HELP- Big issue

When I got to work this morning, the server was fine. Then starting a little while ago this error popped up in the event log over and over and nothing is working....AD, mapped drives won't connect, etc.

Event ID 2019

The server was unable to allocate from the system nonpaged pool because the pool was empty.

This is a windows 2003 DC.   The only recent changes made were the installation of microsoft updates yesterday and a reboot of the server yesterday afternoon....but the server rebooted and was fine all night (we have people using it 24/7).
LVL 18
luv2smileAsked:
Who is Participating?
 
Nirmal SharmaSolution ArchitectCommented:
Event ID 2019 and 2020 are logged for any source. It doesn't mean that the problem is only with the Antivirus product. I have found in many cases that Antivirus service will try to interact with Kernel Mode components (Memory Manager)  and will drop this log in Event Viewer.

Could you do one thing...reset the Pagefile from System Applet? means just move the pagefile on different partition and then reset it again on original partition.
0
 
luv2smileAuthor Commented:
I'm just beginning to troubleshoot now, but I wanted to go ahead and post this question....
0
 
Chris DentPowerShell DeveloperCommented:
McAfee VirusScan on there by any chance?

HTH

Chris
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Nirmal SharmaSolution ArchitectCommented:
You need to use poolmon.exe to troubleshoot this issue.
0
 
Nirmal SharmaSolution ArchitectCommented:
Reasons so far: -

A Nonpaged Memory Leak Occurs in Tcpip.sys

Denial-of-Service Attack on Port 1720 May Cause a Memory Leak in Conf.exe

DNS Service Memory Leak

Dismounting an NTFS Volume May Cause Nonpaged Pool Memory Leak

Kernel Mode Memory Leak Caused by Invalid TCP Checksums on Port 3389

LSA Memory Leak Due to SetPassword Call

Malformed Request to Domain Controller Can Cause Memory Exhaustion

Mapping Shared Local Printers to Central Share Causes Server to Crash, Generates Event ID 2020 from SRV

Memory and Critical Section Leak in CExpire::GetExpireBlockProperties

Memory Leak in Atmuni.sys in Windows 2000

Memory Leak in Internet Explorer When Background Image Is Resized

Memory Leak in Keyboard and Mouse Class Drivers When You Unplug and Plug In USB Keyboard or Mouse

Memory Leak in Lsass.exe with Large Built-in Groups

Memory Leak in Pdh.dll Querying Performance Counters That Do Not Exist

Memory Leak When Deleting File Control Blocks

Memory Leak When You Gather Performance Counter Information on a Remote Server

Memory Leak When You Search for Group Policy Object Links

Memory Manager Allocates Paged Pool Before it Is Needed

Multiple LDAP Binds to the Same Connection Cause Memory Leak

Network Load Balancing WMI Provider Memory Leak

NNTP Service in Windows 2000 Contains a Memory Leak

Non-Paged Pool Memory Leak on Master Browser

OHCI1394 Driver May Cause a Memory Leak During Asynchronous Write Operation

How to Use Poolmon to Troubleshoot Kernel Mode Memory Leaks
http://support.microsoft.com/?kbid=177415

Microsoft Knowledge Base Article: 177415 - This article describes how to use the Windows NT 4.0 utility, Poolmon.exe, as a troubleshooting tool to monitor memory tags. This information can be used by Microsoft Technical Support to find kernel mode memory leaks.

Umdhtools.exe: How to Use Umdh.exe to Find Memory Leaks

Microsoft Knowledge Base Article: 268343 - The user-mode dump heap (UMDH) utility works with the operating system to analyze Windows heap allocations for a specific process. This utility, and the other tools associated with it, are primarily targeted for Windows 2000 and Windows XP.
      Click here to find out more!

Using Performance Monitor To Identify A Pool Leak

Microsoft Knowledge Base Article: 130926 A memory leak occurs when a memory pool allocates some of its memory to a process and the process does not return the memory. When this happens repeatedly, the memory pool is depleted.
Sources of Memory Leaks

Which one applies to your problem? Check the Source in Event Log.
0
 
luv2smileAuthor Commented:
Thanks guys...

No MacAfee...we run symantec corp. 9

The source is SRV.....
0
 
Chris DentPowerShell DeveloperCommented:

AV is always a popular one for causing that error (from the Server).. might be worth disabling it and seeing if it still comes up.
0
 
Nirmal SharmaSolution ArchitectCommented:
So M$ says: -

To resolve this behavior, either delete the print shares on the server and print directly to shared printers, or configure a network printer and print server.

Is that solve the problem?
0
 
luv2smileAuthor Commented:
I found this microsoft kb...it is for 2000 and up to norton 8, but I'm wondering if its the same with 9....

http://support.microsoft.com/?id=272568

Is it the weekend yet? This has been some week......
0
 
Chris DentPowerShell DeveloperCommented:

There's a known issue with a version of McAfee and 2003 Server, hence the original question. It could even be something as useless as AV definitions... I don't suppose the last update was fairly recent?

As for the weekend... It's getting there... but they never seem to last long enough ;)
0
 
luv2smileAuthor Commented:
Thanks guys....I'm running a virus scan now just as a precaution. Once that is finished, I'll disable symantec and see if that helps.

I've got 2 shared printers on the server, but those have been there for about 6 months or so with no problems, but if the AV thing doesn't work, I can try deleting them.
0
 
Chris DentPowerShell DeveloperCommented:

Did the first instance of the error happen to coincide with any scheduled tasks on the server at all?
0
 
luv2smileAuthor Commented:
I uninstalled Symantec, rebooted, and the problem went away.....go figure....

So, do you all think that was the root of the problem or do you think it is relating to something else? Symantec has been running since the server was built a year ago, updated it to 9 a few months ago, but no problems until now. Also, updates were last downloaded last week...

SystmProg,

Could you give me a quick lesson on the page file? It is currently on my root drive and is set at custom of 2046-4092.   To move, I would set it to 0 on my root drive, and then set it up on another partition?

Is it best to have this on a different partition or can you have multiples?  

0
 
Chris DentPowerShell DeveloperCommented:

It could be anything as simply (and annoying) as a virus definition file causing an error in the scanning engine. Not too helpful, but it may be worth reinstalling Symantec and seeing if the problem comes back.

But then, AV and MS patch compatibility is sometimes a little dubious.

Yes that's how to moving the Page File. One disadvantage of moving the page file from the system drive is that it disables application debugging (I think).

Generally I leave it where it is unless there's a lot of activity in the file (a seperate physical disk is nice for that) or there's no space on the system disk.
0
 
luv2smileAuthor Commented:
I reinstalled Symantec with no problems...everything still seems to be working fine.
0
 
Chris DentPowerShell DeveloperCommented:

Excellent news :)
0
 
luv2smileAuthor Commented:
BACK AGAIN!!

4:36 this morning....same error popped up again and all connections to the server stopped working!

Grrrrrrrrr..........
0
 
Richard QuadlingSenior Software DeveloperCommented:
0
 
Nirmal SharmaSolution ArchitectCommented:
AS suggested by Chris.
0
 
Chris DentPowerShell DeveloperCommented:

Aside from uninstalling AV again, or going through some of the monitoring programs SystmProg suggested I'm not quite sure what to suggest.

That software is causing the failure remains the most likely - but that's not too helpful when the suggested causes are really important.

I don't suppose it's creating any kind of dump file when it crashes is it?
0
 
Nirmal SharmaSolution ArchitectCommented:
I am not talking about any monitoring program here. I am talking about the pagefile moving and an answer to my question has been answered by you in this thread.

****Quote***
Yes that's how to moving the Page File. One disadvantage of moving the page file from the system drive is that it disables application debugging (I think).

Generally I leave it where it is unless there's a lot of activity in the file (a seperate physical disk is nice for that) or there's no space on the system disk.
***End Quote***
0
 
Nirmal SharmaSolution ArchitectCommented:
>>>Is it best to have this on a different partition or can you have multiples?  

Did you install the Symentac on the same drive where pagefile resides?

Let me know.
0
 
luv2smileAuthor Commented:
Well......I uninstalled AV and then reinstalled it and again...that seemed to fix the problem for the *moment*.

Although I got to thinking and I don't think I rebooted before I uninstalled AV so maybe just a simple reboot is what fixed it and not the actual AV uninstall.

I moved the pagefile to a different partition.....symantec was on the same drive orginially as the pagefile.

I updated the symantec file that was reference in the above kb article I found....the latest version of the file was from a week ago so I figured an update would be good.

I guess now it is a wait and see game to see if it happens again and IF it does...if I can get anymore info. out of it.....
0
 
Nirmal SharmaSolution ArchitectCommented:
Let us know.

Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.