First let’s understand what silent quits means:
When a silent exit occurs, the JIT debugger is never invoked because the process itself asked to be terminated. For example, two Win32 Application Programming Interface (API) functions that perform this action are TerminateProcess and ExitProcess.
Note: Although this article is for Exchange these functions are Windows (Win32) related.
What about graceful shutdown, what is that? That’s simple: a service received an expected command to gracefully stop.
The scenario of this article was based on a real case where customer had to manually start Firewall Service every day, it was “apparently” quitting every night. The problem with a silent quitting is that debugger will not catch; therefore there will be no dump file to analyze. Even knowing that we tried to get a dump and of course the result was a 1st chance exception dump, no second chance. Therefore we got useless data.
After researching more and more we found out that Telephony Service was set to disable and ISA Server Control depends on Remote Access Connection Manager that depends on Telephony Service:
Figure 1 – ISA Server Control Dependencies.
Looking the System Log, there following sequence of events were showing up:
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7040
Time: 10:09:05 PM
User: NT AUTHORITY\SYSTEM
The start type of the Telephony service was changed from demand start to disabled.
Event ID: 7035
Time: 10:09:06 PM
The Microsoft Firewall service was successfully sent a stop control.
Event ID: 7036
Time: 10:09:16 PM
The Microsoft Firewall service entered the stopped state.
Time: 10:09:17 PM
The Microsoft ISA Server Control service was successfully sent a stop control.
The Microsoft ISA Server Control service entered the stopped state.
Time: 10:09:18 PM
The Remote Access Connection Manager service was successfully sent a stop control.
In the application log we got the prove that this was not a silent exit, it was actually a graceful shutdown:
Event Source: Microsoft ISA Server Control
Event ID: 14181
The ISA Server Control service was stopped gracefully.
Event Source: Microsoft Firewall
Event ID: 14182
The Firewall service was stopped gracefully.
If those services are stopping every night and the administrator needs to manually start those, this leads to a conclusion that something (a process) is stopping it. For a domain joined ISA the first thing you shoul check is Group Policy. A simple thing that can be done without impact the production just to check if ISA Server is receiving any policy is run the command RSOP.MSC. The result for this case was shown in Figure 2:
Figure 2 – RSOP.MSC result.
Bingo !!! Now everything makes sense. What was happen here was that ISA Server was inside of an OU that has a policy which was disabling those services. To fix that we created a new OU, moved ISA Server to this new OU and block inheritance in this OU.
Sometimes IT administrators using their best of intention disable some services that are considered not necessary from a Windows perspective (attempting to hardening). However, for ISA Server this needs to be carefully done since it can stop Firewall Service which will cause downtime in your Internet access. Before do this, review the article below that has a list of services that ISA Server depends on: