Services shut off with no warning, stops file sharing

funnymanmike
funnymanmike used Ask the Experts™
on
the following services periodically shut down on their own, i can't see anything in the event logs as to why.

these services once down, stop any file sharing going on.

Application Management
Computer Browser
Remote Access Connection Manager
Network Connections
Network Location Awareness (NLA)

Ive attached a list of services & setup. will attach event logs shortly.


services.xls
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
event logs
eventlogs.zip

Commented:
Are the workstation and Server services also shutting down? If not, it sounds like you have a browser conflict. I am currently rebuilding my main desktop for the administrtor, so I couldn't open up the zip file due to lack of a zip utility.

I'll bet you have event 8030 and 8021 that say something like, "xxxcomputer thinks it is the domain master browser. The browser service has been stopped and an election has been forced."

Author

Commented:
yeah workstation and server have also been known to shut down.

this server has a odd recent history (i was away)
the previous tech removed it from the domain forgot the password so we sent it into a password recovery shop.
once we got the password put it back on a domain, now its just a stand alone server. so i don't know if its creating a weird conflict.

i'll check for the events tomorow and update.
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Commented:
So, many things may apply:

You may have this server tombstoned in AD, depending on how long it was in the "password recovery" shop. So, you may have AD metadata.

You may have AD Sites and Services told to replicate to this server, even though it is not just a "member server". So, there is probably FRS metadata.

You might also have DNS metadata of SRV records for this server being an AD server.


Author

Commented:
So what do you recommend doing?

Author

Commented:
this has also happened to another server (2) recently.

at the start of it, i thought it was just a problem with RPC an unable to RDP to the server (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23875203.html)

Commented:
For staters follow this: http://windowsitpro.com/article/articleid/80294/jsi-tip-7751-winmgmt-could-not-initialize-the-core-parts.html

Your getting that error several times in your application log.

All the services that are crashing except Computer Browser can be ignored. BUT, the fact that svchost.exe -k netsvcs is crashing is a bigger concern.

Also your getting an:
EventID 3095
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

To resolve this if it is in the domain:
change the local admin password, drop the computer from the domain, delete the computer in AD Users & Computers, DNS, and WINS if using wins. If you have more then one DC wait for replication, then rejoin the server to the domain.

Also looks like you may have an issue with your Dell RAID controller:
cercsr6
The description for Event ID ( 9 ) in Source ( cercsr6 ) cannot be found.
OR, this could be malware acting as the cercsr6.sys file if in windows, windows\system32

For this its possible you have an infection of sometype. I would run an antivirus scan using another vendor like www.trendmicro.com HouseCall (under Personal) or AVG or a trial of Mcaffe.

This event makes me think you have more of a RAID/disk issue then anything else:
Event ID 55
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:

In this case I'd make sure you have a good backup of the system, and if the system is under warranty call in a hardware tech to check out the controller. If not, rebuild on new hardware if possible, if not try to replace the controller (be sure to use the configuration from the drives when the controller detects them).

Author

Commented:
Thanks kg69:

I ran a virus scan on it today, looks clean

i will follow the procedure tonight as well as run the checkdsk hopefuly that fixes those problems.

do you feel that once i run (http://windowsitpro.com/article/articleid/80294/jsi-tip-7751-winmgmt-could-not-initialize-the-core-parts.html) the system will act normally?

Author

Commented:
- run http://windowsitpro.com/article/articleid/80294/jsi-tip-7751-winmgmt-could-not-initialize-the-core-parts.html

Commands i ran

C:\>winmgmt /clearadap
C:\>winmgmt /kill
C:\>winmgmt /unregserver
C:\>winmgmt /regserver
C:\>winmgmt /resyncperf
Generated following event errors

Event Type:      Error
Event Source:      WinMgmt
Event Category:      None
Event ID:      28
Date:            11/4/2008
Time:            11:06:18 PM
User:            N/A
Computer:      CBIZ_QB
Description:
WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      WinMgmt
Event Category:      None
Event ID:      43
Date:            11/4/2008
Time:            11:06:18 PM
User:            N/A
Computer:      CBIZ_QB
Description:
WMI ADAP failed to connect to namespace \\.\root\cimv2 with the following error: 0x80041002

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      WinMgmt
Event Category:      None
Event ID:      60
Date:            11/4/2008
Time:            11:06:18 PM
User:            N/A
Computer:      CBIZ_QB
Description:
WMI ADAP was unable to process the performance libraries: 0x80041001

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- run chkdsk
Volume fragmentation
    Total fragmentation                        = 6 %
    File fragmentation                         = 12 %
    Free space fragmentation                   = 0 %
Not Recommended to defrag

Author

Commented:
applied 234474_ENU_i386 HF, this was from http://support.microsoft.com/kb/910666

services appear to be up on start up

received the following errors

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1090
Date:            11/5/2008
Time:            12:26:16 AM
User:            NT AUTHORITY\SYSTEM
Computer:      CBIZ_QB
Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1090
Date:            11/5/2008
Time:            12:25:17 AM
User:            NT AUTHORITY\SYSTEM
Computer:      CBIZ_QB
Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      WinMgmt
Event Category:      None
Event ID:      28
Date:            11/5/2008
Time:            12:25:17 AM
User:            N/A
Computer:      CBIZ_QB
Description:
WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

i will monitor this server for the next day, hopefully this resolved the problem
Commented:
I think you should look for metadata of an improperly demoted domain controller:

FRS, DNS and AD metadata is what you should look for.

This article explains the four stages of a deleted SID. It also has some information on how to look for certain metadata.
http://support.microsoft.com/kb/248047

This page is used to remove all that metadata of a domain controller:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Author

Commented:
but this was never a domain controller, it was just a server part of a domain.
Commented:
It could be bad data in the WMI file of your machine. You can rebuild the WMI files by:
1 Stop the Windows Management Instrumentation service (WMI service). (Do not disable it)
2 Go to the %SystemRoot%\System32\Wbem\Repository folder.
3. Delete all of the files in that file folder
4 Restart the computer. Restarting will start the WMI service and rebuild the WMI files.

Author

Commented:
Thanks ChiefIT

scheduled for after production tonight

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial