How do I find out what crashed the Windows Server 2008 R2 box

diagnostic server-crashes windows-server-2008

My file server just went belly up and I can't seem to figure out why. Perhaps I'm naive but when these things happen I can typically look through my System, Application or Security Event Viewer log and find the culprit – but no luck this time.

While I was out of the office I received an Icinga notification stating that the E:\ drive on my server was warning that no information was available for that drive.

I logged onto the server to see the E:\ drive was there, but there was no "storage graph" located under it like there normally is, and clicking on it hung the OS. I then tried to reboot the server and the hanging continued. I issued a stop-computer server -Force command, which seemed like it was starting to work; however, the screen hung stating "Please wait for the System Event Notification Service". I had to do a hard shutdown on the server, which is never a good thing.

My question is: if there are no diagnostics in the Event Viewer, is there anywhere I can go post-incident that can show me what caused the crash? I've never had a server lock up on me in the fashion this one did, so I'd like to know what the root problem was.

Best Answer

FYI - for any VMware guest, if you want to get a memory dump, you can take a snapshot, then use vmss2core.exe to extract the memory to a traditional Windows memory dump file that can be read using WinDbg, and therefore MS support or other qualified people.

Converting a snapshot file to memory dump using the vmss2core tool (2003941)
http://kb.vmware.com/kb/2003941

You should remove the snapshot after the dump has been created, copied, and converted. This is usually preferable to the environmental 1/0 switch if you actually want to investigate the current state of the system at the time of a hang. This is also simpler and less intrusive if you just want to get a memory dump of a running system without using the Windows keyboard sequence to force a blue screen, which would only work optimally if the desired memory dump were enabled and the keyboard sequence was enabled.
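
A sanity check for the dump file that the conversion described in the answer above produces, to run before opening it in WinDbg or sending it to support. This is an added example, not part of the original answer; the header offsets are an assumption based on the widely used 64-bit crash dump header layout, and the sample header is constructed.

```python
import struct

HEADER64_SIZE = 0x2000  # size of the 64-bit dump header

# Selected 64-bit header fields: (offset, format). Layout is an assumption, not from the page.
FIELDS64 = {
    "major_version": (0x08, "<I"),
    "build_number": (0x0C, "<I"),      # MinorVersion holds the OS build
    "machine_type": (0x30, "<I"),      # 0x8664 = x64
    "processors": (0x34, "<I"),
    "bugcheck_code": (0x38, "<I"),
    "dump_type": (0xF98, "<I"),
}
DUMP_TYPES = {1: "full", 2: "kernel"}


def parse_dump_header(data: bytes) -> dict:
    """Validate and summarise the header of a 64-bit Windows crash dump."""
    if data[:8] == b"PAGEDUMP":
        raise ValueError("32-bit crash dump: layout differs, not handled here")
    if data[:8] != b"PAGEDU64":
        raise ValueError("not a Windows crash dump (bad signature)")
    if len(data) < HEADER64_SIZE:
        raise ValueError("truncated header: incomplete copy or conversion?")
    info = {name: struct.unpack_from(fmt, data, off)[0]
            for name, (off, fmt) in FIELDS64.items()}
    info["dump_type_name"] = DUMP_TYPES.get(info["dump_type"], "other")
    return info


def read_dump_header(path: str) -> dict:
    """Parse only the header, so multi-gigabyte dumps are not loaded."""
    with open(path, "rb") as fh:
        return parse_dump_header(fh.read(HEADER64_SIZE))


def make_sample_header() -> bytes:
    """Constructed header for demonstration; values are not from a real dump."""
    buf = bytearray(HEADER64_SIZE)
    buf[0:8] = b"PAGEDU64"
    sample = {"major_version": 15, "build_number": 7601, "machine_type": 0x8664,
              "processors": 2, "bugcheck_code": 0, "dump_type": 1}
    for name, value in sample.items():
        struct.pack_into(FIELDS64[name][1], buf, FIELDS64[name][0], value)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_dump_header(make_sample_header()))
```

A bad signature or a short header usually means the file was copied or converted incompletely, which is worth catching before the snapshot is removed.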
