Solved

Win 2000 hangs on startup with "applying your personal settings" after running Windows Update

Posted on 2004-10-24
27
Medium Priority
806 Views
Last Modified: 2008-01-09
I've just run Windows Update on a Windows 2000 Server and installed several security patches.  After the requested restart I attempt to login but it hangs while displaying "Loading your personal settings ...".

Any ideas how I can get to login?
Question by:ASM2A
27 Comments
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 400 total points
ID: 12392732
Could be tricky one..

Can you log into safe mode ?
If yes , go into "safe mode with networking" and go to windows update page.
Check all the recent updates you had made. Note them down
go to control panel --> add/remove programs and remove those..

Restart and check if you can go into normal mode.

If yes , then post here or research about those updates which might have some issues..

All the best

SR
0
 

Author Comment

by:ASM2A
ID: 12394016
What I was able to do eventually was to login to Directory Services Restore Mode and use Veritas Backup Exec to restore the system state from a current tape backup.

Before that I chose to boot Win2k into "last good configuration" which allowed me to login as administrator but with no LAN connection and no sound card and an unfamiliar desktop theme.  The PC is a multimedia software development workstation as well as being DC - the O/S installed is SBS 2000 SP4.

The server is ok now after the restore, but no thankx at all to the Windows Update "Security" patch which I suspect to somehow have trashed the Domain Controller files.

The updates installed were in this order:

IE6 hotfix KB834707
Win2k hotfix KB841356
Win2k hotfix KB840987
Win2k hotfix KB841533
Win2k hotfix KB824151

There was another driver update applied in the same session, titled:

Intel network software update released on August 19 2004.

Something in this lot has caused my problem.  For now the problem is gone without any obvious adverse changes in system operation.  So, don't run Windows Update without a tested backup restore tool at hand!

Thankx for your interest.  ASM2A
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12394150
Let me check and see if there is any known bug in one of these fixes.
In the meantime, depending on the priority of the updates, you may want to install each hotfix ONE by ONE to find out the bad one.

That is one of the easiest ways to figure out. Make sure to restart the machine each time when you install one update.

Thanks
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12394167
Here is one issue with KB824151

http://www.forum4designers.com/message133401.html

SR
0
 

Author Comment

by:ASM2A
ID: 12394191

All Windows updates remain installed at present.

I've learnt more:

The Active Directory is still damaged.  If I try to open an AD management console, I get a message like this:

"Naming information cannot be located because: The network path was not found.  Contact your system administrator to verify that your domain is properly configured and is currently online."

Well I'm in strife for sure since I am the sysadmin, and I haven't a clue what to fix or how - other than trying your recommendation and uninstalling the patches & hotfixes one by one.  I'll try that later if no more direct repair is at hand.  ASM2A.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12395113
Please run a dcdiag and post the results here...
0
 

Author Comment

by:ASM2A
ID: 12396105
I did not have the dcdiag utility, so I located it at Microsoft, downloaded and installed it on the server, but when I attempt to run it I get:

"The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL"

I check the installed NTDSAPI.DLL and find its version 5.0.2195.6666.

Any further suggestions?  ASM2A
0
 

Author Comment

by:ASM2A
ID: 12396741
It's a new day (here in Australia), and I have revised information:

The problem opening the MMC was caused by ZoneAlarm Security suite blocking access to the server via the loopback address, which I fixed, so I can now access and edit user profiles etc ok.

But I definitely still can't run Dcdiag.exe, and today I find I can NO longer login in " Directory Services Restore Mode" - it rejects the administrator password!  I discovered this when I tried to use the Ntdsutil tool to check the AD files.

But I can still login in "normal" mode and use the server.

This is all very puzzling - any advice will be welcome.

ASM2A.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12396748
Hmm.. Problem keeps coming , doesn't it ?

check to see in the task manager if dcdiag.exe is already running and make sure zonealarm has not blocked it..
temporarily turn off ZA and check running dcdiag...

I guess the password for restore mode should be the same as what you are using to login to normal mode. If it does not work, try NOT giving any password (blank) and see if it would allow you
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12396801
Well, I guess my biggest question in this whole problem here is why in the WORLD is ZoneAlarm (of ALL things!) installed on a server, let alone a DC?!?!  That has got to be the single goofiest thing I have EVER heard.  I would uninstall that piece of #@%@ right away.  Zone Alarm is great for home users on home machines, but it has NO place in the corporate world.  And if this thing is your machine at home, then I still stand by my original statement that it has no place on a server, and I suggest you get a real firewall (you can run OpenBSD on a 486 with two NICs with no problems, or, you can purchase a NetGear "black box" for like $50...)

Either way, remove ZoneAlarm and let's see what happens then.


-exx
0
 

Author Comment

by:ASM2A
ID: 12397336
Last first - exx:

I observe your surprise at having ZA on the server, but then it's not an ordinary server - it's both corporate (used for software development and in-house testing) and residential (we operate an IT Consultancy from a home "IT Lab" in a "remote" non-urban location since 1985!).

Due to my limited formal training with Win2k, but due to my 35yrs+ as a senior IT developer, I use this configuration and trust it.  Because of the previous easy vulnerability of Win2k, we have taken "user friendly" extra steps to ensure the server can't be hijacked.

In any case, I have firewall on the dial-on-demand ISDN internet router, so I can safely shutdown zlclient.exe for these tests.

At no time can I run Dcdiag.exe - it always fails with the error: "The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL".

Yo sunray!

The failed attempts to login in " Directory Services Restore Mode" are way scary.  I had trouble with this machine when it was near new in 2001 - it needed a "system state" restore and couldn't be logged in in any mode - an O/S reinstall was required.  Due to that experience and the very secure physical circumstances of the server it is operated without a password on administrator!  So there is not much I can do to test it out with your suggestion.

I notice when I return to "normal" login after giving up trying to get on in DSR mode (I have to hard reset the machine to get control) that the login dialog no longer pre-selects my domain.  I have to select it (only one choice), then press the good old <Enter> to login as administrator.  That's all I have noticed apart from there being two slightly different modes offered to me when I choose DSR mode from the text mode boot screen reached by <F8>.  Sometimes I get prompted for a domain and then shown progress text, other times it just goes straight to the DSR mode banner and checks the boot drive (a Mylex AR170 Raid 0).

I'm still puzzled, but I've got a "live" system - apparently until it gets corrupt again and needs a System State restore, then I'll get nausea and plan an O/S reinstall.  So don't anyone lose any blood over it, but feel free to guide me to the explanation/fix/workaround.  ASM2A.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12397657
Again, let me voice my surprise!  A RAID 0 being the boot disk for a DC??  I don't mean to pick on your experience or anything, but I would like to think that if/when my company ever contracts anything out, it is not to someone who uses RAID 0 anywhere, let alone a boot drive on a DC...

However, with that being said..  What service pack level is this server at?  I checked the server that I am writing this from and found the version to also be 5.0.2195.6666 with a file size of 57,616 Bytes, however I also noticed that this file was present in the Service Pack uninstall folder..  As such, it seems likely that this file is replaced by a service pack.  Perhaps you should re-install your latest service pack and give it another go.

Alternatively, if you would like a copy of my file, I would be more than happy to email it to you.  Just give me an email address.  After we can get DCDIAG running, I'm sure it will shed some more light on what's going on.


-exx
0
 

Author Comment

by:ASM2A
ID: 12398931
Surprise, surprise!  It's a considered choice to have the PC configured as it is.  I agree this is NOT the approach guaranteed to give the most stable and easily managed "live production" server.  As I described earlier the DC is used for the full gamut of tasks from .NET and OpenInsight development to video production, and among the past "learning" benefits are in fact situations with an un-bootable RAID array (driver conflict).  BTW the IT lab here has UPS and telecoms shielding as well as its physical security well considered.  The Win2k server was built in July 2001 with a 1.7Ghz P4 CPU, 1024Mb fast RDRAM and 2 x 30Gb UW SCSI 10k rpm HDD with hardware RAID0 which means it's a real smooth performer even with the latest apps.

I could go on about the history of computing with (as I mentioned) 35yrs+ "hands on" running computers - starting with mainframes, minis, then weak as p**s PC's for 15yrs, now every household owns a "supercomputer" (with a 2nd rate minicomputer OS) - it's no wonder I choose to have grunt to spare in my DC "workstation".  After all, it's a boy thing!

The server reports Windows 5.00.2195 SP4, its up-to-date with all critical updates applied.

The copy of NTDSAPI.dll which is running from c:\winnt\system32 here is ver 5.00.2195.6666 and size 57,616 - just like yours.

There is a copy of this file in c:\winnt\ServicePackFiles\i386 - file stamped 6/20/2003.

There is another version 5.0.2195.4827, also size 57616, in c:\winnt\$NTServicePackUninstall$ - file stamped 7/23/2002.

Over to you.  ASM2A
0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 400 total points
ID: 12399242
Hi

Just throwing my two pence into the equation:

All this means: "The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL"
Is that you're running the wrong version of dcdiag for your service pack level - Try download the sp4 support tools from here, which includes dcdiag, and run it again - it should work. (That error frightened the life out of me first time I saw it!)
Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

Deb :))
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12399379
Hey hey!  Deb strikes again!  Good call...  I didn't even think to have him check that, I was already just so convinced that something might possibly be wrong due to the upgrade problems, and have just taken it for granted that he had downloaded the proper version...  *sigh*


As for the hardware..  Might I suggest that you get another machine without so much "grunt", as you put it, and make that your DC??  Leave this one to do the job you want it to do (multimedia software development, I think you said..)

With that said, I also think there is a possibility that it's time for a new machine..  My desktop at home, which I use for video capture/DVD Authoring, is a 2.4Ghz machine with 1024Mb of RAM and 18GBx4 RAID 5 U160 10k SCSI array (hardware, of course)..  So yes, I know all about "grunt".

Please follow the link that Deb was nice enough to provide and grab the latest version of support tools, and let us know the output of DCDiag.


-exx
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12399400
No probs guys ;-) - Seen the nasty little blighter error before so I knew what it was - I'll chip in if help is required and I can offer it, but otherwise I'll let you take this one from here,

Deb :))
0
 

Author Comment

by:ASM2A
ID: 12406688
Thankx Deb, you knew that it was the wrong version of dcdiag!

I had found it by searching the MS support site for "dcdiag" and of course the page I found is out of date, whereas the page with the "updated Windows 2000 Support Tools" contains no reference to DCDIAG - it's easy to get the wrong version with such a clever support setup.

Anyway, I installed the new tools, shutdown Zonealarm, ran dcdiag, and got this report:

----------------------------------------------------------------------------------------

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\PC01
      Starting test: Connectivity
         2d60c19e-4a4b-42be-b097-bcf800c84584._msdcs.PICOM.picom.com.au's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name

         (2d60c19e-4a4b-42be-b097-bcf800c84584._msdcs.PICOM.picom.com.au)

         couldn't be resolved, the server name (pc01.PICOM.picom.com.au)

         resolved to the IP address (203.0.155.22) and was pingable.  Check

         that the IP address is registered correctly with the DNS server.
         ......................... PC01 failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\PC01
      Skipping all tests, because server PC01 is
      not responding to directory service requests
   
   Running enterprise tests on : PICOM.picom.com.au
      Starting test: Intersite
         ......................... PICOM.picom.com.au passed test Intersite
      Starting test: FsmoCheck
         ......................... PICOM.picom.com.au passed test FsmoCheck

----------------------------------------------------------------------------------------------

Of course this brings up the topic of DNS, of which I have studied very little indeed (which some will be sure is a sign of laziness) so I'll plead ignorant and guilty in advance!  I'll also offer a plausible defence such as "precision executive time management" but don't expect any sympathy at all.

Can any of you gurus offer a quick explanation of my server's name resolution problem?

To exx, sure it would be safer to have a standalone DC, but again it's a case of competing needs and limited resources.  If I can sort out this current untidiness then there is a good chance I can continue with the one server doing all its jobs efficiently for the next few months at least.

-ASM2A
0
 
LVL 18

Accepted Solution

by:exx1976
exx1976 earned 1200 total points
ID: 12414397
Yes, indeed, you do have a DNS issue there.  It would appear that not all your keys are in DNS properly.

What is the IP Address that your server points to for its primary DNS server?  It should be its own IP address.

Secondly, stop and restart the NetLogon service.  This should re-populate your DNS with all the proper entries.  If it does not, then you can also try   Start -> Run  "ipconfig /registerdns"

Let us know the results of those two..

Also, look in your DNS server..  If you drill down into the servername, then the ForwardLookupZone, then the domain name, you should see entries for _msdcs _sites and _tcp.  Underneath each of those you should see multiple entries, which is where all of your server entries will reside for AD.

Once we get the system responding to Directory Services requests, we'll need to run DCDiag again so that we can analyze the rest of the output..


-exx
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12414666
Hi
Echo Dodgy DNS theory for sure exx1976,
Just another chip-in - I'd maybe like to see the results of an ipconfig /all from the server and a client - check ad-integration and dynamic updates maybe too, ensure they're enabled, restart netlogon, maybe even run netdiag /fix - never hurts to check the basics  - what do you think exx1976, would you agree?

Deb :))

0
 
LVL 18

Expert Comment

by:exx1976
ID: 12414738
Indeed.
0
 

Author Comment

by:ASM2A
ID: 12421220
Hi folks.  I followed those recommended steps, so here is some data.  

Firstly, ipconfig /all on the DC server:

---------------------------------------------------------------------------------------
Windows 2000 IP Configuration

      Host Name . . . . . . . . . . . . : pc01
      Primary DNS Suffix  . . . . . . . : PICOM.picom.com.au
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : PICOM.picom.com.au
                                          picom.com.au
                                          com.au

Ethernet adapter Local Area Connection 3:

      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter
      Physical Address. . . . . . . . . : 00-02-B3-33-66-27
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 203.0.155.22
      Subnet Mask . . . . . . . . . . . : 255.255.255.240
      Default Gateway . . . . . . . . . : 203.0.155.17
      DNS Servers . . . . . . . . . . . : 61.88.31.4
                                          61.88.31.6
---------------------------------------------------------------------------------------------

Next, ipconfig /all on a Win98 "client" (not logging in on the server, configured more as a peer):
----------------------------------------------------------------------------------------------
Windows 98 IP Configuration

      Host Name . . . . . . . . . : PC99
      DNS Servers . . . . . . . . : 61.88.31.4
                                    61.88.31.6
      Node Type . . . . . . . . . : Broadcast
      NetBIOS Scope ID. . . . . . :
      IP Routing Enabled. . . . . : No
      WINS Proxy Enabled. . . . . : No
      NetBIOS Resolution Uses DNS : Yes

0 Ethernet adapter :

      Description . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapter
      Physical Address. . . . . . : 00-50-BA-AB-69-97
      DHCP Enabled. . . . . . . . : No
      IP Address. . . . . . . . . : 203.0.155.18
      Subnet Mask . . . . . . . . : 255.255.255.240
      Default Gateway . . . . . . : 203.0.155.17
      Primary WINS Server . . . . :
      Secondary WINS Server . . . :
      Lease Obtained. . . . . . . :
      Lease Expires . . . . . . . :
----------------------------------------------------------------------------------------------

Now, about the DNS server.  On the DC server it's "disabled", so the ones in use are 30kms up the highway at our ISP - scoastnet.com.au.  The decision not to run a DNS server in-house was forced on us by the economics back in 2001/7 - don't ever come to Oz looking for cheap or even fair telecoms services!  We couldn't afford the traffic of syncing the DNS database since our monopoly supplier was then charging us a long distance toll for our ISDN internet calls.  The internet gateway is now accessible at "local call" cost, so we could change this strategy now, if necessary.

I also followed the steps recommended by exx, then re-run dcdiag but get the same report as shown above.

Please comment.  ASM2A
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12424781
The reason for this is that you MUST run DNS in order to get Active Directory up and running.  What you need to do is configure a local active directory integrated zone, and then point your DC at itself for the primary DNS server and remove the secondary DNS server.  Then, in your DNS Server, simply configure the forwarders to point to your ISP.  Your workstations should also point to your DC for DNS.

This is why you don't have a functional DC, you weren't able to create those records at your ISP since they probably don't support DDNS.

After you have done this, stop and start the netlogon service to create all the proper DNS entries, and then let us know what happens.

-exx
0
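The check described in the comment above, as an added example that is not part of any post in this thread: it parses a domain controller's `ipconfig /all` output, flags a DNS client configuration that does not point at the DC itself, and lists a subset of the locator records the NetLogon service needs a writable zone for. The function names are hypothetical, the sample text is trimmed from the output posted earlier, and the domain is assumed to be the forest root (single-domain forest).

```python
import re

# Constructed sample: trimmed copy of the DC's `ipconfig /all` output posted above.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

      Host Name . . . . . . . . . . . . : pc01
      Primary DNS Suffix  . . . . . . . : PICOM.picom.com.au

Ethernet adapter Local Area Connection 3:

      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 203.0.155.22
      DNS Servers . . . . . . . . . . . : 61.88.31.4
                                          61.88.31.6
"""

# GUID taken from the failing dcdiag Connectivity test earlier in the thread.
DSA_GUID = "2d60c19e-4a4b-42be-b097-bcf800c84584"

# Indented "Label . . . . : value" lines; the dot leader is not part of the label.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)[ .]*:\s*(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {label: [values]}. Indented lines without a label continue the
    previous field (second DNS server); values from all adapters are merged."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group("key")
            fields.setdefault(last, [])
            if m.group("val").strip():
                fields[last].append(m.group("val").strip())
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())
        else:
            last = None  # blank line or unindented section header
    return fields


def dc_dns_findings(fields):
    """Flag the two conditions the thread identifies on an AD domain controller."""
    own = fields.get("IP Address", [])
    dns = fields.get("DNS Servers", [])
    findings = []
    if not dns or dns[0] not in own:
        findings.append("primary DNS server is %s, not the DC itself (%s)"
                        % (dns[0] if dns else "unset", ", ".join(own)))
    others = [d for d in dns if d not in own]
    if others:
        findings.append("non-DC resolvers on the adapter (use them as "
                        "forwarders instead): " + ", ".join(others))
    return findings


def locator_names(domain, dsa_guid):
    """Subset of the DNS names a DC registers; assumes domain == forest root."""
    d = domain.lower()
    return [
        ("SRV", "_ldap._tcp." + d),
        ("SRV", "_kerberos._tcp." + d),
        ("SRV", "_ldap._tcp.dc._msdcs." + d),
        ("CNAME", dsa_guid + "._msdcs." + d),  # the name dcdiag could not resolve
    ]


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for finding in dc_dns_findings(parsed):
        print("FINDING:", finding)
    for rtype, name in locator_names(parsed["Primary DNS Suffix"][0], DSA_GUID):
        print("should resolve:", rtype, name)
```
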
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12424806
Second that.........He's dead right :))
0
 

Author Comment

by:ASM2A
ID: 12451371
Thankx again for the advice.  I prepared properly by reading quite a lot and preparing checklists etc before installing the DNS server.  I tried each of your suggested tweaks and lo, the Forward Lookup Zones are now populated and name resolution is working ok.

So I run dcdiag again, with much more expansive results:
---------------------------------------------------------------------------------------

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\PC01
      Starting test: Connectivity
         ......................... PC01 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\PC01
      Starting test: Replications
         ......................... PC01 passed test Replications
      Starting test: NCSecDesc
         ......................... PC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... PC01 passed test NetLogons
      Starting test: Advertising
         ......................... PC01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... PC01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... PC01 passed test RidManager
      Starting test: MachineAccount
         ......................... PC01 passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [PC01]
            SMTPSVC Service is stopped on [PC01]
         ......................... PC01 failed test Services
      Starting test: ObjectsReplicated
         ......................... PC01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... PC01 passed test frssysvol
      Starting test: kccevent
         ......................... PC01 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001B58
            Time Generated: 10/30/2004   14:16:02
            Event String: The QoS Packet Scheduler service failed to start

         An Error Event occured.  EventID: 0xC0040001
            Time Generated: 10/30/2004   14:17:28
            Event String: Unable to auto-configure library unit Changer0.

         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 10/30/2004   14:18:52
            Event String: The Backup Exec 8.x Job Engine service hung on

         An Error Event occured.  EventID: 0xC0001B59
            Time Generated: 10/30/2004   14:18:52
            Event String: The Backup Exec 8.x Agent Browser service depends

         An Error Event occured.  EventID: 0xC0001B72
            Time Generated: 10/30/2004   14:18:52
            Event String: The following boot-start or system-start

         ......................... PC01 failed test systemlog
   
   Running enterprise tests on : PICOM.picom.com.au
      Starting test: Intersite
         ......................... PICOM.picom.com.au passed test Intersite
      Starting test: FsmoCheck
         ......................... PICOM.picom.com.au passed test FsmoCheck
---------------------------------------------------------------------------------------

Although I don't know much about these test results, it looks a lot more wholesome than before.

Finally, I used instructions in Q239803 to set a non-null SAM psw and can now successfully boot into Directory Services Recovery mode.

I'll welcome your comments again.  ASM2A.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12459059
Everything is, indeed, all set now.  The errors you are seeing there are all backup related (except the QoS packet one, but I doubt you'd be using it on a network of that size anyway).

I'd get in touch with Veritas about your backup issues.

Aside from that, good job!  You're all set.


-exx
0
 

Author Comment

by:ASM2A
ID: 12461897
Thankx again for the assistance!

I won't worry about the Veritas issue since the backup always runs even though it reports service failures on reboot, and it's not the current version anyway.

As you point out, I don't have much incentive to pursue the
0
 

Author Comment

by:ASM2A
ID: 12461904
... QOS issue at present.

Regards.  ASM2A.
0
