M
Mike Bayly
Hi all
I have an interesting problem that occurred simultaneously on two domain
controllers within my domain that I remotely manage with Terminal Services
(admin mode). Both servers run Windows Server 2000 SP3 and have been running
fine up until now. When attempting a remote desktop or terminal services
client connection to either of these machines, an application popup appears
on the server screen with title "csrss.exe - Unable to Locate DLL" and with
the popup box showing "The dynamic link library winsrv could not be found in
the specified path Default Load Path".
I've checked the server environmant variables and "Path" includes
"C:\WINNT\System32" and have also verified that C:\WINNT\System32\WINSRV.DLL
exists.
The only significant event for the domain was that a new Domain controller
was installed 6 days ago - Windows Server 2000 SP4, with otherwise identical
configuration to the other servers. In all there are 5 domain controllers in
the domain, all separated by 16K CIR (128K access) frame relay links. There
have been no other issues with the new server installed last week.
I've exhausted support.microsoft.com and really have no idea what the
problem could be, so any help or advice at all would be greatly appreciated.
Thanks
Mike
Further to the above...
I'm now getting all kinds of event log errors and warnings (see end of
message).
A third server (THLADL2) has started this behaviour - this server already
has SP4 installed so Microsoft Support suggested I install Security Rollup 1
for SP4 and some hotfixes, but when I attempt this, the server complains
that "Setup cannot update a checked (debug) system with a free (retail)
version of KB837585". This led the support guy to conclude that the wrong OS
has been installed on this server - It's a Dell Poweredge 2550 with Server
2000 SP1 OEM from Dell. This happens on the one SP3 server I can access via
VNC as well, which is a Dell Poweredge as well with Server 2000 OEM from
Dell.
Checking last night's backup (Veritas Backup Exec) I see these errors for
THLADL2 with is an additional concern:
Unable to attach to C:.
Unable to attach to C:.
Unable to attach to D:.
Unable to attach to D:.
Unable to attach to \\THLADL2\System?State.
Unable to attach to \\THLADL2\System?State.
On checking another remote domain controller (same setup, Server 2000 SP4,
DC) I notice that there are the same Event Log messages: "The dynamic link
library winsrv could not be found in the specified path Default Load Path".
and "csrss.exe - Unable to Locate DLL" in 18th Jan. One of the other guys
here had attempted to connect to that server and couldn't, so got a local
user to perform a hard reboot on it. After that, the Application and System
logs appear to have no reoccurences of these error messages.
Another weird thing is that if I try to log in on the console with the
administrator account, the box where you enter username, password and domain
vanished for a split second, and then then "hit ctril alt delete" screen
appears. I have to log in with a different account that has administrator
rights which gives a "Path too long" error in a popup box. Also, if I check
the Performance tab in Task Manager", the CPU activity is hovering around
50%, but on the Processes tab, all of the running processes show 0% CPU.
I'm tempted to try and reboot one of the other servers to see if the problem
just "goes away" given that I don't seem to be getting far with Microsoft
Support, but because so far the users haven't really been impacted, I'd hate
to reboot and have a server that wont boot back up. I'll see what MS have to
say today (public holiday so might be lucky) and will check here for any
further help here.
Thanks
Mike
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 25/01/2006
Time: 7:51:52 PM
User: N/A
Computer: THLADL2
Description:
Security policies were propagated with warning. 0x4b8 : An extended error
has occurred.
For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202s".
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 222
Date: 25/01/2006
Time: 7:42:21 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 222 ) in Source ( SpntLog ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
D:\Program Files\BackupExec\NT\ECM\bumodule.jar, 100.
-----
Event Type: Error
Event Source: EventSystem
Event Category: (3)
Event ID: 4097
Date: 25/01/2006
Time: 7:36:33 PM
User: N/A
Computer: THLADL2
Description:
The description for Event ID ( 4097 ) in Source ( EventSystem ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
..\eventsystem2.cpp, 329, 800705AA.
-----
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 25/01/2006
Time: 7:36:32 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
Windows cannot create a temporary profile directory. Contact your network
administrator.
DETAIL - Insufficient system resources exist to complete the requested
service.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 211
Date: 25/01/2006
Time: 7:26:07 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 211 ) in Source ( SpntLog ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
F:\software\Symantec.Norton.Ghost.v9.0.Incl.Keygen-SSG.zip,
nortonghost90p4.rar, 2.
-----
Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 25/01/2006
Time: 7:19:51 PM
User: N/A
Computer: THLADL2
Description:
The redirector failed to determine the connection type.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:40 PM
User: N/A
Computer: THLADL2
Description:
Application popup: Explorer.EXE - Application Error : The instruction at
"0x7831886a" referenced memory at "0x00000000". The memory could not be
"read".
Click on OK to terminate the program
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:03 PM
User: N/A
Computer: THLADL2
Description:
Application popup: File Error : Cannot find NETWORK.DRV
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: Srv
Event Category: None
Event ID: 2022
Date: 25/01/2006
Time: 7:03:18 PM
User: N/A
Computer: THLADL2
Description:
The server was unable to find a free connection 9 times in the last 60
seconds. This indicates a spike in network traffic. If this is happening
frequently, you should consider increasing the minimum number of free
connections to add headroom. To do that, modify the MinFreeConnections and
MaxFreeConnections for the LanmanServer in the registry.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 6:57:34 PM
User: N/A
Computer: THLADL2
Description:
Application popup: csrss.exe - Unable To Locate DLL : The dynamic link
library winsrv could not be found in the specified path Default Load Path.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I have an interesting problem that occurred simultaneously on two domain
controllers within my domain that I remotely manage with Terminal Services
(admin mode). Both servers run Windows Server 2000 SP3 and have been running
fine up until now. When attempting a remote desktop or terminal services
client connection to either of these machines, an application popup appears
on the server screen with title "csrss.exe - Unable to Locate DLL" and with
the popup box showing "The dynamic link library winsrv could not be found in
the specified path Default Load Path".
I've checked the server environmant variables and "Path" includes
"C:\WINNT\System32" and have also verified that C:\WINNT\System32\WINSRV.DLL
exists.
The only significant event for the domain was that a new Domain controller
was installed 6 days ago - Windows Server 2000 SP4, with otherwise identical
configuration to the other servers. In all there are 5 domain controllers in
the domain, all separated by 16K CIR (128K access) frame relay links. There
have been no other issues with the new server installed last week.
I've exhausted support.microsoft.com and really have no idea what the
problem could be, so any help or advice at all would be greatly appreciated.
Thanks
Mike
Further to the above...
I'm now getting all kinds of event log errors and warnings (see end of
message).
A third server (THLADL2) has started this behaviour - this server already
has SP4 installed so Microsoft Support suggested I install Security Rollup 1
for SP4 and some hotfixes, but when I attempt this, the server complains
that "Setup cannot update a checked (debug) system with a free (retail)
version of KB837585". This led the support guy to conclude that the wrong OS
has been installed on this server - It's a Dell Poweredge 2550 with Server
2000 SP1 OEM from Dell. This happens on the one SP3 server I can access via
VNC as well, which is a Dell Poweredge as well with Server 2000 OEM from
Dell.
Checking last night's backup (Veritas Backup Exec) I see these errors for
THLADL2 with is an additional concern:
Unable to attach to C:.
Unable to attach to C:.
Unable to attach to D:.
Unable to attach to D:.
Unable to attach to \\THLADL2\System?State.
Unable to attach to \\THLADL2\System?State.
On checking another remote domain controller (same setup, Server 2000 SP4,
DC) I notice that there are the same Event Log messages: "The dynamic link
library winsrv could not be found in the specified path Default Load Path".
and "csrss.exe - Unable to Locate DLL" in 18th Jan. One of the other guys
here had attempted to connect to that server and couldn't, so got a local
user to perform a hard reboot on it. After that, the Application and System
logs appear to have no reoccurences of these error messages.
Another weird thing is that if I try to log in on the console with the
administrator account, the box where you enter username, password and domain
vanished for a split second, and then then "hit ctril alt delete" screen
appears. I have to log in with a different account that has administrator
rights which gives a "Path too long" error in a popup box. Also, if I check
the Performance tab in Task Manager", the CPU activity is hovering around
50%, but on the Processes tab, all of the running processes show 0% CPU.
I'm tempted to try and reboot one of the other servers to see if the problem
just "goes away" given that I don't seem to be getting far with Microsoft
Support, but because so far the users haven't really been impacted, I'd hate
to reboot and have a server that wont boot back up. I'll see what MS have to
say today (public holiday so might be lucky) and will check here for any
further help here.
Thanks
Mike
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 25/01/2006
Time: 7:51:52 PM
User: N/A
Computer: THLADL2
Description:
Security policies were propagated with warning. 0x4b8 : An extended error
has occurred.
For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202s".
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 222
Date: 25/01/2006
Time: 7:42:21 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 222 ) in Source ( SpntLog ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
D:\Program Files\BackupExec\NT\ECM\bumodule.jar, 100.
-----
Event Type: Error
Event Source: EventSystem
Event Category: (3)
Event ID: 4097
Date: 25/01/2006
Time: 7:36:33 PM
User: N/A
Computer: THLADL2
Description:
The description for Event ID ( 4097 ) in Source ( EventSystem ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
..\eventsystem2.cpp, 329, 800705AA.
-----
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 25/01/2006
Time: 7:36:32 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
Windows cannot create a temporary profile directory. Contact your network
administrator.
DETAIL - Insufficient system resources exist to complete the requested
service.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 211
Date: 25/01/2006
Time: 7:26:07 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 211 ) in Source ( SpntLog ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
F:\software\Symantec.Norton.Ghost.v9.0.Incl.Keygen-SSG.zip,
nortonghost90p4.rar, 2.
-----
Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 25/01/2006
Time: 7:19:51 PM
User: N/A
Computer: THLADL2
Description:
The redirector failed to determine the connection type.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:40 PM
User: N/A
Computer: THLADL2
Description:
Application popup: Explorer.EXE - Application Error : The instruction at
"0x7831886a" referenced memory at "0x00000000". The memory could not be
"read".
Click on OK to terminate the program
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:03 PM
User: N/A
Computer: THLADL2
Description:
Application popup: File Error : Cannot find NETWORK.DRV
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: Srv
Event Category: None
Event ID: 2022
Date: 25/01/2006
Time: 7:03:18 PM
User: N/A
Computer: THLADL2
Description:
The server was unable to find a free connection 9 times in the last 60
seconds. This indicates a spike in network traffic. If this is happening
frequently, you should consider increasing the minimum number of free
connections to add headroom. To do that, modify the MinFreeConnections and
MaxFreeConnections for the LanmanServer in the registry.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 6:57:34 PM
User: N/A
Computer: THLADL2
Description:
Application popup: csrss.exe - Unable To Locate DLL : The dynamic link
library winsrv could not be found in the specified path Default Load Path.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.