Security – How to diagnose the cause of unexpected restarts on a Windows Server 2003 VPS


At first I always assumed this was the host applying updates or doing some maintenance. But after contacting the company, they assure me I would have received prior notice before any such event.

In finding the cause of the restarts, I really am not sure what I should be looking for.

They are seemingly random, sometimes 3-4 times a week, sometimes more or less.

Here's all the security log says. What's happening is I am logged in via RDP but I've been away for some hours and the server should be locked, when suddenly…

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 551
Date:  9/11/2010
Time:  1:33:08 PM
User:  VPS01\My_Username
Computer: VPS01
Description:
User initiated logoff:
  User Name: My_Username
  Domain:  VPS01
  Logon ID:  (0x0,0xSOME_ID)


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 538
Date:  9/11/2010
Time:  1:33:19 PM
User:  VPS01\My_Username
Computer: VPS01
Description:
User Logoff:
  User Name: My_Username
  Domain:  VPS01
  Logon ID:  (0x0,0xSOME_ID)
  Logon Type: 10


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Success Audit
Event Source: SECURITY
Event Category: System Event 
Event ID: 513
Date:  9/11/2010
Time:  1:33:23 PM
User:  N/A
Computer: VPS01
Description:
Windows is shutting down. All logon sessions will be terminated by this shutdown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Success Audit
Event Source: Security
Event Category: System Event 
Event ID: 512
Date:  9/11/2010
Time:  1:37:49 PM
User:  NT AUTHORITY\SYSTEM
Computer: VPS01
Description:
Windows is starting up.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The server runs a webapp using IIS 6 and SQL Server 2008 R2 Standard. We're ready to get out of our beta, but this is really a big problem.

It has been doing this since we were doing internal alpha testing (only allowing IIS to serve our IPs).

Thanks for any advice.

Best Answer

The server runs a webapp using IIS 6 and SQL Server 2008 R2 Standard. We're ready to get out of our beta, but this is really a big problem.

Really? You are still in beta? Why the heck did no one think of updating the operating system at some point during development to one that is actually current? 2008 R2 is current, 2008 is already 3 years old. You did so with SQL Server - but not with the OS. BAD move.

That said: none of the items you showed from the event log give an indication, except that a shutdown was initiated (i.e. not a bluescreen or crash). There is no user assigned, so it looks like either the OS deciding (never seen) or that coming from a driver level (virtualization platform triggering it).

At the current state I would assume it is the host doing something. They may not even be aware of it (though it would show a level of stupidity), like doing it for a backup (instead of using a non-intrusive approach). I have seen scripts on Hyper-V doing a backup with a system save (hibernation) from the Hyper-V layer.

All I can say with the information provided.
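
The distinction drawn in the answer (a logged shutdown, event 513, followed by a startup, event 512, as opposed to a startup with no shutdown logged before it) can be checked across a whole exported Security log. The following is an added example, not part of the original question or answer; the function names, the US-style date format and the final sample entry are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample; the last 512 (no 513 before it) is invented to show an unclean restart.
SAMPLE = """\
Event Type: Success Audit
Event ID: 551
Date:  9/11/2010
Time:  1:33:08 PM
User:  VPS01\\My_Username
Event Type: Success Audit
Event ID: 513
Date:  9/11/2010
Time:  1:33:23 PM
User:  N/A
Event Type: Success Audit
Event ID: 512
Date:  9/11/2010
Time:  1:37:49 PM
User:  NT AUTHORITY\\SYSTEM
Event Type: Success Audit
Event ID: 512
Date:  9/14/2010
Time:  3:02:10 AM
User:  NT AUTHORITY\\SYSTEM
"""
FIELD = re.compile(r"^(Event ID|Date|Time|User):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    events = []
    for block in re.split(r"(?m)^Event Type:", text)[1:]:
        f = dict(FIELD.findall(block))
        # Assumption: US-style M/D/YYYY dates with a 12-hour clock.
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"id": int(f["Event ID"]), "when": when, "user": f["User"]})
    return sorted(events, key=lambda e: e["when"])

def restarts(events, window=60):
    # Pair each 512 (startup) with the 513 (shutdown) logged before it, if any.
    out, down = [], None
    for e in events:
        if e["id"] == 513:
            down = e
        elif e["id"] == 512:
            gap = (e["when"] - down["when"]).total_seconds() if down else None
            # 551 logoffs within `window` seconds before the shutdown.
            users = [x["user"] for x in events if down and x["id"] == 551
                     and 0 <= (down["when"] - x["when"]).total_seconds() <= window]
            out.append({"up": e["when"], "clean": down is not None, "downtime_s": gap, "logoffs": users})
            down = None
    return out
```

The Security log alone does not name who requested a shutdown; on Windows Server 2003 the System log's USER32 event 1074, where present, records the process and user that initiated it.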