locked
SBS 2011 RPC service crashing and causing reboots RRS feed

  • Question

  • We have a problem with a fairly new install (nothing much changed/installed other than added some shares, users and imported mail)... However it's starting to reboot on a regular basis. I doubt it's a hardware fault given that the same service crashes everytime, but you never know. The server is fully patched too, with latest drivers and MS updates. There is no antivirus installed at the moment.

    The error log shows:

     

     

    Log Name:      Application

    Source:        Application Error

    Date:          08/06/2011 10:31:59

    Event ID:      1000

    Task Category: (100)

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      SERVER01.xxx.local

    Description:

    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1

    Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9

    Exception code: 0xc0000005

    Fault offset: 0x000000000002baad

    Faulting process id: 0x358

    Faulting application start time: 0x01cc2224d13a7e7f

    Faulting application path: C:\Windows\system32\svchost.exe

    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

    Report Id: 284d6b87-91b2-11e0-bbc0-3c4a92f7be26

     

     

    I did see this KB article: http://support.microsoft.com/kb/2401588/en-us but not sure it relates to the same issue, faulting module is different. 

     

    Anybody experienced this before or know if this hotfix would fix the issue? 

     

    Thanks.



    Wednesday, June 8, 2011 10:21 AM

All replies

  • I had the same problem two days in a row and have not found a solution yet.  Did you also see an error in the system logs related to an RPC overflow?


    Jeff
    Wednesday, June 8, 2011 9:34 PM
  • I can't recall I did, nope. However, I'm wondering if we can find something similar between machines. Don't tell me it's an HP ML350 G6? If you have the exact eventID I will check for the RPC overflow. 

    One of the steps we're taking is to virtualise the machine for testing but we're a little concerned that it only happens maybe under load.  If you do find a fix let me know, and I'll post what the fix is here also (if we find one). 

    Wednesday, June 8, 2011 9:37 PM
  • Also, I forgot to mention that I have a strong feeling it could be network stack. If IPv6 is enabled I get a number of DNS issues, disabling IPv6 using the recommended method (editing registry) it solves that issue but causes another. If I run the Internet Connection Wizard it fails to detect the router or set the settings properly. 
    Wednesday, June 8, 2011 9:39 PM
  • It is a Dell server so it should not be the hardware.  I searched online and did not see much on the issue.  A coworker said he saw reports that this happened to two other SBS 2011 servers.

     

    I had a total of two items recorded in Event Viewer.  One was in the application logs and one item in the system logs.  Did you have the same messages?

     

    Application log

    Source: Application error

    Event ID 1000

    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1

    Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9

    Exception code: 0xc0000005

    Fault offset: 0x0000000000021cca

    Faulting process id: 0x368

    Faulting application start time: 0x01cc2541f4ca086e

    Faulting application path: C:\Windows\system32\svchost.exe

    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

    Report Id: 56cb0b8e-91fd-11e0-8663-842b2b62b142

     

    System log

    Source: User32

    The process C:\Windows\system32\services.exe (SERVER3) has initiated the restart of computer SERVER3 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found

    Reason Code: 0x30006

    Shutdown Type: restart

    Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

     

     

    What antivirus software are you using?  I am using Symantec.

     

    I believe you need to leave IPv6 enabled.

     

    I just ran into issues with the Internet Connection Wizard for another client but it was on SBS 2008.  I had to run a schema update after installing Exchange 2007 service pack 3.  I do not believe SBS 2011 needs that.  What is listed in your logs?  C:\Program Files\Windows Small Business Server\Logs folder.  I believe it is the CTIW log file.

     


    Jeff
    Thursday, June 9, 2011 12:27 PM
  • Yes I have both of those errors Jeff. IPv6 was enabled, ticked - everything. 

    There is no AV on the server at the moment, however we normally use ESET so that is not a common factor. In your case I would remove Symantec anyway to rule that out. 

    I don't know if I've fixed it yet, it happens randomly but I disabled IPv6 with the registry key, and uninstalled network adaptor, installed again and rerun Connection Wizard and server seems to be running better (less errors in the logs).

    Do you have any DNS related errors by the way?

    Thursday, June 9, 2011 2:40 PM
  • Do you have SP1 installed Jeff, and did this happen after the install of SP1?
    Thursday, June 9, 2011 2:41 PM
  • SP1 is installed.  The server has frozen four times on its own and two happened before SP1 was installed.  I installed it in the middle of May.  No DNS errors on the server except for when rebooting.  I have another DC on the network.


    Jeff
    Thursday, June 9, 2011 3:25 PM
  • Jeff, is this a SBS 2011 box? If so, you can only have one DC unless it has the premium add-on right?

    I initially had DNS issues, binding to the IPv6 interfaces so I just disabled it. I know you should not in normal cases but I suppose it was a way to resolve the issue with least downtime.

    Ours was installed at a similar time also. Is there anything else you have changed/installed since May?

    Thursday, June 9, 2011 4:32 PM
  • It is SBS 2011.  I did a migration and added the SBS server to the network.  You can have more than one DC with SBS.  The SBS server needs to be the first one in the domain unless you do a migration and transfer FSMO roles to it. 

    I have not installed any additional updates on the server since the middle of May.  I will be logging onto it in a few minutes to monitor the behavior.  It's less than an hour from when it has restarted the last two days.


    Jeff
    Thursday, June 9, 2011 5:44 PM
  • The server was fully patched quite soon after the install so not really sure it's an update. Let me know if you find anything,
    Thursday, June 9, 2011 7:21 PM
  • Hi,

     

    I would like to suggest you update the BIOS and the hardware drivers first.

     

    If BSOD is encountered, you may collect the minidump files and analyze them.

     

    Collect Minidump Files

    =================

    1. Click "Start", input "SYSDM.CPL" (without quotation marks) in the “Search” bar and press “Enter”.

    2. Switch to the "Advanced" tab and click the "Settings" button under "Startup and Recovery".

    3. Under "Write debugging information" section, make sure the "Small memory dump (128KB)" option is selected.

    4. Make sure "%SystemRoot%\Minidump" is in the "Small dump directory" open box and click “OK”.

     

    If the Blue Screen appears again, please refer to the following steps to collect memory dump files:

     

    1. Click “Start”, type “%SystemRoot%\Minidump" (without quotation marks) in “Search” bar and press “Enter”.

    2. Go to your Desktop, right-click on it and create a new folder named "Dump".

    3. Copy all the memory dump files (looks like [Mini092008-01.dmp]) in Minidump to this folder.

    4. Right-click on the Dump folder, click "Send To", and click "Compressed (zipped) Folder".

    5. Please send the ZIP file to us.

     

    You may also analyze them with Debugging Tools by yourself. You can install it and it’s Symbol Packages from the following link:

     

    http://www.microsoft.com/whdc/Devtools/Debugging/default.mspx

     

    WinDbg will tell you the possible cause. For more information, please read Microsoft KB article below:

     

    How to read the small memory dump files that Windows creates for debugging

    http://support.microsoft.com/kb/315263

     

    If no clue can be found, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call.

     

    To obtain the phone numbers for specific technology request please take a look at the web site listed below:

     

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, June 10, 2011 9:13 AM
  • Arthur_Li

    The firmware and BIOS have all been updated. The server at no point BSOD's - it just gracefully restarts. Symptoms remind me of the Blaster and Sasser infection.

    Friday, June 10, 2011 9:29 AM
  • Same here.  The server has the latest firmware and BIOS.  I did that after the server was unresponsive the first two times.  The server is gracefully restarting on its own. 
    Jeff
    • Proposed as answer by John Grawitch Wednesday, October 29, 2014 8:24 PM
    Friday, June 10, 2011 11:47 AM
  • We have a client with the exact same problem right now. We migrated them from SBS 2003 to 2011. Hardware is a Dell server but we are running Hyper-V so SBS 2011 is on a virtual server. I posted on the private Microsoft but they couldn't help. This happens about once a week.

    Last night it happened about four times in a row, we good for a few hours and then did it again. The client is getting really frustrated!

    Tim

    Sunday, June 12, 2011 3:53 AM
  • That is interesting, if it's happening on a VM that really does rule out hardware or I'd expect the host to be having similar issues. The thing is we have over 300 Windows Server R2 in our estate and it's proven to be really reliable, however nearly every SBS box we manage drives us nuts - especially 2008 and 2011!

    This is obviously specific to SBS 2011 and it does look like a few people are having the same issue. I wonder i there is anything common between these systems?

    Tim, is IPv6 working correctly on your box? We havent had this since IPv6 was disabled with the regkey. You don't happen to have HP Printer drivers installed on SBS 2011 do you? Or an APC SmartUPS? I am just trying to isolate everything here.  

    I must stress that throughout the installation of this server nothing has been changed outside of the SBS console so I don't think it's related to a customization. Our client is also frustrated by this issue and it's very difficult to resolve given we cant find a specific cause.

    We have 5 other SBS 2011 boxes which do not present this error. Very strange.
    Sunday, June 12, 2011 4:46 AM
  • This particular server with this issue also had the 'known' bug with the Exchange Form-Based authentication service not starting properly, I had to set it to Delayed Start. Is this also an issue on your boxes? 

    The other 5 servers seem fine and start all services correctly.

    Sunday, June 12, 2011 4:51 AM
  • In our environment we do not have any APC SmartUPS software installed as the Server is running on ESX. IPv6 is enabled on the interface. We have Universal HP PCL6 and PCL5 drivers installed for a range of printers.

    I had a look at the Exchange Form-Based authentication service, seems to start up fine. 

    Tuesday, June 14, 2011 10:51 PM
  • I've done two SBS 2003 to SBS 2011 migrations and one of them has this problem as well.  My problem may or may not have the same cause, as the source server had several underlying FRS errors that we did not find until we tried the migration, and we had to rollback and restart the migration process several times.  We finally got everytihng migrated, then a storm took out the power and the server somehow got formatted when it powered itself back on when power was restored.  We managed to recover from the failure (not a fun experience by the way), and everything seems to run smoothly except for the fact that the RPC endpoint mapper unexpectedly terminates, resulting in a server restart every once in a while.

     

    Here is the environment:

    • Dell PowerEdge T610
    • APC SmartUPS (forget model, but no management software is installed on the server)
    • Trend Micro Worry-Free Business Security 7
    • SQL 2005 Standard (with SP3)
    • PCS Express Server Manager
    • Backup Exec 2010 R2
    • Virtual CloneDrive
    • IPv6 was not changed from its default configuration
    • Dell LaserJet 1855dn PCL and Dell LaserJet 2355dn PCL print drivers installed (shared network printers)
    • Exchange Form-Based authentication service had to be set to Delayed Start because it was failing to start automatically
    • RPC Endpoint Mapper service crashes (event 7031), prompting a restart of the service. RPC service crashes (event 7031), prompting a restart of the server. Svchost.exe fault (faulting module ntdll.dll), event 1000. Each time the RPC Endpoint Mapper crashes, I have the RPC 7031 and svchost 1000 events, followed by a server that just says Access Denied for any remote access until it reboots itself.

    I have a maintenance window planned for tomorrow evening and I am going to install every Microsoft update and driver/firmware update I can find in an attempt it will fix this.  We've had the problem only a few times and they are days apart, so I won't know if the updates work for a while, but I will post back with my findings.

    My RPC-induced reboots (these are the ones still in the event log...it also happend on 5/11 and one or two more times in late May):

    • 6/5/11 4:00pm
    • 6/8/11 6:30am
    • 6/14/11 10:30am

    Oh, and because of this issue (and some 3rd-party data migration issues), the SBS 2003 box is still online. All FSMO roles were transferred, so SBS 2011 is happy, but SBS 2003 was hacked to allow it to stay online past the 21 day migration timer (well past it) until I can get these other issues worked out.


    Sr System Engineer
    Wednesday, June 15, 2011 1:20 PM
  • Okay so I don't think this is a hardware issue, since some people have Virtual Machines with the same issue. 

    Derek, what concerns me is you have the same issue with Exchange Form-Based authentication service, we also had to set it to delayed start. However I don't think this is related by any means. 

    This server is also not a migration, it's a flat install and no issues were identified upon installation. We also have every update and all drivers are up to date so I'm not sure that will fix it for you but it's worth a go. 

    I must be honest, since disabling IPv6 it's not rebooted... but just watch - it'll do it now!!

    If anyone does find the answer I would really appreciate it if you could post back, it appears more people than I expected are having this issue. I feel it's a Microsoft bug personally but it's not documented anywhere. 
    Wednesday, June 15, 2011 1:40 PM
  • I agree.  I do not think it is a hardware issue. 

    This link: http://blogs.technet.com/b/sbs/archive/2011/03/24/exchange-services-may-not-start-automatically-after-a-reboot.aspx explains the Exchange issue everyone is running into with form-based authentication.  I have installed the hotfix on this server and appear to be the only one with the hotfix so I do not think the hotfix is the issue.  Please let me know if you have it installed.

    The server has not rebooted since it did twice last week.  We have monitoring software on this server and it has not detected any cpu spikes, low memory, etc.

    The only third-party apps are Symantec and Dell's Open Manage software.


    Jeff
    Wednesday, June 15, 2011 2:44 PM
  • Jeff,

    I don't see a hotfix on the referenced KB article.  All I see are some options to resolve the problem by changing settings or registry keys, but nothing to install but the Fix it for me tool that just maes the same changes IU can do manually.  The Forms-based authentication isn't really a big deal since setting it to a delayed start fixed it.  I hadn't really given it another thought since I made the change.  The RPC Endpoint Mapper however is a huge problem for my customer.  It literally just happened again :/

    Tim (TRSNETPROS) also posted this in the Microsoft Partner forum.  I was going to make my own post, but did a quick search to see if anyone had already posted it, and it jsut so happens that the only relevant post I found was from someone that also commented on this same thread!  If you are a Partner, you can access the thread here, but the Microsoft rep did not offer much help.  I am also leaving a comment on that thread pointing back here in hopes that the information everyone has provided will get more eyes on the issue.

    -Derek


    Sr System Engineer
    Wednesday, June 15, 2011 3:05 PM
  • I doubt the hot fix is the cause either as you can make the changes manually as you say. I did not post on the partner forum because I wanted more people to read this thread to see if anyone else had this issue since I couldnt find any information on the Internet at the time. It looks like it is a rare issue but something that is certainly happening to multiple people with various configurations. 

    Our install does not have any third-party software besides the standard HP drivers (I later installed PSP). 

    A clean boot doesn't fix it either but fingers crossed disabling IPv6 (you do have to do this by the registry key method or you'll break SBS big time) seems to have resolved it for now, but I could be wrong. I will update everyone here when it next happens. 

    I think the biggest issue is you don't know when it's totally fixed because it's just so random - it can happen 2 days in a row and then not again until next month. 

    Wednesday, June 15, 2011 3:28 PM
  • 2401588 Remote procedure call service crashes on a computer that is running Windows Server 2003 SP2, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/default.aspx?scid=kb;en-US;2401588

     

    Try that (it's not included in SP1)

    Wednesday, June 15, 2011 6:28 PM
  • Already tried this... it would be interesting to see if it fixes it for someone else but the key here is the module is different. 

     

    Faulting application svchost.exe version <var style="box-sizing: border-box;"><version></var>, faulting module rpcrt4.dll

    Wednesday, June 15, 2011 6:40 PM
  • Mine always shows ntdll.dll as the faulting module for the svchost.exe crash :/

    On a side note, if this thread caught the attention of the SBS Diva, maybe our cries for help are being heard! Susan, you probably comment on a lot of these SBS threads, but I realized I never did thank you for your help in early April on my last issue.  I had opened a case and it worked its way up to CSS in Texas and you convinced me to let them work on the issue instead of pulling the plug and restarting my migration.  The problem ended up being with the source server, so restarting the migration 100 times would have always failed, and they helped me find the underlying problem (corruption in AD; I manually fixed via ADSIedit) to get my migration back on track...although ultimately it just led to the issue at hand with the RPC Endpoint Mapper ;)


    Sr System Engineer
    Wednesday, June 15, 2011 8:02 PM
  • AHHHH!  It just happened again as I was submitting that last post!
    Sr System Engineer
    Wednesday, June 15, 2011 8:04 PM
  • I genuinely think this is a bug. It's the same here - always ntdll.dll as the faulting module. This system is not a migration so I don't expect it's your migration at fault, but maybe it's more likely to happen after a migration.

    I really hope we can find a resolution, although as I said it's not happened over here since I disabled IPv6. I suppose it is entirely possible there is an issue with IPv6 but I wouldn't have thought so. 

    I can confirm this is just an issue with SBS 2011 though, it does not happen on any 2008 R2 servers and we have loads of those. 

    Wednesday, June 15, 2011 9:55 PM
  • Hi, I am having the same issue as posted above! I too have a virtual sbs2011 server. It is running the following extra applications: StorageCraft Shadow Protect SBS ESET NOD32 Mail Protection This started happening about 2 weeks ago, but no other changes were made at the time. If you need anymore information (error messages) please let me know Thanks James McPherson
    Wednesday, June 15, 2011 11:57 PM
  • We have almost nothing installed on the virtual SBS 2011 server - no A/V, no printers, no APC software. The only things we have installed are our Zenith monitoring agent and PeachTree accounting with its Pervasive database, although that was installed after this was already happening.

    I have heard that disabling IPv6 is a very bad idea on SBS 2008/2011, but I see Solutions Computers did that via a registry hack. Does that make a difference? I am very hesitant to try that as I am afraid it will break something else. Our senior tech was suspecting IPv6 as well.

    If we don't have something figured out soon, we are going to have to call PSS.

    Susan - I am happy to see you are following this thread. I saw that same KB article but it is the wrong DLL. Everybody here is having an issue with the ntdll.dll. That is where this all starts.

    Is anyone from Microsoft paying any attention to this????

    Thursday, June 16, 2011 2:32 AM
  • TRSNETPROS,

    We disabled IPv6 using the documented way over at http://support.microsoft.com/kb/929852

    It will not break anything long as you only make the changes in that document. For what it is worth I would make a note of the configuration in the network adapter properties.

    Once you have completed the IPv6 disable, we re-run the Internet Connection Wizard and Fix My Network wizard. 

    In addition on SBS 2011 you will need to make the following change too.

    RRAS (VPN) Note: If you plan to enable VPN on your SBS 2011 server, you MUST also Export and then Delete the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6

    If you do not delete this key you will get an 20103 Event when trying to start RRAS with IPv6 disabled.  You must reboot after removing this key.

    NOTE: ALWAYS MAKE A COMPLETE, FULL AND WORKING BACKUP OF THE SYSTEM REGISTRY BEFORE COMPLETING ANY TASK INVOLVING SYSTEM CHANGES.

    Thursday, June 16, 2011 9:32 AM
  • I would like to mention that the server has been solid since. I don't want to speak too soon though!
    Thursday, June 16, 2011 9:33 AM
  • Step One : Isolate the RPC service on the server.

     

    ======================================

     
       
    1. Search and locate the Svchost.exe file on the server. 
    2. Make a copy of the Svchost.exe file and call it “Svchost_RPC.exe”. 
    3. Click Start, click Run, typeregedit, and then click OK to start Registry Editor. 
    4. Locate and then right-click the following registry subkey: 
     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs

     
       
    1. Modify the ImageName key so that the value is%systemroot%\System32\svchost_RPC.exe -k rpcss 
    2. Exit Registry Editor. 
    3. Restart the server to apply the change.

    After that, the RPC service will only run with the new svchost_RPC.exe process, not the original svchost.exe. We can use the next step to collect the dump file for the svchost_RPC.exe

    Step Two: Collect the DUMP file with Adplus

    1. Please use the Adplus utility to generate a dump for the svchost_RPC.exe if the RPC service crashes again.

    =========================================================

    ADPlus is a utility that allows us to get a memory dump from a process that is giving us problems.

    a. To get this utility, please download and install the Microsoft Debuggers at

    http://www.microsoft.com/whdc/devtools/debugging/default.mspx (Debugging Tools for Windows)

    We may have to reboot your machine after installing the debuggers.

    b. Create a directory calledC:\adplus for saving the output of debugger tool.

    c. Click Start, right-click Command Prompt, and choose "Run as Administrator" to open an elevated command prompt, and then navigate to the debugger’s directory. (By default is C:\Program Files\Debugging Tools For Windows).

    d. Then run the following command in the elevated command prompt:

    adplus.exe -crash -pn svchost_RPC.exe -o c:\adplus

    Note: The debugging tool will monitorsvchost_RPC.exe process. If it encounters an exception, a dump file will be automatically saved. Please keep the window open. Also, please do NOT log off the console.

    e. When the RPC crashes again, please check if any files are saved to C:\adplus folder.

    Once we got the dump files, we can contact our PSS Support and provide the dump file for further analysis.


    I linked back to this thread from the other thread that was started in the Partner forum and a Microsoft Moderator did post an update. The above are instructions to isolate RPC and enable debugging so that when it crashes Microsoft will have a dump file to analyze. I am going to make these changes tonight when I am installing updates, but if anyone else wants to contribute, I'd imagine multiple dump files from different environments would help Microsoft identify the common problem.


    Sr System Engineer
    Thursday, June 16, 2011 12:51 PM
  • If a few people, including ourselves could do the above maybe we can get some solid information about this issue. It hasn't happened on us again, yet... but if it does at least we have some further diagnostic traces. 
    Thursday, June 16, 2011 3:50 PM
  • Can you try KB 982293?

    982293 The Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293

    Thursday, June 16, 2011 8:35 PM
  • Chris,

     

    I believe this was installed and then we had a further crash but I cannot be sure the server was rebooted right after the install. If it reoccurs I will let you know. If someone else could try the hotfix that may help eliminate the issue too. 

    It did cross my mind if WMI was the cause, it does relate to different services but we have monitoring software also which does indeed call WMI.

    Thursday, June 16, 2011 8:37 PM
  • Can you try KB 982293?

    982293 The Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293

     

     

    I will also try this tonight Chris.  I have to wait till after 8pm New Zealand time in order to install and reboot.

    I will also enable debugging for the RPC service and post any logs that it produces.

    Cheers

    Thursday, June 16, 2011 9:30 PM
  • I made the change from step 1 of the Microsoft moderator's recommendation and now my server is unresponsive.  If you are going to try the same thing, I strongly suggest you do so from the console and not remotely...
    Sr System Engineer
    Friday, June 17, 2011 2:02 AM
  • I made the change from step 1 of the Microsoft moderator's recommendation and now my server is unresponsive.  If you are going to try the same thing, I strongly suggest you do so from the console and not remotely...
    Sr System Engineer
    Changes made to any server should always be done from the console.  You are asking for trouble doing it via a RDP session!
    Friday, June 17, 2011 4:41 AM
  • If you guys consider this a "server down" issue, you can call in and get support.
    Friday, June 17, 2011 7:36 AM
  • Derek, it was a risky change really. I would always recommend doing these things in a lab environment before even doing it on a live system. However you should be able to get back up and running by reversing the changes to the registry. A boot CD may help. 

    Susan [below], I consider this a bug not a server down issue. It's pretty alarming more people are coming along with the same issue and as others have said it seems a bit cheeky to charge when there are so many people reporting it. I think Microsoft should look into it initially, with no cost to their loyal partners.


    Friday, June 17, 2011 10:09 AM
  • I made the change from step 1 of the Microsoft moderator's recommendation and now my server is unresponsive.  If you are going to try the same thing, I strongly suggest you do so from the console and not remotely...
    Sr System Engineer
    Changes made to any server should always be done from the console.  You are asking for trouble doing it via a RDP session!

    Yeah, I know...shame on me.  Looking at what needed done, it seemed like a quick and easy change, and I assumed it was safe since it was coming from a Microsoft employee.  It wasn't a big deal though as I have a key and beat all the users in.  I always keep a copy of UBCD handy just for occasions such as this (I used the offline registry editor on it to change the string value back).
    Sr System Engineer
    Friday, June 17, 2011 10:56 AM
  • Derek, it was a risky change really. I would always recommend doing these things in a lab environment before even doing it on a live system. However you should be able to get back up and running by reversing the changes to the registry. A boot CD may help. 

    Susan [below], I consider this a bug not a server down issue. It's pretty alarming more people are coming along with the same issue and as others have said it seems a bit cheeky to charge when there are so many people reporting it. I think Microsoft should look into it initially, with no cost to their loyal partners.



    Yeah, the server down was a result of the registry change, not the problem itself.  It was easily undone, but this is a lowend Dell server with DRAC Express, so I had no remote console options.  I did test this on my laptop (Win7 x64) and it rebooted fine, so I figured it would be the same.  Then again, the problem we are all having is random crashes in svchost (RPC), so perhaps that was the difference that made the server unbootable?
    Sr System Engineer
    Friday, June 17, 2011 10:59 AM
  • NOTICE:

    For anyone reading this thread install the following two hotfixes:

    Remote procedure call service crashes on a computer that is running Windows Server 2003 SP2, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/default.aspx?scid=kb;en-US;2401588
    
    Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293
    
    Please confirm that you've installed BOTH hotfixes.
    If you still get the issue, ping me at susan-at-msmvps.com and I'll set up a case.
    Friday, June 17, 2011 3:56 PM
  • I have seen KB2401588 when the issue started happening. I believe the hot fix was installed nearly 2 weeks ago but will double check.

     

    Can other people try these hot fixes and let us know if this resolves it for them? 

    Friday, June 17, 2011 4:00 PM
  • I tried to install the update Chris suggested, but it said it was not applicable to my computer.  I did install the hotfix mentioned in the original post, but based on the above comments, it most likely won't make a difference.


    Sr System Engineer
    Friday, June 17, 2011 4:04 PM
  • I spoke to the technician who was asked to try this hotfix and he said that he received the same message too. It says it's not applicable. 

    Friday, June 17, 2011 4:05 PM
  • The server probably had Windows Server 2008 R2 SP1 installed on it and 982293 is included in Windows Server 2008 R2 SP 1.

     

    Has anyone experiencing this issue implemented the following group policy:


    "Limit the size of entire roaming user profile cache" under Computer Config/Admin temp/Windows Comp/RDS/RD Session Host/Profiles.

    I do not see this implemented in a default SBS 2011 Standard installation.

    Friday, June 17, 2011 8:10 PM
  • That possibly explains that then. This issue happened after SP1 for us, but has been happening before and after for others here. 

    That group policy object is not configured on any of our policies. 

    Friday, June 17, 2011 8:12 PM
  • I installed SP1 and a lot of other updates last night (actually every update that would show up in Microsoft Update), then I made sure I had both hotfixes installed (well, I installed one and one didn't apply because of SP1).  I haven't had the issue since then, but we've gone weeks at a time before it happens several times in a single day, so we'll see.

    I have a case open as of ~1:30pm EST today (SR 111061762869106 in case you do open one and the tech can reference that). I will keep both threads updated as we work through this.

    Sr System Engineer
    Friday, June 17, 2011 11:14 PM
  • Note: I am cross-posting this from the Partner Forum and updated with my PSS Ticket Number

    I would like to throw my hat in the ring as well on this issue.  I'm glad other people are having the EXACT SAME ISSUE with SBS2011.

    The issue is EXACTLY the same as TRSNETPROS....Virtual environment, running on Server 2008 R2, the RPC Endpoint Mapper service terminates unexpectedly and eventually the svchost crashes with the ntdll.dll module and the server reboots shortly thereafter.

    The problem with this sort of issue is that it is random when it occurs and sometimes happens multiple times in a row or in the same day, and then goes a week or two with no issues at all.

    I have read this forum and the other social thread and while I feel that IPv6 might be something related to this issue, based on reading the other forum posts and lack of an answer think this might be a bug and doing a registry hack for IPv6, while it might work, is a bandaid to this issue and Microsoft needs to come up with a fix for this.  

    I am hesitant to installing hotfixes that deal with a different .dll module than the one I have an error with.

    I am probably going to escalate our issue to PSS as it is a Friday and I want to get this taken care of on a day that least impacts users.  I will update with any progress I have on that front.

    Derek, sorry to hear all the troubles you went through, but thanks for sharing with the community about your experience doing the recommendation mentioned in the thread.

    Thanks,

    Matt

    I have opened a case and the PSS # is: SR 111061800151213

     

    Saturday, June 18, 2011 12:21 AM
  • Matt,

    Thank you for posting [and thank you to everyone else that has joined this thread]. It's actually quite worrying now that more and more people are having the same issue. You are totally right that it's hard to get to the bottom of the issue as it can go weeks without a hitch and then all of a sudden it crops up again. 

    We're seeing if disabling IPv6 has resolved this, which so far so good. I will also keep the thread updated if it happens again (or not). 


    Saturday, June 18, 2011 12:59 AM
  • Matt,

    What have you heard on the issue?  I have not had time to install updates on my client's SBS server.  They are operating 19 hours a day during the week and sometimes on weekends.  I am trying to schedule time this weekend for updates and will post the results.


    Jeff
    Tuesday, June 21, 2011 3:22 PM
  • We have had no issues since. But i'd still like to assist anyone else and find out more information. It's a real strange issue. 
    Tuesday, June 21, 2011 10:04 PM
  • I haven't really made any progress on this since the case was opened (we've exchanged some e-mails regarding very basic troubleshooting and diagnostics, but I haven't had much time to dedicate to this issue), but as the server rebooted twice since the case was opened, I went ahead and disabled IPv6 as a temporary workarund (and to see if this really does fix the problem).

    http://blogs.technet.com/b/sbs/archive/2011/02/18/small-business-server-2011-slow-to-boot-and-several-services-fail-to-start.aspx


    Sr System Engineer
    Wednesday, June 22, 2011 1:28 AM
  • Did you install both updates?  Does this server have SP1 on it already?

    Given that IPv6 is needed by Exchange, I really don't believe it's going to be ipv6.

    If there is anyone else seeing this please apply the hotifixes and if you still see the issue, email me and I'll set up a case.

    Wednesday, June 22, 2011 5:55 AM
  • Install the hotfixes.  They will be included in the next service pack.  They are not beta code.  They can be easily removed.
    Wednesday, June 22, 2011 5:59 AM
  • I was only able to install 1 hotfix as the other said it was not applicable.  SP1 is installed, along with every other update available through Microsoft Update.  Since disabling IPv6, I have heard no complaints, but it has only been a day, so I'm not holding my breath yet...
    Sr System Engineer
    Wednesday, June 22, 2011 7:24 PM
  • Also, I forgot to mention that I have a strong feeling it could be network stack. If IPv6 is enabled I get a number of DNS issues, disabling IPv6 using the recommended method (editing registry) it solves that issue but causes another. If I run the Internet Connection Wizard it fails to detect the router or set the settings properly. 

    Since I disabled IPv6, I have not seen any more issues from this server, but what DNS issues were you referring to in this post?  All I saw was a warning (DNS-Server-Service 409) that "the DNS server list of restricted interfaces contains IP addresses that are not configured for use at the server computer", but DNS is working just fine.
    Sr System Engineer
    Thursday, June 23, 2011 1:06 PM
  • Derek,

    Keep me informed if your server falls over after making the change. Ours is still working fine. 

    DNS issues, well yes we did receive 409 but also a few others particularly referring to bindings.  DNS errors 405, 406 and 409 appeared regularly when rebooting the server (until disabling IPv6). 

    Interestingly on another install I have no DNS errors and IPv6 is enabled. That server has never had a problem, in fact it's the smoothest SBS install we have had. 

    Thursday, June 23, 2011 1:58 PM
  • I have my hotfix installation scheduled for Saturday.  I will post again after the hotfix is installed.  The server already has SP1.  I have two other clients with SBS 2011 systems and they have not had one issue.  All SBS 2011 systems have IPv6 installed.

    I plan on installing the hotfix on both.  It will be a mandatory requirement for all new SBS 2011 systems until the next service is released.


    Jeff
    Thursday, June 23, 2011 4:26 PM
  • I installed the hotfix on the troublesome server and other SBS 2011 systems that have not had any crashes.  I will post if I see any unexpected restarts.
    Jeff
    Saturday, June 25, 2011 6:03 PM
  • Any word gang?
    Saturday, June 25, 2011 7:23 PM
  • PSS had me run MSDT and upload the results; I am waiting to hear back (that was 4 days ago).  IPv6 has been disabled for 5 days now and we've had no incidents.  I don't really understand what could be crashing RPC in the IPv6 stack, but quite honestly, I don't really care what it was if the problem is resolved...
    Sr System Engineer
    Sunday, June 26, 2011 3:20 PM
  • Hey guys, it's been a week, so I figured I would update everybody.

    The only thing that occurred with PSS is they had me install the hotfix already mentioned in this thread (2401588).  We still have not disabled IPv6, but have not had any crashes since.  I am still hesitant to call it fixed, but we have not had any crashes since.

    Thanks everybody for your responses, it has been helpful to attack this problem from many angles.

     

    Matt

    Tuesday, June 28, 2011 8:19 PM
  • I would like to weigh in on this issue.  I have had the RPC crash and reboot problem happening on a SBS 2011 migration as well.  I have only had it in place for about 3 weeks.  It happened a week after implementation, about a week later, then on Sunday and again Monday of this week (6/28/2011).  I found this thread and attempted the Hotfix installs, both told me they were not applicable.

    Yesterday I disabled IPv6 and have not had a reboot since.  I am running mine on a VMWare ESXi box with the base Intel 1000 Network adapter driver for the VM.

    Just wanted to let you know someone else has this issue.

    Thanks.

    Tuesday, June 28, 2011 8:36 PM
  • It's between the hotfix and IPv6 then. Our clients server is still rock solid, no issues whatsoever. 

    D.wiseman, please do not install the hot fix yet - see if IPv6 solves the issue for you and if not then install the hotfix and see if it reoccurs... I'd be really interested in the answer!

    Thanks for everyone's input. 

    Tuesday, June 28, 2011 9:28 PM
  • I hope the hotfix did it for you, Matt, but I'd keep a close eye on it.  I had installed every available update through Microsoft Update Thursday, 6/16, then installed the hotfix described in http://support.microsoft.com/kb/2401588/en-us on Friday, 6/17.  It crashed and rebooted twice on Tuesday, 6/21, so I disabled IPv6 that night and it has been running smooth since then.
    Sr System Engineer
    Wednesday, June 29, 2011 12:58 PM
  • Looks to me like IPv6 is the culprit, or at least the network stack is causing some other dependency to fault. If anyone with IPv6 enabled but has the hotfix installed does NOT have this issue any more please report back. 

    If however you have not installed the hotfix, is it possible you could try disabling IPv6 to see if it resolves the issue? 

    Wednesday, June 29, 2011 3:24 PM
  • No issues on the SBS server since it restarted on its own on June 7.  This server has IPv6 enabled as do our other SBS 2011 servers.  They are all fine.  Three of the four SBS 2011 servers our clients have were installed in migration mode.  This server was a migration server.

    Derek, if I remember, you have multiple SBS 2011 servers?  Just one with issues?  Was it a migration server?


    Jeff
    Thursday, June 30, 2011 12:56 PM
  • Any updates anyone?
    Monday, July 4, 2011 6:49 PM
  • We just had another crash with our SBS - Will try disabling IPv6, will report back in a few weeks and update everyone.
    Tuesday, July 5, 2011 3:58 AM
  • Had two servers crash this week.  One crashed on the 4th around 5:00 am and the other at 7:00 pm on the 5th.  Both systems were unresponsive and had to be forcibly shut down so there are no details in the event logs.  Both systems have the hotfix and are fully patched.  Both use IPv6.
    Jeff
    Friday, July 8, 2011 7:04 PM
  • Sorry for the delay in updating.

     

    Since the install of KB982293 I have not had a crash at all with our server. IPv6 is still enabled (for me, disabling it is NOT a fix, just a work around)

    System has been stable since, no issues or errors.

    Wednesday, July 13, 2011 4:41 AM
  • Sorry I have not updated in some time.  Since the disable of IPv6, I have not had a shutdown or RPC crash.  I tried to apply hotfix, but was given the "not applicable" warning prior to the IPv6 disabling.
    Thursday, July 14, 2011 1:52 PM
  • Has anyone fixed this yet. I just started having this problem out of the blue on Monday. I first tried the disabling of IP6. That did not work. I just installed the 2 hotfixes this morning. Hopefully that will take care of it but if anyone has any further insight on this, I would appreciate some feedback. DB
    Wednesday, August 24, 2011 4:53 PM
  • Remote procedure call service crashes on a computer that is running Windows Server 2003 SP2, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/default.aspx?scid=kb;en-US;2401588

    Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293  (which is included in SP1 so if you've already installed that you won't need it)

     

    is all that you need to fix this.

     

    Also have a look at http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/16cac6e4-ffb5-4920-b48e-0f484ae8c8ff.

     

    Disabling IPV6 will cause further problems so as early as possible enable it back again. Provided you have disabled it properly. For more information on disabling IPv6 on SBS2008 and onwards have a look at this http://blogs.technet.com/b/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx.

     

    Wednesday, August 24, 2011 5:06 PM
  • Thanks for the reply. Installed the hotfixes this morning. So far so good. Properly disabled IPv6 last night. Does not seem to affect my environment which is SBS 2011. What kind of problems will disabled IPv6 cause down the road? Thanks.
    Wednesday, August 24, 2011 7:18 PM
  • As I mentioned before you can have a look at the following blog http://blogs.technet.com/b/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx..
    Wednesday, August 24, 2011 7:21 PM
  • If you disable IPv6 properly you should not experience any issues at all. We have it disabled on all SBS 2011 boxes until we figure out what is the actual cause of this issue. I am undecided if it's the hotfixes fixing this or the IPv6 disable.

     

     

    Thursday, August 25, 2011 1:53 AM
  • I'm having the same problem.  I've had two ntdll.dll RPC crashes.  Once today (9/13) and the last was a week ago today (9/6).  I've not had any crashes related to rpcrt4.dll.  Is it recommended that I use both hotfixes, regardless?
    Tuesday, September 13, 2011 5:33 PM
  • yes  by all means you need two hotfixes in place.
    Tuesday, September 13, 2011 6:49 PM
  • Hmm, after thinking that the issue was sorted. the problem has returned for me after installing both hotfixes.

    Not a good sign really and the "fix" of disabling ipv6 isnt really an option. 

    Thursday, September 15, 2011 11:57 PM
  • James k McPherson,
    I am postitive this is still a IPv6 issue, although installing the hotfixes has sorted the issue for some around here... If you do not use IPv6 internally, it is safe to disable it LONG AS it's done correctly. 
    Friday, September 16, 2011 12:00 AM
  • I had two SBS 2011 servers with the hotfixes installed, freeze within the last week.  The origininal server that started all of this for me had been fine since July 4, but stopped functioning again yesterday.  We have five clients with SBS 2011 servers and only two have had the issue.  They all use IPv6.
    Jeff
    Friday, September 16, 2011 12:00 PM
  • Can you email me with your email address to susan-at-msmvps.com so I can get a support case set up for yuo?

    Tuesday, September 27, 2011 2:42 AM
  • Holy mother...

    I'm wondering how I missed this thread or I'd have jumped in a long time ago. Something definately isn't right here, my company has migrated 6 SBS 2011 machines and no one has had a single problem, in all cases but one the migrations went smoothly. IPv6 is enabled and the servers are either Dell or Virtual (running Oracle Box on a Linux host). Personally I have installed an additional 4 SBS boxes again without any issues...

    I'm just covering bases here, but everyone's tried the standard 'Fix my network' wizard, the 'SBS 2011 Best Practices Analyzer' and running 'dcdaig' right? In addition make sure you have your anti-virus exceptions programmed properly -you may want to call support for your product and verify what it automatically excludes and what not. For a complete comprehensive list (with refrence links) see http://thenonapeptide.blogspot.com/2009/08/sbs-2008-standard-edition-antivirus.html

    Thursday, September 29, 2011 1:56 AM
  • GreenlightTech,

    We did everything such as the fix my network wizard, dcdiag, BPA, etc. We have also done several installs and only the one has had this issue.

    As for antivirus, it was a new server so no scanner was present at the time.  

    Thursday, September 29, 2011 10:14 AM
  • The Diva has a Microsoft support case open for me.  I am working with an engineer on it today.  I will post findings.
    Jeff
    Thursday, September 29, 2011 11:45 AM
  • This just started happening to my SBS2011 server this morning!
    Friday, September 30, 2011 3:19 PM
  • Hi Greg,

    What hardware is your server using?  Do you have service pack 1 installed?  There is a hotfix you can install that might help.  Please install this hotfix, http://support.microsoft.com/default.aspx?scid=kb;en-US;2401588, and see if that helps. 

    What is your antivirus software?

    I actually have a support case open with Microsoft thanks to the SBS Diva.  I started working with the engineer yesterday and will post results as things progress.  The engineer collected lots of information and I installed additional items for him today.


    Jeff
    Friday, September 30, 2011 3:38 PM
  • Please see this post http://www.vistax64.com/vista-networking-sharing/103973-rpc-service-crash-when-share-accessed.html

    Can anyone see/test to find out if this is actually completely random or something is triggering it? If we can find out what's triggering it then we'll be a lot close to solving this issue.

    Jeff, any word on Microsoft?

    Sunday, October 2, 2011 1:24 PM
  • Hi Jeff,

    Did you get anywhere with MS?  We are seeing this problem now...

    Friday, October 21, 2011 4:27 PM
  • I was on vacation last week and the customer has not had downtime for me.

    The server froze again today.  I had run the WSUS cleanup wizard earlier this morning and was idle when it locked up on me.  The items the Microsoft engineer wanted me to try partially worked.  I tried to create a dump file but the keyboard did not work.  I ran through a checklist, collected the information and sent it to the engineer but have not heard anything yet. 

    All services stopped functioning.  I sent a test email and requested a delivery receipt that did not return to me until the server was forcibly restarted.  Windows Explorer stopped and everyone lost their work.  The only thing I could do was ping the system.  I will post any results that the engineer finds.


    Jeff
    Wednesday, October 26, 2011 7:56 PM
  • As of 11:00am today this problem has started occuring on one of our customers sbs 2011 servers.

     

    This server has been fine up until today.  No updates were added and nothing was changed on the server for it to begin this issue.

    We have been through this thread with a fine tooth comb for answers, the hotfixes mentioned are not for sbs 2011.

    We have just been through the process of disabling IPv6, but following the last reboot the same issues are back again.

    Any clues as to where the servers are going wrong?

    Tuesday, November 1, 2011 2:33 PM
  • Sorry for the late response, but that hotfix seems to have fixed it. I haven't had a crash since.
    Tuesday, November 1, 2011 2:42 PM
  • SBS2011 is built off of 2008 R2, so install that hotfix above and see how it goes!
    Tuesday, November 1, 2011 2:43 PM
  • Quick update: We have disabled IPv6 - Server still had RPC issues following this. We installed hotfix http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2401588&kbln=en-us#step1 - Restarted and have not had a crash again ....yet! We did also however find a PC on the network that was heavily infected with multiple infections. We found the machine as 2 minutes before the RPC error was recorded on the server, an error was recorded from kerberos with regards to the infected machine. Will keep you posted.
    Tuesday, November 1, 2011 3:56 PM
  • As of 11:00am today this problem has started occuring on one of our customers sbs 2011 servers.

     

    This server has been fine up until today.  No updates were added and nothing was changed on the server for it to begin this issue.

    We have been through this thread with a fine tooth comb for answers, the hotfixes mentioned are not for sbs 2011.

    We have just been through the process of disabling IPv6, but following the last reboot the same issues are back again.

    Any clues as to where the servers are going wrong?


    The hotfixes ARE for SBS 2011.  One might already be on your box because it's included in Sp1, the other one is not in SP1.
    Tuesday, November 1, 2011 4:08 PM
  • I just ran across this thread. We have several SBS 11 servers... one just recently picked up this problem. Has been running fine since 7/16/2011 SBS 2011 w/ SP1 and all MS updates No local antivirus ShadowProtect 4.1.5 Virtualized on PowerEdge T710 running Win2K8-R2 w/SP1 Server has rebooted with Event ID 1074 listed at 5pm 4 times since 11/30/2011 No backups around 5pm at all, not sure why it's always at 5. Will install only KB2401588 hotfix and report back! -Tim
    Thursday, December 8, 2011 1:41 AM
  • Same here.  The server has the latest firmware and BIOS.  I did that after the server was unresponsive the first two times.  The server is gracefully restarting on its own. 


    After it comes back up, are you prompted for the reason of the restarte (i.e. like what happens after a crash or power failure).

     

    I've had that happen twice in the last three months and I couldn't see anything in the logs - sounds like this might be a candidate :(

     

    EDIT: I dont' think it's hardware either - running SBS 2011 in a HyperV instance with 24GB of RAM with dual quad Xeons on mirrod SAS drives (physical server has 32GB RAM)

    • Edited by E Eskam Sunday, December 11, 2011 7:02 PM
    Sunday, December 11, 2011 7:00 PM
  • I can't recall I did, nope. However, I'm wondering if we can find something similar between machines. Don't tell me it's an HP ML350 G6? If you have the exact eventID I will check for the RPC overflow. 

    One of the steps we're taking is to virtualise the machine for testing but we're a little concerned that it only happens maybe under load.  If you do find a fix let me know, and I'll post what the fix is here also (if we find one). 


    sorry to butt in at this late stage, i infact have a client with a sbs2011 server HP ML350 G6

    It unexpectantly reboots varing amounts, once a day, 10 times a day, fine for 4 days that kind of thing...

    It was all perfect from July to november then its been since then, i cant remember what updates were put on when but its fully updated now, i tried that kb patch but its still dont it...

     

    ive also had the UPS changed to a pure signwave model, new ram, new psu backplane, motherboard, psus, its now looking like a software issue.

    there is nothing in the logs around the time it reboots, and infact sometimes on reboot it cycles round rebooting one time for 2 hours then was fine for 4 days, bizarre...., im not sure if its a blue screen as im not at it, but it doesnt say in log, ilo2 reports a:-

    Informational iLO 2 01/12/2012 11:42 01/12/2012 11:42 1 On-board clock set; was previously [NOT SET].

    Caution iLO 2 [NOT SET]  [NOT SET]  1 Power restored to iLO 2.

     

    for every reboot, i dont know if it logs this because of the reboot or if this is the issue, hp say its because of the reboot, if i soft boot the system this doesnt appear

    anyone got any starting blocks?

    many thanks

    scott

     

     


    Thursday, January 19, 2012 4:23 PM
  • Our client also had ML 350 G6 but I don't feel this is a HP specific issue, there are reports of it happening on Dell models. The iLO2 event log is most likely due to the reboot procedure which is pretty much unexpected rather than a fully clean shutdown. 

    Have you tried properly disabling IPv6 and updating the network adaptor drivers/firmware? This fixed it for our client. 

    I realise people are on the fence about disabling IPv6 but in our testing this resolved the issue. It is entirely possible you have a separate issue though. I assume you have the RPC error logged discussed here?? or is it a BSOD automatic reboot?

    Thursday, January 19, 2012 4:32 PM
  • May I also add, that our client had no additional software besides the HP drivers (not even system management homepage). Since IPv6 was disabled and the hot fix applied, the server has never rebooted itself outside of our patch management windows. 

    I note some users say IPv6 didn't help, but I think both the hotfix install and IPv6 disable are required to reach stability. 

    Thursday, January 19, 2012 4:35 PM
  • Given that it just started, I'd make sure you are seeing exactly the same symptoms of RPC service crashing in the event logs triggering the reboot.  Unless you see that in the event logs - and you say you see nothing in the event logs - it may be hardware related? 
    Thursday, January 19, 2012 5:17 PM
  • It's been a while since I posted about the Microsoft recommendations and I apologize for the delay. The server has been stable since October 26. It is completely patched and has hotfixes. The engineer had me update the network card to the latest version. It was one update behind. I disabled all offloading items in the advanced properties for the network card in device manager. The server has four network cards but only one was active. The other three were disabled but they were still listed ahead of the active card in the binding order. The client is now using the latest Symantec version, 12, instead of 11.0.6. I would venture to say others are using different antivirus software so the common thread could be the network card settings. Install the hotfixes and then check the items related to the network card.
    Jeff
    Thursday, January 19, 2012 8:43 PM
  • i cant see anything about RPC in logs, im not even sure its a BSOD, im trying to get a monitor onto the box so a member of staff can try and catch what its doing.
    Friday, January 20, 2012 1:52 PM
  • Given that it just started, I'd make sure you are seeing exactly the same symptoms of RPC service crashing in the event logs triggering the reboot.  Unless you see that in the event logs - and you say you see nothing in the event logs - it may be hardware related? 
    the only hardware not changed is the processor and drive array...
    Friday, January 20, 2012 1:54 PM
  • You can try the ipv6 and the hotfixes, but unless you see the rpc error in the event logs, it may not be this either.
    Friday, January 20, 2012 2:25 PM
  • May I also add, that our client had no additional software besides the HP drivers (not even system management homepage). Since IPv6 was disabled and the hot fix applied, the server has never rebooted itself outside of our patch management windows. 

    I note some users say IPv6 didn't help, but I think both the hotfix install and IPv6 disable are required to reach stability. 

    is this what to follow? my client has vpn and remote desktops which i know uses ip6 at the moment, will this break? thanks scott To disable certain IPv6 components yourself, follow these steps: 1. Click Start Collapse this imageExpand this image Start button , type regedit in the Start Search box, and then click regedit.exe in the Programs list. 2. In the User Account Control dialog box, click Continue. 3. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters \ 4. Double-click DisabledComponents to modify the DisabledComponents entry. Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps: 1. In the Edit menu, point to New, and then click DWORD (32-bit) Value. 2. Type DisabledComponents, and then press ENTER. 3. Double-click DisabledComponents. 5. Type any one of the following values in the Value data: field to configure the IPv6 protocol to the desired state, and then click OK: 1. Type 0 to enable all IPv6 components. (Windows default setting) 2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface. This value also configures Windows to prefer using Internet Protocol version 4 (IPv4) over IPv6 by modifying entries in the prefix policy table. For more information, see Source and Destination Address Selection (http://technet.microsoft.com/library/bb877985.aspx) . 3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table. 4. Type 0x10 to disable IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces). 5. Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo. 6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface. Advanced steps Important The following steps are for advanced users only. To prefer IPv6 over IPv4 in prefix policies, follow these steps: 1. Find the current value data of DisabledComponents. 2. Change the data tobinary data. It will be a 32-bit binary value. 3. Find the sixth bit of the data, and then set it to 0. Do not change any other bits. For example, if the current data is 11111111111111111111111111111111, the new data should be 11111111111111111111111111011111. 4. Change the data from binary to hexadecimal. 5. Set the hexadecimal value as the new value data for DisabledComponents. To enable IPv6 on all nontunnel interfaces, follow these steps: 1. Find the current value data of DisabledComponents. 2. Change the data tobinary data. It will be a 32-bit binary value. 3. Find the fifth bit of the data, and then set it to 0. Do not change any other bits. For example, if the source data is 11111111111111111111111111111111, the new data should be 11111111111111111111111111101111. 4. Change the data from binary to hexadecimal. 5. Set the hexadecimal value as the new value data for DisabledComponents. To enable all IPv6 tunnel interfaces, follow these steps: 1. Find the current value data of DisabledComponents. 2. Change the data tobinary data. It will be a 32-bit binary value. 3. Find the first bit of the data, and then set it to 0. Do not change any other bits. For example, if the source data is 11111111111111111111111111111111, the new data should be 11111111111111111111111111111110. 4. Change the data from binary to hexadecimal. 5. Set the hexadecimal value as the new value data for DisabledComponents. To enable all IPv6 interfaces except for the IPv6 loopback interface, follow these steps: 1. Find the current value data of DisabledComponents. 2. Change the data tobinary data. It will be a 32-bit binary data 3. Find the first bit of the data and the fifth bit of the data, and then set them both to 0. Do not touch any other bits. For example, if current data is 11111111111111111111111111111111, the new data should be 11111111111111111111111111101110. 4. Change the data from binary to hexadecimal. 5. Set the hexadecimal value as the new value data for DisabledComponents. Notes * Using a value other than 0x0 or 0x20 will cause the Routing and Remote Access service to fail after this change goes into effect. * You must restart your computer for these changes to take effect.
    Friday, January 27, 2012 10:08 AM
  • Scott, yes it is. Please take a backup of the registry before making these changes. 

    http://support.microsoft.com/kb/929852
    Friday, January 27, 2012 10:20 AM
  • hi got into a bit of bother after changing registry made the following change:- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters DisabledComponents = &h11 (17 dec) 0x00000011 i also ran Internet Connection Wizard although i didnt have option for Fix My Network wizard, only repair network which it didnt find anything wrong. i also removed the whole key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6 when i rebooted and logged in, i just got the sbs2011 windows console wizard screen, but no icons on the desktop i waited 15 mins but nothing appeared, i tried to terminate explorer and relaunch but nothing. also i couldnt run regedit or any other app, i booted to safe mode and reversed and finally it returned working im not sure if it was just taking time, but it was 2am last night and i started flapping what with an office full of workers coming in the morning. i couldnt login to a remote desktop and exchange was down as aswell and pretty much everything else. it was as if boot had stalled and was away looking for something. maybe i never gave it enough time?, im not aware of the server taking that long to bring up the desktop, im sure it was instant before at the server although the sql database and remote desktop etc took a while after login
    Monday, January 30, 2012 10:19 AM
  • Scott,

    I've only ever seen this happen on one server after disabling IPv6, which was an SBS 2008 box.

    Whenever I have done this I have used the Fix It tool (http://support.microsoft.com/kb/929852): Disable IPv6

    I expect it just runs the registry changes but for some reason I've had more success with it. You might also want to ensure that no other software is running on boot, such as Antivirus tools, etc. 

    I would also ensure that you unbind IPv6 from properties once you have carried out this procedure (I'm not sure you are actually required or supposed to do this but sometimes it works better when it's not bound - you can try both ways). I would also recommend you run Fix My Network wizard before disabling IPv6.

    Also ensure you disable any other redundant network adaptors (in the BIOS if possible) and after you have made the changes please ensure that the adaptor has not reset to DHCP which is a common reason why the procedure fails. 

     

    To run the Fix My Network Wizard

    1. Open the Windows SBS Console.

    2. On the navigation bar, click Network, and then click Connectivity.

    3. In the task pane, click Fix my network.

    4. Follow the instructions in the wizard. You can click each potential problem that the wizard lists to get more information about the problem.

     


    Monday, January 30, 2012 1:55 PM
  • Hi, we also in the Netherlands have this particular problem with one of our servers. What did we do:

    1st server clean install, no problems is running 25 days in a row now (vds).

    2nd server clean install, mailbox migration from exchange 2003 to sbs2011. Some mailboxes are 8+ GB.

    We tried all the suggestions above. But with no luck. First we thougth we found de solution mention in the forum. After we had to copy an old mailbox from exchange 2003 to exchange 2010, everythings goes fine until the sync is completed, we do this at night. The next morning when 25+ people login, the server is giving the event id 1000, several times. We are frustrated... We don't see what is wrong...

    What did we do:

    Disable IPv6
    Installed SP1
    Several hotfixes (KB2401588, KB929852, KB982293, and all the normal updates)

    Monday, February 27, 2012 10:49 PM
  • Raymond, if you are still getting this after installing KB2401588 and SP1 and disabling ipv6 (the right way), there's nothing else we have to try.  you need to call support to get this properly investigated as we've got nothing else for you here.

    If you are still getting an event 1000 and the specific error of faulting module rpcrt4.dll specifically then call support.

    You didn't say it was rebooting, just an event 1000?  As that's different symptoms all together and it not the rpc crashing issue noted here.

    Please start a new thread with your exact symptoms.

    Monday, February 27, 2012 11:06 PM
  • Hi Susan,

    Sorry for the lack of info i send above, but it is in fact the same event id 1000:

    Naam van toepassing met fout: svchost.exe, versie: 6.1.7600.16385, tijdstempel: 0x4a5bc3c1
    Naam van module met fout: ntdll.dll, versie: 6.1.7601.17725, tijdstempel: 0x4ec4aa8e
    Uitzonderingscode: 0xc0000005
    Foutoffset: 0x00000000000506a1
    Id van proces met fout: 0x318
    Starttijd van toepassing met fout: 0x01ccf524efa6342c
    Pad naar toepassing met fout: C:\Windows\system32\svchost.exe
    Pad naar module met fout: C:\Windows\SYSTEM32\ntdll.dll
    Rapport-id: 580b10cb-6160-11e1-8a39-0018717af824

    Sorry for the dutch language but you get the point. And when i recieve this particular error, the server reboots within 15 minutes.

    The problem is we are evaluating this system for a costumer of ours, and the last time that i called Microsoft with a newly installed server, they said i had to pay 170 euro/dollars, that is not acceptable for us, we sell Microsoft products, maybe not to much to be big retailer, but 170 euro/dollars...

    But other than the 170 euro/dollars, i thought maybe it is/was related to exchange/sharepoint.

    Tuesday, February 28, 2012 12:08 AM
  • Not exactly no.  The KB referring to the rpc crashing specifically points to rpcrt4.dll  The one at the top of this post that started it all, as well as yours is ntdll.dll which is a different dll.  As far as I'm aware (and I'll double check) the rpc crashing one refers to rpcrt4.  But I'll confirm.

    If it's a bug in the code, they will comp the case back.

    In the meantime I'd check that you have the latest drivers for the network cards on your system.


     
    Tuesday, February 28, 2012 12:12 AM
  • I have this issue as well. SBS 2011 SP1 migrated from SBS 2003. RPC crashing due to ntdll.dll fault. Have installed 2401588 but not disabled IPv6 yet. That will be next if it happens again. Has anyone had success with the hotfix only?

    Wednesday, February 29, 2012 3:01 AM
  • Install both hotfix's suggested by Mohit earlier:

    http://support.microsoft.com/default.aspx?scid=kb;en-US;2401588 

    Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293  (which is included in SP1 so if you've already installed that you won't need it)

    And also install sp1 + all new updates

     

    Wednesday, February 29, 2012 3:27 AM
  • Luckily I found this thread, these server reboots are driving me nuts!

    My issue is also the RPC service crashing and causing a graceful reboot of the server... if a reboot in the middle of the day could be considered graceful.

    I'll try the two hotfixes this evening and post my results here when I know more.


    --- Scott Young

    Tuesday, March 6, 2012 9:28 PM
  • Great thread guys and gals, thanks a lot. It's too bad this is still a problem with seemingly official Microsoft response or resolution.

    Quick background: I did a SBS 2003 to SBS 2011 migration about a month ago. The server first crashed about 17 days ago, and again today with the RPC error and the svchost/ntdll.dll error. I tried to install the hotfixes mentioned in this thread, but they both said they did not apply to my server. I have auto updates running every Sunday morning so my server is fully up to date.

    As of right now, I disabled IPv6 using the registry method so hopefully this works. The problem is, I won't know for sure for several weeks as the problem does not happen often. Hopefully I won't have to call MS. I am a partner, but I would hate to burn a support call on something that should be acknowledged and fixed by MS.

    Wednesday, March 21, 2012 1:05 AM
  • Review those hotfixes again - one is indeed included in Win2k8 sp1 so if you have that you have it.  The other -is-not-.  Make certain you chose the X64 version of the patch not the x86.  Please go back and double check that you got the x64 version and I know that one is included in sp1, one is not.

    Wednesday, March 21, 2012 1:12 AM
  • PLEASE HELP!!! I have researched the same exact problems as above for months!!! Have an SBS2011 Standard server. (I believe the core is SBS 2008R2) It randomly reboots on its own. In going through the logs the indicators seem the same as above. SVCHOST.exe comes up as a faulting application (and an APP crash) with the faulting module ntdll.dll. (version 6.1.7600.16915) ALSO the RPC Endpoint Mapper service then terminates unexpectedly. It tries to restart? (event 7031)and doesn't, then I notice:  Windows must now restart because the Remote Procedure Call (RPC) service terminate unexpectedly (event 1074).  We got this server in May 2011.. I have been logging the random shutdowns... It has been like once a month for awhile.. then a few times a month, then might be good for a week or so.. the past couple weeks more and more. Yesterday it happened 3 times!!! Before I sometimes noticed it happened after I would bring a new PC to the network.. or if I had connected my laptop to the network in the office after not logging off correctly from home after remoting. BUT, neither of those things have been happening the past few weeks... I have checked all the computers on our network for viruses (symantec enterprise)Our first warning that it is happening, is when outlook tells us that it is no longer connected to exchange... then I know it is happening. It takes like 45min for it to try and repair itself and then it reboots. When I first notice the outlook thing, I try to log onto the server in hopes to perhaps start the service that has stopped... but the RPC has failed and won't let me. OK, after much poring through logs, different forums.. I find this forum is addressing my exact issue to a T! and applying the fixes KB982293 and KB2401588 seems to be the answer! So, I come in today on a saturday in hopes to apply these fixes!!! (during off hours for our company as I figure it may require a reboot or two) Now, my problem is that when I click the link for both of these... "The system is currently unavailable. Please try back later, or contact support if you want immediate assistance.http://support.microsoft.com/contactus/?ws=support" I tried that link... and it goes to never never land... Susan Bradley, you seem to be pretty knowledgeable and tied with Microsoft... what do I do now?
    Saturday, April 28, 2012 4:43 PM
  • This is really a great thread and I appreciate all of the time and effort that's gone into the troubleshooting.  I've been struggling with this situation on one of our customer's servers for about 5 weeks now.  That situation being SBS2011 SP1, event 1000 when RPC crashes and causes graceful restart, faulting application name svchost.exe, faulting module name ntdll.dll and finally the server's back up within 25 minutes or so.

    I've seen to it that both hotfixes are in place and IPV6 has been disabled the "correct" way.

    What I've noticed and is interesting/significant is that if I filter the application log on event id 1000 and event source "application error", ALL of the events (id 1000) happen on the 1/2 hour.  In other words, in ALL cases the event id is logged at 10:00:05 (example) or 3:30:22.  In NO case (out of the 30 or so restarts total) is the id logged longer than 26 seconds after the 1/2 hour mark.

    Keep in mind that there may be other event id 1000's logged but I'm only talking about the ones with "faulting applicatin name svchost.exe".

    I say this significant but have no clue why.  I've been through tasks, etc. to find an app. that runs on the 1/2 hour and may be causing or contributing to this and can't find anything.

    I'm a partner and don't want to use a support call if it can be helped.

    Does this help anyone?  Has anyone ever heard from MS of a resolution?

    Monday, May 7, 2012 2:31 PM
  • If you've installed sp1 and the hotfix.  If you've disabled IPv6 (the right way) and you STILL are getting an event "Faulting application svchost.exe version <var><version></var>, faulting module rpcrt4.dll," that's the RPC one.  If you are seeing ntdll.dll that may be another issue.

    What you see in this thread is the resolution for this issue.  Two hotfixes (one included in sp1) and worst case - disable Ipv6.

    If it's still a bug in need of a hotfix, you'll get a comp'd case. 

    Bottom line, you need to open a case.  This is all the resolution fixes we got.

    Monday, May 7, 2012 4:08 PM
  • Are there news about this problem? The SBS 2011 server of a customer worked fine for about 4 months until yesterday. The RPC-Service crashed yesterday at 12:00:47 and today at 15:00:35pm. I'll try to install both hotfixes and disable IPv6...

    Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc3c1
    Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725, Zeitstempel: 0x4ec4aa8e
    Ausnahmecode: 0xc0000005
    Fehleroffset: 0x00000000000506a1
    ID des fehlerhaften Prozesses: 0x34c
    Startzeit der fehlerhaften Anwendung: 0x01cd41c959ea8f61
    Pfad der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe
    Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\ntdll.dll
    Berichtskennung: 51e631f3-aef5-11e1-92bc-000c29d8f4bf

    Wednesday, June 6, 2012 2:18 PM
  • I would install the hotfixes and not disable IPv6.  I disabled offloading on the network card and have had no issues since.


    Jeff

    Wednesday, June 6, 2012 2:37 PM
  • Wow this thread is getting long. Interestingly enough, I also agree to try the hotfixes first but funny thing is the issue re-courrs on one server for us when IPv6 is enabled again. Something somewhere isn't very happy but I also do recall this server having a funny network card driver from HP, had to download a backdated version for it to work properly. Also worth noting for the record, we have had better success by disabling the secondary onboard NIC from the BIOS if your server has two. Sometimes switching it off in windows doesn't cut it. 

    I do feel this issue is related to the network stack somewhere, maybe Microsoft have fixed it for the most part but maybe certain configurations still trigger the issue. Oh well... at least SBS 2011 is an improvement in every other respect. 

    I will add though, I have NEVER seen this issue on WS2008R2 in the 1000s of machines we have installed so I think it's still fairly specific to SBS even though the patches don't seem to be. 
    Wednesday, June 6, 2012 2:42 PM
  • We had a problem very similar to this that caused our Server 2008 R2 Remote Desktop server to have problems.

    It seems like there was a problem with an earlier hotfix after 2008 R2 SP1 is installed.

    Please see the following thread for the solution

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/2d07a7fe-be2a-424a-8b64-2d80c5bce8c8

    ____________________________________

    Good luck all.

    Chris


    Monday, June 11, 2012 8:06 AM
  • We had a problem very similar to this that caused our Server 2008 R2 Remote Desktop server to have problems.

    It seems like there was a problem with an earlier hotfix after 2008 R2 SP1 is installed.

    Please see the following thread for the solution

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/2d07a7fe-be2a-424a-8b64-2d80c5bce8c8

    ____________________________________

    Good luck all.

    Chris


    Hopefully, this info helps some people, but it is a completely different kind of issue than what is going on in this thread.
    Monday, June 11, 2012 3:14 PM
  • I'm so glad I found this thread (which is possibly the longest thread I've ever come across on these forums).

    One of our customer's SBS 2011 servers started exhibiting this exact same problem recently. The server has been in production since July 2011. The problem first occurred on May 15 (2012) and again on June 11.

    Service Pack 1 is already installed but hotfix KB 2401588 isn't, so that's the first thing I'll install. I'll be sure to update this thread if the server does or doesn't restart again in the next month or so.

    In this particular case the SBS server is a virtual guest and it was a new installaiton of SBS 2011, not a migration. The underlying hardware (not that it should matter) is an HP ProLiant ML350 G6 running Windows Server 2008 R2 SP1 and the Hyper-V role.

    Just to confirm the symptoms, the following three events occur on the SBS server, causing it to restart:

    Log Name:      Application
    Source:        Application Error
    Date:          11/06/2012 12:00:32 p.m.
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      myserver.mydomain.local
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000005
    Fault offset: 0x00000000000506a1
    Faulting process id: 0x3d8
    Faulting application start time: 0x01cd471a4e11d248
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

    Log Name:      System
    Source:        Service Control Manager
    Date:          11/06/2012 12:00:33 p.m.
    Event ID:      7031
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      myserver.mydomain.local
    Description:
    The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

    Log Name:      System
    Source:        Service Control Manager
    Date:          11/06/2012 12:00:33 p.m.
    Event ID:      7031
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      myserver.mydomain.local
    Description:
    The RPC Endpoint Mapper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

    Wednesday, June 13, 2012 12:12 AM
  • Am I the only one reporting this on a non-SBS machine? This is an HP DL360 G6 running 2008 R2 SP1, with IPv6 already disabled. Our issue started on June 9th, and has rebooted each day, except Monday. Interestingly enough, there is an application Update error for Kaspersky (8.0 Enterprise) minutes before each reboot, so I will drop down that rabbit hole as well.

    I will try hotfix 2401588 and update here.

    Wednesday, June 13, 2012 4:53 PM
  • Am I the only one reporting this on a non-SBS machine? This is an HP DL360 G6 running 2008 R2 SP1, with IPv6 already disabled. Our issue started on June 9th, and has rebooted each day, except Monday. Interestingly enough, there is an application Update error for Kaspersky (8.0 Enterprise) minutes before each reboot, so I will drop down that rabbit hole as well.

    I will try hotfix 2401588 and update here.

    The Kaspersky hole wasnt very deep -- it was actually after the svchost app error, so just a result. My actual error, that eventually kicks off the stateful reboot when the RPC service crashes, is:

    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000005
    Fault offset: 0x000000000002baad
    Faulting process id: 0x2fc
    Faulting application start time: 0x01cd47852bb181c4
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: fca8858e-b378-11e1-b963-1cc1de705268

    Which isnt exactly detailed in KB2401588, but I installed it anyways. The machine is also a PSP or two behind, so I will update that as well.

    Wednesday, June 13, 2012 5:34 PM
  • It just happened to our SBS 2011 Standard server today !!!

    It powered down for no reason - I have added nothing, just done the normal automatic updates the last being the Exchange 2010 SPAM updates a couple of days ago.

    First time this has happended but during the day was a shock and should NEVER HAPPEN !

    I thought it might have been caused by our EATON UPS - but there is nothing in any logs but the following

    Here is the error - any thoughts anyone as it does not appear to be exactly what others are seeing... IF this is a bug, MS better be quick with a solution.

    Log Name: System

    Source: USER32

    Event ID: 1074

    The process c:\Windows\system32\winlogon.exe (servername) has initiated the power off of computer servername on behalf of user NY AUTHORITY\SYSTEM for the following reason: No title for this reason could be found

    Reason Code: 0500ff

    Shutdown Type: power off

    Comment:

    Thursday, June 28, 2012 10:38 AM
  • Hey Guys,

    I was just checking to see if there was a general concensus of applying the hotfixes and then... that will help stop the random crashing in this scenario? I also have a SBS 2011 Server running on an HP Proliant ML 350 G6 server that is having the same random reboots. I see a number of idea's about network things to possibly change, but no smoking gun to stop it more permanently. Any thoughts suggestions?  

    Wednesday, July 18, 2012 7:51 PM
  • @ Daniel Martinovich.

    Do you have same events and symptoms as mentioned in this post? Without relevant event logs and symptoms it is almost impossible to suggest anything on your issue.

    Wednesday, July 18, 2012 8:37 PM
  • Install SP1 and the other hotfix.  Then make the changes to the network card settings that I posted in one of the later entries by me in this thread.  I did not disable IPv6 and have had a stable server for over eight months.  The SBS Diva opened a Microsoft case for me and these changes worked. 

    Jeff

    Wednesday, July 18, 2012 9:07 PM
  • Hi BigredFan,

    Well I found your post from earlier and installed the hotfixes. I found that the latest HP driver for my network card has already disabled the offloading by default. I will also report back in the coming weeks to let anyone else know if this has helped. So far a week in and no reboots.

    Wednesday, July 25, 2012 4:12 PM
  • Dear All,

    Thanks for everyone's efforts on this, much appreciated, as like you guys I too have been immensely frustrated by this issue, and it's taken a heap of digging about on the web to turn up this thread (which so far has proved to be the only useful resource).

    Our customer has an HP ProLiant DL380 G7, SBS2011 Standard which was a clean install in migration mode so we could upgrade from their old SBS2003 box, brand new last November.

    System had been running fine for months when it suddenly rebooted without warning, and the event log showed that the system had a forced restart caused by an unexpected failure of the RPC service. App log also showed faulting ntdll.dll causing svchost.exe to crash, but no indications as to what was actually causing this occur.

    I am going to try and get the two hotfixes (2401588 & 982293) installed this evening, and also dbl-check that all the BIOS & hardware drivers are up to date as well.

    I'm reluctant to disable IPv6, as I know that SBS2011 relies heavily on it, and fear this could cause further complications (even if accompished by the recommended registry edit method). Not least because of an increasing number of Win7 clients on the network.

    I will report back here on how things go, but I won't regard this issue as being properly fixed until at least two months have elapsed without it occurring, due to the random frequency of it (and even two months might not be enough to be 100% sure).

    Last week it happened three times during the day on Monday, and once on Friday. Prior to that it had done it perhaps twice in four months. Twice in four months is annoying, but not painful enough to panic about, but after last weeks outages the client properly got annoyed, and reasonably so.

    Can't say I'm jumping for joy either, bearing in mind the time that's been consumed investigating and attempting to fix, time which the client is not willing to pay for (nor the 199GBP PSS fee that we'll have to pay if these hotfixes don't work).

    As an aside, does anyone know whether it's possible to change the default recovery behaviour of the RPC service so that it tries to restart the service before resorting to restarting the entire server? And only resorts to that after several failed attempts to restart the service?

    That would be a be big help, as restarting the entire server on the first service failure kind of feels like a 'sledgehammer' option!


    Monday, October 22, 2012 3:55 PM
  • One of the hotfixes is included in SP1 so ensure you have SP1 on the box.

    There's a right way and a wrong way to disable ipv6.

    http://blogs.technet.com/b/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx

    Scroll down on that blog post and the right way is documented there.

    Monday, October 22, 2012 4:00 PM
  • For anyone experiencing this issue, make sure you are running SP1 and install the 2401588 hotfix!

    Even if the "faulting module" in your error is different. This hotfix also seems to fix the ntdll.dll faulting module issue. The 982293 hotfix does not apply to SP1.

    Do NOT uninstall or deactivate IPv6, or adjust your network card settings UNLESS you continue to have this problem AFTER installing 2401588.

    Some people have had had this issue go way after disabling IPv6, but some have not. However, I don't think in this thread has reported that the issue has continued after installing 2401588.

    • Edited by Bulbous Monday, October 22, 2012 11:24 PM
    Monday, October 22, 2012 4:08 PM
  • yep, already had SP1 installed, and totally up to date with Windows Updates. Also had latest BIOS on the server.

    Have spent this evening checking for additional HP firmware & drivers and making sure that's all totally up to date, disabled TCP Offloading for both IPv4 & IPv6 and installed KB2401588 (KB982293 not applicable).

    Server restarted fine, all svcs auto-started fine, so will just have to monitor for now and see how it goes - if it happens again, think I'll have no option but to call PSS, unless someone else finds the definitive cure in the meantime and posts it here (she says offering up a little prayer!).

    What's clear from this thread is that the only commonality to this issue is SBS2011. We have reports of it happening on different hardware chassis & virtual machines, and with and without additional 3rd-party apps, but it doesn't seem to be affecting 'plain' Server2008 hosts.

    I'm still not happy about the idea of disabling IPv6 -

    "From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be. Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled."

    The above quote is direct from Microsoft and is a caveat they have posted with the instructions for modding the registry to disable IPv6.

    I would still much rather try and hack the registry to change the default recovery behaviour of the RPC service - has no one else considered or attempted this?

    Although this would obviously also just be a workaround, rather than the optimal solution of actually fixing the root cause of whatever is causing RPC to terminate unexpectedly.

    Monday, October 22, 2012 11:08 PM
  • Samantha,

    The SBS Diva opened a PSS case for me last year and I worked with a Microsoft engineer.  I followed his advice 100% and have not had any issues since.  I did not disable IPv6 either.  Essentially, I have the hotfix and SP1 installed on the server.  I updated my network card's driver and disabled all offloading tasks on the network card.  We also changed the binding order because a disabled nic was listed first.  I hope this helps.


    Jeff

    Tuesday, October 23, 2012 12:21 PM
  • Hi,

    I have had the same problem as described above so i wont go into details.

    I have tried to apply the KB Hotfix KB2401588 but it reports it is not the my OS version. I am running SBS 2011 Standard on SP 1.

    I know for a fact i should not be disabling IPv6 so thats not an option,but most people seem to say this. I still have the problem, does anyone have a fix?

    Thanks

    Wednesday, January 15, 2014 2:35 PM
  • Aindale, I would check the OS version when you requested the hotfix since you can pick multiple versions.  Did you change the network card driver's settings as listed above?  I had two that had issues before I made those changes and none since.

    Jeff

    Wednesday, January 15, 2014 3:10 PM
  • I have had this same problem as well. Happened for the first time in front of me this morning and to be honest scared the crap out of me. I am using Windows SBS 2011 SP1 on an HP ProLiant ML350 G6 tower. I received the following error 

    ----------------------------------

    Log Name: System

    Source: USER32

    Date: 1/28/2014 10:00:50 AM

    Event ID: 1074

    Task Category: None

    Level: Information

    Keywords: Classic

    User: SYSTEM

    Computer: Servername.domain.local

    Description:

    The process C:\Windows\system32\services.exe ([Server Name]) has initiated the restart of computer [Server name] on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found

    Reason Code: 0x30006

    Shutdown Type: restart

    Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

    ----------------------------------

    I have seen the remote procedure call fail on a few computers on our domain but that was for explorer.exe and probably has nothing in common here. So far this is an isolated incident but I have come in and server restarted itself overnight without any updates being added so I suspect this has been going on for a while. Hopefully it will not happen again but I fear that it will.


    • Edited by Amna Umen Tuesday, January 28, 2014 9:03 PM
    Tuesday, January 28, 2014 8:50 PM
  • Given that you have SP1 and the fix for this specific old issue is in SP1 then any of the suggestions in this thread probably will not work.  I'd recommend you start a brand new thread so that it gets new eyeballs looking at the issue.  In the meantime, what antivirus is installed?  You can also do a search back on this error code and see if it's happened in the past.

    Unfortunately TechNet isn't coming back, sorry folks :-(

    Tuesday, January 28, 2014 8:55 PM
  • Hm, I thought I read above that some people with SP1 were still having this problem. Regardless I use AVG 2012 Business Edition.
    Thursday, January 30, 2014 8:36 PM