Discussion:
SBS2000 server generating DCOM errors and multiple security events.
RDA
2004-12-15 21:37:39 UTC
Hello all,

I have an SBS2000 server that has been acting very strange as of late. The
first problems began 2 weeks ago when no computers could authenticate to
the server and this was in the system log:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date: 12/8/2004
Time: 6:13:39 AM
User: N/A
Computer: DC01
Description:
The redirector was unable to initialize security context or query
context attributes.
Data:
0000: 00 00 08 00 02 00 56 00 ......V.
0008: 00 00 00 00 da 0b 00 80 ....Ú..€
0010: 00 00 00 00 5e 00 00 c0 ....^..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 7d 04 00 00 5e 00 00 c0 }...^..À

I thought maybe it was a problem with AD, so I ran through the steps in
this JSI FAQ:
http://www.jsiinc.com/SUBQ/tip8300/rh8320.htm

All tests indicated there was no problem. Then it happened again two
days later. If I reboot the DC, the problem is corrected, but to do that
in the middle of the day makes the VP cranky.
I checked DNS, DHCP, SNTP, group policies, permissions to log on
locally, NTFS permissions to shares and drives on the DC, NetDIAG,
DCDiag, all without finding any errors in configuration or operation.

I fear the worst in that the AD is corrupted and last night I went
through the steps in the following KB articles:

http://support.microsoft.com/kb/258062
I backed up the system state and performed the integrity check and the semantic
analysis; both completed without errors.

http://support.microsoft.com/kb/232122
I performed the offline defragmentation successfully and rebooted the server.

Now I get the following errors:

System Log...

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 12/14/2004
Time: 11:55:43 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Access denied attempting to launch a DCOM Server. The server is:
{9DA0E106-86CE-11D1-8699-00C04FB98036}
The user is SYSTEM/NT AUTHORITY, SID=S-1-5-18.

I find {9DA0E106-86CE-11D1-8699-00C04FB98036} is the MS Exchange
Property Mapping Interface by searching the registry, but there is no
info on the net about it at all!

In the security log I have these 3 messages repeating every 30 - 45
seconds...

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Pre-authentication failed:
User Name: DC$
User ID: MYDEV\DC$
Service Name: krbtgt/HOLDINGS.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
The logon to account: DC$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DC
failed. The error code was: 3221225578


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/15/2004
Time: 2:14:30 PM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: DC$
Domain: MYDEV
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DC

What I interpret these to mean is this:

1. The machine account DC$ is locked out, has an incorrect password, or
does not exist.
2. The user SYSTEM/NT AUTHORITY, SID=S-1-5-18 is locked out, has
incorrect password, or does not exist.

I have found the following info about resetting the machine account
password.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575
It mentions the need for another DC, but I only have the one DC.

I have not found any info about modifying NT AUTHORITY\SYSTEM account.

Also, now if I run a DCDiag, DC fails test systemlog, but passes every
other test.

I have exhausted all resources I can think of to find the source of
this. Please, if anyone has seen this before post your suggestions. I
apologize for the length of this post, but I want to present all info I
have and outline what I have tried to fix it.

TIA

RDA MCSE, CNE
rabram AT gmail DOT com
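An added triage helper for the three repeating failure audits above (my example, not code from the thread): it parses records pasted in the Event Viewer layout, decodes the Kerberos failure code 0x18 and the NTLM error 3221225578 quoted in the post, and checks whether every source is the host itself, which separates a stale machine-account password from a remote guessing attempt. The sample records are constructed from the post and trimmed to the fields the helper uses.

```python
from collections import defaultdict

# 0x18 = Kerberos KDC_ERR_PREAUTH_FAILED; 3221225578 = NTSTATUS 0xC000006A STATUS_WRONG_PASSWORD
KERB_CODES = {"0x18": "KDC_ERR_PREAUTH_FAILED"}
NTSTATUS = {3221225578: "STATUS_WRONG_PASSWORD (0xC000006A)"}

# Constructed sample: the thread's three records trimmed to the fields used here.
SAMPLE = """\
Event ID: 675
User Name: DC$
Failure Code: 0x18
Client Address: 127.0.0.1

Event ID: 681
The logon to account: DC$
from workstation: DC
failed. The error code was: 3221225578

Event ID: 529
User Name: DC$
Workstation Name: DC
"""

def parse_events(text):
    """One dict per blank-line separated record; every 'Key: Value' line becomes a field."""
    events = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def triage(events):
    """Per account: event IDs, decoded reasons, and whether every source is the host itself."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e.get("User Name") or e.get("The logon to account")].append(e)
    report = {}
    for acct, evs in by_acct.items():
        reasons, local_only = set(), True
        for e in evs:
            if "Failure Code" in e:
                reasons.add(KERB_CODES.get(e["Failure Code"], e["Failure Code"]))
            if "failed. The error code was" in e:
                reasons.add(NTSTATUS.get(int(e["failed. The error code was"]), "unknown"))
            # Kerberos records carry a client IP, NTLM records a workstation name.
            src = e.get("Client Address") or e.get("Workstation Name") or e.get("from workstation")
            if src and src not in ("127.0.0.1", "::1") and src.rstrip("$").upper() != acct.rstrip("$").upper():
                local_only = False
        # A machine account ($) failing only from its own host points to a stale machine
        # password / broken secure channel rather than an outside guessing attempt.
        verdict = "machine account password mismatch on the host itself" if (
            acct.endswith("$") and local_only) else "review source hosts"
        report[acct] = {"event_ids": sorted({int(e["Event ID"]) for e in evs}),
                        "reasons": sorted(reasons), "local_only": local_only, "verdict": verdict}
    return report
```

Run `triage(parse_events(SAMPLE))` on a larger paste; any account whose failures come from a source other than itself gets the "review source hosts" verdict instead.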
Marina Roos [SBS-MVP]
2004-12-16 01:19:04 UTC
Hi Rabram,

Can you post the ipconfig/all from the server and one from a client?
--
Regards,

Marina
Microsoft SBS-MVP
RDA
2004-12-16 18:24:04 UTC
Post by Marina Roos [SBS-MVP]
Hi Rabram,
Can you post the ipconfig/all from the server and one from a client?
Sure,

Here it is:

DOMAIN CONTROLLER:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DC0x*
Primary DNS Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Private:

Connection-specific DNS Suffix . : Holdings.local
Description . . . . . . . . . . . : NetServer 10/100TX PCI LAN
Adapter
Physical Address. . . . . . . . . : 00-E0-18-C1-AD-6E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.123.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.123.10
Primary WINS Server . . . . . . . : 192.168.123.10

PPP adapter Dail-up Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 207.229.35.41
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 207.229.35.41
DNS Servers . . . . . . . . . . . : 199.185.130.34
199.185.131.5

FILE SERVER:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : FS0x*
Primary DNS Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-538TX 10/100 Adapter
Physical Address. . . . . . . . . : 00-05-5D-D2-82-C1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.123.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.123.10
DNS Servers . . . . . . . . . . . : 192.168.123.10

CLIENT:

Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerX*
Primary Dns Suffix . . . . . . . : Holdings.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Holdings.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Holdings.local
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast
Ethernet Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-08-74-E2-E7-DE
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.123.142
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.123.10
DHCP Server . . . . . . . . . . . : 192.168.123.10
DNS Servers . . . . . . . . . . . : 192.168.123.10
Primary WINS Server . . . . . . . : 192.168.123.10
Lease Obtained. . . . . . . . . . : Thursday, December 16, 2004
9:52:16 AM
Lease Expires . . . . . . . . . . : Friday, December 24, 2004
9:52:16 AM

* Host names changed to protect the innocent.

Default Gateway, DNS, DNS Domain name and WINS are set as "Server
Options" of DHCP.

Any ideas?
Marina Roos [SBS-MVP]
2004-12-16 19:27:47 UTC
Hi Rabram,

You are missing the WINS on the fileserver.
Can you also check if the SBS is setup as a timeserver and that the
fileserver and the clients are syncing with the SBS?

Smallbizserver.Net > SBS 2000 > Server issues > How do I setup the server as
a time server:
http://www.smallbizserver.net/Default.aspx?tabid=64
--
Regards,

Marina
Microsoft SBS-MVP
RDA
2004-12-16 20:12:03 UTC
Post by Marina Roos [SBS-MVP]
Hi Rabram,
You are missing the WINS on the fileserver.
Can you also check if the SBS is setup as a timeserver and that the
fileserver and the clients are syncing with the SBS?
Smallbizserver.Net > SBS 2000 > Server issues > How do I setup the server as
http://www.smallbizserver.net/Default.aspx?tabid=64
I added the WINS to the file server. The DC is configured as the
authoritative time server for the domain and has the correct time. The
workstations time sync at login, and I have verified that is the case.

Any other leads? I appreciate your input, please continue...

Randy
Marina Roos [SBS-MVP]
2004-12-16 21:11:40 UTC
Hi Randy,

I don't know if a reboot of both servers might help to see if those events
have cleared up. Can you track down to the moments these events are
happening?
--
Regards,

Marina
Microsoft SBS-MVP
RDA
2004-12-16 21:30:14 UTC
Post by Marina Roos [SBS-MVP]
Hi Randy,
I don't know if a reboot of both servers might help to see if those events
have cleared up. Can you track down to the moments these events are
happening?
I will have to wait until the end of the business day to reboot. As for
the entries in the event logs, the DCOM related event occurs during Boot
on the DC, and the other 3 security events occur every 30 - 45 seconds.
They are filling the security logs with useless info. 13,000+ events
since 12/15/2004 12:00:29 AM.

Ack!
RDA
2004-12-16 21:37:27 UTC
Post by Marina Roos [SBS-MVP]
Hi Randy,
I don't know if a reboot of both servers might help to see if those events
have cleared up. Can you track down to the moments these events are
happening?
Do you know what the effect would be of using netdom to reset the machine
account of the DC?
I am referring specifically to this KB Article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575

Will the DC not be able to get a kerberos ticket from itself? There are
no other ticket granting servers.

Thanks again...

Randy
