Hello all,

I have a SBS2000 server that has been acting very strange as of late. The
first problems began 2 weeks ago when no computers could authenticate to
the server and this was in the system log:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date: 12/8/2004
Time: 6:13:39 AM
User: N/A
Computer: DC01
Description:
The redirector was unable to initialize security context or query
context attributes.
Data:
0000: 00 00 08 00 02 00 56 00 ......V.
0008: 00 00 00 00 da 0b 00 80 ....Ú..?
0010: 00 00 00 00 5e 00 00 c0 ....^..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 7d 04 00 00 5e 00 00 c0 }...^..À

I thought maybe it was a problem with AD, so I ran through the steps in
this JSI FAQ:
http://www.jsiinc.com/SUBQ/tip8300/rh8320.htm

All tests indicated there was no problem. Then it happened again two
days later. If I reboot the DC, the problem is corrected, but to do that
in the middle of the day makes the VP cranky.
I checked DNS, DHCP, SNTP, group policies, permissions to log on
locally, NTFS permissions to shares and drives on the DC, NetDIAG,
DCDiag, all without finding any errors in configuration or operation.

I fear the worst in that the AD is corrupted and last night I went
through the steps in the following KB articles:

http://support.microsoft.com/kb/258062
I back up the system state, perform the Integrity check and the semantic
analysis, both complete without errors.

http://support.microsoft.com/kb/232122
I perform the offline defragmentation successfully and reboot the server.

Now I get the following errors:

System Log...

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 12/14/2004
Time: 11:55:43 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Access denied attempting to launch a DCOM Server. The server is:
{9DA0E106-86CE-11D1-8699-00C04FB98036}
The user is SYSTEM/NT AUTHORITY, SID=S-1-5-18.

I find {9DA0E106-86CE-11D1-8699-00C04FB98036} is the MS Exchange
Property Mapping Interface by searching the registry, but there is no
info in the net about it at all!

In the security log I have these 3 messages repeating every 30 - 45
seconds...

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Pre-authentication failed:
User Name: DC$
User ID: MYDEV\DC$
Service Name: krbtgt/HOLDINGS.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
The logon to account: DC$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DC
failed. The error code was: 3221225578


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: DC$
Domain: MYDEV
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DC

What I interpret these to mean is this:

1. The machine account DC$ is locked out, has an incorrect password, or
does not exist.
2. The user SYSTEM/NT AUTHORITY, SID=S-1-5-18 is locked out, has
incorrect password, or does not exist.

I have found the following info about resetting the machine account
password.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575
It mentions the need for another DC, but I only have the one DC.

I have not found any info about modifying NT AUTHORITY\SYSTEM account.

Also, now if I run a DCDiag, DC fails test systemlog, but passes every
other test.

I have exhausted all resources I can think of to find the source of
this. Please, if anyone has seen this before post your suggestions. I
apologize for the length of this post, but I want to present all info I
have and outline what I have tried to fix it.

TIA

RDA MCSE, CNE
rabram AT gmail DOT com
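
Added example (not part of the original post): a small decoder for the numeric codes in the events quoted above, using the public NTSTATUS and Kerberos (RFC 4120) error names. The function names are illustrative, and treating aligned little-endian DWORDs in the event 3034 data as candidate NTSTATUS values is an assumption about that record's layout.

```python
import re
import struct

# Subsets of the public NTSTATUS and Kerberos (RFC 4120) error tables.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
KRB_ERROR = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Text copied from the events in the post (ASCII column of the dump dropped).
EVENT_681 = "The logon to account: DC$\nfailed. The error code was: 3221225578"
EVENT_675 = "Pre-Authentication Type: 0x2\nFailure Code: 0x18\nClient Address: 127.0.0.1"
EVENT_3034_DATA = """\
0000: 00 00 08 00 02 00 56 00
0008: 00 00 00 00 da 0b 00 80
0010: 00 00 00 00 5e 00 00 c0
0018: 00 00 00 00 00 00 00 00
0020: 00 00 00 00 00 00 00 00
0028: 7d 04 00 00 5e 00 00 c0
"""

def decode_681(text):
    """Event 681 prints the NTSTATUS as unsigned decimal; return (hex, name)."""
    m = re.search(r"error code was:\s*(\d+)", text)
    if not m:
        return None
    code = int(m.group(1))
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown")

def decode_675(text):
    """Event 675 prints the Kerberos error number in hex; return its name."""
    m = re.search(r"Failure Code:\s*(0x[0-9A-Fa-f]+)", text)
    if not m:
        return None
    return KRB_ERROR.get(int(m.group(1), 16), "unknown")

def statuses_in_dump(dump):
    """Return (offset, name) for each aligned little-endian DWORD that is a
    known NTSTATUS value (assumed layout, see the note above the block)."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:((?:\s[0-9A-Fa-f]{2}){1,8})", line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    found = []
    for off in range(0, len(raw) - 3, 4):
        (val,) = struct.unpack_from("<I", raw, off)
        if val in NTSTATUS:
            found.append((off, NTSTATUS[val]))
    return found

if __name__ == "__main__":
    print("681:", decode_681(EVENT_681))
    print("675:", decode_675(EVENT_675))
    print("3034:", statuses_in_dump(EVENT_3034_DATA))
```

Both the NTLM code and the Kerberos code decode to a password mismatch for DC$, not to a lockout or a missing account, which have their own distinct codes in the tables.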

Re: SBS2000 server generating DCOM errors and multiple security events. by Marina

Marina
Wed Dec 15 19:19:04 CST 2004

Hi Rabram,

Can you post the ipconfig /all from the server and one from a client?

--
Regards,

Marina
Microsoft SBS-MVP



Re: SBS2000 server generating DCOM errors and multiple security events. by RDA

RDA
Thu Dec 16 12:24:04 CST 2004

Marina Roos [SBS-MVP] wrote:
> Hi Rabram,
>
> Can you post the ipconfig/all from the server and one from a client?
>
Sure,

Here it is:

DOMAIN CONTROLLER:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DC0x*
Primary DNS Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Private:

Connection-specific DNS Suffix . : Holdings.local
Description . . . . . . . . . . . : NetServer 10/100TX PCI LAN
Adapter
Physical Address. . . . . . . . . : 00-E0-18-C1-AD-6E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.123.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.123.10
Primary WINS Server . . . . . . . : 192.168.123.10

PPP adapter Dail-up Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 207.229.35.41
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 207.229.35.41
DNS Servers . . . . . . . . . . . : 199.185.130.34
199.185.131.5

FILE SERVER:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : FS0x*
Primary DNS Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-538TX 10/100 Adapter
Physical Address. . . . . . . . . : 00-05-5D-D2-82-C1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.123.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.123.10
DNS Servers . . . . . . . . . . . : 192.168.123.10

CLIENT:

Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerX*
Primary Dns Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Holdings.local
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast
Ethernet Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-08-74-E2-E7-DE
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.123.142
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.123.10
DHCP Server . . . . . . . . . . . : 192.168.123.10
DNS Servers . . . . . . . . . . . : 192.168.123.10
Primary WINS Server . . . . . . . : 192.168.123.10
Lease Obtained. . . . . . . . . . : Thursday, December 16, 2004
9:52:16 AM
Lease Expires . . . . . . . . . . : Friday, December 24, 2004
9:52:16 AM

* Host Names changed to protect the innocent.

Default Gateway, DNS, DNS Domain name and WINS are set as "Server
Options" of DHCP.

Any ideas?

Re: SBS2000 server generating DCOM errors and multiple security events. by Marina

Marina
Thu Dec 16 13:27:47 CST 2004

Hi Rabram,

You are missing the WINS on the fileserver.
Can you also check if the SBS is set up as a timeserver and that the
fileserver and the clients are syncing with the SBS?

Smallbizserver.Net > SBS 2000 > Server issues > How do I setup the server as
a time server:
http://www.smallbizserver.net/Default.aspx?tabid=64

--
Regards,

Marina
Microsoft SBS-MVP



Re: SBS2000 server generating DCOM errors and multiple security events. by RDA

RDA
Thu Dec 16 14:12:03 CST 2004

Marina Roos [SBS-MVP] wrote:
> Hi Rabram,
>
> You are missing the WINS on the fileserver.
> Can you also check if the SBS is set up as a timeserver and that the
> fileserver and the clients are syncing with the SBS?
>
> Smallbizserver.Net > SBS 2000 > Server issues > How do I setup the server as
> a time server:
> http://www.smallbizserver.net/Default.aspx?tabid=64
>
I added the WINS to the File server. The DC is configured as
authoritative time server for the domain and has correct time. The
workstations time synch at login, and I have verified that is the case.

Any other leads? I appreciate your input, please continue...

Randy

Re: SBS2000 server generating DCOM errors and multiple security events. by Marina

Marina
Thu Dec 16 15:11:40 CST 2004

Hi Randy,

I don't know if a reboot of both servers might help to see if those events
have cleared up. Can you track down to the moments these events are
happening?

--
Regards,

Marina
Microsoft SBS-MVP



Re: SBS2000 server generating DCOM errors and multiple security events. by RDA

RDA
Thu Dec 16 15:30:14 CST 2004

Marina Roos [SBS-MVP] wrote:
> Hi Randy,
>
> I don't know if a reboot of both servers might help to see if those events
> have cleared up. Can you track down to the moments these events are
> happening?
>
I will have to wait until the end of the business day to reboot. As for
the entries in the event logs, the DCOM related event occurs during Boot
on the DC, and the other 3 security events occur every 30 - 45 seconds.
They are filling the security logs with useless info. 13,000+ events
since 12/15/2004 12:00:29 AM.

Ack!

Re: SBS2000 server generating DCOM errors and multiple security events. by RDA

RDA
Thu Dec 16 15:37:27 CST 2004

Marina Roos [SBS-MVP] wrote:
> Hi Randy,
>
> I don't know if a reboot of both servers might help to see if those events
> have cleared up. Can you track down to the moments these events are
> happening?
>
Do you know what the effect is of using netdom to reset the machine account
of the DC?
I am referring specifically to this KB Article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575

Will the DC not be able to get a Kerberos ticket from itself? There are
no other ticket granting servers.

Thanks again...

Randy