No announcement yet.

Services is stopping with user N/A

  • Filter
  • Time
  • Show
Clear All
new posts

  • Services is stopping with user N/A

    Server: Windows Server 2003 SP1 R2
    Domain mode: 2003

    The server this issue resides on is the only domain controller in the domain.
    Suddenly, severeal major services is entering the stopped state. Example:

    Event Type: Information
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7036
    Date: 22.12.2006
    Time: 07:09:42
    User: N/A
    Computer: DC01
    The Windows Management Instrumentation service entered the stopped state.

    Some of the services this is happening to:
    Network Connections service, Kerberos Key Distribution Center service, DNS Server service, Logical Disk Manager service, The Cryptographic Services service, The Terminal Server Licensing service.

    And a lot the server have to be restarted. This happens 3-4 times a day.
    After it happens a lot of events is recorded, like:

    Event Type: Error
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5723
    Date: 22.12.2006
    Time: 01:38:35
    User: N/A
    Computer: DC01
    The session setup from computer '047797420361' failed because the security database does not contain a trust account '047797420361$' referenced by the specified computer.

    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:

    If '047797420361$' is a legitimate machine account for the computer '047797420361', then '047797420361' should be rejoined to the domain.

    If '047797420361$' is a legitimate interdomain trust account, then the trust should be recreated.

    Otherwise, assuming that '047797420361$' is not a legitimate account, the following action should be taken on '047797420361':

    If '047797420361' is a Domain Controller, then the trust associated with '047797420361$' should be deleted.

    If '047797420361' is not a Domain Controller, it should be disjoined from the domain.

    0000: 8b 01 00 c0 ‹..

    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 7
    Date: 31.01.2007
    Time: 06:06:42
    User: N/A
    Computer: DC01
    The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client DC01$ in realm DOMAIN.LOCAL had a PAC which failed to verify or was modified. Contact your system administrator.

    0000: 61 00 00 c0 a..

    When the server is restarted, the same happens after some hours.

    What could this caused by?

    The server is running Norman AV, and I`ve also did a search with Trend Housecall, but no viruses or malicious items were found...

  • #2
    Re: Services is stopping with user N/A

    Hi, jering.
    I apologize in front, but I have to ask: the first event you posted is dated December 22nd, 2006. Almost 6 weeks ago! During all this time, the DC was restarted 3-4 times a day?
    the only domain controller in the domain
    ?? Hmmmmmmmmm...
    AFAIK, events 7035 and 7036 are related to starting and stopping services. The real issue here is that the service that was stopped was WMI. The Security Center and the Windows Firewall depend on this service. There's a good chance that the following events happen because of this, it might be that the crash of the WMI will make other services to crash too, like a domino. On the other hand, it might be that the WMI is a domino piece in the middle, and something bigger (like the RPC, for instance) crashes before that.
    What would I do first is to check that the Recovery of this service is set on Restart the service (see the attached screenshot).
    Second, I think you should do a deeper examination into the Event Viewer logs. Try to see what where the last line logged before the server got to the situation that it was needed a restart. More than that, filter the events and search for EventID 7036 (event 7035 is the Start Signal for a service to start. 7036 is the change in it's state). Look only at the last ones. Try to see if in the Application log you have something during the same time +/- one minute.
    I feel that the info you posted is not enough. I'm in darkness here and I need your help to find the switch.
    Last edited by sorinso; 9th November 2007, 21:08.

    Sorin Solomon

    In order to succeed, your desire for success should be greater than your fear of failure.


    • #3
      Re: Services is stopping with user N/A

      During all this time, the DC was restarted 3-4 times a day?
      Believe it or not, this has been done for 5-6 months (!!).

      I was asked to look at the issue today.

      I don`t have access to the server from where I am now, so I`ll check the things you suggested tomorrow.