Solved

Modified registry, now server responding really slowly.

Posted on 2006-06-08
Last Modified: 2011-08-18
I am running one (all-in-one) server. It is a Windows Server 2003 Std running Terminal Server, Exchange 2003, and it is also a Domain Controller.
My server was running excellent for about two weeks (since I got it).
Today, I installed Quickbooks 2004 Premier Accounting Edition. I was getting a user permission error from Quickbooks when I tried running from a regular user so I followed these steps: http://www.quickbooks.com/support/faqs/qb2006/a4edfd81.html
It didn't work. Weird things now started to happen.

Notes: when I say Administrator, I mean logged on to the console. Every other user is Terminal Server.

When members of the users group logged on they only saw a completely blue screen. No taskbar, nothing. If they press ctrl + alt + end they could log off.

I tried restoring the registry from Administrator account by importing the export I had just done. It said:
Cannot import C:\.....06-08-06.reg: Not all data was succesfully written to the registry. Some keys are open by the system or other processes.

Don't remember why, but I decided to restart the server. As soon as the ctrl + alt + del screen came up, an error appeared saying that not all services or drivers could be started, check event viewer for details. I admit I don't really understand what it all means but other than WMI entering in a stopped state, everything was fine.

When I logged in as Administrator (on the console), I got the blue screen... No taskbar, nothing. I took a break because I didn't know what to do. After 6 minutes the desktop magically shows up. Every action takes about 60+ seconds to respond. I uninstalled Quickbooks, restarted server.

I tried restoring my backup from last night (Retrospect HD on a Maxtor external HD, it's supposed to do a full system backup), but that also gave me some kind of error and didn't complete.

So now, if I log in it takes about 6 mins just to show ANYTHING on the desktop. After that, it takes long (60+ secs) to recognize an action like clicking start, but then executes very fast like normal. Exchange works for Administrator with Outlook but webmail is not working. I can't really see if the other users can use their outlook because it takes so long for them to log in (or whatever it's doing).

I searched the heck out of this site and Googled myself crazy trying to find a similar situation without success. Please help.
Question by:jal316
 

Author Comment

by:jal316
ID: 16865458
I just noticed that when I log off Administrator, explorer.exe is not responding and asks me to end the program.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16865796
Hi jal316,

you need to check your event logs for us, and post what errors are occurring
 

Author Comment

by:jal316
ID: 16866504
Right after the first restart I found the following errors and warnings.

I also have a ton of Print warnings. But I always had them even while it worked properly. I think it's due to TS print mapping.

These are all in the system section of the event viewer. These are all the errors and warnings around the restart. All other logs are information that say services are started and what not.

In the Application section I have a bunch of Exchange errors relating to the World Wide Web publishing thing.

I am going through the Application section now to find any errors around the time of that first restart. I will post anything I find.
-------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      W3SVC
Event Category:      None
Event ID:      1036
Date:            6/8/2006
Time:            2:05:00 PM
User:            N/A
Computer:      JPMLSERVER
Description:
A failure occurred while initializing the configuration manager for the World Wide Web Publishing Service. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 54 01 04 80               T..€    
----------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      W3SVC
Event Category:      None
Event ID:      1005
Date:            6/8/2006
Time:            2:05:00 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The World Wide Web Publishing Service is exiting due to an error. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 54 01 04 80               T..€    
--------------------------------------------------------------------------------------------
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            6/8/2006
Time:            2:05:05 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The Security System detected an authentication error for the server ldap/JPMLSERVER.jpml.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    
--------------------------------------------------------------------------------------------
This is the popup I get once the server restarts:

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            6/8/2006
Time:            2:05:16 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Application popup: Service Control Manager  : At least one service or driver failed during system startup.  Use Event Viewer to examine the event log for details.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7024
Date:            6/8/2006
Time:            2:05:57 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The World Wide Web Publishing Service service terminated with service-specific error 2147746132 (0x80040154).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------------






Thanks.
 

Author Comment

by:jal316
ID: 16866589
Ok, here are the errors and warnings in the application section around the restart time.



-----------------------------------------------------------------
Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            6/8/2006
Time:            2:04:50 PM
User:            N/A
Computer:      JPMLSERVER
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 324
No Callstack,
 CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80               ...€    
----------------------------------------------------------------------
Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            6/8/2006
Time:            2:04:50 PM
User:            N/A
Computer:      JPMLSERVER
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------------------------
Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      4199
Date:            6/8/2006
Time:            2:04:50 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Could not create the MS DTC TIP Gateway initialization object.  MS DTC is being started but the TIP feature will be disabled.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------------------------------------
Event Type:      Information
Event Source:      MSDTC
Event Category:      TM
Event ID:      4193
Date:            6/8/2006
Time:            2:04:50 PM
User:            N/A
Computer:      JPMLSERVER
Description:
MS DTC started with the following settings (OFF = 0 and ON = 1):

  Security Configuration:
      Network Administration of Transactions = 0,
      Network Clients = 0,
      Inbound Distributed Transactions using Native MSDTC Protocol = 0,
      Outbound Distributed Transactions using Native MSDTC Protocol = 0,
      Transaction Internet Protocol (TIP) = 0,
      XA Transactions = 0
  Filtering Duplicate events = 1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------------------------
Event Type:      Warning
Event Source:      EventSystem
Event Category:      (52)
Event ID:      4356
Date:            6/8/2006
Time:            2:04:51 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The COM+ Event System failed to create an instance of the subscriber {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}.  StandardCreateInstance returned HRESULT 80040154.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------------------------
Event Type:      Warning
Event Source:      EventSystem
Event Category:      (54)
Event ID:      4353
Date:            6/8/2006
Time:            2:04:51 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code.  HRESULT was 80040201.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------------------------------------------------------
Event Type:      Error
Event Source:      EventSystem
Event Category:      (50)
Event ID:      4610
Date:            6/8/2006
Time:            2:04:51 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 80040154 from line 44 of d:\nt\com\complus\src\events\tier1\eventsystemobj.cpp.  This may indicate that the COM+ Event System is not properly installed.  Please try reinstalling the COM+ Event System.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------
Event Type:      Error
Event Source:      VSS
Event Category:      None
Event ID:      17
Date:            6/8/2006
Time:            2:04:51 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Volume Shadow Copy Service error: The EventSystem service is disabled or is attempting to start during Safe Mode.  The Volume Shadow Copy service cannot start while in safe mode. If not in safe mode, make sure that EventSystem service is enabled. CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------------------------------------------------------
Event Type:      Error
Event Source:      VSS
Event Category:      None
Event ID:      8193
Date:            6/8/2006
Time:            2:04:51 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------------------------------------------
Event Type:      Error
Event Source:      MSExchangeMU
Event Category:      General
Event ID:      1009
Date:            6/8/2006
Time:            2:05:04 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Failed to access the metabase, error code is 80040154 (Class not registered).

For more information, click http://www.microsoft.com/contentredirect.asp.
-------------------------------------------------------------------------------
Event Type:      Error
Event Source:      MSExchangeMU
Event Category:      General
Event ID:      1047
Date:            6/8/2006
Time:            2:05:04 PM
User:            N/A
Computer:      JPMLSERVER
Description:
Metabase Update failed to properly initialize its context. It will retry initialization every 60 seconds until succeeds or shutdown is requested.

For more information, click http://www.microsoft.com/contentredirect.asp.
---------------------------------------------------------------------------------
Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      Monitoring
Event ID:      9099
Date:            6/8/2006
Time:            2:05:10 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The MAD Monitoring thread was unable to read the state of the services, error '0x80040154'.

For more information, click http://www.microsoft.com/contentredirect.asp.
---------------------------------------------------------------------------------
Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      Monitoring
Event ID:      9102
Date:            6/8/2006
Time:            2:05:10 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The MAD Monitoring thread was unable to read the state of cluster resources, error '0x80040154'.

For more information, click http://www.microsoft.com/contentredirect.asp.
---------------------------------------------------------------------------
Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      Monitoring
Event ID:      9098
Date:            6/8/2006
Time:            2:05:10 PM
User:            N/A
Computer:      JPMLSERVER
Description:
The MAD Monitoring thread was unable to read its configuration from the DS, error '0x80040154'.

For more information, click http://www.microsoft.com/contentredirect.asp.
------------------------------------------------------------------------
Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1090
Date:            6/8/2006
Time:            2:05:16 PM
User:            NT AUTHORITY\SYSTEM
Computer:      JPMLSERVER
Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------





That's everything. Hope you can figure something out from this.
0
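Several of the records posted above carry an error code in different notations: a `0x`-prefixed value, a bare HRESULT, an unsigned decimal, and a little-endian `Data:` DWORD. As an added example (not part of the original thread), this Python script normalises those notations and groups the records by code so that a shared failure stands out; the sample input is abridged from the records in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the records posted in this thread (fields and text shortened).
SAMPLE = """\
Event Source:      W3SVC
Event ID:      1036
Description:
A failure occurred while initializing the configuration manager. The data field contains the error number.
Data:
0000: 54 01 04 80               T..
----------------------------------------
Event Source:      LSASRV
Event ID:      40960
Description:
The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Data:
0000: 5e 00 00 c0               ^..
----------------------------------------
Event Source:      Service Control Manager
Event ID:      7024
Description:
The World Wide Web Publishing Service service terminated with service-specific error 2147746132 (0x80040154).
----------------------------------------
Event Source:      EventSystem
Event ID:      4610
Description:
The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 80040154 from line 44 of eventsystemobj.cpp.
"""

# Hex codes: 0x-prefixed, or bare after the phrases these records use.
TEXT_RE = re.compile(r"(?:0x|HRESULT (?:was )?|error code is )([0-9A-Fa-f]{8})\b")
# Unsigned decimal form, as in "service-specific error 2147746132".
DEC_RE = re.compile(r"\berror (\d{9,10})\b")
# A Data field holding exactly one DWORD (four bytes, then padding).
DATA_RE = re.compile(r"^0000: ((?:[0-9a-f]{2} ){4}) ", re.M)

def codes_in(record):
    """Return every error code in one record as an unsigned 32-bit int."""
    found = {int(m.group(1), 16) for m in TEXT_RE.finditer(record)}
    found |= {int(m.group(1)) for m in DEC_RE.finditer(record)}
    # Event data bytes are stored little-endian: 54 01 04 80 -> 0x80040154.
    found |= {int.from_bytes(bytes.fromhex(m.group(1)), "little")
              for m in DATA_RE.finditer(record)}
    return found

def group_by_code(export):
    """Map '0xXXXXXXXX' -> [(event source, event id), ...] in log order."""
    groups = defaultdict(list)
    for record in re.split(r"^-{10,}\s*$", export, flags=re.M):
        src = re.search(r"^Event Source:\s*(.+?)\s*$", record, re.M)
        eid = re.search(r"^Event ID:\s*(\d+)", record, re.M)
        if not (src and eid):
            continue
        for code in sorted(codes_in(record)):
            groups[f"0x{code:08X}"].append((src.group(1), int(eid.group(1))))
    return dict(groups)

if __name__ == "__main__":
    # Most widely shared code first.
    for code, hits in sorted(group_by_code(SAMPLE).items(), key=lambda kv: -len(kv[1])):
        print(code, len(hits), hits)
```
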
 
LVL 32

Expert Comment

by:r-k
ID: 16867846
I hope by now you've solved the problem, but in case not...

I would think your best bet is to restore the System State from the previous night's backup. I am not familiar with Retrospect that much, but did you back up the system state? You don't need to restore the entire disk, just the system state.

The System State includes Active Directory, Registry and more.

See these articles for helpful details:

 http://support.microsoft.com/kb/326216/en-us
 http://support.microsoft.com/default.aspx?scid=kb;en-us;240363
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16867904
holy damn, what a mess!

i would agree 100% to a restoration again, there are too many errors here to try and look at individually at the moment - i get the feeling that even if we did, we would be band-aiding a nasty wound
 
LVL 32

Expert Comment

by:r-k
ID: 16867918
Yes, I am hoping he has a usable backup, or two :)
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16867927
you and me both my friend
 

Author Comment

by:jal316
ID: 16877944
Well, if you thought that was a mess... I couldn't restore my backup. There was something there that didn't let me do it. At one point, I restarted the server and it wouldn't boot. It just kept restarting before Windows booted. I called Dell and we went through some diagnostics but nothing seemed to work. I rebuilt the server from scratch. When it was time to put the files back from my backup I realized that I had deleted them by accident. If there is a bright side, it is that the server is new and most of the info is on other systems. I think we only lost a few days worth of files and emails. Not too much.

I learned my lesson though. I do a System State backup like r-k suggested and I do a full System backup nightly. I did one before and after every action during the rebuild. I am also going to do one immediately before any installation or modification and another immediately after I know it's working properly.

Thanks for your input.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16879294
certainly a wise move....could have been a lot worse for you
 
LVL 32

Expert Comment

by:r-k
ID: 16879786
Sorry to hear things did not work out with the recovery. You can never have too many backups. Good luck for the future.
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17110353
PAQed with points refunded (500)

CetusMOD
Community Support Moderator