
Posted

System Issue
- Server goes into an unknown state where domain users cannot log off, explorer.exe becomes unresponsive, and some users can continue working, while others cannot.
- Domain Administrators cannot get into Control Panel/Administrative Tools
- Icon that network cable is disconnected is seen in the notification area by administrators
- Server still responds to ping requests
- Server is located in a DC, no physical access to the server, only RDP
- Only thing I could do is comb through the event log looking for something

System Outline
- 2 terminal servers running off a load balancer, both exhibiting same issues at approx the same timeline
- Windows Server Enterprise 2008 SP2 32bit, 16GB RAM
- Both running same applications and patch level
- Server is patched for most important updates up to date
- Terminal servers had been running for 26 days stable, weeks since their last reboot
- No new software was installed/configured since then

 

Things I Found

A pattern of Event ID: 1530 Application Log:

 

Log Name: Application

Source: Microsoft-Windows-User Profiles Service

Date: 21/2/2012 10:54:46 AM

Event ID: 1530

Task Category: None

Level: Warning

Keywords: Classic

User: SYSTEM

Computer: SVR-TS03.Star.County

Description:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

25 user registry handles leaked from \Registry\User\S-1-5-21-3206598590-745459590-3389446312-1463:

Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463

Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7257ddb5-5a29-11df-975c-002219af9615}

Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\{4BD8D571-6D19-48D3-BE97-422220080E43}

** I had to shorten how much of this event to paste due to its length **

 

A second example of a pattern is seen in the System Log Event ID 7011 :: netprofm and fdPHost service

 

LOG EXAMPLE 1

Log Name: System

Source: Service Control Manager

Date: 21/2/2012 10:55:16 AM

Event ID: 7011

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: SVR-TS03.Star.County

Description:

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.

 

LOG EXAMPLE 2

Log Name: System

Source: Service Control Manager

Date: 21/2/2012 10:55:53 AM

Event ID: 7011

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: SVR-TS03.Star.County

Description:

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.

 

Actions Taken To Resolve
- Only action I could do was attempt to restart the servers
- The first reboot took approx. 10 minutes to process before it actually went down and rebooted
- After server came back up same issues were seen (administrator users could not get into Control Panel or any Administrative Tools)
- A second reboot was performed, and then the servers started to operate correctly
- The servers continued to operate correctly since (this happened yesterday)

Any thoughts as to why these events happened, which ended up causing loss of work for almost 100 users that connect to this environment? Any additional diagnostic work I should be performing?

Posted
Resolve this SID S-1-5-21-3206598590-745459590-3389446312-1463 to a username and deny this user access to the server for one day (create another user); it looks like this user is causing the problem. Anyway, I don't understand why some services are not responding in time...

--------------------------------------------------------

You can also write in French.

You can also write in German.

You can also write in Italian.

--------------------------------------------------------
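
The triage step suggested in the reply above (mapping the SID named in Event 1530 to an account), as an added PowerShell example that is not part of the thread; it also tallies which process held the leaked handles. The function name `Get-HandleLeakSummary` is hypothetical, the sample text is constructed from the event excerpt posted above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
function Get-HandleLeakSummary {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Header line: "<n> user registry handles leaked from \Registry\User\<SID>:"
    if ($Message -notmatch '(\d+) user registry handles leaked from \\Registry\\User\\(S-[\d-]+)') {
        return   # not an Event 1530 detail block
    }
    $declared = [int]$Matches[1]
    $sid      = $Matches[2]

    # Resolve the SID to DOMAIN\user; keep the raw SID if the lookup fails
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    # One "Process <pid> (<image>) has opened key <key>" line per leaked handle
    $rx = 'Process (\d+) \((.+?)\) has opened key ([^\r\n]+)'
    [regex]::Matches($Message, $rx) |
        Group-Object { '{0}|{1}' -f $_.Groups[1].Value, $_.Groups[2].Value } |
        ForEach-Object {
            $procId, $image = $_.Name -split '\|', 2
            [pscustomobject]@{
                Account  = $account
                Sid      = $sid
                Declared = $declared   # count stated in the event header
                Listed   = $_.Count    # handle lines actually present in the text
                ProcId   = [int]$procId
                Image    = $image
            }
        }
}

# Constructed sample: the (shortened) event text quoted in the first post
$sample = @'
25 user registry handles leaked from \Registry\User\S-1-5-21-3206598590-745459590-3389446312-1463:
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7257ddb5-5a29-11df-975c-002219af9615}
'@
Get-HandleLeakSummary $sample | Format-List

# Against the live log on the server:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530 } |
#     ForEach-Object { Get-HandleLeakSummary $_.Message }
```

Run across all 1530 events, the output shows whether the leaks cluster on one account or on one process image across many accounts, which is the distinction the reply's one-user test is trying to establish.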
