  • Status: Solved
  • Priority: Medium
  • Security: Public

Domain Controller Crashing

I am hoping someone could help troubleshoot an issue that's been plaguing one of my Windows 2003 x86 Domain Controller servers for a few months.

The server has been blue screening about once a month, I receive errors that the Print Spooler Service has crashed weekly, and it doesn't seem to be communicating with the other domain controllers anymore. I am thinking it might be a DNS issue, as I receive many DNS errors, but cannot track down the actual problem.

This server is named Server-AP01. Other domain controllers in this domain are Server-DC01 (located in same server rack) and Server-DC02 (located in another building connected via VPN tunnel).

From my last crash, I've copied the MiniDump below:
*****************************************************************************************************************
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Dec  2 03:48:45.769 2009 (GMT-5)
System Uptime: 1 days 2:46:45.338
Loading Kernel Symbols
...............................................................
.............................................................
Loading User Symbols
Loading unloaded module list
.....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {c0000005, 808f8157, f78cabc0, f78ca8bc}
Probably caused by : ntkrpamp.exe ( nt!IopQueryNameInternal+59 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 808f8157, The address that the exception occurred at
Arg3: f78cabc0, Exception Record Address
Arg4: f78ca8bc, Context Record Address

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!IopQueryNameInternal+59
808f8157 83782c14        cmp     dword ptr [eax+2Ch],14h

EXCEPTION_RECORD:  f78cabc0 -- (.exr 0xfffffffff78cabc0)
ExceptionAddress: 808f8157 (nt!IopQueryNameInternal+0x00000059)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000002c
Attempt to read from address 0000002c

CONTEXT:  f78ca8bc -- (.cxr 0xfffffffff78ca8bc)
eax=00000000 ebx=e6285930 ecx=00002521 edx=000001c8 esi=000000c8 edi=87914068
eip=808f8157 esp=f78cac88 ebp=f78cacd0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopQueryNameInternal+0x59:
808f8157 83782c14        cmp     dword ptr [eax+2Ch],14h ds:0023:0000002c=00000000
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000002c

READ_ADDRESS:  0000002c

FOLLOWUP_IP:
nt!IopQueryNameInternal+59
808f8157 83782c14        cmp     dword ptr [eax+2Ch],14h

BUGCHECK_STR:  0x7E

EXCEPTION_STR:  0x0

LAST_CONTROL_TRANSFER:  from 808ea1b0 to 808f8157

STACK_TEXT:  
f78cacd0 808ea1b0 87914068 00000001 00000001 nt!IopQueryNameInternal+0x59
f78cad04 8080fcc9 87914068 f78cad3c 808a3ff0 nt!IoQueryFileDosDeviceName+0x30
f78cad40 808127c2 8a3955d8 808ae5c0 8a393280 nt!CcWriteBehind+0x16d
f78cad80 80880469 8a393280 00000000 8a3955d8 nt!CcWorkerThread+0x15a
f78cadac 80949b80 8a393280 00000000 00000000 nt!ExpWorkerThread+0xeb
f78caddc 8088e092 8088037e 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!IopQueryNameInternal+59

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a799091

STACK_COMMAND:  .cxr 0xfffffffff78ca8bc ; kb

FAILURE_BUCKET_ID:  0x7E_nt!IopQueryNameInternal+59

BUCKET_ID:  0x7E_nt!IopQueryNameInternal+59

Followup: MachineOwner

*****************************************************************************************************************
Events I'm receiving in the server logs are:
******************************************************************************************************************
Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2087
Date:            12/15/2009
Time:            1:01:37 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER-AP01
Description:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 Server-dc02
Failing DNS host name:
 8a86d9c0-05bc-4b46-a1d2-1ad4b73f2a85._msdcs.mydomain.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2088
Date:            12/15/2009
Time:            1:02:37 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER-AP01
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 SERVER-DC01
Failing DNS host name:
 9dfab456-2df2-43f0-87e6-4448b75e15d1._msdcs.mydomain.com
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NTDS General
Event Category:      Replication
Event ID:      1079
Date:            12/15/2009
Time:            7:51:26 AM
User:            DOMAIN\SERVER-DC02$
Computer:      SERVER-AP01
Description:
Internal event: Active Directory could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available.
 
User Action
Increase the amount of physical memory or virtual memory and restart this domain controller.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1308
Date:            12/17/2009
Time:            9:29:19 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER-AP01
Description:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.
 
Attempts:
8
Domain controller:
CN=NTDS Settings,CN=SERVER-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Period of time (minutes):
123
 
The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.
 
Additional Data
Error value:
14 Not enough storage is available to complete this operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1308
Date:            12/17/2009
Time:            9:59:19 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER-AP01
Description:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.
 
Attempts:
454
Domain controller:
CN=NTDS Settings,CN=SERVER-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Period of time (minutes):
126
 
The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.
 
Additional Data
Error value:
14 Not enough storage is available to complete this operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

******************************************************************************************************************
These errors are simply filling the DNS logs, creating a new one every 3 minutes.
******************************************************************************************************************

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            12/18/2009
Time:            7:27:34 AM
User:            N/A
Computer:      SERVER-AP01
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    

******************************************************************************************************************
And finally, I get these generated in the System log.
******************************************************************************************************************

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      7
Date:            12/23/2009
Time:            9:37:21 AM
User:            N/A
Computer:      SERVER-AP01
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was administrator@DOMAIN and lookup type 0x20.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 17 00 00 c0               ...À    

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      7
Date:            12/23/2009
Time:            9:37:21 AM
User:            N/A
Computer:      SERVER-AP01
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was administrator and lookup type 0x0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 17 00 00 c0               ...À    

******************************************************************************************************************
******************************************************************************************************************

I am afraid this server is about to kick the bucket unless I do something quick. Just looking for a good starting place, as I've looked at a lot already and don't seem to be narrowing this down at all.
0
Asked by: pcteamadmin
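
The numeric error values and raw Data bytes in the events quoted in the question can be decoded to their symbolic Windows codes. This is an added example, not part of the original thread: the sample text is constructed by trimming four of the quoted events, and the function names are hypothetical.

```python
import re

# Constructed sample: four events trimmed from the log excerpts in the question
# (descriptions and the ASCII column of the Data dumps omitted).
SAMPLE = """\
Event Type:      Error
Event Source:      NTDS Replication
Event ID:      2087
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

Event Type:      Warning
Event Source:      NTDS KCC
Event ID:      1308
Error value:
14 Not enough storage is available to complete this operation.

Event Type:      Error
Event Source:      DNS
Event ID:      4000
Data:
0000: 2a 23 00 00

Event Type:      Error
Event Source:      KDC
Event ID:      7
Data:
0000: 17 00 00 c0
"""

# Symbolic names from the Windows SDK headers for the codes seen above.
KNOWN = {
    11004: "WSANO_DATA",                     # Winsock: name valid, no record of that type
    14: "ERROR_OUTOFMEMORY",                 # Win32
    9002: "DNS_ERROR_RCODE_SERVER_FAILURE",  # Win32 DNS range
    0xC0000017: "STATUS_NO_MEMORY",          # NTSTATUS
}

def decode_data(hex_line):
    """Decode the first DWORD of an event 'Data:' dump line (little-endian bytes)."""
    octets = hex_line.split(":", 1)[1].split()[:4]
    return int.from_bytes(bytes(int(o, 16) for o in octets), "little")

def parse_events(text):
    """Return (source, event_id, code, symbolic_name) for each event in a text export."""
    events = []
    for block in text.split("Event Type:")[1:]:
        source = re.search(r"^Event Source:\s+(.+)$", block, re.M).group(1).strip()
        event_id = int(re.search(r"^Event ID:\s+(\d+)", block, re.M).group(1))
        err = re.search(r"^Error value:\s*(\d+)", block, re.M)
        data = re.search(r"^Data:\s*(0000:.*)$", block, re.M)
        code = int(err.group(1)) if err else decode_data(data.group(1)) if data else None
        events.append((source, event_id, code, KNOWN.get(code, "unknown")))
    return events

if __name__ == "__main__":
    for source, event_id, code, name in parse_events(SAMPLE):
        shown = "-" if code is None else f"{code:#010x}"
        print(f"{source:<17} id={event_id:<5} code={shown} {name}")
```

Both the KCC error value 14 and the KDC Data bytes decode to out-of-memory codes, which lines up with the Event ID 1079 text quoted in the question.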
1 Solution
 
marine7275 Commented:
Within the text above it notes where you should start troubleshooting:

User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
0
 
holthd Commented:
Seems you've got a couple of printer queues set up on this server as well.

Go into Printers and Faxes. Open properties on at least one printer per print driver and make sure you don't get any memory access violation errors. Also, it's a bad sign if the print spooler stops/restarts.

If you happen to have any hp 2600n drivers installed I suggest you get rid of it asap. The print driver works for printing but it crashes the spooler (and sometimes causes BSOD) when the properties settings are opened.
0
 
ChiefIT Commented:
Let's check DNS and see if your MSDCS file folders are GREYED out. It looks exactly like this:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html
0
 
pcteamadmin (Author) Commented:
Worked perfectly, and seemed to resolve all the issues.
0
