Printable View
Win2k webserver runs it's own bugcheck and dumps out.
Have to log back in.
It's doing this at least twice a day.
Publishes webpages and asp connector to SQL server
The server also runs F-prot antivirus.
Can anyone please suggest the best course of action
to take to stop the problem?
Thank you.
We're going to need more specific information to provide any meaningful comments.
Give me a list to save time, be happy to oblige. otherwise I have no idea what you need to see and my guesses would waste our time.
What's this bugcheck you are referring to?
Well, of course we are guessing too. But I'll make a start.
Does this occur after any specific action on your part, like running ......?
Do your event logs show any events around that time that are not always associated with shutdown and startup?
Do your web logs show any activity at that time that seems to be common?
When the "bugcheck" runs does it create any logs or display any error code? If so, what do they say?
The logout if I can call it that, happens without any warning and as far as I can tell, without any instigation on my part.
Here are some event files
The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x00000000, 0x00000002, 0x00000000, 0xf20db912). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\MEMORY.DMP.
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{AB136EDE-B38E-492B-8A40-1D09CD0AD5E2}. The backup browser is stopping.
Is this sufficient or can I help more?
Did you have a Norton product on there before?
No Norton products.
For the record the dump file is about 489mb big
Check you memory is firmly seated. If it continues, swap out memory with new if possible or rotate sticks through the slots and see if it stops.
Then I would begin to suspect a driver or bad dll. The it all becomes a little more difficult to track down. Try the memory stuff first. It may take a day or two to eliminate that.
http://support.microsoft.com/default...roduct=win2000
Maybe this???
MLF
I run a w2 k server and whenever it starts to actup I reapply the SPs...appears to fix them for a while
Edit
Heres another one
Just put new RAM in PC. See how we go.
Will check out and re-apply service packs too.
Thank you very much.
Before I had a mess, now I have a plan thanks to you all.
RAM not the problem.
More servers shutting down now.
found this in event log
Logon Failure:
Reason: Unknown user name or bad password
User Name: TsInternetUser
Domain: DEBORAH
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DEBORAH
We dont have a DEBORAH
The PC crashed after this
I think we are under attack - help
If you are not running Terminal Services, you can disable the TsInternetUser account.
New RAM problem continues.
This was in Events security failed security test
Logon Failure:
Reason: Unknown user name or bad password
User Name: TsInternetUser
Domain: DEBORAH
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DEBORAH
We don't have a DEBORAH
Have we been attacked?
Like GandalfTheGray said, that ID (TsInternetUser) is used by Terminal Services. Are you using Terminal Services? Are these boxes that are 'crashing' behind a firewall? (which one). Are there any other 'werid' events in the other logs (system & application)?
Cheers:
For a test, i would take that machine offline (unplug the network cable(s)) and reboot it. If it seems to run fine for a while (we don't know how long it usually runs before it begins to have these problems do we?) then a good guess would be an outside influence.
If that is the case, I would put a firewall on your network, preferablly from the T-Line (or however you connect to the outside world) to your first point of contact with what you are responsible for. If you can't put a hardware firewall up anytime soon, install some software firewall on each machine while it is off the network and see if any traffic tries to call home.
Good luck and keep us posted.
~Halv
Just disabled the TsInternetUser account.
(Can we edit postings here? I accidently duplicated my last message.)
Can I presume DEBORAH was trying to logon through Terminanl Services?
What is the next move, as we have established that RAM is not the problem and now
one PC is shutting down with a dump on a faster frequency than before.
(now at least twice a day)
Two Webserver affected today, these web servers have these in common:-
1. Locked down recently
2. Baseline analizer run and attempt to get full score made
3. Serve web pages and tested ASP
4. Run perfectly up untill about two weeks ago
Exceptions:
One server of the two I have just uninstalled lock down, during process it stated
suamgrd.exe could not be changed.
It crashed after that. Rebooted and monitoring.
What should I be doing to help this situation, I am very keen to learn.
Thank you
Sounds like this: http://support.microsoft.com/default...b;en-us;826502
As for your login attempts, are you servers behind a firewall or directly exposed to the net?
Ammo
I was part protected by a software firewall Zonealarm and the server has previously performed well without a problem untill recent updates from MS. I have other servers similar set-up no crashes or IIS problems.
I will now transfer HTML and ASP to another web server and monotor offline problem webserver as suggested. But if Ammo's link is correct, this is a tcp/ip / ms update* problem and may not manifest because it won't be connected, or am I walking before I can crawl.
*I say update because server worked fine before.
Maybe it's time to put a hardware firewall somewhere but they have drawbacks and I have no experience of such things.
T1 comes to my home office straight into managed Cisco router then gets switched to two ethernets which are switched to nodes (webservers, dns, mail, XP workstation)
No real problems I could't solve till web servers started losing publishing without stopping service running. It's after that the shutdowns on one web server started, that is the one I am going to isolate now.
You are teaching me at a distance and you should all know I am very grateful and moreover appreciate your help very much. Thank you sincerely.