need server 2008sbs 64bit help with HP server

Hi,

I'm clutching at straws here, here's my situation:

I have a HP ML310 server which is only 1 month old, 4x Hotplug SATA disks. 2x 250gb for OS and second partition. & 2x 500gb for data drive.
The OS and second partition is mirrored in windows Server 2008 64. Not using a raid card just the internal SATA.

Server has 4GB Ram also.
Basically the problem we have is that every week or so the server crashes / hangs. Clients can still browse network shares but no access to exchange. Nor can we access the server using Logmein for remote assistance. Also the server is unresponsive so a reboot is the only thing to do.

When we reboot, the disks are all syncing and it takes ages, but the server works OK. HP have already replaced both 250GB disks (OS drive) and the motherboard :eek: - I really don't rate the HP engineer who said I was the clever one who has 3 MCTS - I mean that just felt awkward and it's only 3 :D

This is the last event before it crashes:

Log Name: Application
Source: Microsoft-Windows-WMI
Date: 05/04/2009 20:59:14
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server name.*********.local
Description:
Event filter with query "select * from __instancemodificationevent within 30 where targetinstance isa 'Win32_PerfFormattedData_PerfDisk_LogicalDisk' and targetinstance.PercentFreeSpace < 1 and targetinstance.Name != '_Total'" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041002. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-04-05T19:59:14.000Z" />
<EventRecordID>38364</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>server name.*********.local</Computer>
<Security />
</System>
<EventData>
<Data>//./root/CIMV2</Data>
<Data>select * from __instancemodificationevent within 30 where targetinstance isa 'Win32_PerfFormattedData_PerfDisk_LogicalDisk' and targetinstance.PercentFreeSpace &lt; 1 and targetinstance.Name != '_Total'</Data>
<Data>0x80041002</Data>
</EventData>
</Event>

If anyone can shed any light on a possible solution then I will be indebted :cool:

PS - I don't think it's a hardware issue as HP have replaced the board and both hard drives.

Additional info:

A full backup is performed every evening to an external 1TB disk
 
The event seems to suggest that the disk is running out of space -how is free space looking? What are you using for backup, is it exchange aware?
Odd that it's causing the disks to resync though... is it onboard RAID?
 
I'd say that was the windows mirroring going boobs skyward. Really you should be using a hardware RAID solution. I wouldn't put all my email etc in the hands of windows mirrors. I've never really seen it work properly. We had an old NT4 box doing mirroring on its OS partition and a disk failed. The server hung completely and had to be rebooted because the windows mirroring couldn't handle a live failover :(

My best advice to you is configure RAID on the motherboard if it'll do it, else buy a decent Controller card and have that do it. Windows mirroring just isn't reliable enough for something like an all in one exchange/file server.
 
The event seems to suggest that the disk is running out of space -how is free space looking? What are you using for backup, is it exchange aware?
Odd that it's causing the disks to resync though... is it onboard RAID?

250GB Drive: C:\ 70GB free
250GB Drive: D:\ 131GB free not a lot on this as this was the exchange drive but moved the database to the 500gb drive.

500GB Drive: E:\ 296GB free

It's not onboard raid - raid through windows server (through disk management etc). I know what people will say about windows raid, but I've used it on over 30 sbs servers and all run perfectly. Although all being server 2003sbs 32bit.

Also in the system event log I get 4 application pop up messages which I think appear just before the crash:

Log Name: System
Source: Application Popup
Date: 06/04/2009 15:56:27
Event ID: 26
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: server name.********.local
Description:
Application popup: : \SystemRoot\System32\lmimirr.dll failed to load
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Popup" />
<EventID Qualifiers="16384">26</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-04-06T14:56:27.974Z" />
<EventRecordID>79521</EventRecordID>
<Channel>System</Channel>
<Computer>server name.********.local</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>\SystemRoot\System32\lmimirr.dll failed to load</Data>
<Binary>0000000002003000000000001A000040280400C06C0200C000000000000000000000000000000000</Binary>
</EventData>
</Event>

Application popup: : \SystemRoot\System32\lmimirr.dll failed to load seems to be something to do with logmein.
Just chasing ghosts I think. At the end of the day, although should be using raid card, windows raid should not be causing this error. I can't just try things as we will literally have this problem in months to come :(
 
Application popup: : \SystemRoot\System32\lmimirr.dll failed to load

^ That DLL appears to be part of the logical mirroring service.

The long and short of it is something somewhere is causing the mirroring service to screw up. You could spend your time faffing about trying to eradicate the conflict. However it is my opinion that it will be quicker and safer to move over to the onboard RAID. You said your hardware was an ML 310? This should have RAID1 support onboard. This is far less susceptible to problems as anything running in software can be interfered with by other software.
Just as a rule running software RAID from the same OS that's running apps is risky. If you must use Windows RAID, run the application instances virtually where the damage they can do to the host OS is limited.
 
From your previous post, it appears you're only mirroring the data drive and not the system drive, is that correct?

It also looks like a lot of data for SBS - how big is the mailbox store?
 
Never trusted windows to do the RAID stuff.

Looking at the specs for the ML310, it says the following about the storage controller: "8-port SAS HBA with RAID in a PCI-X slot (SAS models) or Embedded SATA with integrated SATA RAID 0, 1"

Better off using the On-board RAID Controller.
 
Another vote for using the On-board RAID Controller.

All the SBS systems I look after either use the On-board RAID or have an additional RAID Card fitted.

I would never use the Windows software RAID in a live customer system.
 
i'll spare you the hardware vs software raid spiel as it's been covered already. although consensus seems to be that it's a disk issue have you run a memory check? there may be one in the motherboard's bios that you can enable or you can download memtest86+ or similar. you're best off leaving it running for a while (overnight at least) so that you can complete all the tests multiple times.
 
Application popup: : \SystemRoot\System32\lmimirr.dll failed to load

^ That DLL appears to be part of the logical mirroring service.

Where did you find that info from?

From your previous post, it appears you're only mirroring the data drive and not the system drive, is that correct?

mirroring the data drives also - the 2x 500GB

Never trusted windows to do the RAID stuff.

Looking at the specs for the ML310, it says the following about the storage controller: "8-port SAS HBA with RAID in a PCI-X slot (SAS models) or Embedded SATA with integrated SATA RAID 0, 1"

Better off using the On-board RAID Controller.

RIGHT I Completely agree regarding the onboard raid controller.
Problem I have now is that I have 2x Plex (software raid bootable mbr thingy)

someone please correct me if I'm wrong, what I need to do is:

1. Break the mirrors
2. Find out which 2 drives I still have data, then reboot the server
3. boot into the onboard raid controller and mirror the drives with data (select boot drive with data as in step 2)
4. Pray!

Can I use the hardware raid for the 2x 250GB hard drives and software for the 2x 500GB? or is it not worth the hassle. I'm guessing the answer....

Or maybe start from scratch so to speak. I've got good backups and could hardware raid the server, reload the server with all updates and restore the server from a backup.... GAH going to sleep now :(:mad:
 
btw you've starred out the computer name, however it's listed somewhere in the rest of the event details ;)
 
better safe than sorry :) Being a local domain doesn't matter to a social engineer, who would know now the company, how their systems are setup and what problems they are having, all good info to blag your way in :p
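
The point made in the two posts above, that a hand-masked computer name can still survive elsewhere in pasted event details, can be checked mechanically before posting. The following is an added example, not part of the original thread: it harvests host names from the usual fields (`Computer:`, `<Computer>`, WMIC `/NODE:`) and then scrubs every other occurrence. The function names, host names and sample log are constructed for illustration.

```python
import re

# Places where Event Viewer exports and diagnostic tool output carry the host name.
HOST_FIELDS = [
    re.compile(r"<Computer>\s*([^<]+?)\s*</Computer>", re.I),
    re.compile(r"^Computer:[ \t]*(\S[^\r\n]*?)[ \t\r]*$", re.I | re.M),
    re.compile(r'/NODE:"?([^"\s]+)"?', re.I),
]
# Only plausible host/domain strings are harvested; values that were already
# masked by hand (asterisks, spaces) are skipped so they cannot cause
# accidental over-redaction.
VALID = re.compile(r"[a-z0-9][a-z0-9.-]{2,}")
LABEL = r"[A-Za-z0-9-]"


def harvest_hosts(text, extra=()):
    """Return the lower-cased host names, short names and DNS suffixes found."""
    names = {n.lower() for n in extra}
    for rx in HOST_FIELDS:
        for m in rx.finditer(text):
            fqdn = m.group(1).strip().lower()
            short, _, suffix = fqdn.partition(".")
            candidates = [fqdn, short]
            if "." in suffix:  # a bare "local" is too generic to redact
                candidates.append(suffix)
            names.update(c for c in candidates if VALID.fullmatch(c))
    return names


def redact(text, extra=()):
    """Replace every harvested name everywhere in text.

    Returns (redacted_text, mapping). Placeholders are numbered so that a
    reader of the redacted log can still tell two hosts apart.
    """
    names = sorted(harvest_hosts(text, extra), key=lambda n: (-len(n), n))
    mapping = {n: f"[REDACTED-{i}]" for i, n in enumerate(names, 1)}
    if not mapping:
        return text, mapping
    # Longest name first, and swallow any DNS labels trailing a known host so
    # that "srv01.example.local" does not leave ".example.local" behind.
    rx = re.compile(
        rf"(?<!{LABEL})(" + "|".join(re.escape(n) for n in names) + r")"
        rf"((?:\.{LABEL}+)*)(?!{LABEL})",
        re.I,
    )
    return rx.sub(lambda m: mapping[m.group(1).lower()], text), mapping


# Constructed sample: the Computer fields were masked by hand, but the name
# is still present in a UNC path, in the description and in a WMIC hint.
SAMPLE = r"""Log Name: Application
Computer: *****.********.local
Description:
Backup of \\srv01\Data finished on SRV01.example.local.
<Computer>*****.********.local</Computer>
i.e. 'WMIC.EXE /NODE:"SRV01" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
"""

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE)
    print(found)
    print(cleaned)
```

Names that appear in none of the harvested fields can be passed in through `extra`.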
 
As far as I can tell, the lmimirr.dll is associated with LogMeIn - it is described as the LogMeIn Logical Mirroring Service and not anything to do with RAID mirroring.

Are you running any Anti-Virus software on the server (I hope so?!). What type? There are known issues with AV software detecting LogMeIn files as being false positives for spyware/trojans.

** EDIT **

The error (0x80041002) in the OP's first post is an indication that WMI is not installed/configured/working correctly rather than an indication of a fault with the storage.
 
Exactly what I thought, Logmein mirror service.
The server is running NOD32 version 4

It's being detected as a false positive by NOD32. Try excluding the following files in the NOD32 control panel.

LogMeIn.exe
LogMeIn.dll
rainst.exe
ramaint.exe
raabout.exe
LogMeInSystray.exe
LogMeInSystray.dll
rntfywnd.dll
ra_reboot.exe
LMIGuardian.exe
LMIGuardianDll.dll
LMIGuardianEvt.dll
rainfo.sys
template.rab
LMIinit.dll
rahook.dll
rahook9x.dll
ra16app.exe
ra16dll.dll
LMImirr.sys
LMImirr.dll
LMImirr2.dll
LMImirr.inf
LMImirr.cat
radpms.sys
radpms.inf
radpms.cat
racodec.ax
LMIRfsDriver.sys
LMIRfsClientNP.dll
LMIport.dll
LMIprinter.dll
LMIprinterui.dll
LMIproc.dll
LMIprinternt.dll
LMIprinteruint.dll
LMIprocnt.dll
MonitoringScript.txt
ra_sc.exe
ra.inc
WatchProcess.sma
CheckCDrive.sma
Email.sma
File.sma
Ping.sma
Processes.sma
Services.sma
openssl.exe
zip.exe
dbghelp.dll
unicows.dll
psapi.dll
WapClients.cfg
 
Thanks for getting back, Done that. Also checking the WMIdiag log, There's a few errors which I will correct later today.

Like files missing:


WMI REPORT: BEGIN
49623 12:36:30 (0) ** INFO: Environment: .................................................................................................. 1 ITEM(S)!
49624 12:36:30 (0) ** INFO: => 1 incorrect shutdown(s) detected on:
49625 12:36:30 (0) ** - Shutdown on 02 April 2009 12:42:51 (GMT-0).
49626 12:36:30 (0) **
49627 12:36:30 (0) ** System drive: ....................................................................................................... C:, (Disk #0 Partition #1).
49628 12:36:30 (0) ** Drive type: ......................................................................................................... IDE (GB0250EAFJF ATA Device).
49629 12:36:30 (0) ** INFO: The following UNEXPECTED binary files are/is found in the WBEM folder: ........................................ 2 FILE(S)!
49630 12:36:30 (0) ** - DNSPROV.DLL, 294400 bytes, 19/01/2008 14:42:24
49631 12:36:30 (0) ** - SERVERCOMPPROV.DLL, 40960 bytes, 19/01/2008 14:40:20
49632 12:36:30 (0) ** => This list is provided for information. Unexpected binary file(s) in 'C:\WINDOWS\SYSTEM32\WBEM\'
49633 12:36:30 (0) ** do not necessarily represent an error. For instance, the file(s) listed can be added by
49634 12:36:30 (0) ** any applications implementing WMI providers.
49635 12:36:30 (0) ** => NO ACTION is required.
49636 12:36:30 (0) **
49637 12:36:30 (1) !! ERROR: The following WMI system file(s) is/are missing: ............................................................. 3 ERROR(S)!
49638 12:36:30 (0) ** - C:\Windows\System32\WBEM\framedyn.dll
49639 12:36:30 (0) ** - C:\Windows\System32\WBEM\provthrd.dll
49640 12:36:30 (0) ** - C:\Windows\System32\WBEM\wbemcomn.dll
49641 12:36:30 (0) ** => Recopy from a working system the missing WMI system files to 'C:\WINDOWS\SYSTEM32\WBEM\'
49642 12:36:30 (0) **
49643 12:36:30 (0) ** There are no missing WMI repository files: .......................................................................... OK.
49644 12:36:30 (0) ** WMI repository state: ............................................................................................... CONSISTENT.
49645 12:36:30 (0) ** BEFORE running WMIDiag:
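49646 12:36:30 (0) ** The WMI repository has a size of: ................................................................................... 32 MB.
49647 12:36:30 (0) ** - Disk free space on 'C:': .......................................................................................... 67159 MB.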
49648 12:36:30 (0) ** - INDEX.BTR, 5201920 bytes, 07/04/2009 08:24:09
49649 12:36:30 (0) ** - MAPPING1.MAP, 93572 bytes, 07/04/2009 08:22:09
49650 12:36:30 (0) ** - MAPPING2.MAP, 93572 bytes, 07/04/2009 08:24:10
49651 12:36:30 (0) ** - OBJECTS.DATA, 28147712 bytes, 07/04/2009 08:24:09
49652 12:36:30 (0) ** AFTER running WMIDiag:
49653 12:36:30 (0) ** The WMI repository has a size of: ................................................................................... 32 MB.
49654 12:36:30 (0) ** - Disk free space on 'C:': .......................................................................................... 67152 MB.
49655 12:36:30 (0) ** - INDEX.BTR, 5201920 bytes, 07/04/2009 08:24:09
49656 12:36:30 (0) ** - MAPPING1.MAP, 93572 bytes, 07/04/2009 08:22:09
49657 12:36:30 (0) ** - MAPPING2.MAP, 93572 bytes, 07/04/2009 08:24:10
49658 12:36:30 (0) ** - OBJECTS.DATA, 28147712 bytes, 07/04/2009 08:24:09
49659 12:36:30 (0) **

49660 12:36:30 (0) ** INFO: Windows Firewall status: ...................................................................................... ENABLED.
49661 12:36:30 (0) ** Windows Firewall Profile: ........................................................................................... DOMAIN.
49662 12:36:30 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI)' GROUP rule: ............................................. ENABLED.
49663 12:36:30 (0) ** Windows Firewall 'Windows Management Instrumentation (ASync-In)' rule: .............................................. ENABLED.
49664 12:36:30 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI-Out)' rule: ............................................... ENABLED.
49665 12:36:30 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI-In)' rule: ................................................ ENABLED.
49666 12:36:30 (0) ** Windows Firewall 'Windows Management Instrumentation (DCOM-In)' rule: ............................................... ENABLED.
49667 12:36:30 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
49668 12:36:30 (2) !! WARNING: DCOM Status: ............................................................................................... WARNING!
49669 12:36:30 (2) !! WARNING: => The DCOM Default Impersonation is NOT set to 'Identify'.
49670 12:36:30 (0) ** This could prevent WMI to work correctly.
49671 12:36:30 (0) ** You can fix the DCOM configuration by:
49672 12:36:30 (0) ** - Executing the 'DCOMCNFG.EXE' command.
49673 12:36:30 (0) ** - Expanding 'Component Services' and 'Computers' nodes.
49674 12:36:30 (0) ** - Editing properties of 'My Computer' node.
49675 12:36:30 (0) ** - Editing the 'Default properties' tab.
49676 12:36:30 (0) ** - Set the 'Default Impersonation level' listbox to 'Identify'.
49677 12:36:30 (0) ** From the command line, the DCOM configuration can be corrected with the following command:
49678 12:36:30 (0) ** i.e. 'REG.EXE Add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d 2 /f'
49679 12:36:30 (0) **
49680 12:36:30 (0) ** WMI registry setup: ................................................................................................. OK.
49681 12:36:30 (0) ** INFO: WMI service has dependents: ................................................................................... 1 SERVICE(S)!
49682 12:36:30 (0) ** - Internet Connection Sharing (ICS) (SHAREDACCESS, StartMode='Disabled')
49683 12:36:30 (0) ** => If the WMI service is stopped, the listed service(s) will have to be stopped as well.
49684 12:36:30 (0) ** Note: If the service is marked with (*), it means that the service/application uses WMI but
49685 12:36:30 (0) ** there is no hard dependency on WMI. However, if the WMI service is stopped,
49686 12:36:30 (0) ** this can prevent the service/application to work as expected.
49687 12:36:30 (0) **
49688 12:36:30 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
49689 12:36:30 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
49690 12:36:30 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
49691 12:36:30 (0) ** WMI service DCOM setup: ............................................................................................. OK.
49692 12:36:30 (0) ** WMI components DCOM registrations: .................................................................................. OK.
49693 12:36:30 (0) ** WMI ProgID registrations: ........................................................................................... OK.
49694 12:36:30 (2) !! WARNING: WMI provider DCOM registrations missing for the following provider(s): ..................................... 1 WARNING(S)!
49695 12:36:30 (0) ** - ROOT/HPQ, WbemEventConsumer ({44AA92D6-C186-401A-82EC-4C7B0E42ABD2})
49696 12:36:30 (0) ** Provider DLL: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
49697 12:36:30 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
49698 12:36:30 (0) ** while the DCOM registration is wrong or missing. This can be due to:
49699 12:36:30 (0) ** - a de-installation of the software.
49700 12:36:30 (0) ** - a deletion of some registry key data.
49701 12:36:30 (0) ** - a registry corruption.
49702 12:36:30 (0) ** => You can correct the DCOM configuration by:
49703 12:36:30 (0) ** - Executing the 'REGSVR32.EXE <Provider.DLL>' command.
49704 12:36:30 (0) ** Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
49705 12:36:30 (0) ** (This list can be built on a similar and working WMI Windows installation)
49706 12:36:30 (0) ** The following command line must be used:
49707 12:36:30 (0) ** i.e. 'WMIDiag CorrelateClassAndProvider'
49708 12:36:30 (2) !! WARNING: Re-registering with REGSVR32.EXE all DLL from 'C:\WINDOWS\SYSTEM32\WBEM\'
49709 12:36:30 (0) ** may not solve the problem as the DLL supporting the WMI class(es)
49710 12:36:30 (0) ** can be located in a different folder.
49711 12:36:30 (0) ** You must refer to the class name to determine the software delivering the related DLL.
49712 12:36:30 (0) ** => If the software has been de-installed intentionally, then this information must be
49713 12:36:30 (0) ** removed from the WMI repository. You can use the 'WMIC.EXE' command to remove
49714 12:36:30 (0) ** the provider registration data.
49715 12:36:30 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\HPQ path __Win32Provider Where Name='HPMemberOfWDCollProv' DELETE'
49716 12:36:30 (0) ** => If the namespace was ENTIRELY dedicated to the intentionally de-installed software,
49717 12:36:30 (0) ** the namespace and ALL its content can be ENTIRELY deleted.
49718 12:36:30 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT path __NAMESPACE Where Name='HPQ' DELETE'
49719 12:36:30 (0) ** - Re-installing the software.
49720 12:36:30 (0) **
49721 12:36:30 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
49722 12:36:30 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
49723 12:36:30 (2) !! WARNING: Some WMI providers EXE/DLL file(s) are missing: ............................................................ 1 WARNING(S)!
49724 12:36:30 (0) ** - ROOT/MICROSOFTACTIVEDIRECTORY, ReplProv1, replprov.dll
49725 12:36:30 (0) ** => This will make any operations related to the WMI class supported by the provider(s) to fail.
49726 12:36:30 (0) ** This can be due to:
49727 12:36:30 (0) ** - the de-installation of the software.
49728 12:36:30 (0) ** - the deletion of some files.
49729 12:36:30 (0) ** => If the software has been de-installed intentionally, then this information must be
49730 12:36:30 (0) ** removed from the WMI repository. You can use the 'WMIC.EXE' command to remove
49731 12:36:30 (0) ** the provider registration data.
49732 12:36:30 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\MICROSOFTACTIVEDIRECTORY path __Win32Provider Where Name='ReplProv1' DELETE'
49733 12:36:30 (0) ** => If not, you must restore a copy of the missing provider EXE/DLL file(s) as indicated by the path.
49734 12:36:30 (0) ** You can retrieve the missing file from:
49735 12:36:30 (0) ** - A backup.
49736 12:36:30 (0) ** - The Windows CD.
49737 12:36:30 (0) ** - Another Windows installation using the same version and service pack level of the examined system.
49738 12:36:30 (0) ** - The original CD or software package installing this WMI provider.
49739 12:36:30 (0) **
49740 12:36:30 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
49741 12:36:30 (0) ** INFO: User Account Control (UAC): ................................................................................... DISABLED.
49742 12:36:30 (0) ** INFO: Local Account Filtering: ...................................................................................... ENABLED.
49743 12:36:30 (0) ** => WMI tasks remotely accessing WMI information on this computer and requiring Administrative
49744 12:36:30 (0) ** privileges MUST use a DOMAIN account part of the Local Administrators group of this computer
49745 12:36:30 (0) ** to ensure that administrative privileges are granted. If a Local User account is used for remote
49746 12:36:30 (0) ** accesses, it will be reduced to a plain user (filtered token), even if it is part of the Local Administrators group.
49747 12:36:30 (0) **
49748 12:36:30 (0) ** WMI namespace security for 'ROOT/HPQ': .............................................................................. MODIFIED.
49749 12:36:30 (1) !! ERROR: Default trustee 'NT AUTHORITY\AUTHENTICATED USERS' has been REMOVED!
49750 12:36:30 (0) ** - REMOVED ACE:
49751 12:36:30 (0) ** ACEType: &h0
49752 12:36:30 (0) ** ACCESS_ALLOWED_ACE_TYPE
49753 12:36:30 (0) ** ACEFlags: &h12
49754 12:36:30 (0) ** CONTAINER_INHERIT_ACE
49755 12:36:30 (0) ** INHERITED_ACE
49756 12:36:30 (0) ** ACEMask: &h13
49757 12:36:30 (0) ** WBEM_ENABLE
49758 12:36:30 (0) ** WBEM_METHOD_EXECUTE
49759 12:36:30 (0) ** WBEM_WRITE_PROVIDER
49760 12:36:30 (0) **
49761 12:36:30 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
49762 12:36:30 (0) ** Removing default security will cause some operations to fail!
49763 12:36:30 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
49764 12:36:30 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
49765 12:36:30 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
49766 12:36:30 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
49767 12:36:30 (0) ** A specific WMI application can always require a security setup different
49768 12:36:30 (0) ** than the WMI security defaults.
49769 12:36:30 (0) **
 
49770 12:36:30 (0) ** WMI namespace security for 'ROOT/HPQ/DEFAULT': ...................................................................... MODIFIED.
49771 12:36:30 (1) !! ERROR: Default trustee 'NT AUTHORITY\AUTHENTICATED USERS' has been REMOVED!
49772 12:36:30 (0) ** - REMOVED ACE:
49773 12:36:30 (0) ** ACEType: &h0
49774 12:36:30 (0) ** ACCESS_ALLOWED_ACE_TYPE
49775 12:36:30 (0) ** ACEFlags: &h12
49776 12:36:30 (0) ** CONTAINER_INHERIT_ACE
49777 12:36:30 (0) ** INHERITED_ACE
49778 12:36:30 (0) ** ACEMask: &h13
49779 12:36:30 (0) ** WBEM_ENABLE
49780 12:36:30 (0) ** WBEM_METHOD_EXECUTE
49781 12:36:30 (0) ** WBEM_WRITE_PROVIDER
49782 12:36:30 (0) **
49783 12:36:30 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
49784 12:36:30 (0) ** Removing default security will cause some operations to fail!
49785 12:36:30 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
49786 12:36:30 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
49787 12:36:30 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
49788 12:36:30 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
49789 12:36:30 (0) ** A specific WMI application can always require a security setup different
49790 12:36:30 (0) ** than the WMI security defaults.
49791 12:36:30 (0) **
49792 12:36:30 (0) ** WMI namespace security for 'ROOT/HPQ/TESTEVENT': .................................................................... MODIFIED.
49793 12:36:30 (1) !! ERROR: Default trustee 'NT AUTHORITY\AUTHENTICATED USERS' has been REMOVED!
49794 12:36:30 (0) ** - REMOVED ACE:
49795 12:36:30 (0) ** ACEType: &h0
49796 12:36:30 (0) ** ACCESS_ALLOWED_ACE_TYPE
49797 12:36:30 (0) ** ACEFlags: &h12
49798 12:36:30 (0) ** CONTAINER_INHERIT_ACE
49799 12:36:30 (0) ** INHERITED_ACE
49800 12:36:30 (0) ** ACEMask: &h13
49801 12:36:30 (0) ** WBEM_ENABLE
49802 12:36:30 (0) ** WBEM_METHOD_EXECUTE
49803 12:36:30 (0) ** WBEM_WRITE_PROVIDER
49804 12:36:30 (0) **
49805 12:36:30 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
49806 12:36:30 (0) ** Removing default security will cause some operations to fail!
49807 12:36:30 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
49808 12:36:30 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
49809 12:36:30 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
49810 12:36:30 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
49811 12:36:30 (0) ** A specific WMI application can always require a security setup different
49812 12:36:30 (0) ** than the WMI security defaults.
49813 12:36:30 (0) **
49814 12:36:30 (0) ** WMI namespace security for 'ROOT/INTEROP': .......................................................................... MODIFIED.
49815 12:36:30 (1) !! ERROR: Default trustee 'NT AUTHORITY\AUTHENTICATED USERS' has been REMOVED!
49816 12:36:30 (0) ** - REMOVED ACE:
49817 12:36:30 (0) ** ACEType: &h0
49818 12:36:30 (0) ** ACCESS_ALLOWED_ACE_TYPE
49819 12:36:30 (0) ** ACEFlags: &h12
49820 12:36:30 (0) ** CONTAINER_INHERIT_ACE
49821 12:36:30 (0) ** INHERITED_ACE
49822 12:36:30 (0) ** ACEMask: &h13
49823 12:36:30 (0) ** WBEM_ENABLE
49824 12:36:30 (0) ** WBEM_METHOD_EXECUTE
49825 12:36:30 (0) ** WBEM_WRITE_PROVIDER
49826 12:36:30 (0) **
49827 12:36:30 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
49828 12:36:30 (0) ** Removing default security will cause some operations to fail!
49829 12:36:30 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
49830 12:36:30 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
49831 12:36:30 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
49832 12:36:30 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
49833 12:36:30 (0) ** A specific WMI application can always require a security setup different
49834 12:36:30 (0) ** than the WMI security defaults.
49835 12:36:30 (0) **
49836 12:36:30 (0) **
49837 12:36:30 (0) ** DCOM security warning(s) detected: .................................................................................. 0.
49838 12:36:30 (0) ** DCOM security error(s) detected: .................................................................................... 0.
49839 12:36:30 (0) ** WMI security warning(s) detected: ................................................................................... 0.
49840 12:36:30 (0) ** WMI security error(s) detected: ..................................................................................... 4.
49841 12:36:30 (0) **
49842 12:36:30 (0) ** Overall DCOM security status: ....................................................................................... OK.
49843 12:36:30 (1) !! ERROR: Overall WMI security status: ................................................................................. ERROR!
49844 12:36:30 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
49845 12:36:30 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ................................................................................ 16.
49846 12:36:30 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
49847 12:36:30 (0) ** 'select * from MSFT_SCMEventLogEvent'
49848 12:36:30 (0) ** - ROOT/HPQ, CpuThreshEventConsumer.Name="Cpu Threshold Event Consumer".
49849 12:36:30 (0) ** 'select * from __instancemodificationevent within 30 where targetinstance isa 'Win32_PerfFormattedData_PerfOS_Processor' and targetinstance.PercentProcessorTime > 99 and targetinstance.Name != '_Total''
49850 12:36:30 (0) ** - ROOT/HPQ, DiskThreshEventConsumer.Name="Disk Threshold Event Consumer".
49851 12:36:30 (0) ** 'select * from __instancemodificationevent within 30 where targetinstance isa 'Win32_PerfFormattedData_PerfDisk_LogicalDisk' and targetinstance.PercentFreeSpace < 1 and targetinstance.Name != '_Total''
49852 12:36:30 (0) ** - ROOT/HPQ, HealthDriverEventConsumer.Name="Health Event Consumer".
49853 12:36:30 (0) ** 'select * from HP_PowerSupplyEvent'
49854 12:36:30 (0) ** - ROOT/HPQ, HealthDriverEventConsumer.Name="Health Event Consumer".
49855 12:36:30 (0) ** 'select * from HP_ASRStateChangeEvent'
49856 12:36:30 (0) ** - ROOT/HPQ, HealthDriverEventConsumer.Name="Health Event Consumer".
49857 12:36:30 (0) ** 'select * from HP_FanEvent'
49858 12:36:30 (0) ** - ROOT/HPQ, HealthDriverEventConsumer.Name="Health Event Consumer".
49859 12:36:30 (0) ** 'select * from HP_TempSensorFailureEvent'
49860 12:36:30 (0) ** - ROOT/HPQ, HealthDriverEventConsumer.Name="Health Event Consumer".
49861 12:36:30 (0) ** 'select * from HP_UIDStateChangeEvent'
49862 12:36:30 (0) ** - ROOT/HPQ, MemoryEventConsumer.Name="Memory Event Consumer".
49863 12:36:30 (0) ** 'select * from HP_IMLUpdatedEvent'
49864 12:36:30 (0) ** - ROOT/HPQ, ProcEventConsumer.Name="Processor Event Consumer".
49865 12:36:30 (0) ** 'select * from HP_IMLUpdatedEvent'
49866 12:36:30 (0) ** - ROOT/HPQ, HPAlertIndicationConsumer.Name="HP_AlertIndication to EventLog".
49867 12:36:30 (0) ** 'SELECT * FROM HP_AlertIndication'
49868 12:36:30 (0) ** - ROOT/HPQ, HPAlertIndicationConsumer.Name="HP_AlertIndication to EventLog".
49869 12:36:30 (0) ** 'SELECT * FROM HP_ThresholdIndication'
49870 12:36:30 (0) ** - ROOT/HPQ, SNMPEventConsumer.Name="SNMP Agent WindowNTLog Event Consumer".
49871 12:36:30 (0) ** 'SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.SourceName='Foundation Agents' AND TargetInstance.Logfile='System' AND TargetInstance.EventCode='400''
49872 12:36:30 (0) ** - ROOT/HPQ, SNMPEventConsumer.Name="SNMP Agent WindowNTLog Event Consumer".
49873 12:36:30 (0) ** 'SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.SourceName='MsiInstaller' AND TargetInstance.Logfile='Application' AND TargetInstance.EventCode='11724''
49874 12:36:30 (0) ** - ROOT/HPQ, SysEventConsumer.Name="System Event Consumer".
49875 12:36:30 (0) ** 'select * from HP_ASRStateChangeEvent'
49876 12:36:30 (0) ** - ROOT/HPQ, TestEventConsumer.Name="Test Event Consumer".
49877 12:36:30 (0) ** 'select * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'HP_TestEvent''
49878 12:36:30 (0) **
49879 12:36:30 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
49880 12:36:30 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: .................................................................... 5 NAMESPACE(S)!
49881 12:36:30 (0) ** - ROOT/CIMV2/SECURITY/MICROSOFTTPM.
49882 12:36:30 (0) ** - ROOT/CIMV2/TERMINALSERVICES.
49883 12:36:30 (0) ** - ROOT/MICROSOFTIISV2.
49884 12:36:30 (0) ** - ROOT/WEBADMINISTRATION.
49885 12:36:30 (0) ** - ROOT/SERVICEMODEL.
49886 12:36:30 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
49887 12:36:30 (0) ** use an encrypted connection by specifying the PACKET PRIVACY authentication level.
49888 12:36:30 (0) ** (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
49889 12:36:30 (0) ** i.e. 'WMIC.EXE /NODE:"CASASERVER" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
49890 12:36:30 (0) **
49891 12:36:30 (0) ** WMI MONIKER CONNECTIONS: ............................................................................................ OK.
49892 12:36:30 (0) ** WMI CONNECTIONS: .................................................................................................... OK.
49893 12:36:30 (1) !! ERROR: WMI GET operation errors reported: ........................................................................... 4 ERROR(S)!
49894 12:36:30 (0) ** - Root/CIMV2, Win32_PerfFormattedData_BITS_BITSNetUtilization, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
49895 12:36:30 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMIPERFINST.MOF'
49896 12:36:30 (0) ** - Root/CIMV2, Win32_PerfRawData_BITS_BITSNetUtilization, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
49897 12:36:30 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMIPERFINST.MOF'
49898 12:36:30 (0) ** - Root/CIMV2, Win32_PerfFormattedData_TermService_TerminalServices, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
49899 12:36:30 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMIPERFINST.MOF'
49900 12:36:30 (0) ** - Root/CIMV2, Win32_PerfRawData_TermService_TerminalServices, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
49901 12:36:30 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMIPERFINST.MOF'
49902 12:36:30 (0) ** => When a WMI performance class is missing (i.e. 'Win32_PerfRawData_TermService_TerminalServices'), it is generally due to
49903 12:36:30 (0) ** a lack of buffer refresh of the WMI class provider exposing the WMI performance counters.
49904 12:36:30 (0) ** You can refresh the WMI class provider buffer with the following command:
49905 12:36:30 (0) **
49906 12:36:30 (0) ** i.e. 'WINMGMT.EXE /SYNCPERF'
49907 12:36:30 (0) **
49908 12:36:30 (0) ** WMI MOF representations: ............................................................................................ OK.
49909 12:36:30 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
49910 12:36:30 (0) ** WMI ENUMERATION operations: ......................................................................................... OK.
49911 12:36:30 (0) ** WMI EXECQUERY operations: ........................................................................................... OK.
49912 12:36:30 (2) !! WARNING: WMI GET VALUE operation errors reported: ................................................................... 5 WARNING(S)!
49913 12:36:30 (0) ** - Root, Instance: __EventConsumerProviderCacheControl=@, Property: ClearAfter='00000000000030.000000:000' (Expected default='00000000000500.000000:000').
49914 12:36:30 (0) ** - Root, Instance: __EventProviderCacheControl=@, Property: ClearAfter='00000000000030.000000:000' (Expected default='00000000000500.000000:000').
49915 12:36:30 (0) ** - Root, Instance: __EventSinkCacheControl=@, Property: ClearAfter='00000000000015.000000:000' (Expected default='00000000000230.000000:000').
49916 12:36:30 (0) ** - Root, Instance: __ObjectProviderCacheControl=@, Property: ClearAfter='00000000000030.000000:000' (Expected default='00000000000500.000000:000').
49917 12:36:30 (0) ** - Root, Instance: __PropertyProviderCacheControl=@, Property: ClearAfter='00000000000030.000000:000' (Expected default='00000000000500.000000:000').
49918 12:36:30 (0) **
49919 12:36:30 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
49920 12:36:30 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
49921 12:36:30 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
49922 12:36:30 (0) ** WMI static instances retrieved: ..................................................................................... 2367.
49923 12:36:30 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
49924 12:36:30 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 1.
49925 12:36:30 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
49926 12:36:30 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
49927 12:36:30 (0) ** DCOM: ............................................................................................................. 0.
49928 12:36:30 (0) ** WINMGMT: .......................................................................................................... 0.
49929 12:36:30 (0) ** WMIADAPTER: ....................................................................................................... 0.
49930 12:36:30 (0) **
49931 12:36:30 (0) ** # of additional Event Log events AFTER WMIDiag execution:
49932 12:36:30 (0) ** DCOM: ............................................................................................................. 0.
49933 12:36:30 (0) ** WINMGMT: .......................................................................................................... 0.
49934 12:36:30 (0) ** WMIADAPTER: ....................................................................................................... 0.
49935 12:36:30 (0) **
49936 12:36:30 (0) ** 4 error(s) 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found
49937 12:36:30 (0) ** => This error is typically a WMI error. This WMI error is due to:
49938 12:36:30 (0) ** - a missing WMI class definition or object.
49939 12:36:30 (0) ** (See any GET, ENUMERATION, EXECQUERY and GET VALUE operation failures).
49940 12:36:30 (0) ** You can correct the missing class definitions by:
49941 12:36:30 (0) ** - Manually recompiling the MOF file(s) with the 'MOFCOMP <FileName.MOF>' command.
49942 12:36:30 (0) ** Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
49943 12:36:30 (0) ** (This list can be built on a similar and working WMI Windows installation)
49944 12:36:30 (0) ** The following command line must be used:
49945 12:36:30 (0) ** i.e. 'WMIDiag CorrelateClassAndProvider'
49946 12:36:30 (0) ** Note: When a WMI performance class is missing, you can manually resynchronize performance counters
49947 12:36:30 (0) ** with WMI by starting the ADAP process.
49948 12:36:30 (0) ** - a WMI repository corruption.
49949 12:36:30 (0) ** In such a case, you must rerun WMIDiag with 'WriteInRepository' parameter
49950 12:36:30 (0) ** to validate the WMI repository operations.
49951 12:36:30 (0) ** Note: ENSURE you are an administrator with FULL access to WMI EVERY namespaces of the computer before
49952 12:36:30 (0) ** executing the WriteInRepository command. To write temporary data from the Root namespace, use:
49953 12:36:30 (0) ** i.e. 'WMIDiag WriteInRepository=Root'
49954 12:36:30 (0) ** - If the WriteInRepository command fails, while being an Administrator with ALL accesses to ALL namespaces
49955 12:36:30 (0) ** the WMI repository must be reconstructed.
49956 12:36:30 (0) ** Note: The WMI repository reconstruction requires to locate all MOF files needed to rebuild the repository,
49957 12:36:30 (0) ** otherwise some applications may fail after the reconstruction.
49958 12:36:30 (0) ** This can be achieved with the following command:
49959 12:36:30 (0) ** i.e. 'WMIDiag ShowMOFErrors'
49960 12:36:30 (0) ** Note: The repository reconstruction must be a LAST RESORT solution and ONLY after executing
49961 12:36:30 (0) ** ALL fixes previously mentioned.
49962 12:36:30 (2) !! WARNING: Static information stored by external applications in the repository will be LOST! (i.e. SMS Inventory)
 
I have had a similar issue with one of the SBS 2008 boxes that I installed; it sounds like the same fix might work for you.

There is a memory leak issue with the Server 2008 WMI services.
The wmiprvse.exe process will eat and eat memory until the server dies.
It ended up killing my server once every 4 days or so.
It looks like you're using the HP WMI add-on, which makes the services work harder and use more memory.

Try installing this hotfix, it may solve your issues:
http://support.microsoft.com/kb/958124

I would also grab another 4GB memory if you can.
My server started off with 4GB but SBS 2008 is such a memory hog it ended up paging most of the time; upgrading to 8GB has made the server run much better.

I also agree with what has been said above: the ML310 should have hardware RAID on board, and it will be much better than the software RAID you currently have set up.
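
One way to check whether wmiprvse.exe is actually growing as the reply above describes, before and after installing the hotfix. This is an added example, not part of the original thread; the sampling interval, sample count and report column names are assumptions chosen for illustration.

```powershell
# Added example: sample every wmiprvse.exe instance and estimate memory growth.
# IntervalSeconds and Samples are assumed defaults; lengthen them for a slow leak.
param(
    [int]$IntervalSeconds = 60,
    [int]$Samples = 30
)

$history = @{}   # process ID -> array of samples for that instance

for ($i = 0; $i -lt $Samples; $i++) {
    $now = Get-Date
    # Several wmiprvse.exe instances normally run at once; track each by ID.
    foreach ($p in @(Get-Process -Name wmiprvse -ErrorAction SilentlyContinue)) {
        if (-not $history.ContainsKey($p.Id)) { $history[$p.Id] = @() }
        $history[$p.Id] += New-Object PSObject -Property @{
            Time      = $now
            PrivateMB = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
            Handles   = $p.HandleCount
        }
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$report = foreach ($procId in $history.Keys) {
    $s = $history[$procId]
    if ($s.Count -lt 2) { continue }          # instance started or exited mid-run
    $first = $s[0]
    $last  = $s[-1]
    $hours = ($last.Time - $first.Time).TotalHours
    if ($hours -le 0) { continue }

    # Count intervals where private memory rose: a leak climbs steadily,
    # a busy but healthy provider rises and falls.
    $rising = 0
    for ($j = 1; $j -lt $s.Count; $j++) {
        if ($s[$j].PrivateMB -gt $s[$j - 1].PrivateMB) { $rising++ }
    }

    New-Object PSObject -Property @{
        ProcessId   = $procId
        StartMB     = $first.PrivateMB
        EndMB       = $last.PrivateMB
        MBPerHour   = [math]::Round(($last.PrivateMB - $first.PrivateMB) / $hours, 1)
        RisingPct   = [math]::Round(100 * $rising / ($s.Count - 1))
        HandleDelta = $last.Handles - $first.Handles
    }
}

$report | Sort-Object MBPerHour -Descending |
    Select-Object ProcessId, StartMB, EndMB, MBPerHour, RisingPct, HandleDelta |
    Format-Table -AutoSize
```

An instance whose MBPerHour stays positive with a high RisingPct across runs is the one to correlate with the HP providers listed in the WMIDiag output.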
 