computers are restarted after joining to domain

after I've joined clients to domain, they restarted randomly without any blue screen or s.th else. sometime they restarted after logging in, and sometimes during work.
after restart just a savedump error message shows up in event viewer and some error numbers.
My clients, as servers, using ipsec policies using preshared keys and I don't deploy ipsec policies with active directory.
I've activated them manually on every client computer.
what the reason of restarts could be?
LVL 4
majidhajaliAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rindiCommented:
Right Click "My Computer", select "Properties", "Advanced", Startup and recovery "Settings", and disable "Auto restart" on system error. You should then get Bluescreens instead of restarts. Post the Stop codes you get. Also upload some minidumps to here (in the Windows\minidump directory).
0
majidhajaliAuthor Commented:
I did what you said. Blue screen with random files and random errors appeared.
Sometimes it shows errors for some files like sysaudio.sys or win32k.exe and ..., but some times without file names and has errors like page in nonepaged area or some other errors.
These problems didn't appear before joining clients to domain. I examine domain and local policies thoroughly and didn't find any setting.
I attached 2 minidump files, but please rename those extensions to .dmp if you want examine them.
Mini012908-02.txt
Mini012908-03.txt
0
majidhajaliAuthor Commented:
This is memory dump analyze:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e289b533, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf8ade90, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name
Image at f793c000 had size 0

Image at f793c000 had size 0


READ_ADDRESS:  e289b533

FAULTING_IP:
win32k!ReadLayoutFile+22c
bf8ade90 397808          cmp     dword ptr [eax+8],edi

MM_INTERNAL_CODE:  1

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  winlogon.exe

LAST_CONTROL_TRANSFER:  from bf8adc34 to bf8ade90

STACK_TEXT:  
f6e5f944 bf8adc34 e16eafa0 01580178 00000888 win32k!ReadLayoutFile+0x22c
f6e5f964 bf8d1b3b 00000938 000017f0 00007523 win32k!LoadKeyboardLayoutFile+0x6a
f6e5f9f0 bf8d163d 842bf138 00000938 00000000 win32k!xxxLoadKeyboardLayoutEx+0x1be
f6e5fd40 8053c808 00000938 752317f0 0006e1b4 win32k!NtUserLoadKeyboardLayoutEx+0x152
f6e5fd40 7c90eb94 00000938 752317f0 0006e1b4 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006e17c 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND:  kb

FOLLOWUP_IP:
win32k!ReadLayoutFile+22c
bf8ade90 397808          cmp     dword ptr [eax+8],edi

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  win32k!ReadLayoutFile+22c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  41107f7a

FAILURE_BUCKET_ID:  0x50_win32k!ReadLayoutFile+22c

BUCKET_ID:  0x50_win32k!ReadLayoutFile+22c

Followup: MachineOwner
---------
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

rindiCommented:
One of the crashes you got points to a "sysaudio.sys" driver. Try uninstalling audio drivers and get updates.
0
majidhajaliAuthor Commented:
You were right, but on the same computer, the bug check which I posted here shows that win32k.sys is the point of failure.
It's the dump analyze on the same computer,
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8485a4, The address that the exception occurred at
Arg3: f6fa0914, Trap Frame
Arg4: 00000000

Debugging Details:
------------------




EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!xxxKENLSProcs+2f
bf8485a4 3816            cmp     byte ptr [esi],dl

TRAP_FRAME:  f6fa0914 -- (.trap 0xfffffffff6fa0914)
ErrCode = 00000000
eax=15954800 ebx=00008000 ecx=159548e1 edx=0000004c esi=368e685d edi=f6fa09d0
eip=bf8485a4 esp=f6fa0988 ebp=f6fa0990 iopl=0         ov up ei pl nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010a07
win32k!xxxKENLSProcs+0x2f:
bf8485a4 3816            cmp     byte ptr [esi],dl          ds:0023:368e685d=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf849a3a to bf8485a4

STACK_TEXT:  
f6fa0990 bf849a3a f6fa09d0 00000000 f6fa09e8 win32k!xxxKENLSProcs+0x2f
f6fa09ac bf8c2afe f6fa094c 00000000 00000000 win32k!xxxProcessKeyEvent+0x1f9
f6fa09ec bf8c3607 e1b39a00 4cb39a68 00000001 win32k!ProcessKeyboardInputWorker+0x24d
f6fa0a0c bf85e489 e1b39a68 8433ab18 f6fa0a64 win32k!ProcessKeyboardInput+0x68
f6fa0a1c 804fd030 e1b39a68 e1b39a90 00000000 win32k!InputApc+0x4e
f6fa0a64 80500198 00000000 00000000 00000000 nt!KiDeliverApc+0x124
f6fa0a7c 804f973e 804fd79c 00000001 00000000 nt!KiSwapThread+0x64
f6fa0ab4 bf8aec51 00000007 8456bdc0 00000001 nt!KeWaitForMultipleObjects+0x284
f6fa0d30 bf8c8594 f76cb4a8 00000002 f6fa0d54 win32k!RawInputThread+0x4f3
f6fa0d40 bf800ff4 f76cb4a8 f6fa0d64 0075fff4 win32k!xxxCreateSystemThreads+0x60
f6fa0d54 8053c808 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
f6fa0d54 7c90eb94 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND:  kb

FOLLOWUP_IP:
win32k!xxxKENLSProcs+2f
bf8485a4 3816            cmp     byte ptr [esi],dl

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  win32k!xxxKENLSProcs+2f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  41107f7a

FAILURE_BUCKET_ID:  0x8E_win32k!xxxKENLSProcs+2f

BUCKET_ID:  0x8E_win32k!xxxKENLSProcs+2f

Followup: MachineOwner
---------






and it's dump analyze on another computer in the network.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: a9c618e4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf8485a4, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************



MODULE_NAME: win32k

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  41107f7a

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 a9c618e4

FAULTING_IP:
win32k!xxxKENLSProcs+2f
bf8485a4 3816            cmp     byte ptr [esi],dl

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from bf849a3a to bf8485a4

STACK_TEXT:  
f965b990 bf849a3a f965b9d0 00000000 f965b9e8 win32k!xxxKENLSProcs+0x2f
f965b9ac bf8c2afe f965b933 00000000 00000000 win32k!xxxProcessKeyEvent+0x1f9
f965b9ec bf8c3607 e1c7cb00 33c7cb58 00000001 win32k!ProcessKeyboardInputWorker+0x24d
f965ba0c bf85e489 e1c7cb58 82659a50 f965ba64 win32k!ProcessKeyboardInput+0x68
f965ba1c 804f1dd8 e1c7cb58 e1c7cb80 00000000 win32k!InputApc+0x4e
WARNING: Stack unwind information not available. Following frames may be wrong.
f965ba64 804ed199 00000000 00000000 00000000 nt!PsGetProcessJob+0xe8
f965bab4 bf8aec51 00000007 826667f0 00000001 nt!KeSaveFloatingPointState+0x363
f965bd30 bf8c8594 f966b4a8 00000002 f965bd54 win32k!RawInputThread+0x4f3
f965bd40 bf800ff4 f966b4a8 f965bd64 0075fff4 win32k!xxxCreateSystemThreads+0x60
f965bd54 804df06b 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
f965bddc 804fa477 805bcbff 00000001 00000000 nt!ZwYieldExecution+0xb96
00000000 00000000 00000000 00000000 00000000 nt!KeInitializeTimer+0x10c


STACK_COMMAND:  kb

FOLLOWUP_IP:
win32k!xxxKENLSProcs+2f
bf8485a4 3816            cmp     byte ptr [esi],dl

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  win32k!xxxKENLSProcs+2f

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  win32k.sys

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------


Both computers and other computers on the network, got same errors.
what is win32k.sys? I think all errors initiated by  this file.

0
majidhajaliAuthor Commented:
I've find a solution by myself, I replaced a Language dll with original dll, and that dll was the probelm,
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.