2008r2 file server stops accepting connections

Hi Guys

I need some assistance with a 2008r2 file server that becomes inaccessible periodically throughout the day.
some background on the issue...........

I have a standalone 2008r2 file server. server seems to run fine for a period of time and then suddenly stops accepting connections. this occurs randomly throughout the day. the only way to fix the problem is to restart the server.

one of the things I've noticed is that shares are inaccessible over the network but if I open the share from the server itself via the same UNC path, it works.

DNS checks out fine, network connectivity is fine, error logs do not give any info on the problem.
when checking sessions on the server, I noticed during one outage yesterday that the server had 1024 open files when it stopped working. the specificity of that number led me to believe that it was a limit of some sort, which led me to this article (http://support.microsoft.com/kb/324446/en-us)
the registry entries in the article were applied, issue still persists.
when checking the open file count during todays outage, it was sitting at 479 open files so I'm not sure about the limit being the cause.
Server patch level is up to date as of 3 weeks ago, this also includes all hotfixes from article (http://support.microsoft.com/kb/2473205/en-us) which is specific to file servers.
Server is running symantec antivirus (v12.1.1). I plan on stopping AV on the server for a while to test if this is the cause.

Any assistance with this issue will be greatly appreciated.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Radhakrishnan RSenior Technical LeadCommented:

Is there any backup running at the time of issue?  if so, try to change the backup schedule and see it makes any difference. Yes, Antivirus (especially SEP) cause this type of issues.  

Also, try disabling SMB2 on the server

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Parameters
Add a new REG_DWORD key with the name of Smb2.
Value name     Smb2
Value type     REG_DWORD
0 =     disabled
1 =     enabled
Set the value to 0 to disable SMB2, or set it to 1 to re-enable SMB2.
ablsysadminAuthor Commented:
Hi Raj

thanks for getting back to me.
there are no backups running at the time of the outages.

if I disable SMB2, will the server default to SMB1 ? and if so, what happens to the active SMB2 sessions ?
ablsysadminAuthor Commented:
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Radhakrishnan RSenior Technical LeadCommented:

As a backwards compatibility, yes, its revert to SMB1. You can have a look at this article and  get a fully understanding about SMB http://www.petri.com/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

Hope this helps
ablsysadminAuthor Commented:
Thanks for the article, explains it nicely.
I'm waiting for the server to crash again before I make any more changes (murphy's law, its gonna run fine now)
It could also be caused by licensing issues. Maybe you have exceeded the CALS by the number you you own when it happens.
ablsysadminAuthor Commented:
server just crashed. I upgraded my symantec to version 12.1.3 as per recommendation from the vendor, will wait and see if there is any improvement.

this licensing issue you mention, how do I check if its a licensing issue ? I'm not aware of any licensing for a file server.
You need CALs for the users connecting to a server. As far as I know the 2008 r2 server standard comes with 5 such CALs. If more users try connecting they won't be able to. If you need more CALs you have to buys those.

The licensing overview from the link below should give you some idea. CALs are explained on page 18:

ablsysadminAuthor Commented:
i am running Microsoft network monitor 3.4. I will send the log asap. The server died now again
ablsysadminAuthor Commented:
ok, no luck. server is dead. had to reset.
ablsysadminAuthor Commented:
ok, here we go. the network capture
ablsysadminAuthor Commented:
please review and advise asap
ablsysadminAuthor Commented:
just an update, so far the below has been implemented

1. configured tcp stack settings as per below

        Receive-Side Scaling State          : disabled
        Chimney Offload State               : disabled
        NetDMA State                               : enabled
        Direct Cache Acess (DCA)            : disabled
        Receive Window Auto-Tuning Level    : normal
        Add-On Congestion Control Provider  : ctcp
        ECN Capability                              : disabled
        RFC 1323 Timestamps                 : disabled
2. applied hotfixes/patches/regEntries from the below articles
3. disabled SMB2 as per http://support.microsoft.com/kb/2696547/en-gb
        this caused more problems. lots of clients could no longer connect. reg entries were removed again.
4. call has been logged with microsoft (they say symantec should be disabled)
5. call logged with symantec (waiting for callback) due to the below article
6. network monitor trace run leading up to the time of an outage, nothing in    the logs that indicate where the problem is.
7. symantec AV was upgraded from v12.1.1 to v12.1.3.

Issue still persists.
ablsysadminAuthor Commented:
latest update, symantec has been has been disabled.
will now wait and see if it resolves the issue
ablsysadminAuthor Commented:
latest update,

After Symantec was disabled, the server did not fail from yesterday morning until now (about 19 hours running time)
Due to the risk of not having AV on the server being so high, I’ve now uninstalled v12.1.3 and installed v11.0.6.
Will monitor throughout the day.
ablsysadminAuthor Commented:

v11.0.6 ran successfully for about 4 days without incident.
symantec came back stating that 12.1.5 was just released and it should resolve the problem.
upgrade to v12.1.5 was done but the issue reappeared after 1 day.
I have now downgraded symantec back to v 11.0.6.

awaiting further feedback from symantec.
ablsysadminAuthor Commented:
Latest update .......

server is still running symantec v11.0.6 without issue for the last 1 month.
The call logged with symantec as been closed as they could not replicate the issue in their labs and I could not allow them to test on my prod server so the issue remains unresolved.
downgrading to v11 is the accepted solution for me. I will attempt an upgrade once symantec releases a new version.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ablsysadminAuthor Commented:
the provided solution worked for me
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.