Windows Server 2008 R2 RDS Farm servers crashing at random?

Hi

I noticed the other day we have had a few crashes since the 29th of May at various, random (so it seems) times on differing servers. We have a 6 server farm (Virtualised) and each of the servers have crashed at some point, some more than others. Typically it will happen twice or 3 times on the one day (as if the one user is trying the same thing over and over) and then not again for days or weeks.

Just prior to May 29th we did have some new MFD's rollout with new drivers and I'm thinking it could be the issue. I have had a look at the mini dump files and they all come back with win32k as the module but the process name is either winword.exe, excel.exe or powerpnt.exe.

I can upload the dumps somewhere if someone could take a look or have a look at the one inserted below.

Any further info required, just let me know. Any help appreciated. Thanks.

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Temp\Dump Files\RDS5\071513-24593-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: Enterprise TerminalServer
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`01600000 PsLoadedModuleList = 0xfffff800`01843670
Debug session time: Mon Jul 15 08:13:55.767 2013 (UTC + 10:00)
System Uptime: 0 days 4:08:04.731
Loading Kernel Symbols
...............................................................
................................................................
...
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff9600024e8a2, fffff880077e9ea0, 0}

Probably caused by : win32k.sys ( win32k!RBRUSH::vRemoveRef+12 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600024e8a2, Address of the instruction which caused the bugcheck
Arg3: fffff880077e9ea0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
win32k!RBRUSH::vRemoveRef+12
fffff960`0024e8a2 f08301ff        lock add dword ptr [rcx],0FFFFFFFFh

CONTEXT:  fffff880077e9ea0 -- (.cxr 0xfffff880077e9ea0)
rax=0000000000000005 rbx=0000000001c60000 rcx=0000000001c60000
rdx=0000000000000000 rsi=fffff900c0000330 rdi=fffff900c2385c38
rip=fffff9600024e8a2 rsp=fffff880077ea880 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000ffffff r10=fffff900c2546bb0
r11=fffff900c0000de0 r12=fffff900c241d670 r13=0000000000000001
r14=fffff900c2385630 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
win32k!RBRUSH::vRemoveRef+0x12:
fffff960`0024e8a2 f08301ff        lock add dword ptr [rcx],0FFFFFFFFh ds:002b:00000000`01c60000=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x3B

PROCESS_NAME:  WINWORD.EXE

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff9600024e8a2

STACK_TEXT:  
fffff880`077ea880 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32k!RBRUSH::vRemoveRef+0x12


FOLLOWUP_IP: 
win32k!RBRUSH::vRemoveRef+12
fffff960`0024e8a2 f08301ff        lock add dword ptr [rcx],0FFFFFFFFh

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  win32k!RBRUSH::vRemoveRef+12

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  51aeb1a7

STACK_COMMAND:  .cxr 0xfffff880077e9ea0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_win32k!RBRUSH::vRemoveRef+12

BUCKET_ID:  X64_0x3B_win32k!RBRUSH::vRemoveRef+12

Followup: MachineOwner
---------