Let this be a lesson.
The first event we've got in the Directory Services event is when the
box is already in the "I'm really sick" state. Because the DS event log
default is tiny [512k] there's nothing documenting that event on or
around 12/1 when this box freaked. We only have a very tiny filled up
event log that documents we already have a sick box, we don't have
something in that log file right 'before' or on or about 12/1.
Question.. [and this is probably more to the Eric Fitz world] Short of
ACS which is still in beta until MOM, is there any way to have these log
files save things not by size, but by day to ensure that tracking
between the logs can be done? [I'm pretty sure the answer is no, and the
only thing we can do is bump the size of those logs but I thought I'd
ask the blonde question anyway]
Event Type: Error
Event Source: NTDS ISAM
Event Category: (2)
Event ID: 474
Date: 12/2/2005
Time: 10:09:04 AM
User: N/A
Computer: WTRI00
Description:
The description for Event ID ( 474 ) in Source ( NTDS ISAM ) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information
is part of the event: NTDS, 260, NTDSA: , C:\WINDOWS\NTDS\ntds.dit,
23470080 (0x0000000001662000), 8192 (0x00002000), -1018 (0xfffffc06),
2561010674 (0x98a5ebf2), 2561010675 (0x98a5ebf3).
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
2 am 12/1 Trend fires off a delete task
Event Type: Information
Event Source: Trend Micro ScanMail for Microsoft Exchange
Event Category: None
Event ID: 4100
Date: 12/1/2005
Time: 2:00:12 AM
User: N/A
Computer: WTRI00
Description:
The description for Event ID ( 4100 ) in Source ( Trend Micro ScanMail
for Microsoft Exchange ) cannot be found. The local computer may not
have the necessary registry information or message DLL files to
display messages from a remote computer. You may be able to use the
/AUXSOURCE= flag to retrieve this description; see Help and Support
for details. The following information is part of the event: The
quarantine manager maintenance delete task has begun..
-----------------------------------
6 a.m on 12/1 this box starts freaking
Event Type: Error
Event Source: MSExchangeIS Mailbox Store
Event Category: (16)
Event ID: 1022
Date: 12/1/2005
Time: 6:32:07 AM
User: N/A
Computer: WTRI00
Description:
The description for Event ID ( 1022 ) in Source ( MSExchangeIS Mailbox
Store ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a
remote computer. You may be able to use the /AUXSOURCE= flag to
retrieve this description; see Help and Support for details. The
following information is part of the event: NT AUTHORITY\SYSTEM,
/o=WTRI/ou=first administrative
group/cn=Recipients/cn=SystemMailbox{8F2D41C7-0CFC-436F-BB68-5725983CDA99},
-2147221231, First Storage Group\Mailbox Store (WTRI00).
--------------------------------
8 a.m security policy is freaking
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 12/1/2005
Time: 8:11:34 PM
User: N/A
Computer: WTRI00
Description:
Security policies were propagated with warning. 0x4b8 : An extended
error has occurred.
Advanced help for this problem is available on
http://support.microsoft.com. Query for "troubleshooting 1202 events".
------------------------------------------------------------
In the system log we get this for the first time which is referred to
in this KB
http://support.microsoft.com/default.aspx?scid=kb;en-us;812499
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 7
Date: 12/1/2005
Time: 11:00:00 AM
User: N/A
Computer: WTRI00
Description:
The description for Event ID ( 7 ) in Source ( KDC ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may
be able to use the /AUXSOURCE= flag to retrieve this description; see
Help and Support for details. The following information is part of the
event: IUSR_4Z11S61, 0x0.
Data:
0000: e5 00 00 c0 å..À
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7038
Date: 12/1/2005
Time: 2:04:16 PM
User: N/A
Computer: WTRI00
Description:
The WinHttpAutoProxySvc service was unable to log on as NT
AUTHORITY\LocalService with the currently configured password due to
the following error:
Insufficient system resources exist to complete the requested service.
To ensure that the service is configured properly, use the Services
snap-in in Microsoft Management Console (MMC).
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------------------------
In the Directory services event viewer I have this as the earliest
post... seeing if I can get earlier from the guy
Event Type: Error
Event Source: NTDS ISAM
Event Category: (2)
Event ID: 474
Date: 12/2/2005
Time: 10:09:04 AM
User: N/A
Computer: WTRI00
Description:
The description for Event ID ( 474 ) in Source ( NTDS ISAM ) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is part of the event: NTDS, 260, NTDSA: ,
C:\WINDOWS\NTDS\ntds.dit, 23470080 (0x0000000001662000), 8192
(0x00002000), -1018 (0xfffffc06), 2561010674 (0x98a5ebf2), 2561010675
(0x98a5ebf3).
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
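
Added example, not part of the original post: a small parser for the Event Viewer text format quoted above that merges several logs into one timeline and reports which logs have already wrapped past the incident day, which is the gap the post describes for the Directory Services log. The input holds only header fields copied from the quoted events; the assignment of records to logs, the log names and the function names are assumptions of this example.

```python
import re
from datetime import date, datetime
# Constructed input: header fields copied from events quoted in the post,
# descriptions dropped. Which log each record sits in is an assumption.
EXPORTS = {
    "Application": """Event Source: Trend Micro ScanMail for Microsoft Exchange
Event ID: 4100
Date: 12/1/2005
Time: 2:00:12 AM
Event Source: MSExchangeIS Mailbox Store
Event ID: 1022
Date: 12/1/2005
Time: 6:32:07 AM""",
    "System": """Event Source: KDC
Event ID: 7
Date: 12/1/2005
Time: 11:00:00 AM
Event Source: Service Control Manager
Event ID: 7038
Date: 12/1/2005
Time: 2:04:16 PM""",
    "Directory Service": """Event Source: NTDS ISAM
Event ID: 474
Date: 12/2/2005
Time: 10:09:04 AM""",
}
FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):[ \t]*(.+?)[ \t]*$", re.M)

def parse(text):
    """Split an export into records and attach a datetime under 'when'."""
    out = []
    for chunk in re.split(r"(?m)^(?=Event Source:)", text):
        f = dict(FIELD.findall(chunk))
        if {"Event ID", "Date", "Time"} <= f.keys():  # skip empty or partial chunks
            stamp = f["Date"] + " " + f["Time"]
            f["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            out.append(f)
    return out

def timeline(exports):
    """Merge all logs into one list of (when, log, source, id), oldest first."""
    return sorted((r["when"], log, r["Event Source"], int(r["Event ID"]))
                  for log, text in exports.items() for r in parse(text))

def coverage_gaps(exports, incident_day):
    """Logs whose oldest retained record is later than the incident day."""
    first = {}
    for when, log, _, _ in timeline(exports):
        first.setdefault(log, when)  # timeline is sorted, so first seen is oldest
    return {log: t for log, t in first.items() if t.date() > incident_day}
```

Run on a schedule against fresh exports, a non-empty result for "today" is an early sign that a log's retention is shorter than one day.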