NoneProfit

Server 2003: 3 Servers Blue Screen at the Same Time (VMs)

This morning around 2:15am, three of our servers crashed, all at the same time (within a minute) and were hung on this blue screen:

http://i210.photobucket.com/albums/bb65/djfrost143/work/Untitled-1.jpg

The event logs on all of the servers that blue screened are pretty clean. The only events leading up to the blue screens around 2:15 were automatic update services, which only started and stopped on all servers. No updates were actually installed.

These servers are VMs. There are 13 VMs all running Server 2003 on this one ProLiant DL585 G2 ESX server. Only 3 of them crashed.

If you look in VIC, and click the performance tab → Change Chart Options and sort by “last day”, you can see that around 2:15 – 2:20am, all of the servers that blue screened had a sudden spike in CPU usage, all around the same time. If you look at the other servers, their CPU usage remained stable.

It’s hard to tell what caused the Blue Screens. Many times they are caused by Windows Updates, or hardware failures. However, I believe if it was a hardware issue, all of the other VMs would have crashed also. But, there’s also nothing software related going on in the event logs leading up to the crash.

Any ideas as to what could have caused this or how to dig deeper and what to look for?

Joediggity2

What time are your Windows updates set to apply (if they are set to apply automatically)?
Yesterday was the 2nd Tuesday of the month (Microsoft update day)... Chances are, they all took the same update and decided to hose themselves... try booting to safe mode in each VM and restoring to an earlier time using MS System Restore, or booting to repair mode and performing the same process.
Any chance they are all on the same datastore that has filled up?
Also, was it a one-time event (servers came back after reboot) or are they still dead?
I'm sorry, TODAY is the 2nd Tuesday of the month, but the update could've been small and fast, but reckless and deadly like a bullet :( Continue with my advice above.
NoneProfit

ASKER

They are actually not set to install until 3am nightly, set by a GPO.
In the event log, the events leading up to the crash are as follows:

12:51am  Service Control Manager  7035  The LiveUpdate service was successfully sent a start control
12:51am  Service Control Manager  7036  The LiveUpdate service entered the running state
12:51am  Service Control Manager  7036  The LiveUpdate service entered the stopped state
12:53am  Service Control Manager  7035  The LiveUpdate service was successfully sent a start control
12:53am  Service Control Manager  7036  The LiveUpdate service entered the running state
12:53am  Service Control Manager  7036  The LiveUpdate service entered the stopped state

And the next error was:

8:16am  eventlog  6008  The previous system shutdown at 2:16am on 8/17/2010 was unexpected

And what I am just realizing now is that in the application log, it shows:

12:52am  Symantec Antivirus  7  New virus definition file loaded. Version 120816p.

So the LiveUpdate service is not Windows Update, it's Symantec. Maybe the virus definition caused the BS? But, that was at 1am and the crash was at 2:15am, and none of the other servers crashed. ...
Oh, and yes, the servers are back up and running after a reboot. I am sorry I forgot to mention that, as important as it is. I just am looking to figure out why it happened to prevent future occurrences.
ASKER CERTIFIED SOLUTION
truromeo4juliet

This solution is only available to members.

@ Stapmeyerr, they are all on the same datastore, but there is over 200GB free.
@ Truromeo, that would make sense, only they did not crash until 2:15 and the scheduled updates (Symantec) ran at 1. When you say re-zero the page files, I am not sure what you mean by that. Isn't that when the page files are cleared out? Would that be accomplished by a restart or is a manual way possible while the server is in production?

Yes, clear the page files out... it would be accompanied by a restart, then another restart when you re-enable the paging file.

Even though Windows updates are set to run at 3:00am, if I remember correctly they actually have a 60 minute randomization in them so all the computers do not get updates at exactly the same time.  On the Symantec side, after the LiveUpdate, depending on the settings a scan is done either on active files or in some cases full or partial scans.  There is a chance something happened during the scan.

hmmmmmm.......I have seen the word "Symantec" in your post....... coincidental?......I don't think so :o)

Haven't had any issues since. There was no real resolution other than a reboot. Still not sure why it happened, I guess we will see if it happens again.
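
The comparison the asker works through by hand (what each server logged before its 6008 "unexpected shutdown" record, and whether the servers that stayed up logged the same things) can be scripted. This is an added example, not part of the thread: the host names, the pipe-delimited export format and the surviving server's rows are assumptions, and the 6008 message is parsed in the form quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export: host|time|source|event ID|message. Host names and
# VM-C (a survivor) are invented; IDs and message text mirror the thread.
SAMPLE = """\
VM-A|2010-08-17 00:51|Service Control Manager|7036|The LiveUpdate service entered the running state
VM-A|2010-08-17 00:52|Symantec Antivirus|7|New virus definition file loaded. Version 120816p.
VM-A|2010-08-17 08:16|eventlog|6008|The previous system shutdown at 2:16am on 8/17/2010 was unexpected
VM-B|2010-08-17 00:53|Service Control Manager|7036|The LiveUpdate service entered the running state
VM-B|2010-08-17 00:54|Symantec Antivirus|7|New virus definition file loaded. Version 120816p.
VM-B|2010-08-17 08:17|eventlog|6008|The previous system shutdown at 2:15am on 8/17/2010 was unexpected
VM-C|2010-08-17 00:50|Service Control Manager|7036|The LiveUpdate service entered the running state
VM-C|2010-08-17 00:51|Symantec Antivirus|7|New virus definition file loaded. Version 120816p.
"""

# Assumed message format: the 6008 text as it is quoted in the thread.
SHUTDOWN = re.compile(r"shutdown at (\d{1,2}:\d{2}[ap]m) on (\d{1,2}/\d{1,2}/\d{4})")

def parse(text):
    """Yield (host, logged_at, source, event_id, message) for each line."""
    for line in text.strip().splitlines():
        host, ts, source, eid, msg = line.split("|", 4)
        yield host, datetime.strptime(ts, "%Y-%m-%d %H:%M"), source, int(eid), msg

def crash_times(events):
    """Map host -> crash time, read from the text of its 6008 record."""
    out = {}
    for host, _, _, eid, msg in events:
        m = SHUTDOWN.search(msg) if eid == 6008 else None
        if m:
            out[host] = datetime.strptime(" ".join(m.groups()), "%I:%M%p %m/%d/%Y")
    return out

def triage(text, window=timedelta(hours=2), cluster=timedelta(minutes=5)):
    """Compare what crashed and surviving hosts logged before the crash."""
    events = list(parse(text))
    crashes = crash_times(events)          # assumes at least one 6008 record
    first, last = min(crashes.values()), max(crashes.values())
    seen = {}                              # host -> {(source, event_id)} in window
    for host, ts, source, eid, _ in events:
        if first - window <= ts <= last:
            seen.setdefault(host, set()).add((source, eid))
    shared = set.intersection(*(seen.get(h, set()) for h in crashes))
    others = set().union(*(s for h, s in seen.items() if h not in crashes))
    return {"crashes": crashes, "clustered": last - first <= cluster,
            "shared_before_crash": shared, "only_on_crashed": shared - others}
```

An empty `only_on_crashed` set means nothing logged in the window separates the crashed guests from the survivor, which is the situation the asker describes as "clean" event logs.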