Everything posted by cluberti
-
You mention file copy from "site to site" - what is the link between sites rated for? Is it frame relay, ATM, VPN, etc? Are file copy speeds between machines at each site fast, and is the file copy only slow over the WAN link?
-
recommended virusprogram for win2003server?
cluberti replied to rsb's topic in Malware Prevention and Security
Some of us run years without real-time antivirus and have no issues - a good firewall, safe browsing/computer usage habits, and some know-how are enough to be just as good an "anti-virus" as the product.
-
Consider first reading the "Non-Admin" blog by Aaron Margosis, then consider running these apps (in test) under the LUA BugLight tool to determine what about the app will trigger UAC prompts, and how to work around these issues so non-admin users can run without UAC intervention.
-
Hm - this means the version of the kernel you have installed has no matching symbol on the public symbol server.
-
The hex value for that error maps to FILE_NOT_FOUND or OBJECT_NOT_FOUND, so yeah, I'd say removing defender caused it. A Process Monitor log would show for sure, but it's definitely the removal of something it doesn't like.
-
I have to agree with everyone here - you're going about this the wrong way. Instead of making someone an admin and locking down privileges, make the user a normal user and GRANT privileges you want him to have. If you give someone admin rights, then you are making that person an admin and locking down accounts like this can be fraught with issues. You're better off creating a regular, low-rights user and assigning permissions to the user in gpedit.msc as necessary.
-
OK, try this - in the debugger, open the dump file, then type the following commands:

    .logopen c:\debuglog.log
    .sympath SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    !sym noisy
    !analyze -v
    .logclose

Post the c:\debuglog.log here so I can see why you're not getting symbols.
-
CN=Common Name
DC=Domain Class
CN=<whatever> is also the object's Relative Distinguished Name, or RDN.
-
How to configure Primary and secondary Domain controllers
cluberti replied to tagwar's topic in Windows 2000/2003/NT4
Quick Start Guide to Setting up Active Directory
-
How big is the file when it's compressed? Perhaps you could upload it here (or some file hosting site) and we could analyze it?
-
That's fine - it'll work.
-
Google is your friend: http://www.auditmypc.com/process/lssas.asp
-
Once you have the dump open in windbg, then, go to the bottom box and type ".symfix" (minus the quotes). Hit enter, then run your commands again.
-
    // Thread causing the crash:
    0: kd> !thread 85711ad0
    THREAD 85711ad0 Cid 0004.0040 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
    Not impersonating
    DeviceMap 83403068
    Owning Process 0 Image: <Unknown>
    Attached Process 856c6ab0 Image: System
    Wait Start TickCount 10556 Ticks: 134 (0:00:00:02.090)
    Context Switch Count 6587
    UserTime 00:00:00.000
    KernelTime 00:00:00.140
    Win32 Start Address nt!ExpWorkerThread (0x82078ea3)
    Stack Init 83395000 Current 83394c90 Base 83395000 Limit 83392000 Call 0
    Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
    ChildEBP RetAddr Args to Child
    833949fc 00000000 badb0d00 00000002 85711ad0 nt!_KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ 833949fc) (CONV: cdecl)
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    83394a6c 8e9ea0f4 00000000 00000016 83394b48 0x0
    83394aac 90c062ce 8a34d764 00000016 83394b48 nnrnstdi+0x20f4
    83394bd4 91595ded 85d1ebf8 83394bf8 85ca1d78 tdx!TdxEventReceiveMessagesTransportAddress+0x48e (FPO: [Non-Fpo]) (CONV: stdcall)
    83394c0c 91593954 00000000 00000001 00000000 tcpip!UdpDeliverDatagrams+0x1fd (FPO: [Non-Fpo]) (CONV: stdcall)
    83394c58 91593834 893ee2c8 0032aaa0 83394c94 tcpip!UdpReceiveDatagrams+0x118 (FPO: [Non-Fpo]) (CONV: stdcall)
    83394c68 91591204 83394c7c c000023e 00000000 tcpip!UdpNlClientReceiveDatagrams+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
    83394c94 91590fd4 915e2d38 83394cf0 c000023e tcpip!IppDeliverListToProtocol+0x49 (FPO: [Non-Fpo]) (CONV: stdcall)
    83394cb4 91590f03 915e29c8 00000011 83394cf0 tcpip!IppProcessDeliverList+0x2a (FPO: [Non-Fpo]) (CONV: stdcall)
    83394d08 9155b56f 915e29c8 00000011 820fde7c tcpip!IppReceiveHeaderBatch+0x1da (FPO: [Non-Fpo]) (CONV: stdcall)
    83394d30 8218c85a 892d4690 005e29c8 85711ad0 tcpip!IppLoopbackTransmit+0x52 (FPO: [Non-Fpo]) (CONV: stdcall)
    83394d44 82078fa0 893efed8 00000000 85711ad0 nt!IopProcessWorkItem+0x23 (CONV: stdcall)
    83394d7c 822254e0 893efed8 8339f680 00000000 nt!ExpWorkerThread+0xfd (CONV: stdcall)
    83394dc0 8209159e 82078ea3 00000001 00000000 nt!PspSystemThreadStartup+0x9d (CONV: stdcall)
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

    // The 0x0 frame in the dump above appears to be nt!KiTimerTableListHead+0x1f60, which
    // is just a timer and synchronization call (multiproc box, it appears you have). Since we
    // appear to have crashed after doing whatever nnrnstdi.sys requested in frame 2, I'd have
    // to say that it's probably invalid data passed in parameter 3 (whatever that is), as both the
    // handle from parameter 2 (0x00000016) and the pointer from parameter 3 (0x83394b48)
    // both appear to be valid:

    // The handle:
    0: kd> !handle 16 7
    processor number 0, process 856c6ab0
    PROCESS 856c6ab0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00122000 ObjectTable: 83400188 HandleCount: 1940.
    Image: System
    Handle table at 9a0e3000 with 1940 Entries in use
    0016: Object: 83462fd0 GrantedAccess: 000f003f Entry: 83402028
    Object: 83462fd0 Type: (85718040) Key
    ObjectHeader: 83462fb8 (old version)
    HandleCount: 1 PointerCount: 1
    Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT\PREFETCHPARAMETERS

    // The pointer:
    0: kd> dc 83394b48
    83394b48 00000001 0002000e 007f5dc0 00000100 .........]......
    83394b58 00000000 00000000 00005dc0 85ca1d78 .........]..x...
    83394b68 8a32aaa0 893ee2c8 017f0900 900b44de ..2...>......D..
    83394b78 7fffffff 80000000 00000002 83394bb0 .............K9.
    83394b88 85ca1d78 83394ba4 83394ba4 83394bb0 x....K9..K9..K9.
    83394b98 915962cd 83394ba4 89100000 00000000 .bY..K9.........
    83394ba8 893f5020 83394bd0 85ca1d78 893ee2c8 P?..K9.x.....>.
    83394bb8 83394bd0 91595be7 00000000 83394c0c .K9..[Y......L9.

    // I'd say this is the culprit:
    0: kd> lmvm nnrnstdi
    start end module name
    8e9e8000 8e9f0000 nnrnstdi (no symbols)
    Loaded symbol image file: nnrnstdi.SYS
    Image path: \SystemRoot\System32\Drivers\nnrnstdi.SYS
    Image name: nnrnstdi.SYS
    Timestamp: Fri Jun 08 12:47:14 2007 (46698812)
    CheckSum: 0000686B
    ImageSize: 00008000
    Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Not sure what that binary is, but according to Google it could be anything from NetRatings (Nielsen Online) to a Nokia driver, to potential malware. I'd say whatever installed that file, you should uninstall it.
-
You can either configure symbols in the debugger each time you run it, or, create a SYSTEM environment variable as follows:

    Name: _NT_SYMBOL_PATH
    Value: SRV*C:\Websymbols*http://msdl.microsoft.com/download/symbols

After you create this value, you'll have a way to download symbols from the Microsoft symbol server on the 'net, and you won't get that error anymore (and you'll be able to debug). From what you've got, it looks like heap corruption of some sort caused by something (ntdll!RtlAllocateHeap+0x1da), but again, without symbols this could be inaccurate. Configure the _NT_SYMBOL_PATH variable, and try again.
-
Anyone tried to Print over Internet (Win2k) ?
cluberti replied to BPoller's topic in Windows 2000/2003/NT4
TCP/IP or LPR printing will work fine if the ports for either are allowed through the firewall to the machine hosting the device. I just answered the OP's question, IPP printing.
-
Anyone tried to Print over Internet (Win2k) ?
cluberti replied to BPoller's topic in Windows 2000/2003/NT4
There's a KB on it, and a google search for "ipp printing Windows 2000" brings up a lot of hits. And yes, it does work, I've done it with W2K and W2K3 machines with W2K, WXP, and Vista as clients.
-
Yes, there is, to a point (it's still an estimate, albeit a close one). In perfmon (start > run > perfmon), you can add the "Working Set" counter under the "Process" object, and select the "_Total" instance. Then, add the "Cache Bytes", "Pool Nonpaged Bytes", and "Available Bytes" counters under the "Memory" object. These give you:

Working Set - Gives you the amount of memory pages that have been used recently by running processes, and as such are almost all going to have been mapped into physical RAM. This number will be larger than the actual total process memory utilization due to shared pages between processes being counted multiple times as a process working set.

Cache Bytes - This number gives you a real-time display of the value of the system cache, the system driver resident bytes, the system code resident bytes, and the kernel paged pool bytes that are cached in RAM. We will use this number in our math later.

Pool Nonpaged Bytes - This counter gives you the amount of the kernel nonpaged pool resource size - this pool is ALWAYS mapped into RAM (thus "nonpaged" pool - cannot be paged out to a paging file).

Available Bytes - This gives us the amount of physical RAM available for system use, and is equal to the total amount of memory assigned to the standby (cached), free, and zero page lists (I won't explain them here, it's too deep for this discussion - again, Windows Internals 4th Edition, chapter 7).

Now, add up these 4 numbers (they're all in bytes) and subtract that from the amount of physical RAM installed in the machine, and you have an approximation of the actual physical RAM footprint of your machine - you'll know how much is *used*, and in general, to where. The "Available Bytes" counter is how many bytes in memory pages you have available for allocation, and the rest is used.

On older hardware, probably not - but on a new machine, yes, XP boots a decent amount faster.

You are correct - only server versions (and only Enterprise/Datacenter versions at that) of x86 W2K/2K3/2K8 support it - client OSes get no benefit from /PAE (other than the ability to create a single paging file larger than 4GB).

I would say yes, the differences will be insignificant in RAM usage (although XP does have the prefetch cache, which will make it look slightly larger in RAM footprint), although disk usage will be a bit different as XP's binaries are larger and far more numerous than 2000's - however, with a 250GB drive, is that really a problem anymore?

And yes, please post your installation steps for both 2000 and XP, and the results of your testing - I'd love to see it, personally.
-
enableballoontips=0 will turn it off, but it'll turn ALL balloon tips off, windows update related or not.
-
Fixes for Internet Explorer Downloading annoyances?
cluberti replied to flickshot's topic in Windows XP
If you're using IE7, you could also use IE7Pro and its download manager, which does this.
-
Send me a PM and I'll give you a place to upload the .zip file.
-
The NTBackup tasks are just scheduled tasks, and likely can be copied out like any other scheduled task. Also, if you know exactly what the scheduled task will contain, you could also script the schtasks.exe executable to create the task in a logon script or machine startup script, depending on who runs the task.
-
You misunderstand memory management. Personally, I would suggest XP or Vista if you have 4GB of RAM, but let me clear up some of your misunderstandings:

The /3G switch gives your usermode processes 3GB of Virtual Address Space, but only if the application binary was compiled /LARGEADDRESSAWARE when it was built. Also note that Virtual Address Space (VA) and Physical RAM have absolutely nothing to do with each other - the NT memory manager decides what (if anything) of a process' VA to map into RAM, and if so, how many pages (some may be mapped to RAM, some to the pagefile). So unless you have applications that can actually use the 3GB of VA (and most, if not all, of your apps will not - mostly server apps take advantage of this) it makes no sense to do this. Not only that, but you take 1GB from the 2GB of VA the kernel would normally get and waste it when you do this unnecessarily, and you halve things like kernel paged pool and nonpaged pool, and you take a severe hit in system PTEs available. If you want to learn more, grab the book Windows Internals 4th Edition and read chapter 7.

I would say that using Nlite on XP will give you similar footprint and memory usage as 2000, and will also make you more compatible with newer hardware, software, and drivers. You do lose some of the DOS compatibility mode, but I find XP running DOSBox to be just as capable as 2000 and DOS (DOSBox is actually more capable, as it's a virtual DOS environment). If you REALLY want DOS, grab VirtualPC, VirtualBox, or VMWare Server and install DOS in a VM on the XP machine.

As stated before, the /3GB switch does NOTHING for performance, period. It's a VA construct, not a RAM or performance construct.

Honestly, an Nlite-d XP running the "classic" interface is probably a better option than 2K. Not only that, but 2K is in extended support only, meaning bugs don't get fixed, only security updates. XP gives you the ability to run newer apps and drivers for newer hardware (and newer games too), and gives about the same footprint. Also, make sure you read this sticky for gotchas with 4GB on x86 machines, as well as some more info on VA vs RAM.
-
How to configure Primary and secondary Domain controllers
cluberti replied to tagwar's topic in Windows 2000/2003/NT4
What is the Global Catalog?
How the Global Catalog Works
How to create or move a global catalog in Windows Server 2003...
Active Directory Replication Concepts
FSMO placement and optimization on Active Directory domain controllers
How to Verify an Active Directory Installation in Windows Server 2003
You should REALLY know more about AD before you try to do domain admin work, but this should get you started.
-
Configure the box for a complete memory dump, and then compress it and post it somewhere where we can get to it and download/analyze it.