"the network request is not supported" on Windows 2000 Server. Can't login

Is this message generated during the login procedure? and or is it some login script kicking in?

i ask because u seem able to login. Or are u using MMC to look at the event logs?

it might be a drivemap that is not supported / up and is failing to map it.

when does it exactly happen?

Please note, we are having the same problem in this question https://www.experts-exchange.com/questions/21439641/W2000-Server-and-denied-Terminal-Services-Access.html .

I have included some info (not solution) about this problem.

I get the same message during login on only 1 of my terminal servers running citrix. Any info please check other post as well.

Thank you.

Dutchclan:
It happen way before any script... it just doesn't authentificate to logon on the machine.
I also forgot to mention that this server **IS** the domain controller.  That's the weirdest thing i've ever seen...

I've called someone today to help me with this problem.  He gave me some tips and apparently one computer on the network got a virus, and it jam our server.  He told me to take a look at our firewall logs to see anything suspicous and i've noticed tons of "Dropped Connection" of people who where trying to access us thru the RPC Mapper.  He told me to check with "netstat -an" to see which IP was ... "Not Dropping" (from the LAN to *) but apparently, the server have tons of ports connecteds to others ports OF ITSELF.  This would mean that my server is the one who have a virus?  Norton Antivirus would have noticed nothing?

Well, that friend who helped me told me that after a while, the service of our domain controller was just shutting down itself ... and that would be the reason why i can't even login on it.

And also, when i forced a scan with Norton Antivirus, and also once when i tried to download the critical updates of Windows, i got a window appearing on the screen saying that a service (LsaSvr? or Rpc something) just failed and the server will reboot automatically in 50 seconds.  This sound like a virus to me.  I've rebooted, in safe mode (without network), and ran a scan, and everything went fine.  No virus found and no premature shutdown.

I don't know if it help someone ...  i'll have to solve this problem soon.  I'll work on that tomorrow and hope i'll find the solution.

1st thing to do is to remain calm and find a sollution for Exchange.

this will give u air to breath. find a way to bring exchange back up. maybe installing a 'temp' exchange on some computer and copy the PRIV1.EDB and PUB1.EDB to the new machine (so the users have all their accouts up ec.)

Maybe u have a system state backup of the server? if so figure out on wich date it all started and replace the system state backup with the one of a previous date. (this might change password settings ec..)

and i`ll be browsing Technet to figure out what procedure is being used to logon to a server (in wich it seams 'logical' to start allot of network services'  )

maybe u should do the same ;)  

This is whats found thus far

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/78cb5d3c-d0b2-4d20-a693-fa66bde1a63b.mspx

The LSA instance is the first layer in the logon sequence. This image shows the windows login routine performed by different methods of login.

<img src="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/images/trsc_atn_101c.gif">

U might notice that allot of these routine blocks are influanced / influancable by RPC commands (remote procedure call)

Where u should concentrate is where the LSA instance is using network functions.

what u might try is copying the 'dll and exe' files used for this logon routine from a 'simular' good server.

as can be found in the above comment.

If the *RPC service* is the problem u should be able to see this in the event log.

Oke, work arround *knowing u cant logon*...

Start a Client on the domain and run MMC in the start => run... option.

Add a console computer management and assign to to a remote computer (your domain controller). Now find the eventlog option in the mmc console and open the system eventlog. And tell us what u see.
 

This looks very similar to the problem I am facing at the moment, and it seems to have started the same day as yours. So just to shed some light on the conversation to some "anomalies" I spotted in the event viewer of my 2 servers (2 out of 12 what are the odds?) that are experiencing. I can reboot the servers and they will work fine for some time, anywhere from 5 minutes to a few hours, and then I spot en EventID 5000 Source: LsaSrv "The security package negotiate is now disabled. The Exception is the data" (not sure if you need the DWORD data or not but ...)

c0000005 00000000 00000000 7855f218
00000007 00000000 0000000c 00000000
00000000 00000000 00000000 00000000
00000000 00000000 ff027f ffff0000
ffffffff 00000000 01ac0000 00000000

Then of course I get alot of repeating 3034 Events from MrxSmb "The redirector was unable to initialize security context or query context attributes"
And according to a kb article I read from MS only the last dword is important and lists the status:

c00000fe : STATUS_NO_SUCH_PACKAGE

Best of luck to you on getting this resolved quick, and if I have any luck I'll be sure to pass any info on

have u tried to manually stop start the logon - rpc - rpclocator service?

try:

Net stop rpcss
Net stop rpclocator
Net stop netlogon

Netstart rpcss
Netstart rpclocator
Netstart netlogon

Also i found some articles about the *.dit file growing to fast. The seems to be a security update for this, only u have to contact microsoft to aquire it. Also the EVT 5000 messages reffere to that security update. (assuming that the other Evt messages are generated because the LSA service stoped)

gl.
Chris Gralike

restarting the locator and logon services did not seem to fix anything. I am unable to restart the RPC service either in the services applet or at command prompt.

P:\>net stop rpcss
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

oke, so the RPC nicely rejects a shutdown. This is correct because shutting down RPC would render the server unstable and might cause a Shutdown (like in the previous messages). In your case a shutdown / stop command is being ignored by the server and this is correct.

The only other network module that is being used by the logon routine is kdcsvc.dll (KDC) wich will open varrious windows sockets. as might be u have succesfully stopped and started the netlogon service, wich would make me guess that that service is functioning also.  

Knowing that the KDC module is being called by either kerberos (kerberos.dll) and or the Directory Services (NTDSA.dll) it might be correct to suggest that the microsoft suggestion about the .dit being / growing to huge. It might be worth a shot to try this article :

http://support.microsoft.com/default.aspx?scid=kb;en-us;831726

wich reffers to the .dit article as being the sollution : kb article 829755

see url :
http://support.microsoft.com/kb/829755/

gl Chris Gralike

I have identical problem at a client of mine.  first i heard about it was 6/2 first thing in the morning, so probably occurred last night.
i get all types of dhcp and dns errors in the system log, nothing special in the app log.
it too is a win 2k server running as a DC with exchange.

it froze only 3 times yesterday, (first i though was a fluke) the last was about 9:00 at night.  my client is out of the office and i have no way in to do a hard reboot until the morning.

but,
this looks very similiar to a virus to me.  maybe a varient on the Klez?  no idea yet.

virus scan yielded nothing though.  and i didn't realize that this was more then a anomally until after hours yesterday, so i wasn't able to check tasks running or registry.  i'll post anything else if i find something.

does anyone have a virus name to query symantec to what actions the virus performs?

I have the same problem with a client.  First noticed a problem the morning of June 2nd.  Windows 2000 server (DC) with exchange 2000 and Norton Corp 9x.  My client loses outlook access from the workstations and some drive mappings.  Rebooting the server will fix the problem but only for a shory period of time.  Terminal services will not allow a login once the problem surfaces.  That error is "The network request is not supported".

I am going over to the clients office this afternoon and will post anything additional that I find.

are you guys getting DNS errors in the sys log, specifically something similiar to:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            6/2/2005
Time:            10:01:09 PM
User:            N/A
Computer:      ALPHA
Description:
Registration of the DNS record '1279c546-5d69-4ea6-b4e0-dc2bc8731802._msdcs.domain.com. 600 IN CNAME servername.domain.com.' failed with the following error:
DNS RR set that ought not exist, does exist.  

I have had this same issue on three different clients as of this morning beginning last night. The only thing I noticed with any consistency is that once I stop and restart the IIS service the server seems to be working for a "given amount of time" Can someone else who is having this issue hit that and seem is it has the same effect? In all 3 instances I'm using Trend Server Protect, Windows 2000 Server, SP 4

Roarkinc:
Sorry, i don't get this error

Dutchclan:
Thanks for all your proposals.  This morning i've finished to install all the last Windows updates that was not installed (a lot in fact), and i also updated my Antivirus definition file... it was not old (2005-05-24) but it seems that Norton has released a new definition on 2005-06-01 and 2005-06-02 also... so i'll try them and do a scan.  I'll cross my fingers so it won't stop in the middle of the scan.  I tried the "shutdown -i" but the most that i can put for the time is 600 seconds... a full scan take up to 40 minutes on this server.

BMeyer99:
I've checked your thread, and it seems to be the same.  Just don't put too much accent on the fact that you are using Thin Clients or other stuff like that.  It's just an effect... they use RPC and your RPC is down just like us.

Macery:
I got the same thing than you... just few things are different in the data.
But i have the same events than you.  In fact, i have tons of them and didn't go thru all the list yet.
326, 1000, 1031, 1042, 1047, 2102, 2103, 2104, 2114, 3034, 5000, 7001, 7200, 8026, 8197, 8250, 9098, 9143, 9153, 9317.

Microsoft say to ignore 2102, 2104, 8250.  I've not checked all the others yet.

Event ID 5000:
"The security package negociate..." and my data is
c0000005 00000000 00000000 77f895a9
00000002 00000000 909006e3 0001003f
00000000 00000000 00000000 00000000
00000000 00000000 ffff027f ffff0020
ffffffff 70181c93 06d9001b  70173ad8

I also got another Event ID 5000 (Category Device) that say:
"The security package Kerberos generated an exception.  The package is now disabled.  The exception information is in the data." and the data is very similar:
C0000005 00000000 00000000 77FCC663
00000002 00000001 90909090 0001003F
00000000 00000000 00000000 00000000
00000000 00000000 FFFF027F FFFF0020
FFFFFFFF 70181C93 06D9001B 70173AD8

Let's hope we all find an answer soon... this problem is really bugging me.  Thanks for all your help

Can you guys make a little test to see if i must be scared of what i got on my server?
Go to command prompt and type "netstat -an" and see what kind of connections you have on it?

I have several connections from Myself to Myself.  There's some ports that come up often in the list like:
389, 691, 1026, 3268.

And there's some others like 1201, 1204, 1206,  1215, 1217, 1219... and up.  So it seems to increase, and all of them seems to be connected to the usual ports (389, 691 ... etc).

Is there a new virus in town??  It might be the cause of the failure of the service.  Like a connection stack overflow or something like that.

So please, try the same netstat to see if you got the same thing.  Thanks

I'm not seeing anything too unusual in my netstat -an output, I have a lot of connections to port 80(html) and port 8080(Citrix XML Service) and only a very small number of other ports and connections.

i think i have the problem narrowed down, but i want you guys to varify.

when you go to the DNS management, do you have multiple ips listed for the server, including 1 that is not on the DC?
meaning

servername   HOST    192.168.1.10     <--- correct address
servername   HOST    192.168.1.84     <--- no idea where this address came from


this would explain the slow logins when logins do work, and it would also explain why the computer can't seem to find itself.

so far that's all i have that seems logical.  a restart readded the entry, but the ip doesn't respond to pings.  i will delete it again and try to track it down.

It might be related only to my server since Exchange is on the Domain Controller.  Port 389 and 3268 seems to be attached to LDAP and Exchange.  I've seen an article on Experts Exchange saying that it might be because we have a NDR attack.  It might not have anything to do with this problem... i just wanted to see if it's related or not.

Thanks Macery.

Has anyone else seen a service of serv-u ftp server running that you don't think should be? I'm going to kill the service for now and see what happens.

Roarkinc, I have no other DNS entry like you have.  So i think that you solved your problem, but not ours.  Just wanted to precise that just in case that someone see that and close the case :)

Microaideinc, i don't have any FTP server on this computer, and we don't use Serv-U here.

Since i've finished the critical updates, i didn't had this problem yet.  But i want to wait and see what will happen.
It has been running since 3 hours without problem... maybe just a coincidence.

the serv-u thing is probably a hacker.  i have seen that before.  
i know serv-u is a valid ftp server program (which is great), but i have seen hackers using stripped down versions of the program to make a server a free warez/movie/wahtever server.

all you should need to do is kill the process, delete the executible and  delete the hidden files (unhide files and search for large file sizes).    also, delete all references to serv-u in the registry if you don't use serv-u normally, it won't be an issue.  then run a virus/spyware scan.

i am hoping mine is gone.  further investigation tells me the dns had nothing to do with it.


this is what i did (i will let you know whether it worked, but all of my event log errors are gone)

Microsoft hotfix 828297 (http://support.microsoft.com/default.aspx?scid=kb;en-us;828297)
http://hotfixv4.microsoft.com/Windows%202000/sp5/Fix91875/2195/free/171581_ENU_i386_zip.exe
password = uLhz^lBJ

Microsoft hotfix 829755 (http://support.microsoft.com/kb/829755)
http://hotfixv4.microsoft.com/Windows%202000/sp5/PKG51593/2195/free/149286_ENU_i386_zip.exe
Password: LB*%VnNTES

To fix the problems just look in the register for entrances as %SystemRoot%\
system32\svchost - k rpcss and substitute them for %SystemRoot%\system32\svc
host.exe - k rpcss this difference

disable automatic download of updates  (manual updates still work, i'm just not downloading them before hand)

net time /setsntp:gnomon.cc.columbia.edu

removed all extra entries from the DNS and turned off dynamic updates to the dns zone.

and of course windows updates

i know its pretty random, but it cleared up all my event log errors and warnings.  even in the directory services log.
and we have to have the same issue, they started the same day with the same symptoms.

I have the same problem on 3 servers at different customers.
One SBS 2000 and two windows 2000 servers both with exchange 2000 installed on it.
The SBS and on of the two native windows 2000 servers have "Symantec AV Filtering for MS Exchange" installed, the third one has got McAfee installed on it.
The problems also started from the first of juin.

Hope this will help.

Best Regards Karel

I am having this exact problem at a client of mine and am on the phone with Microsoft now.  Exchange stops responding, then after some time drive mappings stop responding.  I go to the server to check on things and login and I get "The network request is not supported".  After a reboot, things work for a few or several hours then starts again.  The funny thing is this happened 3 weeks ago, but starting around the 1st of June, is acted up every day.

If Microsoft helps with anything I will post it to the website.

Thanks!
Lance

Hi,

I am facing a very similar issue, however there is no Exchange on the box nor is it a DC.  I have 2 web servers that are experiencing Event id: 5000 LsaSrv, and Event id: 3038 MrxSmb.

I am unable to login either locally or through remote desktop ("Network Request is not supported").   I also am unable to map drives etc.

This all started 6/2/2005.  The servers are still serving web stuff but thats about it.

Unplug the network cable, unjoin the domain and rejoin it.  This should fix your problem

log on locally, unjoin and rejoin domain, i meant to say

umpluggin the network cable will let you log in.  you can try locxally and with domain account.

dhaurey: This server **IS** my domain controller :P, can't "logon localy and unjoin"

contacc: you are lucky.  Our server was not able to do anything... it was like if the CPU was working at 100% but once i was able to see the Task Manager (2 minutes after asking for it!), it was showing "Process Idle: 98%"...

The good news is that i didn't had much problems today.  Here's what i did...
   - Forced everybody to update their antivirus definition file thru Symantec Console on our server.
   - Rebooted the server responsible for emails & authentification.
   - Once rebooted, force a shutdown after 10 minutes this way: "shutdown -i".  So i was able
     to update my computer without seeing it crash before it end!
   - Do that several times until all all the updates are done
   - Forced a scan all the computers on the network because the net administrator who was hired before
     me didn't thought it was a good idea to scan the computers at least once a week (Only real-time was
     enough for him.  Well, i must be parano ...).

What we found out is that many persons were infected with NetSky and few variants of Tooso (or Tosoo?).

All theses steps were completed at 10:30AM.  It's 21:15PM and everything still working at the office...
Monday i'll check to see if the server never shutdown in the week-end.  If so, i consider my mission ... almost complete.
I still have to find out why i get so much "Loop back connections" on port 389 and 3268.  If it's generated by NDR, i'll simply limit them...

mine was member server and this worked for me

my solution seems to have worked for me.
i would like to hear back on monday as to what worked for the DC's.

is anyone left who still has a computer going down with this thing?

weird that all would have the same type problem originating on the same day

I have the exact problem. Win2k DC with Exchange 2k, problem started yesterday. And now turned out another problem. Restart doesn't solve the problem.

Here're what I did:
1. Unplug the cable and restart
2. Start exchange services....(somehow they're not started)
4. Use Symantec scan virus...(found some in smtp queue)
5. Connect back to network
6. Everything work fine for over 10 hours
7. Restarted twice, no problem
8. Update from sp3 to sp4, restart found no problem
9. Update all other patches (from windows update), restart
10. When login, "Application popup: SAS window: winlogon.exe - Corrupt File : The file or directory \$Mft is corrupt and unreadable. Please run Chkdsk utility."
11. Running Chkdsk doesn't help

Sad that it's on RAID 5 and I don't have any spare HD. I will try to ghost it, reformat, ghost back then replace "winlogon.exe" tomorrow. I hope can solve the problem.

Seems cloning won't work.. it will clone the problem as well.

Well, just for your information.  I've checked my server logs today and it seems that my problem dissappeared after applying every Windows Update, scan all computers to find Viruses and stuff.  The LSASVR service didn't crashed, and my server didn't freezed or rebooted.  So everything seems to be fine right now.

I'll keep this thread opened until friday and if the problem is not comming back, i'll close it and give some points to people who helped.

I am in the process of applying all updates to my server.  Hopefully by tomorrow I will know if it fixed my problem as well.  It was just strange that all of us had the same problem starting at around the same date.  My server had not had anything change on it for months - no windows updates, patches, etc...

This is a known problem in Windows 2000 and Microsoft have a hotfix available which can be found at http://support.microsoft.com/Default.aspx?kbid=328948. You have to call MS for it, but they will normally not charge for the call if it is just for a patch.

Yeah Right... Call for them even if they could simply put the patch on their server.  Money Money Money...
Anyway, until now, i didn't had the same problem since a week.  So i close this case tomorrow.

I've been experiencing exactly the same problem with Windows 2000 Server SP4.

Applying patches MS04-007/KB828028 and MS04-011/KB835732 (thanks contacc) seems to have done the trick for me (20 hours since I restarted and we are still up and running).

There's an interesting thread at:

http://www.webservertalk.com/message1086590.html

which also suggests that KB828028 is the fix.

Ok... i consider this case solved.

Hello - joining in a bit late...

We just started having the same exact issues Monday of this week - event 5000 - users not able to conect to the Exchange server etc.

We are running Exchange 2000 on a 2000 server.  
Applied all Microsoft updates - this seems to have stopped the server from becomming unresponsive.

We have not experienced any more 5000 errors.

But it seems we have another issue now.

My admin shares on the server dissapeared.  After reboot, they'll appear for a few minutes but then i'll lose them again.

This started happenning after I patched the server.

Any ideas?


 

Hi Javajo,

I don't know if your problem the same as mine but once i solved this problem, i got another one...
i couldn't connect anymore on my server with remote desktop.

I had an error message in my event viewer saying something like "Data Encryption" problem...
it had something to do with RDP.  I've uninstalled the terminal services, and reinstalled them but it didn't solved the problem.

I went to MS Support web site and found that article that solved my problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;323497

Good luck