors.
Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 12310
Date: 11/3/2006
Time: 7:20:00 AM
User: N/A
Computer: DC01
Description:
Volume Shadow Copy Service error: The shadow copy could not be committed -
operation timed out. Error context:
DeviceIoControl(\\?\Volume{eece32da-59a3-11db-bc1b-0010181c8064} -
00000130,0x0053c010,000378E0,0,000388E8,4096,[0]).
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 20 43 6f 64 65 3a 20 - Code:
0008: 49 4e 43 49 43 48 4c 48 INCICHLH
0010: 30 30 30 30 30 34 35 39 00000459
0018: 2d 20 43 61 6c 6c 3a 20 - Call:
0020: 53 50 52 51 53 4e 50 43 SPRQSNPC
0028: 30 30 30 30 30 32 33 36 00000236
0030: 2d 20 50 49 44 3a 20 20 - PID:
0038: 30 30 30 30 38 30 37 32 00008072
0040: 2d 20 54 49 44 3a 20 20 - TID:
0048: 30 30 30 30 36 32 32 34 00006224
0050: 2d 20 43 4d 44 3a 20 20 - CMD:
0058: 43 3a 5c 57 49 4e 44 4f C:\WINDO
0060: 57 53 5c 53 79 73 74 65 WS\Syste
0068: 6d 33 32 5c 73 76 63 68 m32\svch
0070: 6f 73 74 2e 65 78 65 20 ost.exe
0078: 2d 6b 20 73 77 70 72 76 -k swprv
0080: 2d 20 55 73 65 72 3a 20 - User:
0088: 4e 54 20 41 55 54 48 4f NT AUTHO
0090: 52 49 54 59 5c 53 59 53 RITY\SYS
0098: 54 45 4d 20 20 20 20 20 TEM
00a0: 2d 20 53 69 64 3a 20 20 - Sid:
00a8: 53 2d 31 2d 35 2d 31 38 S-1-5-18
I looked at the Shadow Copies, and there are several gaps in them. I am
wondering if they could be related to the Seagate desktop drives that Dell
sold to me in my "server." I understand that some drives can have timing
issues, but I thought those made the drives drop out of the RAID array.
Any ideas to get me started finding why that first error popped?
Thank you!
Gregg Hill
.
- Follow-Ups:
- Re: Several SBS services dead
- From: Gregg Hill
- Re: Several SBS services dead
- References:
- Several SBS services dead
- From: Gregg Hill
- Several SBS services dead
- Prev by Date: Re: share a network drive with clients
- Next by Date: Re: Is there a AntiGen/Forefront
- Previous by thread: Several SBS services dead
- Next by thread: Re: Several SBS services dead
- Index(es):
Relevant Pages
|
Loading
