Solved

Win 2000 hangs on startup with "applying your personal settings" after running Windows Update

Posted on 2004-10-24
789 Views
Last Modified: 2008-01-09
I've just run Windows Update on a Windows 2000 Server and installed several security patches.  After the requested restart I attempt to login but it hangs while displaying "Loading your personal settings ...".

Any ideas how I can get to login?
0
Question by:ASM2A
    27 Comments
     
    LVL 49

    Assisted Solution

    by:sunray_2003
    Could be tricky one..

    Can you log into safe mode ?
    If yes , go into "safe mode with networking" and go to windows update page.
    Check all the recent updates you had made. Note them down
    go to control panel --> add/remove programs and remove those..

    Restart and check if you can go into normal mode.

    If yes , then post here or research about those updates which might have some issues..

    All the best

    SR
    0
     

    Author Comment

    by:ASM2A
    What I was able to do eventually was to login to Directory Services Restore Mode and use Veritas Backup Exec to restore the system state from a current tape backup.

    Before that I chose to boot Win2k into "last good configuration" which allowed me to login as administrator but with no LAN connection and no sound card and an unfamiliar desktop theme.  The PC is a multimedia software development workstation as well as being DC - the O/S installed is SBS 2000 SP4.

    The server is ok now after the restore, but no thankx at all to the Windows Update "Security" patch which I suspect to somehow have trashed the Domain Controller files.

    The updates installed were in this order:

    IE6 hotfix KB834707
    Win2k hotfix KB841356
    Win2k hotfix KB840987
    Win2k hotfix KB841533
    Win2k hotfix KB824151

    There was another driver update applied in the same session, titled:

    Intel network software update released on August 19 2004.

    Something in this lot has caused my problem.  For now the problem is gone without any obvious adverse changes in system operation.  So, don't run windows Update without a tested backup restore tool at hand!

    Thankx for your interest.  ASM2A
    0
     
    LVL 49

    Expert Comment

    by:sunray_2003
    Let  me check and see if there is any known bug in one of these fixes.
    in the meantime , depending on the priority of the updates , you may want to install each hotfix ONE by ONE to find out the bad one.

    That is one of the easiest ways to figure out. Make sure to restart the machine each time when you install one update.

    Thanks
    0
     
    LVL 49

    Expert Comment

    by:sunray_2003
    Here is one issue with KB824151

    http://www.forum4designers.com/message133401.html

    SR
    0
     

    Author Comment

    by:ASM2A

    All Windows updates remain installed at present.

    I've learnt more:

    The Active Directory is still damaged.  If I try to open an AD management console, I get a message like this:

    "Naming information cannot be located because: The network path was not found.  Contact your system administrator to verify that your domain is properly configured and is currently online."

    Well I'm in strife for sure since I am the sysadmin, and I haven't a clue what to fix or how - other than trying your recommendation and uninstalling the patches & hotfixes one by one.  I'll try that later if no more direct repair is at hand.  ASM2A.
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Please run a dcdiag and post the results here...
    0
     

    Author Comment

    by:ASM2A
    I did not have the dcdiag utility, so I located it at Microsoft, downloaded and installed it on the server, but when I attempt to run it I get:

    "The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL"

    I check the installed NTDSAPI.DLL and find its version 5.0.2195.6666.

    Any further suggestions?  ASM2A
    0
     

    Author Comment

    by:ASM2A
    Its a new day (here in Australia),  and I have revised information:

    The problem opening the MMC was caused by ZoneAlarm Security suite blocking access to the server via the loopback address, which I fixed, so I can now access and edit user profiles etc ok.

    But I definitely still can't run Dcdiag.exe, and today I find I can NO longer login in " Directory Services Restore Mode" - it rejects the administrator password!  I discovered this when I tried to use the Ntdsutil tool to check the AD files.

    But I can still login in "normal" mode and use the server.

    This is all very puzzling - any advice will be welcome.

    ASM2A.
    0
     
    LVL 49

    Expert Comment

    by:sunray_2003
    Hmm.. Problem keeps coming , doesn't it ?

    check to see in the task manager if dcdiag.exe is already running and make sure zonealarm has not blocked it..
    temporarily turn off ZA and check running dcdiag...

    I guess the password for restore mode should be the same as what you are using to login to normal mode. If it doesnot work try NOT giving any password (blank) and see if it would allow you
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Well, I guess my biggest question in this whole problem here is why in the WORLD is ZoneAlarm (of ALL things!) installed on a server, let alone a DC?!?!  That has got to be the single goofiest thing I have EVER heard.  I would uninstall that piece of #@%@ right away.  Zone Alarm is great for home users on home machines, but it has NO place in the corporate world.  And if this thing is your machine at home, then I still stand by my original statement that it has no place on a server, and I suggest you get a real firewall (you can run OpenBSD on a 486 with two NICs with no problems, or, you can purchase a NetGear "black box" for like $50...)

    Either way, remove ZoneAlarm and lets see what happens then.


    -exx
    0
     

    Author Comment

    by:ASM2A
    Last first - exx:

    I observe your surprise at having ZA on the server, but then its not an ordinary server - its both corporate (used for software development and in-house testing) and residential (we operate an IT Consultancy from a home "IT Lab" in a "remote" non-urban location since 1985!).

    Due to my limited formal training with Win2k, but due to my 35yrs+ as a senior IT developer, I use this configuration and trust it.  Because of the previous easy vulnerability of Win2k, we have taken "user friendly" extra steps to ensure the server can't be hijacked.

    In any case, I have firewall on the dial-on-demand ISDN internet router, so I can safely shutdown zlclient.exe for these tests.

    At no time can I run Dcdiag.exe - it always fails with the error: "The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL".

    Yo sunray!

    The failed attempts to login in " Directory Services Restore Mode" are way scary.  I had trouble with this machine when it was near new in 2001 - it needed a "system state" restore and couldn't be logged in in any mode - an O/S reinstal was required.  Due to that experience and the very secure physical circumstances of the server it is operated without a password on administrator!  So there is not much I can do to test it out with your suggestion.

    I notice when I return to "normal" login after giving up trying to get on in DSR mode (I have to hard reset the machine to get control) that the login dialog no longer pre-selects my domain.  I have to select it (only one choice), then press the good old <Enter> to login as administrator.  That's all I have noticed apart from there being two slightly different modes offered to me when I choose DSR mode from the text mode boot screen reached by <F8>.  Sometimes I get prompted for a domain and then shown progress text,  othertimes it just goes straight to the DSR mode banner and checks the boot drive (a Mylex AR170 Raid 0).

    I'm still puzzled, but I've got a "live" system - apparently until it gets corrupt again and needs a System State restore, then I'll get nausea and plan an O/S reinstall.  So don't anyone lose any blood over it, but feel free to guide me to the explanation/fix/workaround.  ASM2A.
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Again, lt me voice my surprise!  A RAID 0 being the boot disk for a DC??  I don't mean to pick on your experience or anything, but I would like to think that if/when my company ever contracts anything out, it is not to someone who uses RAID 0 anywhere, let alone a boot drive on a DC...

    However, with that being said..  What service pack level is this server at?  I checked the srver that I am writing this from and found the version to also be 5.0.2195.6666 with a file size of 57,616 Bytes, however I also noticed that this file was present in the Service Pack uninstall folder..  As such, it seems likely that this file is replaced by a service pack.  Perhaps you should re-install your latest service pack and give it another go.

    Alternativly, if you would like a copy of my file, I would be more than happy to email it to you.  Just give me an email address.  After we can get DCDIAG running, I'm sure it will shed some more light on what's going on.


    -exx
    0
     

    Author Comment

    by:ASM2A
    Surprise, surprise!  Its a considered choice to have the PC configured as it is.  I agree this is NOT the approach guaranteed to give the most stable and easily managed "live production" server.  As I described earlier the DC is used for the full gamut of tasks from .NET and OpenInsight development to video production, and among the past "learning" benefits are in fact situations with an un-bootable RAID array (driver conflict).  BTW the IT lab here has UPS and telecoms shielding as well as its physical security well considered.  The Win2k server was built in July 2001 with a 1.7Ghz P4 CPU, 1024Mb fast RDRAM and 2 x 30Gb UW SCSI 10k rpm HDD with hardware RAID0 which means its a real smooth performer even with the latest apps.

    I could go on about the history of computing with (as I mentioned) 35yrs+ "hands on" running computers - starting with mainframes, minis, then weak as p**s PC's for 15yrs, now every household owns a "supercomputer" (with a 2nd rate minicomputer OS) - its no wonder I choose to have grunt to spare in my DC "workstation".  After all, its a boy thing!

    The server reports Windows 5.00.2195 SP4, its up-to-date with all critical updates applied.

    The copy of NTDSAPI.dll which is running from c:\winnt\system32 here is ver 5.00.2195.6666 and size 57,616 - just like yours.

    There is a copy of this file in c:\winnt\ServicePackFiles\i386 - file stamped 6/20/2003.

    There is another version 5.0.2195.4827, also size 57616, in c:\winnt\$NTServicePackUninstall$ - file stamped 7/23/2002.

    Over to you.  ASM2A
    0
     
    LVL 20

    Assisted Solution

    by:Debsyl99
    Hi

    Just throwing my two pence into the equation:

    All this means: "The procedure entry point DslsMangledDnW could not be located in the dynamic link library NTDSAPI.DLL"
    Is that you're running the wrong version of dcdiag for your service pack level - Try download the sp4 support tools from here, which includes dcdiag, and run it again - it should work. (That error frightened the life out of me first time I saw it!)
    Windows 2000 SP4 Support Tools
    http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

    Deb :))
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Hey hey!  Deb strikes again!  Good call...  I didn't even think to have him check that, I was already just so convinced that something might possibly be wrong due to the upgrade problems, and have just taken it for granted that he had downloaded the proper version...  *sigh*


    As for the hardware..  Might I suggest that you get another machine without so much "grunt", as you put it, and make that your DC??  Leave this one to do the job you want it to do (multimedia software development, I think you said..)

    With that said, I also think there is a possibility that it's time for a new machine..  My desktop at home, which I use for video capture/DVD Authoring, is a 2.4Ghz machine with 1024Mb of RAM and 18GBx4 RAID 5 U160 10k SCSI array (hardware, of course)..  So yes, I know all about "grunt".

    Please follow the link that Deb was nice enough to provide and grab the latest version of support tools, and let use know the otuput of DCDiag.


    -exx
    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    No probs guys ;-) - Seen the nasty little blighter error before so I knew what it was - I'll chip in if help is required and I can offer it, but otherwise I'll let you take this one from here,

    Deb :))
    0
     

    Author Comment

    by:ASM2A
    Thankx Deb, you knew that it was the wrong version of dcdiag!

    I had found it by searching the MS support site for "dcdiag" and of course the page I found is out of date, whereas the page with the "updated Windows 2000 Support Tools" contains no reference to DCDIAG - its easy to get the wrong version with such a clever support setup.

    Anyway, I installed the new tools, shutdown Zonealarm, ran dcdiag, and got this report:

    ----------------------------------------------------------------------------------------

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests
       
       Testing server: Default-First-Site-Name\PC01
          Starting test: Connectivity
             2d60c19e-4a4b-42be-b097-bcf800c84584._msdcs.PICOM.picom.com.au's server GUID DNS name could not be resolved to an
             IP address.  Check the DNS server, DHCP, server name, etc
             Although the Guid DNS name

             (2d60c19e-4a4b-42be-b097-bcf800c84584._msdcs.PICOM.picom.com.au)

             couldn't be resolved, the server name (pc01.PICOM.picom.com.au)

             resolved to the IP address (203.0.155.22) and was pingable.  Check

             that the IP address is registered correctly with the DNS server.
             ......................... PC01 failed test Connectivity

    Doing primary tests
       
       Testing server: Default-First-Site-Name\PC01
          Skipping all tests, because server PC01 is
          not responding to directory service requests
       
       Running enterprise tests on : PICOM.picom.com.au
          Starting test: Intersite
             ......................... PICOM.picom.com.au passed test Intersite
          Starting test: FsmoCheck
             ......................... PICOM.picom.com.au passed test FsmoCheck

    ----------------------------------------------------------------------------------------------

    Of course this brings up the topic of DNS, of which I have studied very little indeed (which some will be sure is a sign of laziness) so I'll plead ignorant and guilty in advance!  I'll also offer a plausible defence such as "precision executive time management" but don't expect any sympathy at all.

    Can any of you gurus offer a quick explanation of my server's name resolution problem?

    To exx, sure it would be safer to have a standalone DC, but again its a case of competing needs and limited resources.  If I can sort out this current untidiness then there is a good chance I can continue with the one server doing all its jobs efficiently for the next few months at least.

    -ASM2A
    0
     
    LVL 18

    Accepted Solution

    by:
    Yes, indeed, yuo do have a DNS issue there.  It would appear that not all your keys are in DNS properly.

    What is the IP Address that your server points to for it's primary DNS server?  It should be it's own IP address.

    Secondly, stop and restart the NetLogon service.  This should re-populate your DNS with all the proper entries.  If it does not, then you can also try   Start -> Run  "ipconfig /registerdns"

    Let us know the results of those two..

    Also, look in your DNS server..  If you drill down into the servername, then the ForwardLookupSone, then the domain name, you should see entries for _msdcs _sites and _tcp.  Underneath each of those you should see multiple entries, which is where all of your server entries will reside for AD.

    Once we get the system responding to Directory Services requests, we'll need to run DCDiag again so that we can analyze the rest of the output..


    -exx
    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    Hi
    Echo Dodgy DNS theory for sure exx1976,
    Just another chip-in - I'd maybe like to see the results of an ipconfig /all from the server and a client - check ad-integration and dynamic updates maybe too, ensure they're enabled, restart netlogon, maybe even run netdiag /fix - never hurts to check the basics  - what do you think exx1976, would you agree?

    Deb :))

    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Indeed.
    0
     

    Author Comment

    by:ASM2A
    Hi folks.  I followed those recommended steps, so here is some data.  

    Firstly, ipconfig /all on the DC server:

    ---------------------------------------------------------------------------------------
    Windows 2000 IP Configuration

          Host Name . . . . . . . . . . . . : pc01
          Primary DNS Suffix  . . . . . . . : PICOM.picom.com.au
          Node Type . . . . . . . . . . . . : Broadcast
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
          DNS Suffix Search List. . . . . . : PICOM.picom.com.au
                                              picom.com.au
                                              com.au

    Ethernet adapter Local Area Connection 3:

          Connection-specific DNS Suffix  . :
          Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter
          Physical Address. . . . . . . . . : 00-02-B3-33-66-27
          DHCP Enabled. . . . . . . . . . . : No
          IP Address. . . . . . . . . . . . : 203.0.155.22
          Subnet Mask . . . . . . . . . . . : 255.255.255.240
          Default Gateway . . . . . . . . . : 203.0.155.17
          DNS Servers . . . . . . . . . . . : 61.88.31.4
                                              61.88.31.6
    ---------------------------------------------------------------------------------------------

    Next, ipconfig /all on a Win98 "client" (not logging in on the server, configured more as a peer):
    ----------------------------------------------------------------------------------------------
    Windows 98 IP Configuration

          Host Name . . . . . . . . . : PC99
          DNS Servers . . . . . . . . : 61.88.31.4
                                        61.88.31.6
          Node Type . . . . . . . . . : Broadcast
          NetBIOS Scope ID. . . . . . :
                   IP Routing Enabled. . . . . : No
          WINS Proxy Enabled. . . . . : No
          NetBIOS Resolution Uses DNS : Yes

    0 Ethernet adapter :

          Description . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapter
          Physical Address. . . . . . : 00-50-BA-AB-69-97
          DHCP Enabled. . . . . . . . : No
          IP Address. . . . . . . . . : 203.0.155.18
          Subnet Mask . . . . . . . . : 255.255.255.240
          Default Gateway . . . . . . : 203.0.155.17
          Primary WINS Server . . . . :
          Secondary WINS Server . . . :
          Lease Obtained. . . . . . . :
          Lease Expires . . . . . . . :
    ----------------------------------------------------------------------------------------------

    Now, about the DNS server.  On the DC server its "disabled", so the ones in use are 30kms up the highway at our ISP - scoastnet.com.au.  The decision not to run a DNS server in-house was forced on us by the economics back in 2001/7 - don't ever come to Oz looking for cheap or even fair telecoms services!  We couldn't afford the traffic of syncing the DNS database since our monopoly supplier was then charging us a long distance toll for our ISDN internet calls.  The internet gateway is now accessible at "local call" cost, so we could change this strategy now, if necessary.

    I also followed the steps recommended by exx, then re-run dcdiag but get the same report as shown above.

    Please comment.  ASM2A
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    The reason for this is that you MUST run DNS in order to get Active Directory up and running.  What you need to do is configure a local active directory integrated zone, and then point your DC at itself for the primary DNS server and remove the secondary DNS server.  Then, in your DNS Server, simply configure the forwarders to point to your ISP.  Your workstations should also point to your DC for DNS.

    This is why you don't have a functional DC, you weren't able to create those records at your ISP since they probably don't support DDNS.

    After you have done this, stop and start the netlogon service to create all the proper DNS entries, and then let us know what happens.

    -exx
    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    Second that.........He's dead right :))
    0
     

    Author Comment

    by:ASM2A
    Thankx again for the advice.  I prepared properly by reading quite a lot and preparing checklists etc before installing the DNS server.  I tried each of your suggested tweaks and lo, the Forward Lookup Zones are now populated and name resolution is working ok.

    So I run dcdiag again, with much more expansive results:
    ---------------------------------------------------------------------------------------

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests
       
       Testing server: Default-First-Site-Name\PC01
          Starting test: Connectivity
             ......................... PC01 passed test Connectivity

    Doing primary tests
       
       Testing server: Default-First-Site-Name\PC01
          Starting test: Replications
             ......................... PC01 passed test Replications
          Starting test: NCSecDesc
             ......................... PC01 passed test NCSecDesc
          Starting test: NetLogons
             ......................... PC01 passed test NetLogons
          Starting test: Advertising
             ......................... PC01 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... PC01 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... PC01 passed test RidManager
          Starting test: MachineAccount
             ......................... PC01 passed test MachineAccount
          Starting test: Services
                IsmServ Service is stopped on [PC01]
                SMTPSVC Service is stopped on [PC01]
             ......................... PC01 failed test Services
          Starting test: ObjectsReplicated
             ......................... PC01 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... PC01 passed test frssysvol
          Starting test: kccevent
             ......................... PC01 passed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0xC0001B58
                Time Generated: 10/30/2004   14:16:02
                Event String: The QoS Packet Scheduler service failed to start

             An Error Event occured.  EventID: 0xC0040001
                Time Generated: 10/30/2004   14:17:28
                Event String: Unable to auto-configure library unit Changer0.

             An Error Event occured.  EventID: 0xC0001B6E
                Time Generated: 10/30/2004   14:18:52
                Event String: The Backup Exec 8.x Job Engine service hung on

             An Error Event occured.  EventID: 0xC0001B59
                Time Generated: 10/30/2004   14:18:52
                Event String: The Backup Exec 8.x Agent Browser service depends

             An Error Event occured.  EventID: 0xC0001B72
                Time Generated: 10/30/2004   14:18:52
                Event String: The following boot-start or system-start

             ......................... PC01 failed test systemlog
       
       Running enterprise tests on : PICOM.picom.com.au
          Starting test: Intersite
             ......................... PICOM.picom.com.au passed test Intersite
          Starting test: FsmoCheck
             ......................... PICOM.picom.com.au passed test FsmoCheck
    ---------------------------------------------------------------------------------------

    Although I don't know much about these test results, it looks a lot more wholesome than before.

    Finally, I used instructions in Q239803 to set a non-null SAM psw and can now successfully boot into Directory Services Recovery mode.

    I'll welcome your comments again.  ASM2A.
    0
     
    LVL 18

    Expert Comment

    by:exx1976
    Everything is, indeed, all set now.  The errors you are seeing there are all backup related (except the QoS packet one, but I doubt you'd be using it on a network of that size anyway).

    I'd get in touch with Veritas about your backup issues.

    Aside from that, good job!  You're all set.


    -exx
    0
     

    Author Comment

    by:ASM2A
    Thankx again for the assistance!

    I won't worry about the Veritas issue since the backup always runs even though it reports service failures on reboot, and its not the current version anyway.

    As you point out, I don't have much incentive to pursue the
    0
     

    Author Comment

    by:ASM2A
    ... QOS issue at present.

    Regards.  ASM2A.
    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone. Privacy Policy Terms of Use

    Featured Post

    The Complete Ruby on Rails Developer Course

    Ruby on Rails is one of the most popular web development frameworks, and a useful tool used by both startups and more established companies to build strong graphic user interfaces, and responsive websites and apps.

    SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
    NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
    how to add IIS SMTP to handle application/Scanner relays into office 365.
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…

    860 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now