Unexplained reboots

Discussion in 'Windows Server' started by Carlos Felipe França da Fonseca, Jul 20, 2009.

  1. I have 180 Windows Server 2003 servers being automatically rebooted almost every
    day. This is the event:

    Event Type: Information
    Event Source: USER32
    Event Category: None
    Event ID: 1074
    Date: 7/20/2009
    Time: 12:45:41 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    The process winlogon.exe has initiated the restart of computer SERVERNAME on
    behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for
    this reason could be found
    Reason Code: 0x40005
    Shutdown Type: restart
    Comment:

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 05 00 04 00 ....

    Does anybody have any idea what is going on?
     
    Carlos Felipe França da Fonseca, Jul 20, 2009
    #1
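
The reason code in the event posted above can be decoded offline, which helps when sorting the same event from many servers. This is an added example, not part of the thread: the function names are hypothetical, the bit layout and reason names are taken from the Windows SDK header `reason.h`, and the sample is the description and data lines of the posted event.

```python
import re
import struct

# Bit layout from the Windows SDK header reason.h (not from the thread):
# bit 31 = planned, bit 30 = user-defined, bits 16-23 = major, bits 0-15 = minor.
FLAG_PLANNED, FLAG_USER_DEFINED = 0x80000000, 0x40000000
MAJOR = {0: "Other", 1: "Hardware", 2: "Operating system", 3: "Software",
         4: "Application", 5: "System", 6: "Power", 7: "Legacy API"}
# Subset of the minor codes; anything else is reported numerically.
MINOR = {0x00: "Other", 0x01: "Maintenance", 0x02: "Installation",
         0x03: "Upgrade", 0x04: "Reconfiguration", 0x05: "Hung",
         0x06: "Unstable", 0x0F: "Blue screen", 0x10: "Service pack",
         0x11: "Hot fix", 0x12: "Security fix", 0x13: "Security issue"}

# Constructed sample: the description and data lines of the event posted above.
SAMPLE_EVENT = r"""
The process winlogon.exe has initiated the restart of computer SERVERNAME on
behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for
this reason could be found
Reason Code: 0x40005
Shutdown Type: restart
Data:
0000: 05 00 04 00 ....
"""

def decode_reason(code):
    """Split a shutdown reason code into its flags, major and minor parts."""
    major, minor = (code >> 16) & 0xFF, code & 0xFFFF
    return {"planned": bool(code & FLAG_PLANNED),
            "user_defined": bool(code & FLAG_USER_DEFINED),
            "major": MAJOR.get(major, "unknown (0x%02X)" % major),
            "minor": MINOR.get(minor, "unknown (0x%04X)" % minor)}

def parse_event_1074(text):
    """Pull initiator, account and decoded reason out of an event 1074 text."""
    flat = " ".join(text.split())  # undo the event viewer's line wrapping
    who = re.search(r"The process (\S+) has initiated the (\w+) of computer "
                    r"(\S+) on behalf of user (.+?) for the following", flat)
    code = int(re.search(r"Reason Code: (0x[0-9A-Fa-f]+)", flat).group(1), 16)
    event = {"process": who.group(1), "action": who.group(2),
             "computer": who.group(3), "user": who.group(4),
             "code": code, "reason": decode_reason(code)}
    # In the posted event the Data bytes repeat the code as a little-endian DWORD.
    raw = re.search(r"0000: ((?:[0-9A-Fa-f]{2} ){3}[0-9A-Fa-f]{2})", flat)
    if raw:
        stored = struct.unpack("<I", bytes.fromhex(raw.group(1)))[0]
        event["data_matches_code"] = stored == code
    return event

if __name__ == "__main__":
    print(parse_event_1074(SAMPLE_EVENT))
```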

  2. Hello Carlos Felipe França da Fonseca,

    This is a basic message related to the reboot but not to the reason itself.
    See also:
    http://support.microsoft.com/kb/293814

    Well, if 180 servers have the same symptom, it seems to be driver related,
    are all the same hardware? Do you use the latest drivers and at least SP2
    and the latest patches from windowsupdate?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 20, 2009
    #2

  3. All 180 of your servers are doing this? Wow. Are they all DCs, or mixed DCs and member servers?

    Using Unix services?
    What are you using for AV?

    Just for kicks, run Malwarebytes (www.malwarebytes.com) and Spybot on one of them just to see what they have to say.

    See if the following help.

    An access violation occurs in Lsass.exe and event IDs 1015 and 1000 are logged in the application log on a Windows Server 2003 domain controller
    http://support.microsoft.com/kb/818080

    The Lsass.exe process crashes when you use Kerberos authentication to log on to a MIT realm on a Windows Server 2003 SP1-based domain controller
    http://support.microsoft.com/kb/911185

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    http://twitter.com/acefekay

    For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Jul 20, 2009
    #3
  4. Carlos

    Is there an electrical power drop for a second or maybe two, and you do not have any
    power backup? That is a possibility if all 180 go into a reboot at the same time.
     
    Peter Foldes, Jul 20, 2009
    #4
  5. Hi Peter,

    This is not an unexpected shutdown.
    As shown in the event below, the process winlogon.exe just restarts the
    server cleanly.

    Thanks for your answer,

    Felipe
     
    Carlos Felipe França da Fonseca, Jul 21, 2009
    #5
  6. Hi Ace!

    They are mixed servers. I have found many articles talking about domain
    controllers, but they are mixed.

    Thanks,

    Felipe
     
    Carlos Felipe França da Fonseca, Jul 21, 2009
    #6
  7. I forgot to tell you about the antivirus.
    We are using E-Trust, from Computer Associates.

    Thanks,
     
    Carlos Felipe França da Fonseca, Jul 21, 2009
    #7
  8. Hi Meinolf!

    I don't believe it's hardware related, since we don't update drivers
    proactively.
    So, I'm sure that all servers are using drivers from different versions.
    We update drivers individually only when we face problems.
    The servers are running W2k3 SP2 with the latest patches. Maybe one of the
    patches is causing the problem.
    Windows Update is disabled, since we use deployment software to install
    the updates.

    Thanks,

    Felipe
     
    Carlos Felipe França da Fonseca, Jul 21, 2009
    #8
  9. Ahh, CA's E-Trust. We've had problems with them with many issues from PowerPoint presentations not being able to be saved to network drives, to many other issues. When I worked for a 4500 user system as an Exchange engineer (there were 17 Exchange servers), we simply disabled it on our servers. The other servers (DCs, member servers, SAP, and numerous others, similar to what you have), were having intermittent issues. If I remember correctly, we had to disable 'scan network drives' on them, as well as (should be default) to not scan the Sysvol and NTDS folder on the DCs, as well as some other folders (can't remember now), and the issues went away.

    As for the PowerPoint issue, we had to work with CA for 4 months before they finally put an engineering team together to help us upon our threatening to go to McAfee if they couldn't get it resolved. We knew it was CA because if we disabled all CA services, the issue didn't occur. It happened to be an update for an arclib.dll file (if I remember the name correctly), that caused all the problems. They wound up creating a new update to stop the issue. Funny, however, they came out with subsequent updates to that file that get installed automatically, and it started happening again, and I would just rename the new one, copy the old one over, and it would go away. We would then report it, and of course they would send us an updated one that 'fixes' it. This went on for a couple of months.

    To get to that point to find the issue with PowerPoint, we had to run process monitor to find out if it certainly was CA. CA wanted us to prove it was their software doing it by us comparing process monitor logs while CA was running and after we disabled it while testing PowerPoint saves.

    Now on your servers, this is a much more difficult task because you don't exactly know when it's going to happen, and running processmon creates a VERY huge file that is difficult to find the issue, if it were to occur, but I guess you can run it on one server until it does reboot, to find the culprit by looking at the last 5 minutes or so of the log to figure it out.

    Well, not saying that it is CA, but when I hear CA and reboot in the same sentence, it just gives me cause to wonder.

    Tell you what, just to test if it is or isn't CA, disable all their services on a couple of servers, and let me know if the problem stops occurring.

    Ace
     
    Ace Fekay [MCT], Jul 21, 2009
    #9