Server 2003: 3 Servers Blue Screen at the Same Time (VM's)

This morning around 2:15am, three of our servers crashed, all at the same time (within a minute) and were hung on this blue screen:

http://i210.photobucket.com/albums/bb65/djfrost143/work/Untitled-1.jpg

The event logs on all of the servers that blue screened are pretty clean. The only events leading up to the blue screens around 2:15 were automatic update services, which only started and stopped on all servers. No updates were actually installed.

These servers are VM's. There are 13 VMs all running Server 2003 on this one Proliant DL585 G2 ESX server. Only 3 of them crashed.

If you look in VIC, and click the performance tab → Change Chart Options and sort by “last day”, you can see that around 2:15 – 2:20am, all of the servers that blue screened had a sudden spike in CPU usage, all around the same time. If you look at the other servers, their CPU usage remained stable.

It’s hard to tell what caused the Blue Screens. Many times they are caused by Windows Updates, or hardware failures. However, I believe if it was a hardware issue, all of the other VM’s would have crashed also. But, there’s also nothing software related going on in the event logs leading up to the crash.

Any ideas as to what could have caused this or how to dig deeper and what to look for?

0
NoneProfit
Asked:
1 Solution
 
Joediggity2 Commented:
What time are your Windows updates set to apply (if they are set to apply automatically)?
0
 
truromeo4juliet Commented:
Yesterday was the 2nd Tuesday of the month (Microsoft update day)... Chances are, they all took the same update and decided to hose themselves... try booting to safe mode in each VM and restoring to an earlier time using MS System Restore, or booting to repair mode and performing the same process.
0
 
Stappmeyer Commented:
Any chance they are all on the same datastore that has filled up?
0
Joediggity2 Commented:
Also, was it a one-time event (servers came back after reboot) or are they still dead?
0
 
truromeo4juliet Commented:
I'm sorry, TODAY is the 2nd Tuesday of the month, but the update could've been small and fast, but reckless and deadly like a bullet :( Continue with my advice above.
0
 
NoneProfit (Author) Commented:
They are actually not set to install until 3am nightly, set by a GPO.
In the event log, the events leading up to the crash are as follows:

12:51am  Service Control Manager  7035  The LiveUpdate service was successfully sent a start control
12:51am  Service Control Manager  7036  The LiveUpdate service entered the running state
12:51am  Service Control Manager  7036  The LiveUpdate service entered the stopped state
12:53am  Service Control Manager  7035  The LiveUpdate service was successfully sent a start control
12:53am  Service Control Manager  7036  The LiveUpdate service entered the running state
12:53am  Service Control Manager  7036  The LiveUpdate service entered the stopped state

And the next error was:

8:16am  eventlog  6008  The previous system shutdown at 2:16am on 8/17/2010 was unexpected

And what I am just realizing now is that in the application log, it shows:

12:52am  Symantec Antivirus  7  New virus definition file loaded. Version 120816p.

So the LiveUpdate service is not Windows Update, it's Symantec. Maybe the virus definition caused the BS? But, that was at 1am and the crash was at 2:15am, and none of the other servers crashed. ...
0
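The timeline reasoning in the post above can be made mechanical. This is an added example, not part of the original thread: it parses event lines in the shape quoted in the post, pulls the real crash time out of the event 6008 message, and reports the last logged event before each crash and whether the crashes cluster. The host names `vm1`/`vm2`, the pipe-separated layout, the second host's lines and the assumption that all events fall on 8/17/2010 are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines shaped like those quoted in the post, prefixed with
# hypothetical host names; all events are assumed to fall on the crash date.
SAMPLE = """\
vm1|12:51am|Service Control Manager|7035|The LiveUpdate service was successfully sent a start control
vm1|12:52am|Symantec Antivirus|7|New virus definition file loaded. Version 120816p.
vm1|12:53am|Service Control Manager|7036|The LiveUpdate service entered the stopped state
vm1|8:16am|eventlog|6008|The previous system shutdown at 2:16am on 8/17/2010 was unexpected
vm2|12:52am|Symantec Antivirus|7|New virus definition file loaded. Version 120816p.
vm2|8:17am|eventlog|6008|The previous system shutdown at 2:15am on 8/17/2010 was unexpected
"""
FMT = "%m/%d/%Y %I:%M%p"
SHUTDOWN_RE = re.compile(r"shutdown at (\d{1,2}:\d{2}[ap]m) on (\d{1,2}/\d{1,2}/\d{4})")

def parse(text, day="8/17/2010"):
    events = []
    for line in text.splitlines():
        host, clock, source, event_id, msg = line.split("|", 4)
        events.append({"host": host, "source": source, "id": int(event_id),
                       "msg": msg, "time": datetime.strptime(f"{day} {clock}", FMT)})
    return events

def crash_times(events):
    """Event 6008 is written at the next boot; the crash time is in its message."""
    crashes = {}
    for e in events:
        m = SHUTDOWN_RE.search(e["msg"]) if e["id"] == 6008 else None
        if m:
            crashes[e["host"]] = datetime.strptime(f"{m.group(2)} {m.group(1)}", FMT)
    return crashes

def last_event_before_crash(events):
    """Per host: (last event logged before the crash, quiet gap until the crash)."""
    result = {}
    for host, crash in crash_times(events).items():
        prior = [e for e in events if e["host"] == host and e["time"] <= crash]
        if prior:
            last = max(prior, key=lambda e: e["time"])
            result[host] = (last, crash - last["time"])
    return result

def clustered(crashes, window=timedelta(minutes=1)):
    """True when every crash falls inside one window, pointing at a shared trigger."""
    return bool(crashes) and max(crashes.values()) - min(crashes.values()) <= window

if __name__ == "__main__":
    evs = parse(SAMPLE)
    for host, (ev, gap) in last_event_before_crash(evs).items():
        print(host, ev["source"], ev["id"], "quiet for", gap)
    print("clustered:", clustered(crash_times(evs)))
```

A long quiet gap on every crashed host, combined with tightly clustered crash times, suggests looking outside the guest event logs (hypervisor logs, scheduled scans, memory dumps) rather than at the last logged service event.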
 
NoneProfit (Author) Commented:
Oh, and yes the servers are back up and running after a reboot. I am sorry I forgot to mention that, as important as it is. I just am looking to figure out why it happened to prevent future occurrences.
0
 
truromeo4juliet Commented:
Just re-read your original post... if you had a spike in CPU usage, it could be that the 3 VM's ran the scheduled automatic update task and then encountered a paging issue... try zeroing the paging files in each of the 3 VM's and re-enable them... alternatively, run chkdsk C: /f inside each of the 3 VM's to find errors, I guess. I'm out of ideas.
0
 
NoneProfit (Author) Commented:
@ Stappmeyer, they are all on the same datastore, but there is over 200GB free.
@ Truromeo, that would make sense, only they did not crash until 2:15 and the scheduled updates (Symantec) ran at 1. When you say re-zero the page files, I am not sure what you mean by that. Isn't that when the page files are cleared out? Would that be accomplished by a restart or is a manual way possible while the server is in production?
0
 
truromeo4juliet Commented:
Yes, clear the page files out... it would be accompanied by a restart, then another restart when you re-enable the paging file.
0
 
Joediggity2 Commented:
Even though Windows updates are set to run at 3:00am, if I remember correctly they actually have a 60 minute randomization in them so all the computers do not get updates at exactly the same time. On the Symantec side, after the LiveUpdate, depending on the settings a scan is done either on active files or in some cases full or partial scans. There is a chance something happened during the scan.
0
 
leegclystvale Commented:
hmmmmmm.......I have seen the word "Symantec" in your post....... coincidental?......I don't think so :o)
0
 
NoneProfit (Author) Commented:
Haven't had any issues since. There was no real resolution other than a reboot. Still not sure why it happened, I guess we will see if it happens again.
0
