Re: Several SBS services dead

I know the svchost dying was what cascaded into everything else, but I don't
know what killed the svchost itself. I am not sure what you mean by "If it
grows with every detection,...." You wouldn't happen to have the KB of the
hotfix, would you?

LogMeIn remote access goes to the console, even on a 2000 system. It
actually works better than "mstsc /console" on 2003. I have had some apps
that still know they are in a session when using "mstsc /console" but work
fine when I use LogMeIn.

Thank you, Les!

Gregg Hill


"Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
wrote in message news:%235teUtQCHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
That svchost.exe process dying was the killer.

I'd suspect wuauclt.exe, probably running in that process, memory leak,
crashed.

You can test this by watching the memory use of that svchost.exe. If it
grows with every detection, you need a hotfix. It's likely the
workstations are suffering from this as well - there are seperate hotfixes
for Server versus XP.

Backup running may or may not be related. That's one of the apps that talk
to the console session, and if your third party thingy doesn't connect to
that session, and backup has a window open, you'll never see it. Same
thing can happen with some of the consoles. Best bet, use native remote
access tools and go to session 0 to see what's going on.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius


"Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
news:uQzuJXPCHHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
Hello!

I had a weird problem with a client's SBS 2003 R2 Standard on a
three-week old Dell PE 830 server with CERC SATA controller and RAID1
Seagate drives (they are ST3160812AS drives, which I found out from
Seagate's site are desktop drives instead of being designed to run 24/7
in RAID as are their Barracuda ES drives). The client called me this
morning saying that they had no Internet access and could not get to
mapped drives or anything on the server. Prior to this call, if had been
working fine, or so I thought.

I got in with LogMeIn (LogMeIn gives me direct console access just as
though I were logged on locally at the console) and started looking at
logs and services. I found that the Workstation, Server, Computer
Browser, Logical Disk Manager, Shell Hardware Detection, and Automatic
Updates services were all stopped. Once I restarted those, everything was
fine. Before I restarted those services, I had used Remote Desktop to get
to a workstation. It could ping LAN and WAN by IP but not by name. After
the server's services were restarted, the workstations worked normally as
well.

I went to check their backups in Server Management, and they had all
failed, simply because they have not been putting in their tapes for a
week. That's another story. Anyway, when I went to view the backup
schedule, it said I could not do so, since "the backup was still running
or the backup application was in use" or words to that effect. I opened
Task Manager, and sure enough, ntbackup was running although it was
nowhere to be seen. I killed it.

A review of the Application Log showed that the WSUS started and finished
a scheduled synchronization, then started Content synchronization. About
14 minutes after that, I see the following error.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 11/14/2006
Time: 10:10:32 PM
User: N/A
Computer: DC01
Description:
Faulting application svchost.exe, version 5.2.3790.1830, faulting module
kernel32.dll, version 5.2.3790.2756, fault address 0x00015e02.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 32 2e 33 37 39 5.2.379
0028: 30 2e 31 38 33 30 20 69 0.1830 i
0030: 6e 20 6b 65 72 6e 65 6c n kernel
0038: 33 32 2e 64 6c 6c 20 35 32.dll 5
0040: 2e 32 2e 33 37 39 30 2e .2.3790.
0048: 32 37 35 36 20 61 74 20 2756 at
0050: 6f 66 66 73 65 74 20 30 offset 0
0058: 30 30 31 35 65 30 32 0015e02



That one is followed by

Event Type: Error
Event Source: ServerStatusReports
Event Category: None
Event ID: 1001
Date: 11/14/2006
Time: 10:11:00 PM
User: N/A
Computer: DC01
Description:
A fatal error occurred either while synchronizing the Update Services
computer groups with Group Policy or while moving the Unassigned
Computers group. To see a detailed log, create a file called
SyncSecurity.Log in %SBSProgramDir%\Support, and then run
SyncSecurity.exe again. The error returned was: The Workstation service
has not been started.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Then all hell breaks loose with dozens of Userenv 1030 and 1058 errors.
The System Log shows a few errors almost immediately after the App Log
error. I assume these errors are because of the stopped services.



Event Type: Information
Event Source: AeLookupSvc
Event Category: None
Event ID: 3
Date: 11/14/2006
Time: 10:11:35 PM
User: N/A
Computer: DC01
Description:
The Application Experience Lookup service started successfully.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.




Then this one:


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7032
Date: 11/14/2006
Time: 10:11:35 PM
User: N/A
Computer: DC01
Description:
The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management
Instrumentation service, but this action failed with the following error:
An instance of the service is already running.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Other than that error, the System Log is clean.


The only thing of interest in the Application Log is VSS errors.

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 12310
Date: 11/3/2006
Time: 7:20:00 AM
User: N/A
Computer: DC01
Description:
Volume Shadow Copy Service error: The shadow copy could not be
committed - operation timed out. Error context:
DeviceIoControl(\\?\Volume{eece32da-59a3-11db-bc1b-0010181c8064} -
00000130,0x0053c010,000378E0,0,000388E8,4096,[0]).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 20 43 6f 64 65 3a 20 - Code:
0008: 49 4e 43 49 43 48 4c 48 INCICHLH
0010: 30 30 30 30 30 34 35 39 00000459
0018: 2d 20 43 61 6c 6c 3a 20 - Call:
0020: 53 50 52 51 53 4e 50 43 SPRQSNPC
0028: 30 30 30 30 30 32 33 36 00000236
0030: 2d 20 50 49 44 3a 20 20 - PID:
0038: 30 30 30 30 38 30 37 32 00008072
0040: 2d 20 54 49 44 3a 20 20 - TID:
0048: 30 30 30 30 36 32 32 34 00006224
0050: 2d 20 43 4d 44 3a 20 20 - CMD:
0058: 43 3a 5c 57 49 4e 44 4f C:\WINDO
0060: 57 53 5c 53 79 73 74 65 WS\Syste
0068: 6d 33 32 5c 73 76 63 68 m32\svch
0070: 6f 73 74 2e 65 78 65 20 ost.exe
0078: 2d 6b 20 73 77 70 72 76 -k swprv
0080: 2d 20 55 73 65 72 3a 20 - User:
0088: 4e 54 20 41 55 54 48 4f NT AUTHO
0090: 52 49 54 59 5c 53 59 53 RITY\SYS
0098: 54 45 4d 20 20 20 20 20 TEM
00a0: 2d 20 53 69 64 3a 20 20 - Sid:
00a8: 53 2d 31 2d 35 2d 31 38 S-1-5-18





I looked at the Shadow Copies, and there are several gaps in them. I am
wondering if they could be related to the Seagate desktop drives that
Dell sold to me in my "server." I understand that some drives can have
timing issues, but I thought those made the drives drop out of the RAID
array.

Any ideas to get me started finding why that first error popped?

Thank you!

Gregg Hill










.

Relevant Pages

  • Re: NAS or USB Backup?
    ... Has anyone tried putting a second NIC in the server and putting the NAS on ... If I wasn't so cheap, I'd buy boxed drives instead of OEM, and I'd learn ... What you do to restore individual files is to "mount" the ... ShadowProtect backup - any full or incremental backup you choose. ...
    (microsoft.public.windows.server.sbs)
  • Re: NAS or USB Backup?
    ... I have considered doing it with a member server. ... If I wasn't so cheap, I'd buy boxed drives instead of OEM, and I'd learn ... What you do to restore individual files is to "mount" the ... ShadowProtect backup - any full or incremental backup you choose. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2008 Backup - restore utility?
    ... If you've already installed a fresh copy of SBS 2008 on another server, ... the Recovery Wizard in Windows Server Backup to recover files and folders ... On the Specify location type window, choose "Local drives" and clik ...
    (microsoft.public.windows.server.sbs)
  • Re: Several SBS services dead
    ... Backup running may or may not be related. ... old Dell PE 830 server with CERC SATA controller and RAID1 Seagate drives ... Logical Disk Manager, Shell Hardware Detection, and Automatic Updates ...
    (microsoft.public.windows.server.sbs)
  • Re: NAS or USB Backup?
    ... If I wasn't so cheap, I'd buy boxed drives instead of OEM, and I'd learn ... any noticeable impact on server performance. ... What you do to restore individual files is to "mount" the ... ShadowProtect backup - any full or incremental backup you choose. ...
    (microsoft.public.windows.server.sbs)