Windows Server 2008 Terminal Server - Event 7011 and 1530

JSchoeberle

System Issue
- Server goes into an unknown state where domain users cannot log off, explorer.exe becomes unresponsive, and some users can continue working, while others cannot.
- Domain Administrators cannot get into Control Panel/Administrative Tools
- Icon that network cable is disconnected is seen in the notification area by administrators
- Server still responds to ping requests
- Server is located in a DC, no physical access to the server, only RDP
- Only thing I could do is comb through the event log looking for something

System Outline
- 2 terminal servers running off a load balancer, both exhibiting same issues at approx. the same timeline
- Windows Server Enterprise 2008 SP2 32-bit, 16 GB RAM
- Both running same applications and patch level
- Server is patched for most important updates up to date
- Terminal servers had been running for 26 days stable, weeks since their last reboot
- No new software was installed/configured since then

Things I Found
A pattern of Event ID: 1530 Application Log:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 21/2/2012 10:54:46 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: SVR-TS03.Star.County
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
25 user registry handles leaked from \Registry\User\S-1-5-21-3206598590-745459590-3389446312-1463:
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7257ddb5-5a29-11df-975c-002219af9615}
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\{4BD8D571-6D19-48D3-BE97-422220080E43}
** I had to shorten how much of this event to paste due to its length **
A second example of a pattern is seen in the System Log Event ID 7011 :: netprofm and fdPHost service
LOG EXAMPLE 1
Log Name: System
Source: Service Control Manager
Date: 21/2/2012 10:55:16 AM
Event ID: 7011
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SVR-TS03.Star.County
Description:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.
LOG EXAMPLE 2
Log Name: System
Source: Service Control Manager
Date: 21/2/2012 10:55:53 AM
Event ID: 7011
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SVR-TS03.Star.County
Description:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.
Actions Taken To Resolve
- Only action I could do was attempt to restart the servers
- The first reboot took approx. 10 minutes to process before it actually went down and rebooted
- After server came back up same issues were seen (administrator users could not get into Control Panel or any Administrative Tools)
- A second reboot was performed, and then the servers started to operate correctly
- The servers continued to operate correctly since (this happened yesterday)

Any thoughts as to why these events happened, which ended up causing loss of work for almost 100 users that connect to this environment? Any additional diagnostic work I should be performing?
 
Resolve this SID S-1-5-21-3206598590-745459590-3389446312-1463 to a username and forbid this user access to the server for one day (create another user); it looks like this user is causing the problem. Anyway, I don't understand why some services are not responding in time...
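
Resolving the SID and counting which process holds the leaked keys in a 1530 event, as an added PowerShell example that is not part of either post. The function name Get-ProfileHandleLeak is hypothetical, and the sample text is constructed from the shortened event pasted in the question.

```powershell
# Added example: summarize an Event ID 1530 description by SID and holding process.
function Get-ProfileHandleLeak {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Header line: "<N> user registry handles leaked from \Registry\User\<SID>:"
    $head = [regex]::Match($Message, '(\d+) user registry handles leaked from \\Registry\\User\\(S-1-[\d-]+)')
    if (-not $head.Success) { return }
    $sid = $head.Groups[2].Value

    # Resolve the SID to DOMAIN\user. Translate() throws when the account was
    # deleted or no domain controller can be reached, so fall back to a marker.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    # Detail lines: "Process <PID> (<image path>) has opened key <key>"
    $rows = [regex]::Matches($Message, 'Process (\d+) \(([^)]+)\) has opened key')
    $holders = $rows | Group-Object { '{0} (PID {1})' -f ($_.Groups[2].Value -split '\\')[-1], $_.Groups[1].Value } |
        ForEach-Object { '{0}: {1} key(s)' -f $_.Name, $_.Count }

    New-Object PSObject -Property @{
        Sid           = $sid
        Account       = $account
        DeclaredLeaks = [int]$head.Groups[1].Value   # count stated in the header line
        ListedKeys    = $rows.Count                  # detail lines present in the text
        Holders       = $holders -join '; '
    }
}

# Constructed sample: the event text from the question, shortened the same way.
$sample = @'
25 user registry handles leaked from \Registry\User\S-1-5-21-3206598590-745459590-3389446312-1463:
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7257ddb5-5a29-11df-975c-002219af9615}
Process 33704 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3206598590-745459590-3389446312-1463\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\{4BD8D571-6D19-48D3-BE97-422220080E43}
'@
Get-ProfileHandleLeak $sample | Format-List

# On the terminal server itself, feed it the logged events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530 } |
#     ForEach-Object { Get-ProfileHandleLeak $_.Message }
```

Run across every 1530 event from the incident window, the Holders column shows whether the leaks come from one process and one account or from many sessions at once.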
 