Event Master - Active Directory Known Issues v1.0

Overview
Revision History
Directory Service Log
  NTDS APO
    Errors
    Warnings
  NTDS Backup
    Errors
    Warnings
  NTDS Database
    Errors
    Warnings
  NTDS General
    Errors
    Warnings
  NTDS Inter-site Messaging
    Errors
    Warnings
  NTDS ISAM
    Errors
    Warnings
  NTDS KCC
    Errors
    Warnings
  NTDS LDAP
    Errors
    Warnings
  NTDS MAPI
    Errors
    Warnings
  NTDS Replication
    Errors
    Warnings
  NTDS SAM
    Errors
    Warnings
  NTDS Scripting
    Errors
    Warnings
  NTDS SDPROP
    Errors
    Warnings
  NTDS Security
    Errors
    Warnings
  NTDS Setup
    Errors
    Warnings
  NTDS XDS
    Errors
    Warnings
File Replication Log
  File Replication Service
    Errors
    Warnings
  NTFRS
    Errors
    Warnings
Windows Server Patches
  Windows Server 2003
    Servicepack 2
  Windows 2000 Server
    Servicepack 4
    Post Servicepack 4 Rollup
Overview
This article contains details of error and warning events found in RM Event Master related to the Microsoft
Active Directory service, specifically the Directory Service and File Replication logs. Wherever possible, links
to Microsoft Knowledgebase and / or Technet articles are included. It is based on data in the RM Event
Master database, so is relevant to issues that our customers are experiencing in the field.
RM Event Master collects only information about the event IDs that are occurring; it does not collect the
specific event description. Because of this, some of the links may not relate to the issues occurring on a
server; this is unavoidable as many event occurrences form part of a pattern and the underlying issues
depend on the group of events that occur together.
Revision History
This document will be revised from time to time as new events are discovered and problems resolved.
Revision: 1.0
Date: July 2009
Details: This is the initial revision of the document.
Directory Service Log
NTDS APO
ERRORS
None found
WARNINGS
None Found
NTDS BACKUP
ERRORS
Source: NTDS Backup
Type: Error
Event ID: 1913
Scope: Backup/Restore
Description: This indicates a failed Active Directory backup or restore operation:
  Internal error: The Active Directory backup and restore operation encountered
  an unexpected error. Backup or restore will not succeed until this is corrected.
Problem: If this was a backup, then the backup failed and the administrator may not be aware.
If it was a restore, then the restore failed and the administrator is probably aware. In
either case more information is needed to establish the reason.
WARNINGS
None found
NTDS DATABASE
ERRORS
Source: NTDS Database
Type: Error
Event ID: 1168
Scope: Database Health
Description: This may be related to a known issue where multiple directory service threads try to
create a new name for a deleted object:
http://support.microsoft.com/kb/842394
Problem: However there are many other potential causes of this event. The event data is
needed to establish the reason.
Unknown without the event data
WARNINGS
Source: NTDS Database
Type: Warning
Event ID: 1792
Scope: Database Health
Description: There are references to this in Technet, but all are related to Windows
Server 2008. Eventid.net suggests this:
  A transaction lasts <number> minutes and <number> seconds, much longer
  than expected. (The caller is SAM.) Long-running transactions contribute to the
  depletion of version store. When version store is exhausted all directory
  operations will fail. Please contact Microsoft Product Support Services for
  assistance.
This could be caused by a failed/replaced disk in a RAID array; while the array is
rebuilding performance will be degraded. This is not conclusive without the event
data and/or corresponding events.
Problem: Unknown without the event data
NTDS GENERAL
ERRORS
Source: NTDS General
Type: Error
Event ID: 1126
Scope: Communication
Description: Could be related to a failed promotion of a domain controller to a global
catalog:
http://support.microsoft.com/kb/842208
If this is not an attempt to promote the local DC to a GC then there is
another reason why this DC cannot reach a GC:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1126&EvtSrc=Active%20Directory&LCID=1033
The event data is needed to establish the cause.
Problem: User logons via this domain controller will have problems.
Source: NTDS General
Type: Error (in the current critical list)
Event ID: 1168
Scope: Database Health
Description: This is a problem with the underlying JET database engine. It is likely that
Event ID 1003 will also occur:
http://support.microsoft.com/kb/280364
  Event ID: 1168
  Source: NTDS General
  Category: Internal Processing
  Description: Error -1811(fffff8ed) has occurred (Internal ID 404ab). Please
  contact Microsoft Product Support Services for assistance.
Problem: This could be because the NTDS files have been moved, improperly restored from
backup, or corrupted.
Active Directory services will not run on this server until the files are replaced /
repaired.
Source: NTDS General
Type: Error
Event ID: 1003
Scope: Database Health
Description: This is a problem with the underlying JET database engine. It is likely that
Event ID 1168 will also occur:
http://support.microsoft.com/kb/280364
  Event ID: 1003
  Source: NTDS General
  Category: Internal Processing
  Description: The Windows Directory Services database cannot be initialized
  and returned error -1811. Unrecoverable error, the directory can't continue.
Problem: This could be because the NTDS files have been moved, improperly restored from
backup, or corrupted.
Active Directory services will not run on this server until the files are replaced /
repaired.
Source: NTDS General
Type: Error
Event ID: 1039
Scope: System Resources
Description: Not found on microsoft.com, eventid.net suggests this:
  Internal event: Active Directory could not process the following object.
  Object: <object>
  User Action
  Increase physical memory or virtual memory. If this error continues to occur,
  restart this domain controller.
  Additional Data
  Error value: <error>
  Internal ID: <id>.
Problem: The event data is needed to confirm this.
Unknown without the event data
Source: NTDS General
Type: Error
Event ID: 1135
Scope: Replication
Description: This looks like a failure occurring during a search of the Schema partition of Active
Directory. Possibly related to a Schema extension that has not yet completed:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1135&EvtSrc=Active+Directory&LCID=1033
Problem: This cannot be verified without the event data.
Inconclusive
Source: NTDS General
Type: Error or Warning (can be either)
Event ID: 1153
Scope: Replication / Patched
Description: This is a replication delay caused by an Active Directory Schema extension. This is
expected when running preparations for AD aware applications such as Exchange
Server:
http://support.microsoft.com/kb/307323
For Windows 2000 Server this is resolved with Servicepack 2, so make sure that
Servicepack 4 + the August 2004 Post Servicepack 4 Rollup are installed.
Problem: Assuming that a schema extension was happening at the time this event was logged
then there is no problem.
Replication of the Schema partition may be affected.
Source: NTDS General
Type: Error
Event ID: 1169
Scope: System Resources
Description: This looks like memory resource issues on the domain controller:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1169&EvtSrc=Active+Directory&LCID=1033
Problem: Reboot the domain controller to free memory. If it continues to occur then more
RAM may be needed.
Domain Controller services may be unstable, users & applications may experience
authentication problems.
Source: NTDS General
Type: Error
Event ID: 1188
Scope: Replication
Description: This indicates that an RPC replication request has not received a response from the
source domain controller:
http://support.microsoft.com/kb/830746
Problem: If the source domain controller is offline then this would be expected. If it is online
then there is a delay with RPC communication.
Replication will be delayed or not occurring
Source: NTDS General
Type: Error
Event ID: 1207
Scope: Internal
Description: This event is logged when an internal asynchronous attempt to update the schema
cache fails with an error:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1207&EvtSrc=Active+Directory&LCID=1033
Problem: This event is only logged if diagnostic logging has been increased. As per the
Technet article, no action is required.
This does not indicate a problem.
Source: NTDS General
Type: Error
Event ID: 1229
Scope: Operating System
Description: This looks to be a problem with the system accessing performance monitor
counters:
  Unable to open performance counters. An attempt to open shared memory
  returned error %1.
The event data is needed to establish the error code.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1229&EvtSrc=Active+Directory&LCID=1033
Problem: Unknown without the event data
Source: NTDS General
Type: Error
Event ID: 1393
Scope: System Resources
Description: This is caused by no free disk space on the volume that contains the Active
Directory database and/or log:
http://support.microsoft.com/kb/259278
  Attempts to update the Directory Service database are failing with error 112.
  Since Windows will be unable to log on users while this condition persists, the
  NetLogon service is being paused. Check to make sure that adequate free disk
  space is available on the drives where the directory database and log files
  reside.
Problem: Active Directory services will not start until disk space is made available.
Source: NTDS General
Type: Error
Event ID: 1656
Scope: Communication
Description: This indicates some kind of RPC communication problem.
This is a general RPC troubleshooting article:
http://support.microsoft.com/kb/839880
Problem: Unknown without the event data
Source: NTDS General
Type: Error
Event ID: 2069
Scope: Database Health
Description: All of the articles on Technet relate to Exchange Server. Eventid.net
suggests this:
  Active Directory detected corrupt counts in the quota-tracking table. Quota
  enforcement may not behave correctly until the quota-tracking table is rebuilt.
  Additional data:
  NCDNT: <number>
  Tombstoned count: <number>
  Total count: <number>.
Problem: Unknown without the event data
Source: NTDS General
Type: Error
Event ID: 2098
Scope: TBA
Description:
Problem: Unknown without the event data
Score: 5
Source: NTDS General
Type: Error
Event ID: 2103
Scope: Replication
Description: This indicates that the domain controller has performed a USN rollback, which is
usually caused by an incorrectly performed data restoration. The following articles
have information about the cause and detection / resolution of USN rollback.
All of the articles on Technet relate to Exchange Server, nothing found
relating to Active Directory. More data is needed.
Windows Server 2003
http://support.microsoft.com/kb/875495
Windows 2000 Server
http://support.microsoft.com/kb/885875
Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and
1115 are symptoms of replication being disabled as a result.
Problem: Active Directory Replication will not work for objects affected by the USN Rollback,
but replication will appear to be working in Replication Monitor. User / Computer
logon may fail periodically for these affected objects.
WARNINGS
Source: NTDS General
Type: Warning
Event ID: 1079
Scope: System Resources
Description: All of the articles on Technet relate to Exchange Server. Eventid.net
suggests this:
  Replication warning: Couldn't allocate memory. Replication may be affected
  until more memory is available. Increase the amount of Virtual memory
  available. Stop and restart this Windows Domain Controller and try again.
If this occurs there could be a memory leak, virtual memory configuration might
need checking, or the server could need more physical RAM.
Problem: Active Directory Replication will not occur until the server is rebooted.
Source: NTDS General
Type: Warning
Event ID: 1094
Scope: Operating System
Description: All of the articles on Technet relate to Exchange Server. Eventid.net
suggests this:
  Disk write caching on drive c: has been disabled to prevent possible data loss
  during system failures.
Problem: This is an expected warning that disk write caching has been disabled; this is the
default configuration for a Windows 2000 Server Domain Controller.
This does not indicate a problem
Source: NTDS General
Type: Warning
Event ID: 1113 / 1115
Scope: Replication
Description: This indicates that the domain controller has performed a USN rollback, which is
usually caused by an incorrectly performed data restoration. The following articles
have information about the cause and detection / resolution of USN rollback.
Windows Server 2003
http://support.microsoft.com/kb/875495
Windows 2000 Server
http://support.microsoft.com/kb/885875
Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and
1115 are symptoms of replication being disabled as a result.
Problem: Active Directory Replication will not work for objects affected by the USN Rollback,
but replication will appear to be working in Replication Monitor. User / Computer
logon may fail periodically for these affected objects.
Source: NTDS General
Type: Warning
Event ID: 1173
Scope: Internal
Description: This is an internal processing error that may relate to one of many documented
issues. The event data is required to establish the reason:
  Internal event: Exception %1 has occurred with parameters %2 and %3
  (Internal ID %4).
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1173&EvtSrc=Active+Directory&LCID=1033
Problem: Unknown without the event data.
Source: NTDS General
Type: Warning
Event ID: 1224
Scope: Replication
Description: This could be a Windows 2000 Server domain controller that was upgraded from
Windows NT 4.0 and the computer name contains only numeric characters.
http://support.microsoft.com/default.aspx?scid=kb;en-us;838400
Problem: This article relates to error 87 in the event data. It is resolved with a hotfix, but also
included in the August 2004 Post Servicepack 4 Rollup. Without the event data we
cannot tell if this is the problem.
Unknown without the event data
Source: NTDS General
Type: Warning
Event ID: 1463
Scope: Database Health
Description: This is Jet (the underlying database engine) detecting and fixing some corrupted
indices:
  Jet has detected and deleted some corrupt indices as part of initialization. The
  indices will be rebuilt.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1463&EvtSrc=Active%20Directory&LCID=1033
Problem: This does not require any action.
This does not indicate a problem.
Source: NTDS General
Type: Warning
Event ID: 1475
Scope: Internal
Description: This is an internal event that is only logged when the default logging level is
changed:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1475&EvtSrc=Active+Directory&LCID=1033
Problem: As per the Technet article, no action is required.
This does not indicate a problem.
Source: NTDS General
Type: Warning
Event ID: 1539
Scope: Operating System
Description: Not found on microsoft.com, eventid.net suggests this:
  Unable to disable disk write cache on c:. Data might be lost during system
  failures.
Problem: This doesn't necessarily indicate a problem: as long as the system is not shut down
suddenly (e.g. power loss), the data will be written to cache first and then to
disk. However, you should investigate and disable write caching on the disks that
contain Active Directory data.
There is a chance of data loss if a sudden unexpected shutdown (e.g. power loss)
occurs.
Source: NTDS General
Type: Warning
Event ID: 1655
Scope: Replication
Description: This might be the system failing to connect to a global catalog:
  The attempt to communicate with global catalog \\gc.domain.com failed with
  the following status:
  Replication access was denied.
  The operation in progress might be unable to continue. The directory service
  will use the locator to try find an available global catalog server for the next
  operation that requires one.
There are several documented reasons for this event, one of which may be the
cause:
Invalid Kerberos tokens in Windows 2000 Server:
http://support.microsoft.com/kb/297716
Missing NTFS / Share permissions:
http://support.microsoft.com/kb/305837
Damaged Phantom Objects:
http://support.microsoft.com/kb/318170
Problem: There may be other causes; it is not possible to confirm without the event data.
Unknown without the event data
Source: NTDS General
Type: Warning
Event ID: 1715
Scope: Communication
Description: Not found from the Active Directory sources, but this article explains a potential RPC
problem:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1715&EvtSrc=RPC&LCID=1033
Problem: The event data is needed to establish the reason for this warning.
Unknown without the event data
Source: NTDS General
Type: Warning
Event ID: 1772
Scope: Communication
Description: Not found from the Active Directory sources, but this article explains a potential RPC
problem:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1722&EvtSrc=RPC&LCID=1033
Problem: Unknown without the event data
Source: NTDS General
Type: Warning
Event ID: 2044
Scope: TBA
Description: All of the Technet articles found relate to Exchange Server. Nothing found for Active
Directory.
Problem: Unknown without the event data
NTDS INTER-SITE MESSAGING
ERRORS
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1168
Scope: Database Health
Description: This could be related to a third party winsock application on Windows 2000 Server
affecting LDAP operations:
http://support.microsoft.com/kb/315182
Problem: This cannot be verified without the event data.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1373
Scope: Internal
Description: This is a warning that the intersite messaging service could not receive any
messages for the service through the specified transport:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1373&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to verify this. As per the Technet article, no action is
required.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1374
Scope: Internal
Description: This is an intersite messaging request for the number of sites interconnected
through the specified transport failing:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1373&EvtSrc=Active+Directory&LCID=1033
Problem: As per the Technet article, no action is required.
This does not indicate a problem.
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1378
Scope: Internal
Description: This may be an Intersite Messaging transport error as per this Technet article:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1378&EvtSrc=Active+Directory&LCID=1033
Problem: Try restarting the Intersite Messaging service.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1468
Scope: Replication
Description: This is related to missing SMTP configuration. Although IIS / SMTP are not core
domain controller services, SMTP can be used as an inter-site transport:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1468&EvtSrc=Active+Directory&LCID=1033
Problem: So this could be related to a missing / broken IIS/SMTP installation.
Site links that use SMTP will not function, so replication could fail.
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1528
Scope: Replication
Description: Not found on microsoft.com, eventid.net suggests this:
  Internal error: The Intersite Messaging service using the SMTP transport has
  encountered an error originating from the Collaboration Data Object (CDO)
  library.
  Additional Data
  Error value: <error code> <error message>
  Internal ID: <ID>.
Problem: This could be a problem with Collaborative Data Objects (CDO) but the event data is
needed to confirm what the issue is.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1824
Scope: Database Health
Description: This could be an LDAP problem when the first domain controller in a domain is
created:
http://support.microsoft.com/kb/834317
Problem: This cannot be confirmed without the event data.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1832
Scope: Replication
Description: Not found on microsoft.com, eventid.net suggests this:
  The SMTP domain administrative namespace is not available at this time. Mail-based
  replication cannot be configured until this condition is corrected. As a
  result intersite replication using the SMTP transport between the local domain
  controller and all domain controllers in other sites will fail. Replication using
  SMTP will be tried again later.
  Additional Data
  Error value:
  80070422 The service cannot be started either because it is disabled or
  because it has no enabled devices associated with it.
Problem: This could indicate a missing / damaged IIS/SMTP configuration.
Unconfirmed without event data
Source: NTDS Inter-site Messaging
Type: Error
Event ID: 1866
Scope: Database Health
Description: Not found on microsoft.com, eventid.net suggests this:
  The Intersite Messaging service received the following extended error string
  information from LDAP.
  Extended error string: Additional Data
  LDAP error value: 51 Server Down
  WIN32 extended error value: 0 The operation completed successfully.
This might be related to the issue:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826819
Problem: This is not confirmed.
Unknown without event data
WARNINGS
Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1368
Scope: Internal
Description: This is a failed LDAP service request:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1368&EvtSrc=Active+Directory&LCID=1033
Problem: As per the Technet article, no action is required
This does not indicate a problem
Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1369
Scope: Database Health
Description: This is a failed LDAP search, the reason for the failure will be in the event code:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1369&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to determine the reason for this.
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1380
Scope: Replication
Description: This is a failure of the task that monitors Active Directory for changes in intersite
transport objects:
  The task that monitors the Directory Service for changes in the Inter-Site
  Transport objects failed with the following status:
  %1
  The record data is the status code. Additions- deletions- and modifications of
  Inter-Site Transport objects will not be reflected in the configuration of the
  Inter-Site Messaging Service until its service is restarted or this machine is
  rebooted.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1380&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to establish the reason for this
Unknown without the event data
Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1409
Scope: Replication
Description: This is caused by the server not having IIS & SMTP installed when a site link is
configured to use the SMTP transport:
  The Inter-Site Messaging Service SMTP Transport plug-in could not send a
  message because no mail transport is installed. Please install a mail transport,
  such as the SMTP Service. The operation will be retried
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1409&EvtSrc=Active+Directory&LCID=1033
Problem: To resolve this, install IIS with SMTP
This server will not be able to service the site link that requires SMTP until the
service is installed
Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1465
SCOPE: Replication
Description: This is a failure of the task that monitors Active Directory for changes in site topology:
The task that monitors the Directory Service for changes in the site topology for the Inter-Site Transport object %1 failed with the following status: %2
Additions- deletions- and modifications of the site topology beneath the Inter-Site Transport object will not be reflected in the configuration of the Inter-Site Messaging Service until its service is restarted or this machine is rebooted. The record data is the status code.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1465&EvtSrc=Active+Directory&LCID=1033
Problem: Restart the Intersite Messaging service. The event data is needed to establish the reason for the problem.
Unknown without the event data

Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1473
SCOPE: Replication
Description: This is a problem with the intersite messaging service not being able to read the intersite transport objects:
The Intersite Messaging Service failed to read the configuration of the Intersite Transports out of the Directory. The error message is as follows: %1
The service has stopped. It will be necessary to correct the problem and restart the service in order for intersite communication to occur. The KCC will be unable to calculate intersite topology without this service. There may be a problem retrieving data from the LDAP server. Please verify that LDAP queries are succeeding on this machine. You may also wish to try restarting the Intersite Messaging Service manually. The record data is the status code.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1473&EvtSrc=Active+Directory&LCID=1033
Problem: Restart the intersite messaging service. The event data is needed to establish the reason for the problem.
Unknown without event data

Source: NTDS Inter-site Messaging
Type: Warning
Event ID: 1867
SCOPE: Replication
Description: Not found on microsoft.com, eventid.net suggests this:
The task that monitors Active Directory for changes in the site topology for the following Intersite Transport object could not be started.
Intersite Transport object:
CN=IPCN=Inter-Site TransportsCN=SitesCN=ConfigurationDC=<DC>DC=local
The problem may have been caused by a temporary resource shortage. The task will be restarted.
Additional Data
Error value: 55 The specified network resource or device is no longer available.
Problem: This could be a system resources issue.
Unknown without event data

NTDS ISAM
ERRORS
Source: NTDS ISAM
Type: Error (in the critical list, recommending a lower score)
Event ID: 215
SCOPE: Database Health
Description: This is an error related to a failed backup. But it may indicate a false negative; the backup may actually be OK:
http://support.microsoft.com/kb/927654
If this is occurring on a Windows Server 2003 domain controller then install Servicepack 2 and retest the backup to see if the event continues to occur.
Problem: This may indicate a failed backup, but may be a false error.

Source: NTDS ISAM
Type: Error (in the critical list, recommending a lower score)
Event ID: 217
SCOPE: Database Health
Description: There are several Technet articles related to this, but they all refer to Exchange Server. The underlying JET database is the cause, and this engine is also used for the Active Directory database. The existing Event Master description is this:
NTDS ISAM: Error ... during backup of a database [path to NTDS.DIT] The database will be unable to restore.
Problem: The event data is needed to verify this.
This looks like a problem with the backup that renders the backed up data useless. Recovery will not be possible from this backup.

Source: NTDS ISAM
Type: Error (in the critical list)
Event ID: 439
SCOPE: Database Health
Description: There are several Technet articles, but they all relate to Exchange Server / SQL Server. The same JET database engine is used for Active Directory. Eventid.net suggests this:
NTDS (<PID>) NTDSA: Unable to write a shadowed header file for file <file name>. Error <error>.
This could be the same symptom as these ESE (Extensible Storage Engine) events:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=6.5.6940.0&EvtID=439&EvtSrc=ESE&LCID=1033
Problem: It looks related to a failure to write to the NTDS.dit file; this could be low disk space / permissions broken / anti-virus software / file level backups locking the file.
Unconfirmed without the event data.

Source: NTDS ISAM
Type: Error (in the critical list, recommending a lower score)
Event ID: 454
SCOPE: Database Health
Description: There are several Technet articles, but they all relate to Exchange Server / SQL Server. The same JET database engine is used for Active Directory. Eventid.net suggests this:
<process> (<PID>) Database recovery/restore failed with unexpected error <error>.
Problem: Looks to be a failed database recovery, or maybe a corruption in the database.
Unknown without the event data

Source: NTDS ISAM
Type: Error (in the critical list, recommending a lower score)
Event ID: 474
SCOPE: Database Health
Description: There are several Technet articles, but they all relate to Exchange Server / Extensible Storage Engine. Eventid.net suggests this:
NTDS (<PID>) NTDSA: The database page read from the file "<path to edb file>" at offset <offset> for <value> bytes failed verification due to a page checksum mismatch. The expected checksum was <checksum> and the actual checksum was <checksum>. The read operation will fail with error <error code> (<error code>). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware.
Problem: This could indicate a problem with the disk and/or disk controller.
Unknown without the event data

Source: NTDS ISAM
Type: Error (in the critical list, recommending a lower score)
Event ID: 482
SCOPE: Database Health
Description: There are several Technet articles, but they all relate to Exchange Server / Extensible Storage Engine. Eventid.net suggests this:
<process> (<PID>) An attempt to write to the file "<file>" at offset <value> (<hex value>) for <value> (<hex value>) bytes failed with system error <error code> (<hex error code>): "<error message>". The write operation will fail with error <error code> (<hex error code>). If this error persists then the file may be damaged and may need to be restored from a previous backup.
Problem: This might indicate a damaged NTDS.dit database, or could be related to out of disk space problems.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 0
SCOPE: Database Health
Description: Not found on microsoft.com, eventid.net suggests this:
NTDS (<PID>) Unexpected Win32 Error :<error code>.
Problem: The examples shown relate to anti-virus software trying to scan the NTDS folder or missing NTFS permissions.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 203
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (<PID>) The database engine has stopped the backup with error <error code>.
Problem: This looks to be a backup problem, but the event data is needed to confirm this.
The backup of the NTDS database has failed

Source: NTDS ISAM
Type: Error
Event ID: 411
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
Problem: This looks like a problem with the database and/or log files. More data is needed to establish this.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 427
SCOPE: Operating System
Description: There are no Technet articles specific to the NTDS ISAM source, but two related to Exchange / ESE
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=6.5.6940.0&EvtID=427&EvtSrc=ESE&LCID=1033
Problem: This seems to indicate a problem accessing the database and/or log files due to permissions denied. The event data is needed to confirm this.
Unknown without the event data

Source: NTDS ISAM
Type: Error or Warning
Event ID: 428
SCOPE: System Resources
Description: There are no Technet articles specific to the NTDS ISAM source, but two related to Exchange / ESE. Eventid.net suggests this:
NTDS (272) The database engine is rejecting update operations due to low free disk space on the log disk.
Problem: This is caused by low disk space so will probably have been caught already.
The database will be unavailable until more free space is made available.

Source: NTDS ISAM
Type: Error
Event ID: 447
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (<process id>) <storage group name> A bad page link (error <error code>) has been detected in a B-Tree (ObjectId: <id>, PgnoRoot: <number>) of database <name> (<number> => <number>, <number>).
Problem: This indicates corruption in the database. The event data is needed to establish the specific problem.
The database is damaged.

Source: NTDS ISAM
Type: Error
Event ID: 455
SCOPE: Database Health
Description: This looks to be a problem with missing or unreadable files. It may have been caused by a power outage causing a sudden shutdown:
http://support.microsoft.com/kb/265089
Problem: The event data is needed to determine the exact cause.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 465
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
<process> (ID) Corruption was detected during soft recovery in logfile <log file>. The failing checksum record is located at position <position>. Data not matching the log-file fill pattern first appeared in sector <sector>. This logfile has been damaged and is unusable.
Problem: This may indicate database corruption.
Database operations might fail.

Source: NTDS ISAM
Type: Error
Event ID: 467
SCOPE: Database Health / Patched
Description: This is a database corruption issue that is resolved in Servicepack 2 for Windows Server 2003:
http://support.microsoft.com/kb/902396
Problem: Database operations may fail

Source: NTDS ISAM
Type: Error
Event ID: 471
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
All seem to indicate problems updating the database due to failed rollback operations / problems with the checkpoint file.
Problem: The event data is needed to establish the cause.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 475
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
All seem to indicate problems due to page number mismatch. They tend to indicate checksum errors which are probably related to a hardware (disk / controller) fault.
Problem: The event data is needed to establish the cause.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 477
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
They tend to indicate checksum errors which are probably related to a hardware (disk / controller) fault, or corrupted transaction log files. This may happen on a domain controller as the same underlying database engines are used.
Problem: The event data is needed to establish the cause
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 481
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
<process name> (<PID>) An attempt to read from the file "<file name>" at offset <value> for <value> bytes failed with system error <error code>: "<error message>". The read operation will fail with error <error code>. If this error persists then the file may be damaged and may need to be restored from a previous backup.
Problem: This may indicate a corrupted database. The event data is needed to verify this.
Database operations may fail

Source: NTDS ISAM
Type: Error
Event ID: 488
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / Sharepoint / ESE.
All are related to a failure to create a file, possibly because another process (such as a backup program) has locked access to it.
Problem: The event data is needed to verify the cause.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 490
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (<PID>) NTDSA: An attempt to open the file "<file>" for read / write access failed with system error <system error code> (<hex error code>): "Access is denied. ". The open file operation will fail with error <operation error code> (<hex error code>).
Problem: This could be file corruption / permissions. The event data is needed to verify the cause.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 491
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
It could indicate that the database and/or log files could not be accessed, possibly by a backup and/or anti virus application.
Problem: The event data is needed to verify this.
Unknown without the event data

Source: NTDS ISAM
Type: Error
Event ID: 492
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (388) NTDSA: The logfile sequence in "<directory name>" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup.
This could indicate a problem with the log files. In Exchange there are a finite number of log files available in a sequence (equal to hex FFFFFFFF) but AD uses circular logging so this is probably not the problem.
Problem: The event data is needed to establish the cause.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 494
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
Problem: This may be related to a failed restore of backed up data. The event data is needed to establish the reason.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 624
SCOPE: System Resources
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE.
Problem: This could be related to an out of memory condition. The event data is needed to verify this.
Unknown without the event data.

Source: NTDS ISAM
Type: Error
Event ID: 705
SCOPE: Database Health
Description: Not found on microsoft.com, eventid.net suggests this:
<NTDS> (<process id>) Online defragmentation of database '<name>' terminated prematurely after encountering unexpected error <error code>. The next time online defragmentation is started on this database, it will resume from the point of interruption.
Problem: Database maintenance may not have completed properly. This may be related to database corruption. The event data is needed to verify this.
Unknown without the event data.

WARNINGS
Source: NTDS ISAM
Type: Warning (in the critical list)
Event ID: 411
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. The existing Event Master description is this:
NTDS ISAM: This event may indicate and issue with the active directory database (NTDS.DIT)
Problem: This most likely relates to some type of database problem, possibly the relation between the database and the transaction log. The event data is needed to verify this.
Unknown without event data

Source: NTDS ISAM
Type: Warning (in the critical list)
Event ID: 508
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (<PID>) NTDSA: A request to write to the file "<file>" at offset <offset> (<offset>) for <size> (<size>) bytes succeeded but took an abnormally long time (<number> seconds) to be serviced by the OS. In addition <number> other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted <number> seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Problem: This may indicate a faulty disk and/or disk controller, or an overloaded disk.
Unknown without the event data

Source: NTDS ISAM
Type: Warning (in the critical list)
Event ID: 510
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this:
NTDS (<PID>) NTDSA: A request to write to the file "<file>" at offset <offset> (<offset>) for <size> (<size>) bytes succeeded but took an abnormally long time (<number> seconds) to be serviced by the OS. In addition <number> other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted <number> seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Problem: This may indicate a faulty disk and/or disk controller, or an overloaded disk.
Unknown without the event data

Source: NTDS ISAM
Type: Warning (in the critical list)
Event ID: 614
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but this one is related to missing indexes in a RFS (File Replication, which is a domain controller component) database:
http://support.microsoft.com/kb/842462
Problem: The event data is needed to verify this.
Unknown without the event data

Source: NTDS ISAM
Type: Warning (in the critical list)
Event ID: 705
SCOPE: TBA
Description: Not found on Microsoft.com or Eventid.net
Problem: Unknown without the event data

Source: NTDS ISAM
Type: Warning
Event ID: 498
SCOPE: TBA
Description: Not found on Microsoft.com or Eventid.net
Problem: Unknown without the event data

Source: NTDS ISAM
Type: Warning
Event ID: 507
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but one related to Exchange / ESE. Eventid.net suggests this:
NTDS (464) NTDSA: A request to read from the file "<file>" at offset <offset> (<offset>) for <value> (<hex value>) bytes succeeded, but took an abnormally long time (<value> seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Problem: This could be disk subsystem related. The event data is needed to verify this.
Server performance will be affected

Source: NTDS ISAM
Type: Warning
Event ID: 509 (issue not confirmed)
SCOPE: Database Health
Description: There are no Technet articles specific to the NTDS ISAM source, but one related to Exchange / ESE. Eventid.net suggests this:
NTDS (464) NTDSA: A request to read from the file "<file>" at offset <offset> (<offset>) for <value> (<hex value>) bytes succeeded, but took an abnormally long time (<value> seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Problem: This could be disk subsystem related. The event data is needed to verify this.
Server performance will be affected

Source: NTDS ISAM
Type: Warning
Event ID: 602
SCOPE: Database Health
Description: Not found on microsoft.com, eventid.net suggests this:
NTDS (<PID>) Background clean-up skipped pages. The database may benefit from widening the online maintenance window during off-peak hours. If this message persists offline defragmentation may be run to remove all skipped pages from the database.
Problem: The event data is needed to confirm this
Database maintenance may not have completed properly. Look at how we can increase the maintenance time for AD and provide instructions.

NTDS KCC
ERRORS
Source: NTDS KCC
Type: Error (in the critical list) / Warning (not in the critical list). Could be either.
Event ID: 1014
SCOPE: Knowledge Consistency
Description: This looks like an error with the KCC updating the replication topology:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1014&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to establish the cause.
Unknown without the event data

Source: NTDS KCC
Type: Error (in the critical list)
Event ID: 1130
SCOPE: Knowledge Consistency
Description: This looks like an error with the KCC updating the replication topology:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1130&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to establish the cause.
Unknown without the event data

Source: NTDS KCC
Type: Error (in the critical list)
Event ID: 1311
SCOPE: Knowledge Consistency
Description: This indicates that the inter site replication configuration needs to be fixed because the current site is not associated with a site link:
http://support.microsoft.com/kb/214745
This article contains more detailed troubleshooting help:
http://support.microsoft.com/kb/307593
Problem: This will have been caused by administrator error.
Inbound replication from other sites will not occur. Other sites may have a link to this one so outbound replication from this site may be OK.

Source: NTDS KCC
Type: Error
Event ID: 1131
SCOPE: Knowledge Consistency
Description: This is a problem where the KCC cannot create a connection between two domain controllers:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1131&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to establish the reason for this.
Intrasite replication may be affected.

Source: NTDS KCC
Type: Error
Event ID: 1312
SCOPE: Knowledge Consistency
Description: This could be an issue with the intersite messaging service that prevents the KCC from creating a correct replication topology:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1312&EvtSrc=Active+Directory&LCID=1033
Problem: The event data is needed to confirm this.
Replication between sites (not intra-site) will be affected

Source: NTDS KCC
Type: Error
Event ID: 2002
SCOPE: Knowledge Consistency
Description: There are many different matches on Microsoft.com for this event, but none specifically for the NTDS KCC source.
Problem: The event data is needed to establish the reason for this.
Unknown without the event data.

WARNINGS
Source: NTDS KCC
Type: Warning
Event ID: 1105
SCOPE: Knowledge Consistency
Description: This looks like a known event that occurs if a domain controller is moved between sites:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1105&EvtSrc=Active+Directory&LCID=1033
Problem: As per the Technet article, no action is required
This does not indicate a problem

Source: NTDS KCC
Type: Warning
Event ID: 1265
SCOPE: Knowledge Consistency
Description: This is a problem establishing a replication link with another domain controller to replicate one of the AD partitions. The description should be similar to this:
The attempt to establish a replication link with parameters Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com Source DSA DN: CN=NTDS Settings,CN=MYDC1,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Source DSA Address: e7453dd3-63b9-4ea1-ab78-e0f16115c84d._msdcs.mydomain.com Inter-site Transport (if any): failed with the following status: Logon failure: unknown user name or bad password. The record data is the status code. This operation will be retried.
Data 0000052e
This cannot be confirmed without the event data; these are some possible causes:
Out of sync domain trust relationship:
http://support.microsoft.com/kb/816577
Problems promoting a DC to be a Global Catalog:
http://support.microsoft.com/kb/910204
Wider replication problems:
http://support.microsoft.com/kb/816577
Problem: The event data is needed to properly establish the cause for the warning.
Unconfirmed without the event data

Source: NTDS KCC
Type: Warning
Event ID: 1307 / 1308
SCOPE: Knowledge Consistency
Description: This is the KCC trying to connect to a domain controller to replicate, failing, and then creating a temporary link to another DC:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1307&EvtSrc=Active+Directory&LCID=1033
This could be caused by the relevant domain controller being shut down / disconnected from the LAN. This is commonly done, but a DC should not be disconnected without being demoted first:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1308&EvtSrc=NTDS+KCC&LCID=1033
Problem: If the problem domain controller was removed from the network intentionally then this is not a problem, but metadata cleanup should be used to cleanly remove it (assuming that it cannot be reconnected and then demoted). If it was not removed intentionally then communication problems need to be investigated.

Source: NTDS KCC
Type: Warning
Event ID: 1435
SCOPE: Knowledge Consistency
Description: This is a warning that a KCC operation failed and will be retried:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1435&EvtSrc=Active%20Directory&LCID=1033
Problem: As per the Technet article no action is required.
This does not indicate a problem.

Source: NTDS KCC
Type: Warning
Event ID: 1566
SCOPE: Knowledge Consistency / Patched
Description: This may be a patched issue with Windows 2000 Server:
http://support.microsoft.com/kb/268109
Problem: It is not yet clear which Servicepack this was first fixed in, but it will be covered by Servicepack 4 + August 2004 Post Servicepack 4 rollup.
The event logs may fill and rollover

Source: NTDS KCC
Type: Warning
Event ID: 1663
SCOPE: Knowledge Consistency
Description: This is an internal event and does not represent a problem:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1633&EvtSrc=Active+Directory&LCID=1033
Problem: As per the Technet article, this does not represent a problem.
Unknown without the event data.

Source: NTDS KCC
Type: Warning
Event ID: 1865
SCOPE: Knowledge Consistency
Description: This could be a communication problem between the bridgehead domain controllers of two AD sites (the bridgehead is also known as the Inter Site Topology Generator, or ISTG):
http://support.microsoft.com/kb/944351
Problem: This is usually caused by a firewall blocking ports between sites (subnets).
Replication will not occur between the affected sites.

Source: NTDS KCC
Type: Warning
Event ID: 1925
SCOPE: Knowledge Consistency
Description: This could be caused by a firewall blocking ports needed for RPC communication:
http://support.microsoft.com/kb/911799
It could also indicate an out of sync trust between a parent & child domain:
http://support.microsoft.com/kb/938702
Problem: Replication will not occur between the affected sites.

Source: NTDS KCC
Type: Warning
Event ID: 2051
SCOPE: Knowledge Consistency
Description: Can only find references to Exchange 5.5 MTA
Problem: Unknown without the event data

Source: NTDS KCC
Type: Warning
Event ID: 2052
SCOPE: Knowledge Consistency
Description: Can only find references to Message Queue Service
Problem: Unknown without the event data

Source: NTDS KCC
Type: Warning
Event ID: 2053
SCOPE: Knowledge Consistency
Description: Can only find references to Exchange & Message Queue service
Problem: Unknown without the event data

Source: NTDS KCC
Type: Warning
Event ID: 2054
SCOPE: Knowledge Consistency
Description: Not found
Problem: Unknown without the event data

NTDS LDAP
ERRORS
Source: NTDS LDAP
Type: Error
Event ID: 1238
SCOPE: Database Health
Description: This is an internal event that should only be seen if the default logging level is changed:
This is an Active Directory internal event. Internal events appear in the Event Viewer only when the default logging level is changed. Most internal events are for informational purposes only. This event is logged when Active Directory cannot initialize network connections for incoming LDAP requests. Verify that the connections are set up correctly.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1238&EvtSrc=Active+Directory&LCID=1033
Problem: Unknown without the event data

WARNINGS
None Found
NTDS MAPI
ERRORS
None Found
WARNINGS
None Found
NTDS REPLICATION
ERRORS
Source: NTDS Replication
Type: Error
Event ID: 1107
SCOPE: Replication
Description: This looks like a problem with the AD replication dispatcher thread:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1107&EvtSrc=Active+Directory&LCID=1033
Problem: The domain controller should be restarted.
Replication in and out from this domain controller will not occur until the server is rebooted

Source: NTDS Replication
Type: Error
Event ID: 1388 / 1988
SCOPE: Replication
Description
This indicates that the domain controller has detected a lingering object:
http://technet.microsoft.com/en-us/library/cc780362.aspx
This can happen if a domain controller is offline for longer than the Tombstone
lifetime period, is switched back on, and then tries to update items that have been
deleted. It could also happen if an online domain controller has not been replicating
for the length of the Tombstone lifetime.
Problem
Old items that should have been deleted may reappear in the directory.
Source: NTDS Replication
Type: Error
Event ID: 1411
SCOPE: Replication
Description
This looks to be an internal AD event that is only logged when the default logging
level is changed:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1488&EvtSrc=Active+Directory&LCID=1033
As per the Technet article, no action is required. The event data is needed to
confirm this.
Problem
This does not represent a problem.
Source: NTDS Replication
Type: Error
Event ID: 1481
SCOPE: Replication
Description
This looks to be an internal AD event that is only logged when the default logging
level is changed:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1481&EvtSrc=Active+Directory&LCID=1033
As per the Technet article, no action is required. The event data is needed to
confirm this.
Problem
This does not represent a problem.
Source: NTDS Replication
Type: Error
Event ID: 1791
SCOPE: Replication / Patched
Description
This looks like a known problem in a mixed Windows 2000 Server / Windows Server
2003 domain controller environment. It is resolved by a patch on the Windows 2000
domain controller:
http://support.microsoft.com/kb/824873
Note: This patch is included in Windows 2000 Server Post Servicepack 4 Rollup 1.
The event data is needed to confirm this.
Problem
Replication between Windows 2000 Server and Windows Server 2003 domain
controllers
Source: NTDS Replication
Type: Error
Event ID: 1960
SCOPE: Replication
Description
Not found on microsoft.com, eventid.net suggests this:
Internal event: The following domain controller received an exception from a
remote procedure call (RPC) connection. The operation may have failed.
Process ID: <PID>
Reported error information:
Error value: The RPC server is too busy to complete this operation. (1723)
Domain controller: <DC>
Extended error information:
Error value: The RPC server is too busy to complete this operation. (1723)
Domain controller: <DC>
Additional Data
Internal ID: <ID>.
The event data is needed to verify this.
Problem
Unknown without the event data
Source: NTDS Replication
Type: Error
Event ID: 1977
SCOPE: Replication
Description
Microsoft.com has a document for this, but it relates to Windows Server 2008. It is a
problem where a replication request from one domain controller to another is
denied:
The following directory service made a replication request for a writable
directory partition that has been denied by the local directory service. The
requesting directory service does not have access to a writable copy of this
directory partition.
Requesting directory service:
%2
Directory partition:
%1
User Action
If the requesting directory service must have a writable copy of this partition,
verify that the security descriptor on this directory partition has the correct
configuration for the Replication Get Changes All access right. You may also
get this message during the transition period after a child partition has been
removed. This message will cease when knowledge of the child partition
removal has replicated throughout the forest.
http://technet.microsoft.com/en-us/library/dd349498.aspx
The event data is needed to verify this
Problem
Unknown without the event data
Source: NTDS Replication
Type: Error
Event ID: 2095
SCOPE: Replication
Description
This indicates that the domain controller has performed a USN rollback, which is
usually caused by an incorrectly performed data restoration. The following articles
have information about the cause and detection / resolution of USN rollback.
Windows Server 2003
http://support.microsoft.com/kb/875495
Windows 2000 Server
http://support.microsoft.com/kb/885875
Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and
1115 are symptoms of replication being disabled as a result.
Problem
Active Directory Replication will not work for objects affected by the USN Rollback,
but replication will appear to be working in Replication Monitor. User / Computer
logon may fail periodically for these affected objects.
WARNINGS
Source: NTDS Replication
Type: Warning
Event ID: 1085
SCOPE: Replication
Description
This indicates that an RPC replication request has not received a response from the
source domain controller:
http://support.microsoft.com/kb/830746
If the source domain controller is offline then this would be expected. If it is online
then there is a delay with RPC communication.
Problem
Replication will be delayed or not occurring
Source: NTDS Replication
Type: Warning
Event ID: 1188
SCOPE: Replication
Description
This is the domain controller waiting for a response from an RPC call made to
another domain controller:
A thread in the directory is waiting in a remote procedure call (RPC) to
directory %1 performing a(n) %3 operation. The directory has attempted to
cancel the call and recover thread id %2. If this condition persists- stop and
restart that Windows Domain Controller.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1188&EvtSrc=Active+Directory&LCID=1033
If this continues to happen regularly then the domain controller should be rebooted.
Problem
Replication will be interrupted.
Source: NTDS Replication
Type: Warning
Event ID: 1203
SCOPE: Replication
Description
The local domain controller could not replicate the specified object from the source
domain controller at the network address because of an Active Directory schema
mismatch. Active Directory will try to synchronize the schema and then try to
synchronize the directory partition again.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=1203&EvtSrc=Active+Directory&LCID=1033
As per the Technet article, this does not require any action.
Problem
This does not indicate a problem.
Source: NTDS Replication
Type: Warning
Event ID: 1232
SCOPE: Replication
Description
This is caused by a timeout whilst waiting for a replication request response over
RPC:
http://support.microsoft.com/kb/830746
This may indicate that the remote domain controller is offline, or a problem with the
link to it.
Problem
Replication delays will occur.
Source: NTDS Replication
Type: Warning
Event ID: 1586
SCOPE: Replication / Patched
Description
This is a known replication issue in Windows 2000 Server and is resolved in
Servicepack 4:
http://support.microsoft.com/kb/326855
Problem
Replication will be disrupted
Source: NTDS Replication
Type: Warning
Event ID: 1837
SCOPE: Replication
Description
Not found on microsoft.com, eventid.net suggests this:
An attempt to transfer the operations master role represented by the following
object failed.
Object:
CN=Infrastructure,DC=home,DC=rodgersent,DC=com
Current operations master role:
CN=NTDS Settings,CN=SPEEDY,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=home,DC=rodgersent,DC=com
Proposed operations master role:
CN=NTDS Settings,CN=ROCKET,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=home,DC=rodgersent,DC=com
Additional Data
Error value: <value>.
If this is in fact the case then there could be problems with the forest root domain
controller. The event data is needed to confirm this.
Problem
Potential forest root domain controller problems.
Source: NTDS Replication
Type: Warning
Event ID: 1838
SCOPE: Replication
Description
Nothing found on Microsoft.com or EventID.net
Problem
Unknown without the event data
Source: NTDS Replication
Type: Warning
Event ID: 1839
SCOPE: Replication
Description
Not found on microsoft.com, eventid.net suggests this:
The following number of operations is waiting in the replication queue. The
oldest operation has been waiting since the following time.
Time: <date> <time>
Number of waiting operations: <value>
This condition can occur if the overall replication workload on this domain
controller is too large or the replication interval is too small.
This could be a temporary resource issue. The event data is needed to verify this.
Problem
Unknown without the event data.
Source: NTDS Replication
Type: Warning
Event ID: 1862
SCOPE: Replication
Description
Not found on microsoft.com, eventid.net suggests this:
This is the replication status for the following directory partition on the local
domain controller.
Directory partition: DC=ForestDnsZones,DC=mcsenetworks,DC=net
The local domain controller has not received replication information from a
number of domain controllers in other sites within the configured latency
intverval.
Number of domain controllers: 1
Latency Interval (Hours): 24
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the domain controllers by name, install the support tools included on
the installation CD and run dcdiag.exe. You can also use the support tool
repadmin.exe to display the replication latencies of the domain controllers in
the forest. The command is "repadmin /showvector /latency <partition-dn>".
This could indicate a comms issue with a remote site. The event data is needed to
verify this.
Problem
Replication between sites could be interrupted.
Source: NTDS Replication
Type: Warning
Event ID: 2088
SCOPE: Replication
Description
This is a DNS issue. The server could not resolve the IP address of a domain
controller using its GUID in the CNAME record (this is part of the domain SRV
records). The server managed to reach the remote domain controller via either its
FQDN or NETBIOS name, but the DNS issue needs to be resolved:
http://technet.microsoft.com/en-us/library/cc787713(WS.10).aspx
In the first instance use ipconfig /registerDNS on the remote domain controller. If the
warning still occurs then there may be other DNS issues.
Problem
Replication is working, but DNS configuration is damaged.
Source: NTDS Replication
Type: Warning
Event ID: 2089
SCOPE: Replication
Description
This is a warning that the System State has not been backed up recently:
http://support.microsoft.com/kb/914034
Event Type: Warning
Event Source: NTDS Replication
Event Category: Backup
Event ID: 2089
Description: This directory partition has not been backed up since at least the
following number of days.
Directory partition:
DC=domainDC=com
"Backup latency interval" (days):
30
The event data is needed to verify the time since the last backup, but the existence
of this event means that regular backups are not taking place.
Problem
Backup issues with this server.
Source: NTDS Replication
Type: Warning
Event ID: 2091 / 2092 / 2093
SCOPE: Replication
Description
This indicates that one or more FSMO roles are owned by a server that has been
deleted. This indicates a dirty removal of a domain controller.
http://support.microsoft.com/kb/914032
Use NTDSUTIL to seize ownership of the affected FSMO roles on a suitable domain
controller.
Problem
FSMO dependent operations will fail.
Source: NTDS Replication
Type: Warning
Event ID: 2094
SCOPE: Replication
Description
Not found on microsoft.com, eventid.net suggests this:
Performance warning: replication was delayed while applying changes to the
following object. If this message occurs frequently it indicates that the
replication is occurring slowly and that the server may have difficulty keeping
up with changes.
The event data is needed to verify this.
Problem
Replication may be delayed
NTDS SAM
ERRORS
None found
WARNINGS
None found
NTDS SCRIPTING
ERRORS
None found
WARNINGS
None found
NTDS SDPROP
ERRORS
Source: NTDS SDPROP
Type: Error
Event ID: 2008
SCOPE: Database Health
Description
This looks to be related to performance issues caused by an AD attribute having too
many values, specifically ProxyAddresses (Exchange email address attribute) has
too many email addresses:
http://support.microsoft.com/kb/914036
The event data is needed to verify this. The hotfix is actually an Exchange Server
2003 hotfix so would be installed on the Exchange server that runs the Recipient Update
Service:
http://support.microsoft.com/kb/834349/
http://support.microsoft.com/kb/835894/
Problem
Unknown without the event data
WARNINGS
None found
NTDS SECURITY
ERRORS
None found
WARNINGS
None found
NTDS SETUP
ERRORS
None found
WARNINGS
None found
NTDS XDS
ERRORS
None found
WARNINGS
None found
File Replication Log
FILE REPLICATION SERVICE
ERRORS
None found
WARNINGS
None Found
NTFRS
ERRORS
Source: NTFRS
Type: Error (In the critical list)
Event ID: 13568
SCOPE: File Replication
Description
This indicates that the File Replication Service has entered a Journal Wrap state.
This happens when files needed by the replication service have been purged from
the NTFS USN journal.
There can be many reasons for this happening. These articles contain information
and troubleshooting tips:
Windows 2000 Server
http://technet.microsoft.com/en-us/library/bb727056.aspx#EFAA
Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/tshootfrs.mspx
Problem
File replication, which is used for the SYSVOL and NETLOGON shares, is
interrupted. This means that AD replication is interrupted.
Source: NTFRS
Type: Error
Event ID: 13504
SCOPE: File Replication
Description
This indicates that the file replication service stopped without cleaning up. This could
indicate an unexpected shutdown of the service or the entire server. More events
are needed to establish whether or not replication has been affected.
Event ID: 13504
Event Type: Error
Rule: Collect
Message Text: The File Replication Service stopped without cleaning up.
Problem
Unknown without the event data.
Source: NTFRS
Type: Error
Event ID: 13506
SCOPE: File Replication
Description
This indicates a failed consistency check, and that the file replication service is
going to restart. Other events will be logged to provide more specific information.
Event ID: 13506
Event Type: Error
Rule: Alert suppressed based on ID, source, computer, desc (par 3).
Message Text:
The File Replication Service failed a consistency check (%3) in "%1" at line %2.
The File Replication Service will restart automatically at a later time. If this
problem persists a subsequent entry in this event log describes the recovery
procedure. For more information about the automatic restart right click on My
Computer and then click on Manage, System Tools, Services, File Replication
Service, and Recovery.
Problem
Unknown without the event data.
Source: NTFRS
Type: Error
Event ID: 13526
SCOPE: File Replication
Description
This indicates that the target replication partner has become unreachable; this means
that the local domain controller has lost communication with the remote domain
controller.
If this happens when a DC is being rebooted then it is to be expected, but otherwise
it indicates a problem with communication.
Problem
Communication between the servers in the event is broken. May be transient but
needs to be checked if it occurs regularly.
Source: NTFRS
Type: Error
Event ID: 13539
SCOPE: File Replication
Description
This could mean that the file replication service is still trying to replicate a folder that
has been deleted.
Event ID: 13539
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service cannot replicate %1 because the pathname of the
replicated directory is not the fully qualified pathname of an existing, accessible
local directory.
Check the value of that path in %1. Has it recently been deleted?
Problem
This could be benign if the folder detailed in the log was intentionally deleted.
Source: NTFRS
Type: Error
Event ID: 13540
SCOPE: File Replication
Description
This could indicate a problem with the staging directory in the file replication service.
Event ID: 13540
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service cannot replicate %1 because the pathname of the
customer designated staging directory: %2 is not the fully qualified pathname of
an existing, accessible local directory.
This article explains how to check / change the staging directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;291823
It could also occur if the SYSVOL folder is not properly shared, which can happen
after a system state restore. It could also be a badly implemented staging area
change. Check that the share exists and is pointing to the correct folder.
Problem
File replication may be broken between one or more domain controllers.
Source: NTFRS
Type: Error
Event ID: 13544
SCOPE: File Replication
Description
This could occur if changes are made to the replication settings, and a folder is
added that is already replicated as a subfolder in another set:
CHECK THIS
Event ID: 13544
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service cannot replicate %1 because it overlaps the replicating
directory %2.
This may correct itself once replication is complete, but if not then the duplication
needs to be manually fixed. This could be a Distributed File System issue that is not
related to Active Directory SYSVOL replication. The event data would be needed to
check this.
Problem
File replication may be broken between one or more Servers.
Source: NTFRS
Type: Error
Event ID: 13548
SCOPE: File Replication
Description
This indicates a time synchronisation issue on the network:
Event ID: 13548
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service is unable to replicate with its partner computer
because the difference in clock times is outside the range of plus or minus %1
minutes. The connection to the partner computer is: "%2" The detected time
difference is: %3 minutes.
The Windows Time service should be reset to the proper Active Directory
configuration where the Forest Root (PDC Emulator) uses a reliable NTP source,
and all replica domain controllers use the NTDS time source. RM TEC article
TEC843246 has detailed instructions.
Problem
File replication will not work until this is resolved. Users may also experience
problems accessing files on the server with incorrect time.
Source: NTFRS
Type: Error
Event ID: 13552
SCOPE: File Replication
Description
This is a problem starting file replication:
Event ID: 13552
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service is unable to add this computer to the following replica
set: "%1" This could be caused by a number of problems such as:
-- an invalid root path,
-- a missing directory,
-- a missing disk volume,
-- a file system on the volume that does not support NTFS 5.0
The information below may help to resolve the problem:
Computer DNS name is "%2" Replica set member name is "%3" Replica set root
path is "%4" Replica staging directory path is "%5" Replica working directory path
is "%6" Windows error status code is %7 FRS error status code is %8 Other event
log messages may also help determine the problem. Correct the problem and the
service will attempt to restart replication automatically at a later time.
The event data is needed to establish the reason for this.
Problem
Unknown without the event data, but replication is not functioning.
Source: NTFRS
Type: Error
Event ID: 13555
SCOPE: File Replication
Description
This indicates that the file replication is in an error state, but doesn’t say why:
Event ID: 13555
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service is in an error state. Files will not replicate to or from
one or all of the replica sets on this computer until the following recovery steps are
performed:
There can be many reasons for this error. Some things to check:
1) The first step is to restart the file replication service to see if it clears.
2) If this is a Windows 2000 Server then install Servicepack 4 + the latest Post
Servicepack 4 rollup. There were hotfixes previous to Servicepack 4 that
improved the reliability of the FRS service.
3) A file ID for data in the FRS database does not match the file ID for the
data in the update sequence number (USN) journal database; This article
explains a process to resolve this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;925633
There could be other reasons, more investigation may be needed.
Problem
Unknown without the event data.
Source: NTFRS
Type: Error
Event ID: 13559
SCOPE: File Replication
Description
The File Replication Service has detected that the replica root path has changed:
Event ID: 13559
Event Type: Error
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service has detected that the replica root path has changed
from "%2" to "%3". If this is an intentional move then a file with the name
NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. This
was detected for the following replica set: "%1" Changing the replica root path is a
two step process which is triggered by the creation of the
NTFRS_CMD_FILE_MOVE_ROOT file.
[1] At the first poll which will occur in %4 minutes this computer will be deleted
from the replica set.
[2] At the poll following the deletion this computer will be re-added to the replica
set with the new root path. This re-addition will trigger a full tree sync for the
replica set. At the end of the sync all the files will be at the new location. The files
may or may not be deleted from the old location depending on whether they are
needed or not.
If this is a file server that is using distributed file system (DFS) then this may indicate
an incorrectly implemented change. This is not expected on a domain controller as
the file replication settings are not normally changed manually.
Problem
File replication may be broken. More investigation is needed.
Source: NTFRS
Type: Error
Event ID: 13561
SCOPE: File Replication
Description
This indicates that a journal wrap state has been encountered and that Windows will
attempt to recover the situation automatically:
Event ID: 13561
Event Type: Error
Rule: Alert suppressed based on ID, source, computer - state to look for event ID
13560 to indicate that the error is auto recover
Message Text:
The File Replication Service has detected that the replica set "%1" is in
JRNL_WRAP_ERROR. Replica set name is : "%1" Replica root path is : "%2"
Replica root volume is : "%3" A Replica set hits JRNL_WRAP_ERROR when the
record that it is trying to read from the NTFS USN journal is not found. This can
occur because of one of the following reasons.
[1] Volume "%3" has been formatted.
[2] The NTFS USN journal on volume "%3" has been deleted.
[3] The NTFS USN journal on volume "%3" has been truncated. Chkdsk can
truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on
"%3".
Following recovery steps will be taken to automatically recover from this error
state.
[1] At the first poll which will occur in %4 minutes this computer will be deleted
from the replica set.
[2] At the poll following the deletion this computer will be re-added to the replica
set. The re-addition will trigger a full tree sync for the replica set.
Problem
Windows should recover from this situation automatically
Source: NTFRS
Type: Error
Event ID: 13570
SCOPE: File Replication
Description
This is a low disk space warning:
Event ID: 13570
Event Type: Error
Rule: Low disk space detected.
Message Text:
The File Replication Service has detected that the volume hosting the path C: is
low on disk space. Files may not replicate until disk space is made available on this
volume.
Disk space on C: needs to be made available
Problem
If C: runs out of disk space the server will stop
Source: NTFRS
Type: Error
Event ID: 13671
SCOPE: File Replication
Description
Nothing found
Problem
Unknown without the event data
WARNINGS
Source: NTFRS
Type: Warning (In the critical list)
Event ID: 13508
SCOPE: File Replication
Description
This indicates that the server could not enable replication from a remote server. This
could be a transient problem if the remote server is disconnected from the network
for some reason, but could be a problem with the file replication service:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=13508&EvtSrc=NtFrs&LCID=1033
Look out for event 13509 which indicates that replication recovered; if it occurs then
replication is functional again.
Problem
File replication, which is used for the SYSVOL and NETLOGON shares, is
interrupted. This means that AD replication is interrupted.
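The follow-up checks described for events 13508 (look out for 13509) and 13561 (look for 13560) can be automated. The following is an added example, not part of the original document: it flags domain controllers where the first event was logged and the follow-up never appeared. The comma-separated export format, the one-hour grace period and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Follow-up event this document says to look for after each NTFRS event.
FOLLOW_UP = {
    13508: 13509,  # could not enable replication -> replication enabled again
    13561: 13560,  # journal wrap detected -> automatic recovery attempt logged
}
CLOSERS = {closer: opener for opener, closer in FOLLOW_UP.items()}

# Constructed sample records (assumed format: timestamp,computer,source,event_id).
SAMPLE = """
# constructed sample records, not taken from a real log
2009-03-02T08:15:00,DC01,NtFrs,13508
2009-03-02T08:20:00,DC01,NtFrs,13509
2009-03-02T09:00:00,DC02,NtFrs,13508
2009-03-02T09:30:00,DC02,NtFrs,13508
2009-03-02T07:00:00,DC03,NtFrs,13560
2009-03-02T10:00:00,DC03,NtFrs,13561
2009-03-02T10:05:00,DC04,NtFrs,13561
2009-03-02T10:09:00,DC04,NtFrs,13560
2009-03-02T11:50:00,DC05,NtFrs,13508
2009-03-02T09:10:00,DC02,OtherSource,13509
"""


def parse_export(text):
    """Parse 'timestamp,computer,source,event_id' lines into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, computer, source, event_id = [f.strip() for f in line.split(",")]
        if source.lower() != "ntfrs":
            continue  # the same ID from another source means something else
        events.append((datetime.fromisoformat(stamp), computer.upper(), int(event_id)))
    return sorted(events)  # logs merged from several servers are rarely in order


def unresolved(events, now, grace=timedelta(hours=1)):
    """Return (computer, event_id, first_seen) for events with no later follow-up."""
    open_since = {}  # (computer, opener_id) -> time the condition was first seen
    for stamp, computer, event_id in events:
        if event_id in FOLLOW_UP:
            # Keep the earliest occurrence: repeats do not restart the clock.
            open_since.setdefault((computer, event_id), stamp)
        elif event_id in CLOSERS:
            # A follow-up only closes a condition logged earlier on the same server.
            open_since.pop((computer, CLOSERS[event_id]), None)
    return sorted(
        (computer, event_id, first_seen)
        for (computer, event_id), first_seen in open_since.items()
        if now - first_seen >= grace  # allow time for the follow-up to arrive
    )


if __name__ == "__main__":
    for computer, event_id, first_seen in unresolved(
        parse_export(SAMPLE), now=datetime(2009, 3, 2, 12, 0)
    ):
        print(f"{computer}: event {event_id} since {first_seen}, "
              f"no event {FOLLOW_UP[event_id]} logged afterwards")
```

In the sample, DC02 and DC03 are reported: DC02's only 13509 comes from a different source, and DC03's 13560 predates its 13561.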
Source: NTFRS
Type: Warning (In the critical list)
Event ID: 13562
SCOPE: File Replication
Description
This event indicates that there are file replication issues, and shows a summary of
them. The event data is needed to troubleshoot the specifics.
This document can help with the troubleshooting:
Recovering missing FRS objects and attributes in Active Directory
http://support.microsoft.com/kb/312862
Problem
File replication, which is used for the SYSVOL and NETLOGON shares, is
interrupted. This means that AD replication is interrupted
Source: NTFRS
Type: Warning (In the critical list)
Event ID: 13564
SCOPE: File Replication
Description
This indicates that the volume that holds the FRS debug logs is running out of
space:
http://support.microsoft.com/kb/308406
On a typical domain controller this is likely to be the C: drive.
Problem
If disk space does run out then the server will stop. Services on that server will be
unavailable.
Source: NTFRS
Type: Warning
Event ID: 13509
SCOPE: File Replication
Description
This indicates that the file replication service has enabled replication, and is
expected after a temporary interruption in replication:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=13509&EvtSrc=NtFrs&LCID=1033
As per the Technet article, no action is required.
Problem
This does not indicate a problem.
Source: NTFRS
Type: Warning
Event ID: 13512
SCOPE: File Replication
Description
This indicates that the system has detected write caching on the C: drive. Although
this is not a specific problem, it is not recommended for domain controllers as it
increases the risk of data corruption.
http://support.microsoft.com/kb/316504
Problem
Disk caching should be disabled for the C: drive
Source: NTFRS
Type: Warning
Event ID: 13520
SCOPE: File Replication
Description
This is the event data:
Event ID: 13520
Event Type: Warning
Rule: Collect
Message Text:
The File Replication Service moved the preexisting files in %1 to %2. The File
Replication Service may delete the files in %2 at any time. Files can be saved from
deletion by copying them out of %2. Copying the files into %1 may lead to name
conflicts if the files already exist on some other replicating partner. In some cases,
the File Replication Service may copy a file from %2 into %1 instead of replicating
the file from some other replicating partner. Space can be recovered at any time
by deleting the files in %2.
If this is a file server that is using distributed file system (DFS) then this may indicate
an incorrectly implemented change. This is not expected on a domain controller as
the file replication settings are not normally changed manually
Problem
More information is needed.
Source: NTFRS
Type: Warning
Event ID: 13525
SCOPE: File Replication
Description
This indicates that the system could not find the DNS name for the computer with
which it is trying to replicate files?
Event ID: 13525
Event Type: Warning
Rule: Alert suppressed based on ID, source, computer
Message Text:
The File Replication Service cannot find the DNS name for the computer %1
because the "%2" attribute could not be read from the distinguished name "%3".
The File Replication Service will try using the name "%1" until the computer's DNS
name appears.
Check that the computer mentioned in the event is properly configured for DNS; try
running ipconfig /registerdns at the command prompt of the remote computer
Problem
Replication between the two servers may be broken
Source: NTFRS
Type: Warning
Event ID: 13560
SCOPE: File Replication
Description
This is the server attempting to recover from an error state:
Event ID: 13560
Event Type: Warning
Rule: Collect
Message Text:
The File Replication Service is deleting this computer from the replica set "%1" as
an attempt to recover from the error state, Error status = %2 At the next poll,
which will occur in %3 minutes, this computer will be re-added to the replica set.
The re-addition will trigger a full tree sync for the replica set.
The procedure in this article may resolve the problem on a Windows 2000 Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887440
Problem
Replication may be interrupted
Source: NTFRS
Type: Warning
Event ID: 13563
SCOPE: File Replication
Description
This is the system warning that the file path for a replica set has changed, but the
change has not yet taken effect as the service has not been restarted:
Event ID: 13563
Event Type: Warning
Rule: Warning alert suppressed based on ID, source and computer
Message Text:
The File Replication Service has detected that the staging path for the replica set
%1 has changed. Current staging path = %2 New staging path = %3 The service
will start using the new staging path after it restarts.
Restart the file replication service to apply the new path. The following article
explains how to change the staging path for a replica set:
http://technet.microsoft.com/en-us/library/cc780215.aspx
Problem
File replication may be interrupted
Source:
Type:
Event ID:
SCOPE:
Description
NTFRS
Warning
13565
File Replication
This may occur after a System State recovery on a single domain controller domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;316790
Event ID: 13565
Event Type: Warning
Rule: Initial non-authoritative restore in progress
Message Text:
File Replication Service is initializing the system volume with data from another
domain controller. Computer %1 cannot become a domain controller until this
process is complete. The system volume will then be shared as SYSVOL. To check
for the SYSVOL share, at the command prompt, type net share.
When File Replication Service completes the initialization process, the SYSVOL
share will appear. The initialization of the system volume can take some time. The
time is dependent on the amount of data in the system volume, the availability of
other domain controllers, and the replication interval between domain controllers.
Problem
Source:
Type:
Event ID:
SCOPE:
Description
It may also indicate that the file replication service cannot locate a valid replication
partner in the domain.
Replication may be interrupted
NTFRS
Warning
13566
File Replication
This is expected immediately after a server is promoted to become a domain
controller:
Event ID: 13566
Event Type: Warning
Rule: Authoritative restore in progress
Message Text:
File Replication Service is scanning the data in the system volume. Computer %1
cannot become a domain controller until this process is complete. The system
volume will then be shared as SYSVOL. To check for the SYSVOL share, at the
command prompt, type net share.
When File Replication Service completes the scanning process, the SYSVOL share
will appear. The initialization of the system volume can take some time. The time is
dependent on the amount of data in the system volume.
If the server has not been promoted then more investigation is needed. Check the
event log for more events to help establish the state of the server.
Problem
If the server has been promoted to be a domain controller then this does not indicate
a problem. If not then more data is needed.
Source: NTFRS
Type: Warning
Event ID: 13567
SCOPE: File Replication
Description
This is the file replication service suppressing replication of duplicate changes to
preserve bandwidth. This is by design:
http://support.microsoft.com/kb/315045
Event ID: 13567
Event Type: Warning
Rule: Excess file updates detected
Message Text:
File Replication Service has detected and suppressed an average of %1 or more
file updates every hour for the last %2 hours because the updates did not change
the contents of the file. The tracking records in FRS debug logs will have the
filename and event time for the suppressed updates. The tracking records have
the date and time followed by :T: as their prefix. Updates that do not change the
content of the file are suppressed to prevent unnecessary replication traffic.
Following are common examples of updates that do not change the contents of the
file.
[1] Overwriting a file with a copy of the same file.
[2] Setting the same ACLs on a file multiple times.
[3] Restoring an identical copy of the file over an existing one.
Suppression of updates can be disabled by running regedit. Click on Start, Run and
type regedit. Expand
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
and create or update the value "Suppress Identical Updates To Files" to 0 (Default
is 1) to force identical updates to replicate.
Problem
This does not indicate a problem
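The checks described for events 13565, 13566 and 13567 (the latest warning of each kind, whether SYSVOL is shared, and the suppression registry value) can be gathered in one pass. The PowerShell below is an added example, not part of the original document; it assumes PowerShell 3.0 or later run locally on the domain controller, and the note strings are illustrative wording.

```powershell
# Added example (not from the original document): triage for NTFRS warnings
# 13565, 13566 and 13567 on the local domain controller.
$ids       = 13565, 13566, 13567
$frsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$valueName = 'Suppress Identical Updates To Files'

# Most recent occurrence of each warning in the FRS event log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'File Replication Service'; Id = $ids
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    ForEach-Object { $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1 }

# 13565/13566 are complete once SYSVOL is shared (same information as "net share").
$sysvolShared = [bool](Get-CimInstance Win32_Share -Filter "Name='SYSVOL'" -ErrorAction SilentlyContinue)

# 13567: suppression is on unless the value exists and is 0 (default is 1).
$suppress = (Get-ItemProperty -Path $frsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $suppress) { $suppress = 1 }

foreach ($e in $events) {
    $note = switch ($e.Id) {
        13565 {
            if ($sysvolShared) { 'SYSVOL is shared: initialization has completed' }
            else { 'SYSVOL not shared: check that a valid replication partner is reachable' }
        }
        13566 {
            if ($sysvolShared) { 'SYSVOL is shared: scan has completed' }
            else { 'SYSVOL not shared: expected right after promotion, otherwise review other events' }
        }
        13567 { "By design; suppression value = $suppress (1 = identical updates suppressed)" }
    }
    [pscustomobject]@{ EventId = $e.Id; LastSeen = $e.TimeCreated; Note = $note }
}
```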
WINDOWS SERVER PATCHES
WINDOWS SERVER 2003
SERVICEPACK 2
http://technet.microsoft.com/en-gb/windowsserver/bb229701.aspx
WINDOWS 2000 SERVER
SERVICEPACK 4
http://www.microsoft.com/downloads/details.aspx?familyid=1001AAF1-749F-49F4-8010297BD6CA33A0&displaylang=en
POST SERVICEPACK 4 ROLLUP
http://www.microsoft.com/downloads/details.aspx?familyid=B54730CF-8850-4531-B52BBF28B324C662&displaylang=en