Solved

Very strange problem...

Posted on 2006-06-16
Last Modified: 2012-06-21
I have an exchange server with the following Hardware parameters:

DL380G3 X3.06 512KB/533 1GB 1P RCK US
1GB REG PC2100 2X512 ALL (DL380 G3)
HP 36GB 15K U320 Pluggable Hard Drive
Battery Backed Write Cache Enabler WW
HP RPS W/NEMA 5-15 Cord DL380G3 US
HP DL380G3 Hot-Plug x3 Axial Fan Kit WW
X3.06/533-512 350/70/80G3 Proc.Option WW
Modular Smart Array 30 Dual Bus Ultra320 SCSI Enclosure
VHDCI 2.0M SHLD CBL US Cable SHLD, VHDCI,  2 m
72GB 15K U320 Pluggable Hard Drive WW
Smart Array 5304/256 Controller WW
 
Sorry for enumerating everything, but I might need to give you as much info as I can.

This is the third time the server has somehow restarted itself. Without any reason...
The incident is shocking, as the operating system CANNOT produce a minidump/kerneldump.
There is nothing in the event log, and there is nothing in the HP Insight Manager's event log.

Where do you think I can start searching for the error...

:(

Best regards,

DV

PS: If you need any other details please let me know. There were nothing effection, overdrive, or anything what should point to anything.
0
Comment
Question by:domokosvarga
16 Comments
 

Author Comment

by:domokosvarga
ID: 16918603
Other comment:

After the restart everything is up and running again. The recovery processes are completing successfully, the stores seem not to have been corrupted...
0
 
LVL 7

Expert Comment

by:xpsavy
ID: 16918726
Hi domokosvarga

Have you installed any Windows or Exchange updates recently?


0
 
LVL 12

Expert Comment

by:aa230002
ID: 16918754
What version of OS and service packs, and what Exchange version and service packs, are on this server?
0
 

Author Comment

by:domokosvarga
ID: 16918786
Hi...

Answers>

All recent Windows security patches and Exchange upgrades are installed... except the last one, which will kill the BB server...

OS> Windows 2003 SP1, and Exchange SP2

Installed upgrades>

KB909565
KB819696
KB823182
KB23559
KB824146
KB825119
KB828035
KB828750
KB831464
KB890046
KB893756
KB896358
KB896422
KB896424
KB896242_0
KB896428
KB896688
KB896688_0
KB896727
KB898060
KB899587
KB899588
KB899588_0
KB899589
KB899589_0
KB900725
KB900725_0
KB901017
KB901017_0
KB91190
KB91190_0
KB91214
KB91214_0
KB902400
KB902400_0
KB904706
KB904706_0
KB906414
KB906414_0
KB905495
KB905915
KB908519
KB908519_0
KB911564
KB911565
KB911927
KB911927_0
KB912919
KB912919_0
KB913446
KB913446_0

rgrds,

DV
0
 
LVL 12

Expert Comment

by:aa230002
ID: 16918797
Do you see anything in your System logs? Any memory leaks or anything else?

What is the version of store.exe?

Thanks,
Amit Aggarwal
0
 

Author Comment

by:domokosvarga
ID: 16918851
The "nothing" in the event log>

System:

Event Type:      Error
Event Source:      EventLog
Event Category:      None
Event ID:      6008
Date:            2006.06.16.
Time:            9:59:07
User:            N/A
Computer:      EXCH
Description:
The previous system shutdown at 9:55:59 AM on 6/16/2006 was unexpected.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d6 07 06 00 05 00 10 00   Ö.......
0008: 09 00 37 00 3b 00 56 03   ..7.;.V.
0010: d6 07 06 00 05 00 10 00   Ö.......
0018: 07 00 37 00 3b 00 56 03   ..7.;.V.

--

Event Type:      Information
Event Source:      DCOM
Event Category:      None
Event ID:      10026
Date:            2006.06.16.
Time:            9:59:08
User:            N/A
Computer:      EXCH
Description:
The COM sub system is suppressing duplicate event log entries for a duration of 86400 seconds.  The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\Ole\EventLog.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--

Application>

Symantec client started

Event Type:      Information
Event Source:      MSDTC
Event Category:      TM
Event ID:      4193
Date:            2006.06.16.
Time:            10:00:18
User:            N/A
Computer:      EXC
Description:
MS DTC started with the following settings (OFF = 0 and ON = 1):

  Security Configuration:
      Network Administration of Transactions = 0,
      Network Clients = 0,
      Inbound Distributed Transactions using Native MSDTC Protocol = 0,
      Outbound Distributed Transactions using Native MSDTC Protocol = 0,
      Transaction Internet Protocol (TIP) = 0,
      XA Transactions = 1
  Filtering Duplicate events = 1

--

Event Type:      Information
Event Source:      MSExchangeSA
Event Category:      General
Event ID:      1000
Date:            2006.06.16.
Time:            10:00:30
User:            N/A
Computer:      EXCH
Description:
Microsoft Exchange System Attendant is starting. Microsoft Exchange Server System Attendant, service startup complete, version 6.5 (build 7638.1).

--

Event Type:      Warning
Event Source:      WinMgmt
Event Category:      None
Event ID:      5603
Date:            2006.06.16.
Time:            10:01:02
User:            NT AUTHORITY\SYSTEM
Computer: EXH
Description:
A provider, PerfProv, has been registered in the WMI namespace, Root\default, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--

Event Type:      Warning
Event Source:      MSExchangeMTA
Event Category:      Field Engineering
Event ID:      2219
Date:            2006.06.16.
Time:            10:01:10
User:            N/A
Computer:      EXC
Description:
The MTA is running recovery on the internal message database because the MTA was not shut down cleanly. This operation may take some time.  Status updates will be written to the Windows 2000 Event Log. [DB Server MAIN BASE 1 0] (14)

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--

Event Type:      Information
Event Source:      ESE BACKUP
Event Category:      General
Event ID:      905
Date:            2006.06.16.
Time:            10:01:29
User:            N/A
Computer:      EXC
Description:
Information Store (5996) Server registered: Microsoft Exchange Server / Microsoft Information Store (callback DLL mdbrest.dll, flags 0x103).

--

Event Type:      Information
Event Source:      ESE
Event Category:      General
Event ID:      100
Date:            2006.06.16.
Time:            10:01:29
User:            N/A
Computer:      EXC
Description:
Information Store (5996) The database engine 6.05.7638.0002 started.

--

Event Type:      Information
Event Source:      ESE
Event Category:      Logging/Recovery
Event ID:      302
Date:            2006.06.16.
Time:            10:01:36
User:            N/A
Computer:      EXC
Description:
Information Store (5996) SG1-EXC: The database engine has successfully completed recovery steps.

--

Event Type:      Information
Event Source:      MSExchangeIS
Event Category:      General
Event ID:      1001
Date:            2006.06.16.
Time:            10:04:51
User:            N/A
Computer:      EXC
Description:
The Microsoft Exchange Information Store has started. Service startup complete, version 6.5 (build 7638.2).

---

There were no problem with the memory or CPU usage...

DV
0
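The Data bytes of the Event ID 6008 record posted above decode consistently as two 16-byte Win32 SYSTEMTIME structures; the following is an added example, not part of the original thread, that parses them so the unexpected-shutdown time can be placed on a timeline. Reading the first structure as local time and the second as UTC is an assumption, based on the hour fields (9 and 7) and the "9:55:59 AM" in the event description.

```python
import struct
from datetime import datetime

# Data bytes copied verbatim from the Event ID 6008 record in the post above.
EVENT_6008_DATA = bytes.fromhex(
    "d6 07 06 00 05 00 10 00 "
    "09 00 37 00 3b 00 56 03 "
    "d6 07 06 00 05 00 10 00 "
    "07 00 37 00 3b 00 56 03"
)

# Win32 SYSTEMTIME: eight little-endian 16-bit fields
# (year, month, day-of-week, day, hour, minute, second, milliseconds).
SYSTEMTIME = struct.Struct("<8H")


def parse_systemtime(buf, offset=0):
    """Decode one SYSTEMTIME and cross-check its day-of-week field."""
    year, month, dow, day, hour, minute, second, ms = SYSTEMTIME.unpack_from(buf, offset)
    # datetime() itself raises ValueError on out-of-range fields.
    ts = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; datetime.weekday() counts Monday as 0.
    if (ts.weekday() + 1) % 7 != dow:
        raise ValueError(f"day-of-week {dow} does not match {ts.date()}")
    return ts


def decode_6008(data):
    """Return (first, second, first - second) for a 6008 Data blob."""
    if len(data) != 2 * SYSTEMTIME.size:
        raise ValueError(f"expected 32 bytes, got {len(data)}")
    first = parse_systemtime(data, 0)
    second = parse_systemtime(data, SYSTEMTIME.size)
    return first, second, first - second


if __name__ == "__main__":
    first, second, delta = decode_6008(EVENT_6008_DATA)
    # Interpretation of the two values is an assumption (see lead-in).
    print("first  (assumed local):", first.isoformat())
    print("second (assumed UTC):  ", second.isoformat())
    print("difference:", delta)
```

The day-of-week cross-check rejects a blob that was mistyped or truncated when copied out of Event Viewer before its timestamp is used in a timeline.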
 
LVL 35

Expert Comment

by:rakeshmiglani
ID: 16918900
Check if following is the case

An access violation occurs in Lsass.exe and event IDs 1015 and 1000 are logged in the application log on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/818080/en-us
0
 

Author Comment

by:domokosvarga
ID: 16918931
rakeshmiglani > hi... no... the DC was not harmed... It is separated from the Exchange...
0
 
LVL 12

Expert Comment

by:aa230002
ID: 16919084
Event ID 6008 shows that the last reboot was unexpected. Please check the System log before 6008, I mean when it went down. It might be an informational event, but it can give us some information about why it triggered the reboot.

Thanks,
Amit Aggarwal
0
 

Author Comment

by:domokosvarga
ID: 16919098
This is the last log before 6008... It's from yesterday...

Event Type:      Information
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7036
Date:            2006.06.15.
Time:            18:11:12
User:            N/A
Computer:      EXC
Description:
The Logical Disk Manager Administrative Service service entered the stopped state.
0
 
LVL 12

Expert Comment

by:aa230002
ID: 16919128
Please check all 30-40 events before 6008 in detail. I am expecting an exception in one of the processes or DLLs. Also check about 30-40 events in the application log at the same time. Please check all warnings, information events and errors.


Thanks,
Amit Aggarwal.
0
 

Author Comment

by:domokosvarga
ID: 16919299
Dear Amit Aggarwal

The previous 30-40 system events>

Brightstore agent was restarted by me.
Domain controller Symantec client patched (that's why the SMTP service was uncontactable)
Logical disk administrative service entered stopped or started state

These are for around 2 weeks

The previous 30-40 application events>

Zombie users disabled user account event 9548.
Symantec LiveUpdate
ESE util online defrag
And some EXCDO errors

Event Type:      Error
Event Source:      EXCDO
Event Category:      General
Event ID:      8206
Date:            2006.06.16.
Time:            11:31:25
User:            N/A
Computer:      EXC
Description:
Calendaring agent failed with error code 0x8004010f while saving appointment.

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 48 72 53 61 76 69 6e 67   HrSaving
0008: 41 70 70 74 3a 3a 48 72   Appt::Hr
0010: 43 68 65 63 6b 50 61 74   CheckPat
0018: 74 65 72 6e 20 66 61 69   tern fai

Nothing else... :(
0
 
LVL 8

Expert Comment

by:ksearch
ID: 16921479
What about the power supply? Can you put in a different one to test? Sometimes just a tiny little "underage" is all it takes.
0
 

Author Comment

by:domokosvarga
ID: 16958364
Power supply was OK, and it is redundant...

Anyway...

The provider got the box, and got an exact same one here...

Only the HDDs and the Smart Array card were changed back...

Now everything is OK...

I really wish to know what happened. 72 hours of power testing... no result...

Suspicious HW problem...

0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17241159
PAQed with points refunded (500)

DarthMod
Community Support Moderator
0
