Daily BSOD on all three Windows Server 2003 boxes

Posted on 2007-10-10
Last Modified: 2008-01-11
Hello Experts,

I've been scratching my head on this one and could really use some help.  I have three new HP DL385 boxes and they BSOD at least once a day each.  I even rebuilt one of the boxes and it still does the same thing.

The BSODs come up with the following types of messages (two examples for each server):
Server 1:
Error code 100000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9aaafd0.
Error code 100000d1, parameter1 0000000c, parameter2 d0000002, parameter3 00000000, parameter4 f7a1afb3.

Server 2:
Error code 100000d1, parameter1 000000e8, parameter2 d0000002, parameter3 00000000, parameter4 f70f8fda.
Error code 1000008e, parameter1 c0000005, parameter2 f70f8d9b, parameter3 f4d91a70, parameter4 00000000.

Server 3:
Error code 1000000a, parameter1 00000014, parameter2 d0000002, parameter3 00000000, parameter4 80813e87.
Error code 1000008e, parameter1 c0000005, parameter2 f76d2d35, parameter3 b76c094c, parameter4 00000000.

Windows Help and Support says the crashes are due to a driver error, but does not give any indication of which driver or device is causing the crashes.  All three boxes are identical in build (all purchased at the same time).  All have Windows Server 2003 with all of the latest patches / service packs.  The NIC driver has been updated on all three servers, but the other drivers are of the version provided by the copy of SmartStart that came with the servers.

Could someone offer help in finding out how to figure out which driver is causing these crashes?

Question by:cfetzer
    LVL 1

    Expert Comment

    Are you using Windows Update to download and install drivers?  If so, I suggest obtaining the drivers directly from the manufacturer instead and installing those.  In my experience, Windows Update sometimes prescribes generic or incorrect drivers for your hardware.

    If you look in the Windows Event Viewer, do you see any errors/warnings listed around the same time that the BSOD occurred?  Anything revealing in there?
    LVL 1

    Author Comment

    Hi, thanks for the comment.

    Yeah, I've combed through the logs numerous times and can't find anything fishy before the crashes happen.  I also don't use Windows updates to update the drivers.  All three boxes are new HP DL385 boxes and all of the hardware drivers are from HP.  Yup, I've had issues with MS's recommended driver updates so I don't use them.

    However, I configured the servers to create minidumps and since they crashed as usual since yesterday, I was able to open one of them up (downloaded symbols and debugging tools).  Here is the output from one of the minidumps.  It references TDI.SYS and I can't seem to find anything helpful after looking through the knowledgebase and googling:

    Microsoft (R) Windows Debugger  Version 6.7.0005.1
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [c:\windows\minidump\Mini101007-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\windows\symbols*
    Executable search path is: c:\windows\i386
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
    Product: LanManNt, suite: TerminalServer SingleUserTS
    Built by: 3790.srv03_sp2_gdr.070304-2240
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
    Debug session time: Wed Oct 10 10:49:12.062 2007 (GMT-5)
    System Uptime: 1 days 2:31:56.736
    Loading Kernel Symbols
    Loading User Symbols
    Loading unloaded module list
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    Use !analyze -v to get detailed debugging information.
    BugCheck 100000D1, {0, d0000002, 1, b9aaafd0}
    Probably caused by : TDI.SYS ( TDI!CTEpEventHandler+32 )
    Followup: MachineOwner

    1: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arg1: 00000000, memory referenced
    Arg2: d0000002, IRQL
    Arg3: 00000001, value 0 = read operation, 1 = write operation
    Arg4: b9aaafd0, address which referenced memory

    Debugging Details:

    WRITE_ADDRESS:  00000000

    b9aaafd0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

    PROCESS_NAME:  System
    LAST_CONTROL_TRANSFER:  from b9b0c5fd to b9aaafd0

    f78eea38 b9b0c5fd 847ba7d0 84703848 00000e20 afd!AfdBReceiveEventHandler+0x358
    f78eeaa0 b9b0a4c5 006365c0 00001850 894af118 tcpip!IndicateData+0x300
    f78eeaec b9b09c21 1d54c1b5 1d54c1b5 894af118 tcpip!TcpFastReceive+0x301
    f78eebc8 b9b06236 8a64b1d0 0400000a 0400000a tcpip!TCPRcv+0x723
    f78eec28 b9b0445e 00000024 8a800840 b9b099d2 tcpip!DeliverToUser+0x189
    f78eecb8 b9b10251 8a64b1d0 894bfa10 00000030 tcpip!IPRcvPacket+0x686
    f78eed64 baf71064 b9b44e60 8a64b1d0 8b37a8d0 tcpip!LoopXmitRtn+0x195
    f78eed80 8088043d 8a64b1d0 00000000 8b37a8d0 TDI!CTEpEventHandler+0x32
    f78eedac 80949b7c b9b44e60 00000000 00000000 nt!ExpWorkerThread+0xeb
    f78eeddc 8088e062 80880352 00000001 00000000 nt!PspSystemThreadStartup+0x2e
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    baf71064 5f              pop     edi

    SYMBOL_NAME:  TDI!CTEpEventHandler+32
    FOLLOWUP_NAME:  MachineOwner
    FAILURE_BUCKET_ID:  0xD1_W_TDI!CTEpEventHandler+32
    BUCKET_ID:  0xD1_W_TDI!CTEpEventHandler+32
    Followup: MachineOwner
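As an added example (not part of the thread, and not HP or Microsoft tooling): a Python triage of the six event-log lines from the question, using the parameter roles shown in the `!analyze -v` output above. It masks the extra 0x10000000 in the logged code (the dump buckets 100000D1 as 0xD1) and reports, per server, any 4 KB page in which more than one crash faulted; the function names and the page-grouping heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Bugcheck code -> (name, 1-based parameter holding the faulting instruction).
# 0xD1 roles come from the !analyze -v output above; 0x0A shares that layout.
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL", 4),
    0xD1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL", 4),
    0x8E: ("KERNEL_MODE_EXCEPTION_NOT_HANDLED", 2),  # p1 = exception code
}
LINE_RE = re.compile(
    r"Error code ([0-9a-f]{8})"
    + "".join(r", parameter%d ([0-9a-f]{8})" % i for i in range(1, 5)), re.I)

EVENTS = [  # the six event-log lines quoted in the question
    ("Server 1", "Error code 100000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9aaafd0."),
    ("Server 1", "Error code 100000d1, parameter1 0000000c, parameter2 d0000002, parameter3 00000000, parameter4 f7a1afb3."),
    ("Server 2", "Error code 100000d1, parameter1 000000e8, parameter2 d0000002, parameter3 00000000, parameter4 f70f8fda."),
    ("Server 2", "Error code 1000008e, parameter1 c0000005, parameter2 f70f8d9b, parameter3 f4d91a70, parameter4 00000000."),
    ("Server 3", "Error code 1000000a, parameter1 00000014, parameter2 d0000002, parameter3 00000000, parameter4 80813e87."),
    ("Server 3", "Error code 1000008e, parameter1 c0000005, parameter2 f76d2d35, parameter3 b76c094c, parameter4 00000000."),
]

def parse_bugcheck(line):
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a bugcheck event line: %r" % line)
    raw, *params = (int(g, 16) for g in m.groups())
    code = raw & 0x0FFFFFFF  # the dump above buckets 100000D1 as 0xD1
    name, idx = BUGCHECKS.get(code, ("UNKNOWN", None))
    rec = {"code": code, "name": name, "fault_addr": params[idx - 1] if idx else None}
    if code in (0x0A, 0xD1):
        rec["access"] = "write" if params[2] & 1 else "read"
    elif code == 0x8E:
        rec["exception"] = params[0]  # c0000005 = access violation
    return rec

def repeated_fault_pages(events, page=0x1000):
    """Per server, 4 KB pages containing the faulting instruction of 2+ crashes."""
    hits = defaultdict(lambda: defaultdict(list))
    for server, line in events:
        rec = parse_bugcheck(line)
        if rec["fault_addr"] is not None:
            hits[server][rec["fault_addr"] & ~(page - 1)].append(rec["name"])
    out = {s: {p: n for p, n in pages.items() if len(n) > 1} for s, pages in hits.items()}
    return {s: p for s, p in out.items() if p}

if __name__ == "__main__":
    print(repeated_fault_pages(EVENTS))
```

On these lines only Server 2 repeats: its 0xD1 and 0x8E crashes fault within the same page (f70f8fda and f70f8d9b), which points at one piece of code failing under two different stop codes.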
    LVL 66

    Expert Comment

    Where is the TDI.sys file it is referencing?

    Just fyi, if it is not in c:\windows\system32\drivers


    LVL 1

    Author Comment

    Thanks John,

    Although I checked the location of the TDI.SYS files and they are located in c:\windows\system32\drivers where they belong.  No other copies exist directly under c:\windows as the article states.
    LVL 66

    Expert Comment

    Might try resetting TCPIP...

    netsh int ip reset reset.log

    Then reboot and hope for the best?

    Also, in the debugger, run the following with one of those dumps...

    LVL 1

    Author Comment

    Yea, I'll try that, but I actually rebuilt one of the servers completely and even the new build gets BSODs.

    I really wish there was more information in that dump to figure out which piece of hardware is causing this!
    LVL 66

    Expert Comment

    Yea, the dumps are great, when you find an answer out of them....

    Did you use the same drivers for this one as was already installed?
    LVL 1

    Author Comment

    Yea, exact same drivers...except I tried upgrading the NIC driver with the latest version to see if that helped (it's a dual-port NIC, load-balanced) and that didn't seem to fix it.
    LVL 66

    Expert Comment

    Might try an older one than the original even?
    LVL 1

    Accepted Solution

    HP finally came back and said it was a RAID driver.  They provided the driver and this fixed the problem.  Thanks for the suggestions anyway.  I appreciate it.
    LVL 66

    Expert Comment

    Your honor, I object!!!

    Just kidding....No obj. by me.....

    LVL 1

    Expert Comment

    Closed, 500 points refunded.
    Community Support Moderator
