Tricks & Traps: Ask the Doctor

Article from Windows 2000 Magazine

by Sean Daily

Q: We've been experiencing strange application initialization errors. On our network, we run Computer Associates' (CA's) InoculateIT 4.53 on our network, and most of our machines are behind a server running Microsoft Proxy Server 2.0. Processes running on some of our Windows NT systems fail to initialize properly at system startup, and we have to manually start them. The problem isn't limited to InoculateIT processes—even the Task Scheduler utility (mstask.exe) is experiencing problems. In each case, the Event Viewer Application log shows an Event ID 3 with Winsock Proxy Client as the source and the following description:

Application <name of failed process> was started while the service manager was locked and the
NtLmSsp wasn't running. If the application will try to remote via WinSock Proxy it can cause a
deadlock with the service manager. For this reason the remoting is disabled. If the application
is a service and you want to be able to remote, make it dependent on NtLmSsp.

What can we do to resolve this problem?

A: This problem is common in, but not exclusive to, systems running the Winsock Proxy Client that accompanies Proxy Server. The problem usually happens because the service in question is attempting to initialize and run through Proxy Server's remote Winsock service while the service database is in a locked state. I have seen similar error messages when newly installed services don't create the proper service dependencies (i.e., load service A before loading service B). In your situation, the problem is that the NtLmSsp service isn't running when other services that depend on it attempt to initialize.

The solution is to manually edit the Registry entry related to the failing service so that the failing service won't attempt to load until the dependent service, NtLmSsp, has successfully initialized. I recommend that you use the regedt32 Registry editor to make the following changes because it properly supports the REG_MULTI_SZ Registry data type (unlike regedit.exe). First, you need to locate the Registry entry related to the failing service. Service Registry entries are located in alphabetical order in the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services Registry subkey. In some cases, the service's Registry key name will be the same as the process name (e.g., NtLmSsp), but other services' keys will have descriptive names (e.g., InoculateIT Server). To locate the right key, use the Registry editor's Edit, Find option to search for the process name (i.e., the name of the process' .exe file) within the Services subkey. After you locate the service's Registry subkey, highlight the service name in the Registry editor's left pane, and edit or add the DependOnService subkey of type REG_MULTI_SZ. Set the value of the DependOnService subkey to the name of service (as it appears in the Services Registry subkey) that you want the failing service to depend on. For example, in your case, set the value to NtLmSsp, as Figure 1 shows.

Figure 1: Using regedt32 to create a service dependency

If the failing service requires multiple dependencies, enter the name of each service on separate lines in the DependOnService value dialog box. Some services are also members of service groups (e.g., SCSI miniport, Primary disk, Video), so you can create dependencies with service groups instead of or in addition to individual services. For more information about service and service group dependencies, see the Microsoft articles "CurrentControlSet\Services Subkey Entries" (https://support.microsoft.com/default.aspx?scid=kb;en-us;103000&sd=tech) , "REG: Network Services Entries, Part 2" (https://support.microsoft.com/default.aspx?scid=kb;en-us;102996&sd=tech) , "HOWTO: Control Device Driver Load Order" (https://support.microsoft.com/default.aspx?scid=kb;en-us;115486&sd=tech) , and "How to Delay Loading of Specific Services" (https://support.microsoft.com/default.aspx?scid=kb;en-us;193888&sd=tech).

You can use the Microsoft Windows NT Server 4.0 Resource Kit Sc.exe utility to query and modify service dependencies from the command line. See the resource kit's documentation for more information about how to use sc.exe.

Q: My supervisor and I are stumped about how to set up authentication for Windows NT security. We set up an IUSR_computername account in User Manager, permitted anonymous access in Microsoft Internet Service Manager (ISM), and selected Basic (clear text) authentication. However, when we test the authentication, we receive a pop-up dialog box that asks for the username and password. The system then rejects the username and password that we submit. How do we configure the system to let clients see a site after they input their username and password?

A: For anonymous authentication (i.e., authentication for directories and files that don't require explicit authentication and are publicly available), in addition to the configuration you've already set up, you need to verify that the password of the IUSR_computername account (e.g., IUSR_MYSERVER—the account that the system uses to provide anonymous access to the server) matches the password configured in ISM. (You can check this manually in Microsoft IIS 4.0 or 3.0 or through automatic synchronization in IIS 4.0 and later.) You also need to ensure that you assign, in User Manager, the IUSR account (or the group that contains this account) the rights to log on locally to the NT IIS server. Also, make sure that you assign, through file system ACLs, to the IUSR account the appropriate NTFS permissions on any directories to which you want anonymous users to have access (i.e., set read permissions on these directories). To require authentication for Web server access (i.e., so that even the default home page on the server prompts users for authentication), when you configure the server or a particular Web site, disable anonymous access by clearing the Allow Anonymous Access option on the Directory Security tab.

To set up access to content that requires explicit authentication, you follow the same procedure except that you create an additional account in User Manager to which you assign rights to all files and folders that require authenticated access. In this case, the IUSR account should not have rights on these files and folders. Doing so causes the clients' browser to prompt them for authentication when they attempt to access the protected folder or file on the server. Your authentication set up should work correctly as long as you've assigned the proper ACL permissions to the user's account (i.e., the account that the user authenticates with through the browser) for the files and folders that you want them to be able to access, the user account has log on locally rights on the server (or domain if the IIS system is a domain controller), and the system uses the correct password to authenticate the user. If it doesn't work properly, search the Microsoft Web site for more information about your problem and to see if you've overlooked a configuration step.

Q: Unlike Windows NT 4.0 Setup, Windows 2000 Setup doesn't let you choose whether you want to install several components such as games, multimedia files, accessories and utility applications, and accessibility options. Win2K Setup installs them by default. After Win2K Setup completes the installation, I go into the Control Panel Add/Remove Programs applet and select Add/Remove Windows Components, but no options are available to remove these items. Can I control whether Win2K Setup installs these components, and if so, how?

A: You can modify Win2K to control whether Setup installs these components during setup or after. However, doing so requires manual file editing. To force Win2K Setup to enumerate these items for selection during setup, copy the \i386 folder from the Win2K installation CD-ROM to a distribution share on your local system or the network. Next, locate the sysoc.in_ file in the \i386 directory, and use the following command line to expand it:

expand -r sysoc.in_

Next, edit the expanded Sysoc.inf file to display the components that you want to be able to select during installation. (Figure 2 shows an example expanded file.) To do this, locate the line in the file that reads

; old base components

Figure 2: Editing the sysoc.inf file

For each component that you want to appear in the Add/Remove Programs applet, remove the HIDE field and its associated comma. For example, to force Setup to enumerate multimedia components, change the line that reads

MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7

to

MultiM=ocgen.dll,OcEntry,multimed.inf,7

You also need to remove the HIDE option from the AccessUtil= line. Otherwise, no other components in the old base components section will be available in the Add/Remove Programs applet. Finally, save and close the file.

To display these components in Add/Remove Windows Components after Setup has completed the installation, go to the \%systemroot%\inf folder, and locate the sysoc.inf file. Make a backup copy of the file (e.g., by copying sysoc.inf to sysoc.bak), and use a text editor, such as Notepad, to open the sysoc.inf file and make the same changes described in the previous procedure. After you finish and save your changes, you can manage these components through the Control Panel Add/Remove Programs applet.

Q: While trying to find a solution to a problem in which Windows NT doesn't boot unless I use a boot disk, I discovered the Microsoft article "Windows NT Does Not Boot with Highly Fragmented MFT" (https://support.microsoft.com/default.aspx?scid=kb;en-us;228734&sd=tech ). This article instructs me to run bcupdate.exe but doesn't provide any information about where to find this file. Any ideas?

A: From what I can tell, you're the lucky finder of a phantom utility. From time to time, in Knowledge Base articles, I see Microsoft mention utilities and patches that the company claims to have developed for various problems but that don't seem to actually exist. In the article you mentioned, Microsoft describes bcupdate.exe as a utility that ships with NT Service Pack 6 (SP6) and SP6a and modifies NT's boot code. The article claims that this modification remedies your boot problem, which is caused by excessive fragmentation of the Master File Table (MFT) on an NTFS system partition. I searched every NT service pack CD-ROM, TechNet, the Microsoft Web site, and newsgroups and NT-related discussion sites, but I never found any mention of this utility. Perhaps Microsoft incorporated Bcupdate.exe's functionality into the SP6 and SP6a update process. Or maybe the utility and its intended fix never materialized. To solve your problem, try upgrading to SP6a to see if the boot-code modification promised in Microsoft's article occurs. If this method doesn't solve your problem, you can use the most recent versions of Executive Software's Diskeeper and Symantec's Norton Speed Disk utilities to defragment the MFT on an NTFS volume. You might be able to use one of these utilities to sufficiently defragment the MFT and restore typical boot functionality to your system.

Q: In our Windows NT 4.0 Service Pack 4 (SP4) environment, we use DNS (through BIND 4.0 servers). Our biggest NT resource domain is called TELLABS, and most of the workstations at our headquarters are in this domain. We also have a UNIX box called tellabs, and we're concerned that this box might be getting barraged by queries to the TELLABS domain. The Fully Qualified Domain Name (FQDN) of the UNIX host is tellabs.hq.tellabs.com (the short name or alias is tellabs). We don't have the Enable DNS for Windows resolution check box selected for any of our machines. Are our concerns valid?

A: I don't think that your UNIX box is receiving any unnecessary traffic, because the DNS and NetBIOS namespaces are separate. If a NetBIOS name query for TELLABS comes from a WINS-enabled client, the query will probably be in the form of a request to locate a domain controller for the TELLABS domain (e.g., to a WINS server or through a broadcast). As a NetBIOS-style name query, the WINS-enabled client usually directs its query at a WINS server; thus, DNS wouldn't receive the query. The response to this query from the WINS server is a list of the IP addresses of various domain controllers for the TELLABS domain, not the tellabs.hq.tellabs.com UNIX host.

However, this process doesn't guarantee that you won't experience a name-resolution conflict in the future. A more likely scenario for undesirable results is an environment in which the DNS host name is identical to a NetBIOS name on a different IP host. In this case, depending on how a client queries for the name, a name server might return the wrong IP address to the client. For more information about why this error could occur, see "Navigating Name Resolution, Part 1," June 2000 and "Navigating Name Resolution, Part 2," July 2000. A good practice is to keep your DNS and NetBIOS names the same on machines whenever possible, and don't create conflicts between these two namespaces (with host names and group names such as the NT domain name).

Q: Although setting up the Internet Connection Sharing (ICS) service on my Windows 2000 Server system seemed straightforward, I'm having problems getting ICS to work properly. Any ideas about what might be causing the problem?

A: My guess is that the server you're attempting to configure ICS on is also acting as a dynamic DNS (DDNS) or DHCP server. To enable LAN clients on the private network to use ICS's connection to connect to the Internet, ICS automatically sets up a small DHCP scope (called the DHCP allocator) and a DNS proxy service. These two services bind to the same ports that DDNS and DHCP servers use; thus, a conflict results between ICS and DDNS or DHCP. This ICS setup can also cause problems with the DDNS and DHCP services that are already running on the machine. Solutions to this problem include moving ICS to a different machine or using Network Address Translation (NAT—within RRAS) instead of ICS to enable IP translation for the internal network. Unlike ICS, NAT is configurable. For example, you can configure NAT not to use the DHCP allocator by clearing the Automatically assign IP addresses using DHCP check box on the Address Assignment tab of the NAT Properties dialog box; this action removes the interference with DDNS. You can also configure NAT to avoid conflicts with DDNS services running on the same machine by clearing the Clients using Domain Naming System (DNS) check box on the Name Resolution tab of the NAT Properties dialog box. For more information about ICS conflicts, see the Microsoft article "Internet Connection Sharing Service May Not Function Properly on a Server Running DHCP or DDNS" at https://support.microsoft.com/default.aspx?scid=kb;en-us;250603&sd=tech.

Q: I'm having a problem with Internet Mail on Microsoft Exchange Server. In my event logs, I often see undeliverable messages with the error message 503 Please introduce yourself first. What is causing these errors?

A: This problem relates to Extended SMTP. ESMTP includes encryption on top of the authentication that Exchange Server uses to transfer Internet Mail. SMTP doesn't include this additional layer of encryption. Some systems aren't compliant with Internet Engineering Task Force (IETF) Request for Comments (RFC) 1651, which defines ESMTP commands; thus, the systems don't accept ESMTP commands. This limitation can result in compatibility problems when sending email over the Internet: The receiving email server expects an SMTP response from the sending email server, and the sending email server sends the response in ESMTP, which the receiving email server doesn't recognize.

To solve this problem, you can disable outbound ESMTP in Exchange Server. However, by doing so, you lose the ability to send the ETRN command on a dial-up connection. ETRN is an ESMTP command that alerts one ESMTP gateway or mail host to process email that is waiting delivery to another SMTP mail handling system. If your email server is sending and receiving email over a leased line, this loss of ability won't be a problem. However, if you're using Exchange Server with DUN to retrieve email from an outside host, talk to the host's managers about the potential impact of disabling the ETRN command. Disabling ESMTP also removes the added encryption layer gained by using ESMTP rather than SMTP.

To disable outbound ESMTP in Exchange Server, start regedt32, go to the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \MSExchangeIMC \Parameters subkey, and add the DisableOutbondESMTP subkey of data type REG_DWORD and a value of 1. Verify that the new value appears in the parameters list, close regedt32, and stop and restart the Internet Mail Service (IMS).

Editor's Note: Bob Chronister contributed answers to this Tricks & Traps.

Sean Daily is a contributing editor for Windows 2000 Magazine and the technology lead at Xcedia, a consulting firm specializing in Win2K deployment and migrations. His most recent book is Optimizing Windows NT (IDG). You can reach him at sean@xcedia.com.

The above article is courtesy of Windows 2000 Magazine. Click here to subscribe to Windows 2000 Magazine.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

Click to subscribe