Twice a day something takes my server down
Not sure if this is the right forum but I got to start somewhere. For months I've been trying to track this problem down. This all started after I took a vacation. Prior to leaving all was well. While gone no changes to configuration were made and none prior everything was fine w/ no problems. Since getting back something is firing up around 10 and then again around 3 that basically grinds the system to a slow grind and then I have to reboot because access to the Internet or files to the server are not possible. You can actually hear the server grinding away. No events show up in the Event Viewer indicating there is an error w/ an app or something else. I've used PerfMon from SysInternals and found nothing running that shouldn't be running or eating up resources other than the store.exe......No task are scheduled to run at these times....No AV....No Updates.....
The server is 2003 and here are the specs for the is the domain controller and exchange server for the company....25 local users and 5 remote.....
Dell Server PE1800.....1GB ram....I know the ram is low but the amount of mailboxes was the same before this started and I would think if it was a low ram issue this would have been going on prior to my vacation.....
What else can i provide anyone to help me w/ this problem.....I've got to get this resolved because I'm starting to catch some heat over this issue....
November 11th, 2008 6:35pm
sounds like it's indexing...anything spiking the CPU? check the taskmgr...
Free Windows Admin Tool Kit Click here and download it now
November 12th, 2008 7:40am
You could always take a image snapshot of your server, then restore your registry back to when you left to take holidays Follow my procedure:
Navigate on the server to c:\windows\repair check the date modified on these files. If they are really old dont use them, if they are recent we will restore them.Registry files need to be manually copied outside of windows in Directory Services Restore mode. To access this you need to boot of a windows 2003 CD, you will also need the RAID drivers on a floppy disk.Once youre in Directory Services Restore mode, navigate to the System Volume Information directory provided the registry backups in windows\repair are too old. In the system volume information type:DIR /OThis will show you all directories from oldest to newest. You want a relatively new one about 2 weeks old. The directories look like this:_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}If we were using this directory, navigate to a folder with a name something like this:C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\SnapshotIn here there are a bunch of files that have this naming format:_REGISTRY_USER_.DEFAULT_REGISTRY_MACHINE_SECURITY _REGISTRY_MACHINE_SOFTWARE_REGISTRY_MACHINE_SYSTEM _REGISTRY_MACHINE_SAMCopy them to C:\Windows\System32\Config and rename them to suit the original name. ie. _REGISTRY_MACHINE_SYSTEM will be renamed to SYSTEM.Make you backup the original registry files in system32\config to system.bak or something, so if it does not boot with the restored registry files, you can boot back into recovery console and restore the original ones.
November 12th, 2008 3:26pm
1. We can download ExBPA to have a health check for the Exchange Server.
Microsoft Exchange Best Practices Analyzer v2.8
2. We can check counter via Performance Tool to see if disk I/O performance is OK.
Performance Counters for Database DisksPhysicalDisk\Average Disk sec/Read and PhysicalDisk\Average Disk sec/Write The average value should be below 20 ms.Spikes (maximum values) should not be higher than 50 ms.Transaction logs:PhysicalDisk\Average Disk sec/Read The average value should be below 5 ms.Spikes (maximum values) should not be higher then 50 ms.PhysicalDisk\Average Disk sec/Write The average value should be below 10 ms.Spikes (maximum values) should not be higher than 50 ms.Performance Counters for SMTP Queues:PhysicalDisk\Average Disk sec/Read and PhysicalDisk\Average Disk sec/Write The average value should be below 10 ms.Spikes (maximum values) should not be higher than 50 ms.
3. We can use Process Explorer to trace which exe spike your CPU. It can be download from the following link:
After that, please check event log against the result from above steps and then post the detail result here for further troubleshooting.
Hope it helps.
Free Windows Admin Tool Kit Click here and download it now
November 13th, 2008 10:04am
1. I ran ExBPA and all is well.....
2. When the slow down starts.....none yesterday.....two today and I think it might be more. I can't get to the performance monitor and when I do the pages/sec and % processor time are pegging out on the chart....scale is set to 1.000.....the avg disk queue is spiked at the top of the chart.....
3. is results..
ProcessPIDCPUDescriptionCompany NameSystem Idle Process073.08procexp.exe66080.77Sysinternals Process ExplorerSysinternals - www.sysinternals.comwuauclt.exe5980Windows Update Automatic UpdatesMicrosoft Corporationwmiprvse.exe4932WMIMicrosoft Corporationwmiprvse.exe4680WMIMicrosoft Corporationwins.exe3120WINS SERVERMicrosoft Corporationwinlogon.exe5416Windows NT Logon ApplicationMicrosoft Corporationwinlogon.exe372Windows NT Logon ApplicationMicrosoft Corporationw3wp.exe5244IIS Worker ProcessMicrosoft Corporationw3wp.exe4804IIS Worker ProcessMicrosoft CorporationVxTaskbarMgr.exe6252Software Update Taskbar UtilityVERITAS Software Corporationvssvc.exe4476Microsoft Volume Shadow Copy ServiceMicrosoft CorporationTevoSource.exe14320.38Replay Agent ServiceAppAssure Software, IncTeaTimer.exe6372System settings protectorSafer Networking Limitedtcpsvcs.exe2064TCP/IP Services ApplicationMicrosoft CorporationSystem424.23svchost.exe880Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe756Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe3816Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe824Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe5640Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe596Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe860Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe1920Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe2632Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe6308Generic Host Process for Win32 ServicesMicrosoft Corporationsvchost.exe8032Generic Host Process for Win32 ServicesMicrosoft Corporationstore.exe4408Microsoft MDB StoreMicrosoft Corporationsqlservr.exe22720.38SQL Server Windows NTMicrosoft Corporationsqlservr.exe2312SQL Server Windows NTMicrosoft Corporationsqlservr.exe2368SQL Server Windows NTMicrosoft Corporationsqlmangr.exe6392SQL Server Service ManagerMicrosoft Corporationsqlagent.EXE3704Microsoft SQL Server AgentMicrosoft Corporationspoolsv.exe1304Spooler SubSystem AppMicrosoft Corporationsnmp.exe2656SNMP ServiceMicrosoft Corporationsmss.exe300Windows NT Session ManagerMicrosoft Corporationsfmsvc.exe2084Windows NT Macintosh File Server ServiceMicrosoft Corporationsfmprint.exe2120MacPrint ServiceMicrosoft Corporationservices.exe420Services and Controller appMicrosoft CorporationRtvscan.exe2816Symantec AntiVirusSymantec Corporationrdpclip.exe2248RDP Clip MonitorMicrosoft Corporationpvlsvr.exe3364Backup Exec PVL ServiceVERITAS Software CorporationPRONoMgr.exe6240PRONotifyMgr ModuleIntel(R) CorporationPBESER~1.EXE1528APC PowerChute Business Edition ServerAPCpbeagent.exe1516APC PowerChute Business Edition AgentAPCOWSTIMER.EXE2788SharePoint Timer ServiceMicrosoft Corporationntfrs.exe2420File Replication ServiceMicrosoft Corporationmssearch.exe3612Microsoft PKM Search ServiceMicrosoft Corporationmsdtc.exe1336MS DTCconsole programMicrosoft Corporationmmc.exe5292Microsoft Management ConsoleMicrosoft Corporationmmc.exe6580Microsoft Management ConsoleMicrosoft CorporationMDM.EXE2184Machine Debug ManagerMicrosoft Corporationmad.exe3560Microsoft Exchange Server - System AttendantMicrosoft Corporationlsass.exe432LSA ShellMicrosoft Corporationlogon.scr4300Logon Screen SaverMicrosoft CorporationInterruptsn/a0.38Hardware Interruptsinetinfo.exe2020Internet Information ServicesMicrosoft Corporationexplorer.exe6044Windows ExplorerMicrosoft Corporationexmgmt.exe3480Microsoft Exchange WMI ProviderMicrosoft CorporationDSM_BMU_SOLProxy32.exe2752DPCsn/a0.38Deferred Procedure Callsdns.exe1904Domain Name System (DNS) ServerMicrosoft Corporationdfssvc.exe1844Windows NT Distributed File System ServiceMicrosoft CorporationDefWatch.exe1796Virus Definition DaemonSymantec Corporationdavcdata.exe7500Web DAV File Handle CacheMicrosoft Corporationcsrss.exe5612Client Server Runtime ProcessMicrosoft Corporationcsrss.exe348Client Server Runtime ProcessMicrosoft Corporationcertsrv.exe1752Microsoft Certificate ServiceMicrosoft Corporationbeserver.exe3972Backup Exec RPC ServerVERITAS Software Corporationberemote.exe1540Backup Exec Remote Agent for Windows NT/2000VERITAS Software Corporationbenser.exe1728Backup Exec Naming ServiceVERITAS Software Corporationbengine.exe324Backup Exec Job EngineVERITAS Software Corporationbenetns.exe1696Backup Exec Agent BrowserVERITAS Software Corporation
November 14th, 2008 12:47am
I noticed this is also started to show up....
Event Type:ErrorEvent Source:VSSEvent Category:NoneEvent ID:11Date:11/13/2008Time:10:10:57 AMUser:N/AComputer:MTJ01Description:Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x8007041d]
and this follows along w/ it...
Event Type:ErrorEvent Source:VSSEvent Category:NoneEvent ID:8193Date:11/13/2008Time:10:10:57 AMUser:N/AComputer:MTJ01Description:Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d.
I am using an app that takes snapshots of the server for backing up Exchange. Replay 2007......This errors appear when Replay is attempting to access the Exchange server to take a snapshot. It takes a snapshot every 15 mintues and this was abou the time it would be taking a snapshot.....this error nor the server slow down happen every 15 minutes so it can't be related to Replay.....
Also I noticed on the weekends when nobody is in the office it appears this slow down does not occur.....and didn't happen at all yesterday......
Free Windows Admin Tool Kit Click here and download it now
November 14th, 2008 12:56am
We can start performance Tool from Start-Administrative Tools-Performance. Please check again.
Meanwhile, we need to disable VSS to narrow down the root cause.
If it is not the case, then Id like to know if it is a SBS Server, I found several SQL related process.
If the problem is affected by VSS, then please follow the steps below to troubleshoot the issue.
First please apply the hotfix listing below:
Various issues may occur on a Windows Server 2003-based computer that is running the Volume Shadow Copy Service
Availability of Windows Server 2003 Post-Service Pack 2 COM+ 1.5 Hotfix Rollup Package 12
Availability of a Volume Shadow Copy Service (VSS) update rollup package for Windows Server 2003 to resolve some VSS snapshot issues;EN-US;940349
Then Register the VSS components:
cd /d %windir%\system32
Net stop vss
Net stop swprv
regsvr32 ole32.dll
regsvr32 oleaut32.dll
regsvr32 vss_ps.dll
vssvc /register
regsvr32 /i swprv.dll
regsvr32 /i eventcls.dll
regsvr32 es.dll
regsvr32 stdprov.dll
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
regsvr32 msxml4.dll
Net start vssNet start swprv
Hope it helps.
November 14th, 2008 9:06am
I'm lost on how to find the following information on the Performance Monitor. I know how to find the physicaldisk\average disk sec/read.....but how do I get the information for the Transaction logs and SMTP Queues?
VSS on the volumes is disabled so that Replay can run. The service is set to Automatic and can not be disabled because Replay uses that.
Free Windows Admin Tool Kit Click here and download it now
November 14th, 2008 7:30pm
Still happening......around 11 and 3....starts grinding away.....first goes the companyweb....then email slows way down....then the Internet goes comes the phone calls......reboot....takes 30 minutes....this is killing me!!!!!!
December 4th, 2008 8:01pm
I had something similar once and before I would suggest anything, I would like to find out something:
If you do a restart of your router, doesthe connectivity to your website, email, etc., come back like it should?
Free Windows Admin Tool Kit Click here and download it now
December 5th, 2008 12:23am
Thanks for writing.....Idon't have to restart the router....but sometimes when we lose Internet I have to restart the router after I verify that we have not lost connection due to the server going down....
Today it didn't happen.....that is what is making this so strange......
December 5th, 2008 1:17am
Sorry for the late reply...I thought I was supposed to get an alert when a reply was made, but I guess not.
Anyway...I had a very similar problem to yours, last year. When the problem began to happen, I was rebooting just as you are...but found that if I just did a quick reload on my router when the issue arose, the problem would clear. It ultimately came down to my DNS Server being infected and even though I could never pinpoint the culprit, removing that server and replacing it resolved the issue. My mail server would bog-down, we would lose Internet, etc...similar to what you are experiencing.
Free Windows Admin Tool Kit Click here and download it now
December 5th, 2008 9:59pm