Windows 2003 SBS Crashing/Restarting Randomly

First time poster so go easy and I apologize if this is the wrong forum... I'm a MCSE and having a major problem with one of my client's server. It's a 2003 SBS SP1 running exchange, Symantec corp 9.0, isa 2004, etc. It has been working fine up until about a month ago when it started randomly rebooting. The main errors I see in the event viewer are a lot of Master browser errors (election's being forced),

Error code 0000000a, parameter1 c0000000, parameter2 00000002, parameter3 00000000, parameter4 e0829ef3

The reason supplied by user HORIZON\Staff for the last unexpected shutdown of this computer is: System Failure: Stop error
Reason Code: 0x805000f
Bug ID:
Bugcheck String: 0x0000000a (0xc0000000, 0x00000002, 0x00000000, 0xe0829ef3)
Comment: 0x0000000a (0xc0000000, 0x00000002, 0x00000000, 0xe0829ef3)

As of this moment, I have ran all updates, defragged and really nothing else. I do have a minidump log, however I hope someone can point out to me what the heck is causing this error.


Loading Dump File [C:\WINDOWS\Minidump\Mini111105-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Kernel base = 0xe0800000 PsLoadedModuleList = 0xe08af988
Debug session time: Fri Nov 11 13:02:13.270 2005 (GMT-8)
System Uptime: 4 days 2:07:25.056
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
.........................................................................................................................
Loading unloaded module list
.........
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {c0000000, 2, 0, e0829ef3}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for serial.sys
*** ERROR: Module load completed but symbols could not be loaded for serial.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*** WARNING: Unable to verify timestamp for serenum.sys
*** ERROR: Module load completed but symbols could not be loaded for serenum.sys
*** WARNING: Unable to verify timestamp for acfva.sys
*** ERROR: Module load completed but symbols could not be loaded for acfva.sys
Probably caused by : serial.sys ( serial+c569 )

Followup: MachineOwner
---------

0: kd> .reload /f @ "\SystemRoot\system32\DRIVERS\USBD.SYS "
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
0: kd> .symfix
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
0: kd> .reload
Loading Kernel Symbols
.........................................................................................................................
Loading unloaded module list
.........
Loading User Symbols
0: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {c0000000, 2, 0, e0829ef3}

Unable to load image \SystemRoot\system32\DRIVERS\acfva.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for acfva.sys
*** ERROR: Module load completed but symbols could not be loaded for acfva.sys
Probably caused by : serial.sys ( serial!SerialResizeBuffer+95 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: e0829ef3, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: c0000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!MiIsPoolLargeSession+3c
e0829ef3 8b80000000c0 mov eax,[eax+0xc0000000]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from e089b4ba to e0829ef3

TRAP_FRAME: e08a310c -- (.trap ffffffffe08a310c)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=fb1121d0 edi=e08b75c0
eip=e0829ef3 esp=e08a3180 ebp=e08a3180 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!MiIsPoolLargeSession+0x3c:
e0829ef3 8b80000000c0 mov eax,[eax+0xc0000000] ds:0023:c0000000=????????
Resetting default scope

STACK_TEXT:
e08a3180 e089b4ba 00000000 00000000 fb1121d0 nt!MiIsPoolLargeSession+0x3c
e08a31d8 f5c8d569 00000000 00000000 e0a79090 nt!ExFreePoolWithTag+0x1ce
e08a320c f5c8d5a3 fb1121d0 f7843b08 f7843b08 serial!SerialResizeBuffer+0x95
e08a3260 f5c8dc81 001121d0 fb1121d0 fb112118 serial!SerialStartRead+0x2b
e08a3278 f5c8da00 fb1121d0 f7843b08 fb112274 serial!SerialStartOrQueue+0x67
e08a32a0 e083f9d0 00000000 f7843b08 f7843b08 serial!SerialRead+0x74
e08a32b4 f65785b7 f96e4153 fb0b6f38 00000000 nt!IofCallDriver+0x45
e08a32c8 e083f9d0 f9734508 00843b08 f97310d9 serenum!Serenum_DispatchPassThrough+0x65
e08a32dc f3258615 f97310d4 e08a3304 f325d186 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
e08a32e8 f325d186 f9734508 f96e4008 f972e000 acfva+0x615
e08a3304 f325cfbf f96e4008 e08a3340 e083ec8a acfva+0x5186
e08a3310 e083ec8a 00000000 f96e4008 f972e000 acfva+0x4fbf
e08a3340 f5c8c616 fb0ddb78 fb0b0bf8 00000000 nt!

 

IopfCompleteRequest+0xcd
e08a33e4 e083f9d0 fb112118 f96e4008 f96e4008 serial!SerialIoControl+0xb64
e08a33f8 f65785b7 fb0ddb78 f96e4008 f96e4150 nt!IofCallDriver+0x45
e08a340c f65787c6 fb0ddac0 006e4008 f97345c0 serenum!Serenum_DispatchPassThrough+0x65
e08a3430 e083f9d0 fb0ddac0 00000000 f96e4008 serenum!Serenum_IoCtl+0x72
e08a3444 f6578787 f3260fa0 fb0b6f38 00000000 nt!IofCallDriver+0x45
e08a3460 e083f9d0 f9734508 f96e4008 e08a350c serenum!Serenum_IoCtl+0x33
e08a3474 f3258615 e08a349c e08a34a0 f325d312 nt!IofCallDriver+0x45
e08a3480 f325d312 f9734508 001b006c f972e000 acfva+0x615
e08a34a0 f325cf60 00000000 00000014 f9733104 acfva+0x5312
e08a34c8 f325d1d3 f972e000 e08a34e4 f3260fc3 acfva+0x4f60
e08a34d4 f3260fc3 00000000 f973107c e08a35a8 acfva+0x51d3
e08a34e4 e084fd3e f97310a4 f973107c 30640b09 acfva+0x8fc3
e08a35a8 e083e567 00000000 00000000 0258f742 nt!KiTimerExpiration+0x548
e08a3600 e083ac1f 00000000 0000000e 00000000 nt!KiRetireDpcList+0x65
e08a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x37


FOLLOWUP_IP:
serial!SerialResizeBuffer+95
f5c8d569 5f pop edi

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: serial!SerialResizeBuffer+95

MODULE_NAME: serial

IMAGE_NAME: serial.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 42435b2d

STACK_COMMAND: .trap ffffffffe08a310c ; kb

FAILURE_BUCKET_ID: 0xA_serial!SerialResizeBuffer+95

BUCKET_ID: 0xA_serial!SerialResizeBuffer+95

Followup: MachineOwner
---------

0: kd> lm N T
Unknown option 'N'
Unknown option 'T'
start end module name
de000000 de1cf000 win32k (deferred)
de1cf000 de1e5000 dxg (deferred)
de1e5000 de23b680 ati2drad (deferred)
e0800000 e0a75000 nt # (pdb symbols) C:\Program Files\Debugging Tools for Windows\sym\ntkrnlmp.pdb\D11928D0A382448AA96E545C81E4DD172\ntkrnlmp.pdb
e0a75000 e0aa1000 hal (deferred)
f2d42000 f2d6c000 Fastfat (deferred)
f2d6c000 f2d7d980 naveng (deferred)
f2d7e000 f2e1f8c0 navex15 (deferred)
f3258000 f3269980 acfva T (no symbols)
f3602000 f362f000 RDPWD (deferred)
f3b69000 f3b73000 MODEMCSA (deferred)
f4381000 f438e000 Modem (deferred)
f4c85000 f4c87e40 mdmxsdk (deferred)
f4ca1000 f4cf1000 HTTP (deferred)
f5011000 f506f000 srv (deferred)
f5301000 f5330d80 exifs (deferred)
f5421000 f542a000 ndisuio (deferred)
f5471000 f5486000 Cdfs (deferred)
f5486000 f5497000 Fips (deferred)
f5497000 f550d000 mrxsmb (deferred)
f550d000 f553d000 rdbss (deferred)
f553d000 f5567000 afd (deferred)
f5567000 f55b8480 fweng (deferred)
f55b9000 f55ea000 netbt (deferred)
f55ea000 f564b000 tcpip (deferred)
f564b000 f5664000 ipsec (deferred)
f57a0000 f57b2f00 SYMEVENT (deferred)
f57b3000 f5802000 savrt (deferred)
f5802000 f580c000 Dxapi (deferred)
f5812000 f581b5a0 dump_aac (deferred)
f5822000 f582c000 dump_diskdump (deferred)
f5832000 f583d000 TDTCP (deferred)
f5862000 f586f000 netbios (deferred)
f5892000 f58a0000 ipfltdrv (deferred)
f59ea000 f59fe000 usbhub (deferred)
f5a55000 f5a95000 update (deferred)
f5a95000 f5acc000 rdpdr (deferred)
f5acc000 f5b22000 wlbs (deferred)
f5b22000 f5b2f000 Npfs (deferred)
f5b32000 f5b3d000 Msfs (deferred)
f5b42000 f5b4e000 vga (deferred)
f5bc2000 f5bd6000 psched (deferred)
f5bd6000 f5be9000 raspptp (deferred)
f5be9000 f5c03000 ndiswan (deferred)
f5c03000 f5c18000 rasl2tp (deferred)
f5c18000 f5c40000 ks (deferred)
f5c40000 f5c54000 redbook (deferred)
f5c54000 f5c69000 cdrom (deferred)
f5c69000 f5c81000 parport (deferred)
f5c81000 f5c96000 serial # (pdb symbols) C:\Program Files\Debugging Tools for Windows\sym\serial.pdb\D20AF6722E1948C181282EFA45E032191\serial.pdb
f5c96000 f5ca9000 i8042prt (deferred)
f5ca9000 f5cc4000 VIDEOPRT (deferred)
f5cc4000 f5d17d80 ati2mpad (deferred)
f5d18000 f5d42000 USBPORT (deferred)
f5d42000 f5d5ac00 e1000325 (deferred)
f6200000 f621f000 Mup (deferred)
f621f000 f6255000 NDIS (deferred)
f6255000 f62ea000 Ntfs (deferred)
f62ea000 f6311000 KSecDD (deferred)
f6311000 f6327000 sis (deferred)
f6327000 f634c000 fltmgr (deferred)
f634c000 f635f000 CLASSPNP (deferred)
f635f000 f637e000 SCSIPORT (deferred)
f637e000 f63a3000 adpu320 (deferred)
f63a3000 f63bf000 atapi (deferred)
f63bf000 f63e9000 volsnap (deferred)
f63e9000 f6415000 dmio (deferred)
f6415000 f643c000 ftdisk (deferred)
f643c000 f6452000 pci (deferred)
f6452000 f6486000 ACPI (deferred)
f64a7000 f64b0000 WMILIB (deferred)
f64b7000 f64c6000 isapnp (deferred)
f64c7000 f64d4000 PCIIDEX (deferred)
f64d7000 f64e7000 MountMgr (deferred)
f64e7000 f64f0000 ACPIEC (deferred)
f64f7000 f6502000 PartMgr (deferred)
f6507000 f65105a0 aac (deferred)
f6517000 f6527000 disk (deferred)
f6527000 f6533000 Dfs (deferred)
f6537000 f6541000 crcdisk (deferred)
f6567000 f6570000 watchdog (deferred)
f6577000 f6581000 serenum (pdb symbols) C:\Program Files\Debugging Tools for Windows\sym\SerEnum.pdb\AA89DCB18202420795C5A8E7096868A01\SerEnum.pdb
f6587000 f6596000 termdd (deferred)
f6597000 f65a2000 ptilink (deferred)
f65b7000 f65c5000 NDProxy (deferred)
f65d7000 f65e2000 fdc (deferred)
f65f7000 f6601000 flpydisk (deferred)
f6617000 f6624000 wanarp (deferred)
f6647000 f6650000 mssmbios (deferred)
f6657000 f6660000 raspti (deferred)
f6667000 f6670000 hidusb (deferred)
f6677000 f6682000 TDI (deferred)
f6697000 f66a7000 Savrtpel (deferred)
f66a7000 f66b5000 HIDCLASS (deferred)
f66c7000 f66d6000 raspppoe (deferred)
f66d7000 f66e6000 intelppm (deferred)
f66e7000 f66f0000 ndistapi (deferred)
f66f7000 f6701000 kbdclass (deferred)
f6707000 f6715000 msgpc (deferred)
f6717000 f6721000 mouclass (deferred)
f6727000 f672f000 kdcom (deferred)
f672f000 f6737000 BOOTVID (deferred)
f6737000 f673e000 intelide (deferred)
f673f000 f6746000 dmload (deferred)
f6747000 f674f000 OPRGHDLR (deferred)
f67b7000 f67be000 dxgthk (deferred)
f67ef000 f67f6000 parvdm (deferred)
f67f7000 f67fe380 0exabyte2 (deferred)
f67ff000 f6804180 usbuhci (deferred)
f6807000 f680f000 audstub (deferred)
f6827000 f682d300 HIDPARSE (deferred)
f682f000 f6837000 mouhid (deferred)
f6867000 f686f000 Fs_Rec (deferred)
f6877000 f687e000 Null (deferred)
f687f000 f6886000 Beep (deferred)
f688f000 f6897000 mnmdd (deferred)
f689f000 f68a7000 RDPCDD (deferred)
f68a7000 f68af000 rasacd (deferred)
f68b7000 f68b9800 compbatt (deferred)
f68bb000 f68be900 BATTC (deferred)
f69bd000 f69be280 swenum (deferred)
f69c1000 f69c2580 USBD (deferred)

Unloaded modules:
f2e48000 f2e5a000 naveng.sys
f2e5a000 f2efc000 navex15.sys
f2f74000 f2f86000 naveng.sys
f2f86000 f3028000 navex15.sys
f5684000 f5696000 naveng.sys
f5696000 f5738000 navex15.sys
f5852000 f5860000 imapi.sys
f698b000 f698e000 scsichng.sys
f681f000 f6827000 Sfloppy.SYS

 

Was that dump obtained from the problem server and when it had an internet connection? Doesn't look like it and surely makes for a difficult (and maybe faulty) read.

My best guess is the Symantec app(s) is causing your problem since I've seen a few similar issues that did wind up being exactly that. I'd get rid of it and see if things get back to normal. Could have been a security patch/ hotfix that it is choking on or something.

Unless you've added hardware or updated drivers lately, my only other thought is a piece of hardware going bad.

 

Yes it was obtained from the server while it had internet access.

The only thing which has been added in the last 2-3 months is an external serial port modem used for server faxing.

Would you recommend removing the Symantec Exchange security too along with the Corp edition?

 

You are going to need some security suite but these days, I'm getting less and less fond of Symantec's products. And there is always a chance that it isn't really the guilty party although I'd bet on it.

Other than using GoBack on my own PC (since they haven't messed with the code to any extent since buying the product) I will not allow any of their stuff on any machine I control. And I sadly say this as a person who happily used Peter Norton's utilities starting with some fairly early verson of DOS.

I can't really suggest a good replacement from first hand experience since I don't work with SBS at all but we have some folks on here who do and can probably say what has been good for them.

 

I'll try and remove symantec and see what happens. In the interm, I've turned off all intel, apc and unnecessary services. I also went through all active services and disabled "rebooting" the server when a fail occurs. My gut feeling is leaning towards bad memory though.

 

As stated above... is it possible for the serial.sys or the modem which is attatched to the serial port the cause of the rebooting? It seems to be mentioned quite a bit in the dumplog... This was the only new thing recently added. What's weird too, after the reboot, the modem doesn't showup until you go into the device manager and refresh the page. Any possible thoughts?