SBS 2003 system with Windows 2003 server SP2 and Exchange 2003 SP2.
When someone comes into the office first thing, they find they cannot log on to the domain, and on checking the server they find that it has a light grey or black screen, with a mouse cursor showing, but the server appears to be unresponsive, and the mouse doesn't move. To get things happening again the server is manually rebooted around 8 am.
The last application log before the freeze is informational from WBLOGSVC, at 4:30:10 am and says
"The description for Event ID ( 2004 ) in Source ( WBLOGSVC ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ." (and there's no following information)
The last few system log entries shown that
3:59:00 am "The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state" (after being idle for 15 minutes and being suspended)
4:51:34 am "The WinHTTP Web Proxy Auto-Discovery Service service was successfully sent a start control."
4:51:34 am "The WinHTTP Web Proxy Auto-Discovery Service service entered the running state."
-these seem innocent enough.
The last security log entry is a 5:05 am and there's no errors or warnings, but looking back to 4:30 am there's quite a bit of Account Management activity related to sbsmonacct.
Server status and usage reports are set to run at 6 am and 6:30 am respectively.
The collect usage data task is set to start at 4:30 am.
Exchange server database management is set to run from 1 am to 5:00 am
After the server is rebooted there is a problem with the Exchange E00.log file which prevents the exchange databases mounting.
(Application log error from ESE, event 465)
"Information Store (2828) First Storage Group: Corruption was detected during soft recovery in logfile C:\Program Files\Exchsrvr\mdbdata\E00.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 5128 (0x00001408). This logfile has been damaged and is unusable. "
CA Etrust Threat Management with antivirus signature 31.6.6497.0 dated 11 May 09
APC Back-UPS ES550 running APC Powerchute personal edition 2.0. It shows no blackout, overvoltage, undervoltage or electrical noise events in the last 4 weeks.
Adaptec card with RAID1 showing healthy.