kirret
asked on
Windows Server 2008 Shutting Down
Hi guys
This is the error message I found today:
The process C:\Windows\system32\winlog on.exe (SERVER) has initiated the power off of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: power off
Comment:
The server itself is about 6 months old Dell PowerEdge running Foundation Server 2008 x64. It has happened 3 times today that the server just shuts down, not restarting but shutting down. I got a phone call after it happened the first time today so I was connected remotely to it when witnessed disconnect from RDP, but it wasn't just a "snap", and it's off but I saw a message first that it's logging off.
Exactly the same thing happened 4/4/2012 when the server shut itself down 4 times in 2 hours and then stayed stable, until now.
Any thoughts?
Thanks
This is the error message I found today:
The process C:\Windows\system32\winlog
Reason Code: 0x500ff
Shutdown Type: power off
Comment:
The server itself is about 6 months old Dell PowerEdge running Foundation Server 2008 x64. It has happened 3 times today that the server just shuts down, not restarting but shutting down. I got a phone call after it happened the first time today so I was connected remotely to it when witnessed disconnect from RDP, but it wasn't just a "snap", and it's off but I saw a message first that it's logging off.
Exactly the same thing happened 4/4/2012 when the server shut itself down 4 times in 2 hours and then stayed stable, until now.
Any thoughts?
Thanks
Please check the required link
http://social.msdn.microsoft.com/Forums/en-US/etw/thread/ca79615b-a76e-4e42-acfb-608057651981
http://social.msdn.microsoft.com/Forums/en-US/etw/thread/ca79615b-a76e-4e42-acfb-608057651981
ASKER
No, there's no scheduled task for it. As I said the server is about 6 months old but it's only the second day (02/05/2012 and then 04/04/2012) when it has happened several times during these 2 days.
How can I remove the permissions to shutdown the server for SYSTEM?
@dariusg and @nsonbaty - you are both pointing to the same article what describes an error message when a system has been shut down manually. I have said though that in my case the server shuts down on its own...
How can I remove the permissions to shutdown the server for SYSTEM?
@dariusg and @nsonbaty - you are both pointing to the same article what describes an error message when a system has been shut down manually. I have said though that in my case the server shuts down on its own...
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@Firebar
Which one should I remove then to avoid the server shutting down on its own?
Which one should I remove then to avoid the server shutting down on its own?
Who is supposed to turn-off the server. This should be only a handful of people. Remove everyone just to test it, add yourself as the only one who can turn it off. Make a note of the default membership.
ASKER
I know that no one else is turning it off. It's a dentist practice and the server is in a separate room, everyone else are in surgeries or at the reception. And, as I said before, I was logged in remotely (RDP) when I got the message that it's logging off.
I'm the only one who is supposed to restart/turn off/install updates etc and I'm 99.9% certain that none of the staff knows the password and how to turn it off. So it's the system itself as described in my initial system. Which one of them 4 is the System account I should remove from there to avoid the shut down process triggered by the server itself?
I'm the only one who is supposed to restart/turn off/install updates etc and I'm 99.9% certain that none of the staff knows the password and how to turn it off. So it's the system itself as described in my initial system. Which one of them 4 is the System account I should remove from there to avoid the shut down process triggered by the server itself?
I would remove them all and add you and one other person who can shut the machine off. Just to test it out. SYSTEM's membership cannot be manually controlled. It is implicitly added by the OS itself.
ASKER
Well, can't remove/add anyone remotely, options are grayed out. So will have to ask someone to do it locally.
Additionally, last time when we had the same problem (4/4/2012) it happened 4 times in 2-3 hours and then stopped. Today it has happened 3 times and it's been almost an hour now since the last shut down so I wouldn't be surprised if it won't happen again, maybe for another 30 days or so, in case if there's a pattern developing...
Also, is it not worth finding out what's triggering it (the cause) instead of patching the problem with changing permissions?
Additionally, last time when we had the same problem (4/4/2012) it happened 4 times in 2-3 hours and then stopped. Today it has happened 3 times and it's been almost an hour now since the last shut down so I wouldn't be surprised if it won't happen again, maybe for another 30 days or so, in case if there's a pattern developing...
Also, is it not worth finding out what's triggering it (the cause) instead of patching the problem with changing permissions?
Look in the Event Logs, around the times the shutdowns occur. System Log, App Log, Security Log.
ASKER
System log:
3.14.44pm The Application Experience service entered the stopped state.
3.19.33pm The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
3.20.21pm The process C:\Windows\system32\winlog on.exe (SERVER) has initiated the power off of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found (thats the main message)
3.20.22pm User Logoff Notification for Customer Experience Improvement Program
And loads of other services shutting down as expected.
Application log has these:
3.20.22pm The Desktop Window Manager has exited with code (0x40010004)
3.20.25pm SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.
Prior to the shut down nothing for 15 minutes. Both of these messages are well expected as the system is shutting down.
Security Log:
3.19.41pm An account was successfully logged on. Security ID: NULL SID
3.20.21pm An account was logged off. Security ID: Computer12-PC$
3.20.22pm User initiated logoff: Security ID: Myusername
As I said it has happened 3 times today. I noticed that in every instance when the server has shut down there's an entry in Security log like this one:
An account was logged off. Security ID: Computer12-PC$
Sometimes it's Computer 12, sometimes it's Computer 13. And it happened up to 25 seconds before the server was shut down in all 3 occasions.
Maybe there's something there?
Thanks
3.14.44pm The Application Experience service entered the stopped state.
3.19.33pm The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
3.20.21pm The process C:\Windows\system32\winlog
3.20.22pm User Logoff Notification for Customer Experience Improvement Program
And loads of other services shutting down as expected.
Application log has these:
3.20.22pm The Desktop Window Manager has exited with code (0x40010004)
3.20.25pm SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.
Prior to the shut down nothing for 15 minutes. Both of these messages are well expected as the system is shutting down.
Security Log:
3.19.41pm An account was successfully logged on. Security ID: NULL SID
3.20.21pm An account was logged off. Security ID: Computer12-PC$
3.20.22pm User initiated logoff: Security ID: Myusername
As I said it has happened 3 times today. I noticed that in every instance when the server has shut down there's an entry in Security log like this one:
An account was logged off. Security ID: Computer12-PC$
Sometimes it's Computer 12, sometimes it's Computer 13. And it happened up to 25 seconds before the server was shut down in all 3 occasions.
Maybe there's something there?
Thanks
That may narrow the scope a bit. Run all sorts of A/V software against 12 and 13.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your reply sapird.
There's no tool installed from Dell, I did install Speedfan though yesterday to monitor the overheating possibility. Fortunately/unfortunately all cores are staying around 30 degrees Celsius...
Is there anything else I could install on it what monitors the server hardware?
There's no tool installed from Dell, I did install Speedfan though yesterday to monitor the overheating possibility. Fortunately/unfortunately all cores are staying around 30 degrees Celsius...
Is there anything else I could install on it what monitors the server hardware?
ASKER
What is striking though is that it happened yesterday, that’s Wednesday, and 4th of April was Wednesday as well. Additionally, both happened between 1pm and 4pm. So if there’s a pattern establishing then it should happen again in 4 weeks’ time, on Wednesday the 30th of May...
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
is the computer joined to domain?
if there is no critical services on it you can tray and move the date/time to see:):)
if there is no critical services on it you can tray and move the date/time to see:):)
ASKER
It is a DC yes. Will look into the Dell doc you provided later.
Could this be licensing? It seems to happen once a month, which would jive with an activation error. Is Windows properly licensed and activated?
ASKER
Yea, Windows is activated it says. And there are 5 PCs connected to it so I doubt it will be a licensing issue...
5 CALS are a default for Windows Server, though I am not 100% on that for Windows Foundation.
ASKER
There's no need for CAL with Foundation Server...
http://www.techrepublic.com/blog/datacenter/windows-server-2008-r2-foundation-gives-small-networks-more-options/1600
http://www.techrepublic.com/blog/datacenter/windows-server-2008-r2-foundation-gives-small-networks-more-options/1600
There shouldn't be any, but that is my opinion.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@ rejoinder
I'm not sure it's a hardware problem. If it was it would just go off without logging off and without showing the messages in the log file that's it's about to log off. Unless of course servers as so well built and so clever that they can still turn off properly when a capacitor goes. Additionally, it might be a coincidence, but as I mentioned it happened exactly 4 weeks apart, same day, same time...
But thanks for your input
I'm not sure it's a hardware problem. If it was it would just go off without logging off and without showing the messages in the log file that's it's about to log off. Unless of course servers as so well built and so clever that they can still turn off properly when a capacitor goes. Additionally, it might be a coincidence, but as I mentioned it happened exactly 4 weeks apart, same day, same time...
But thanks for your input
Yeah, a hardware issue like the one I mentioned would likely just stop the server dead in its tracks and not gracefully shutdown - good point.
If the server has a fancy powerbar/UPS hooked up, could some equipment in the office be browning out the power enough that the computer gets a signal to shutdown?
If the server has a fancy powerbar/UPS hooked up, could some equipment in the office be browning out the power enough that the computer gets a signal to shutdown?
ASKER
So just an update as I don't want to close the topic yet.
The server hasn't experienced the same issu, yet. But as I said in an earlier comment it, if there's a pattern developing then it might happen again on the 30thof May, 4 weeks after the last occurance.
So will wait and see.
The server hasn't experienced the same issu, yet. But as I said in an earlier comment it, if there's a pattern developing then it might happen again on the 30thof May, 4 weeks after the last occurance.
So will wait and see.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Had to choose my comment as an answer cause noone offered that advice. Thanks
I would remove the permission to shutdown the server from SYSTEM, in the local security policy.