Up WMI memory if you haven't done so. We have up the memory on all our DCs in our environment.
FYI. This is frequently required on WSUS servers serving high numbers of clients Cesar A. On May 12, 2017 9:37 AM, "Heaton, Joseph@Wildlife" < [email protected]> wrote: > We have strict policies in place, and I couldn’t bounce the server until > Wednesday night. This resolved the 4201 error. Now, it refuses to open at > times, with a 1723 error, RPC server is too busy to complete this operation. > > > > This DC is only doing DHCP, DNS and Directory services. No way should it > be too busy to display the event log. I have another DC that is giving the > same error, but it is handling Radius and LDAP, and both of those are very > active, chatty services here. > > > > Our thought at the moment is that we have two tools, Netwrix Auditor, and > Splunk, that pretty much constantly talk with the domain controllers, to > access, and mine the security logs. Even though CPU and Memory usage are > hanging out around 45%, something is going on underneath, that is causing > these errors. I’m just not sure how to pinpoint the culprit. > > > > *From:* [email protected] [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *elsalvoz > *Sent:* Wednesday, May 10, 2017 10:26 AM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Strange error for Security Event log > > > > I'm sure you have bounced the box. WMI might be corrupted, there some > commands that can be run to verify repository health. > > Cesar A. > > > > On May 10, 2017 8:43 AM, "Heaton, Joseph@Wildlife" < > [email protected]> wrote: > > Server 2012R2 > > Domain Controller > > Main DHCP server for the domain > > > > This is affecting only my Security event log. The Application and System > logs are working fine. When I try to look at the Security log, I get an > error: > > > > “Event Viewer cannot open the event log or custom view. Verify that Event > Log service is running or query is too long. The instance name passed was > not recognized as valid by a WMI data provider (4201)” > > > > I have been searching the internet, and have found plenty of stuff on this > error, but nothing has looked right. Permissions are correct in the > registry, permissions are correct in the file structure, the event log keys > are correct value in the registry. The Windows Event Log service is > running, which was another symptom people were listing. There are no > custom views setup, or filters. > > > > When I look at the properties of the Security log within Event Viewer, it > shows the Log size as 0 bytes. The max log size was up to 12.5GB (I did > NOT set it to that). The size of the actual log in the directory is 8GB. > I have manually reset the max size to 4GB, closed out the Event Viewer, > reopened it, and the max size had changed to 8GB. > > > > I have been digging on this for a few days now, and just can’t find a > solution. We do have Splunk in place, and what it is seeing as far as > Security logs, are 521 entries, which say “Unable to log events to security > log”. Which makes sense, since the security log is hosed. Can I simply > rename the actual log file, or move it out of the location, and the system > would recreate it? Any help/tips/advice you guys can offer would be > greatly appreciated. > > > > Joe Heaton > > Information Technology Operations Branch > > Data and Technology Division > > CA Department of Fish and Wildlife > > 1700 9th Street, 3rd Floor > > Sacramento, CA 95811 > > Desk: (916) 323-1284 > > > > Every Californian should conserve water. Find out how at: > > [image: SaveOurWater_Logo] <http://saveourwater.com/> > > SaveOurWater.com <http://saveourwater.com/> · Drought.CA.gov > <http://drought.ca.gov/> > > > >
