grexx

How does the Windows Event Log know the time of a crash?

I have the following problem. Three of our servers (Windows 2000) that were attached to a UPS crashed at a set time on a regular basis. The crashes are 99.9% sure caused by a dead battery in the UPS, and a 2-weekly test by the UPS. Still, one thing puzzles me, and that is the difference in time in the event logs of the three servers. I don't know how these crash logs work, but I assume the system can't write anything after the power went down, so it has to look back the next time it starts.

Can it be that the system makes an entry in an uptime-logfile (or something like this) with the current time? And that this logfile is only updated once every four or five minutes? And those three servers don't update the uptime-logfile at the same time, which would explain the time difference.

We probably have found the cause of the crashes, but I just want to understand how this works.
BigC666

howdy,

how do you have these machines time-synced?
grexx

ASKER

I don't know exactly how it works, but I believe they are. They are all part of the same domain, and all always have the same time as my laptop, so I suppose they are time synced.
on your DC go to Run, type cmd and <enter>. you get the OS prompt; type net time /setsntp:(the name of your dc) <enter>. you will see the message operation completed successfully.

then do this on the machines that you are having the time difference on. it may also be that the reboot sequence on the individual machines is not the same, i.e. one may be set to reboot automatically, and one not, or if they are all set the same, then they won't boot at exactly the same time.

that's all i can think of.

good luck
grexx

ASKER

All servers have exactly the same time. All servers have a service running called Windows Time. All machines reboot automatically. It's not a problem that they don't reboot at exactly the same time, and even minutes apart is not a problem. But you probably don't understand what I mean...

The problem is that in the Event Log the *time of the crash* is different. To be clear, this is not the time of the restart, it's the time the server went down. See the following example:

Event Type:      Error
Event Source:      EventLog
Event Category:      None
Event ID:      6008
Date:            17/12/2004
Time:            18:11:23
The previous system shutdown at 5:29:39 PM on 12/17/2004 was unexpected.

That time (5:29:39 PM) is different for the three servers. The difference is not one or two seconds, but up to four minutes!

My question is whether this is due to the fact that the servers went down at a different time, or is it because Windows doesn't record every second or minute that it's up and running, and thus is unable to tell the exact time of the crash. So is this time the exact time of the crash, or is it the time of the last log entry?
now with that you've got me, i'll continue to look, though

merry xmas
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
grexx

ASKER

Excellent!