Event Master - Active Directory Known Issues v1.0 Overview ......................................................................................................................................................... 3 Revision History .............................................................................................................................................. 3 Directory Service Log...................................................................................................................................... 4 NTDS APO .................................................................................................................................................. 4 Errors ....................................................................................................................................................... 4 Warnings.................................................................................................................................................. 4 NTDS Backup.............................................................................................................................................. 4 Errors ....................................................................................................................................................... 4 Warnings.................................................................................................................................................. 4 NTDS Database .......................................................................................................................................... 4 Errors ....................................................................................................................................................... 4 Warnings.................................................................................................................................................. 5 NTDS General............................................................................................................................................. 5 Errors ....................................................................................................................................................... 5 Warnings................................................................................................................................................ 11 NTDS Inter-site Messaging ....................................................................................................................... 14 Errors ..................................................................................................................................................... 14 Warnings................................................................................................................................................ 17 NTDS ISAM............................................................................................................................................... 20 Errors ..................................................................................................................................................... 20 Warnings................................................................................................................................................ 27 NTDS KCC ................................................................................................................................................ 30 Errors ..................................................................................................................................................... 30 Warnings................................................................................................................................................ 31 NTDS LDAP .............................................................................................................................................. 35 Errors ..................................................................................................................................................... 35 Warnings................................................................................................................................................ 35 NTDS MAPI............................................................................................................................................... 35 Errors ..................................................................................................................................................... 35 Warnings................................................................................................................................................ 35 NTDS Replication ...................................................................................................................................... 35 Errors ..................................................................................................................................................... 35 Warnings................................................................................................................................................ 38 NTDS SAM................................................................................................................................................ 42 Errors ..................................................................................................................................................... 42 Warnings................................................................................................................................................ 42 NTDS Scripting.......................................................................................................................................... 43 Errors ..................................................................................................................................................... 43 Warnings................................................................................................................................................ 43 NTDS SDPROP ........................................................................................................................................ 43 Errors ..................................................................................................................................................... 43 Warnings................................................................................................................................................ 43 NTDS Security........................................................................................................................................... 43 Errors ..................................................................................................................................................... 43 Warnings................................................................................................................................................ 43 NTDS Setup .............................................................................................................................................. 43 Errors ..................................................................................................................................................... 43 Warnings................................................................................................................................................ 43 NTDS XDS ................................................................................................................................................ 43 Errors ..................................................................................................................................................... 43 Warnings................................................................................................................................................ 44 File Replication Log ...................................................................................................................................... 45 File Replication Service ............................................................................................................................. 45 errors ..................................................................................................................................................... 45 Warnings................................................................................................................................................ 45 NTFRS ...................................................................................................................................................... 45 Errors ..................................................................................................................................................... 45 Warnings................................................................................................................................................ 51 Windows Server Patches....................................................................................................................... 56 Windows Server 2003 ............................................................................................................................... 56 Servicepack 2 ........................................................................................................................................ 56 Windows 2000 Server ............................................................................................................................... 56 Servicepack 4 ........................................................................................................................................ 56 Post Servicepack 4 Rollup ..................................................................................................................... 56 Overview This article contains details of error and warning events found in RM Event Master related to the Microsoft Active Directory service, specifically the Directory Service and File Replication logs. Wherever possible, links to Microsoft Knowledgebase and / or Technet articles are included. It is based on data in the RM Event Master database, so is relevant to issues that our customers are experiencing in the field. RM Event Master collects only information about the events IDs that are occurring; it does not collect the specific event description. Because of this, some of the links may not relate to the issues occurring on a server; this is unavoidable as many events occurrences form part of a pattern and the underlying issues depend on the group of events that occur together. Revision History This document will be revised from time to time as new events are discovered and problems resolved. REVISION DATE DETAILS 1.0 July 2009 This is the initial revision of the document. Directory Service Log NTDS APO ERRORS None found WARNINGS None Found NTDS BACKUP ERRORS Source: Type: Event ID: Scope: Description NTDS Backup Error 1913 Backup/Restore This indicates a failed Active Directory backup or restore operation: Internal error: The Active Directory backup and restore operation encountered an unexpected error. Backup or restore will not succeed until this is corrected. Problem If this was a backup, then the backup failed and the administrator may not be aware. If it was a restore, then the restore failed and the administrator is probably aware. In either case more information is needed to establish the reason. WARNINGS None found NTDS DATABASE ERRORS Source: Type: Event ID: SCOPE: Description NTDS Database Error 1168 Database Health This may be related to a known issue where multiple directory service threads try to create a new name for a deleted object: http://support.microsoft.com/kb/842394 Problem However there are many other potential causes of this event. The event data is needed to establish the reason. Unknown without the event data WARNINGS Source: Type: Event ID: SCOPE: Description NTDS Database Warning 1792 Database Health There are references to this in Technet, but all are related to Windows Server 2008. Eventid.net suggests this A transaction lasts <number> minutes and <number> seconds, much longer than expected. (The caller is SAM.) Long-running transactions contribute to the depletion of version store. When version store is exhausted all directory operations will fail. Please contact Microsoft Product Support Services for assistance. This could be caused by a failed/replaced disk in a RAID array; while the array is rebuilding performance will be degraded. This is not conclusive without the event data and/or corresponding events. Problem Unknown without the event data NTDS GENERAL ERRORS Source: Type: Event ID: SCOPE: Description NTDS General Error 1126 Communication Could be related to a failed promotion of a domain controller to a global catalog: http://support.microsoft.com/kb/842208 If this is not an attempt to promote the local DC to a GC then there is another reason why this DC cannot reach a GC: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=W indows%20Operating%20System&ProdVer=5.2&EvtID=1126&EvtSrc=Activ e%20Directory&LCID=1033 The event data is needed to establish the cause. Problem User logons via this domain controller will have problems. Source: Type: Event ID: SCOPE: Description NTDS General Error (in the current critical list) 1168 Database Health This is a problem with the underlying JET database engine. It is likely that Event ID 1003 will also occur: http://support.microsoft.com/kb/280364 Event ID: 1168 Source: NTDS General Category: Internal Processing Description: Error -1811(fffff8ed) has occurred (Internal ID 404ab). Please contact Microsoft Product Support Services for assistance. Problem Source: Type: Event ID: SCOPE: Description This could be because the NTDS files have been moved, improperly restored from backup, or corrupted. Active Directory services will not run on this server until the files are replaced / repaired. NTDS General Error 1003 Database Health This is a problem with the underlying JET database engine. It is likely that Event ID 1168 will also occur http://support.microsoft.com/kb/280364 Event ID: 1003 Source: NTDS General Category: Internal Processing Description: The Windows Directory Services database cannot be initialized and returned error -1811. Unrecoverable error, the directory can't continue. Problem This could be because the NTDS files have been moved, improperly restored from backup, or corrupted. Active Directory services will not run on this server until the files are replaced / repaired. Source: Type: Event ID: SCOPE: Description NTDS General Error 1039 System Resources Not found on microsoft.com, eventid.net suggests this: Internal event: Active Directory could not process the following object. Object: <object> User Action Increase physical memory or virtual memory. If this error continues to occur, restart this domain controller. Additional Data Error value: <error> Internal ID: <id>. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to confirm this. Unknown without the event data NTDS General Error 1135 Replication This looks like a failure occurring during a search of the Schema partition of Active Directory. Possibly related to a Schema extension that has not yet completed: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1135&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description This cannot be verified without the event data. Inconclusive NTDS General Error or Warning (can be either) 1153 Replication / Patched This is a replication delay caused by an Active Directory Schema extension. This is expected when running preparations for AD aware applications such as Exchange Server: http://support.microsoft.com/kb/307323 For Windows 2000 Server this is resolved with Servicepack 2, so make sure that Servicepack 4 + the August 2004 Post Servicepack 4 Rollup are installed. Problem Assuming that a schema extension was happening at the time this event was logged then there is no problem. Replication of the Schema partition may be affected. Source: Type: Event ID: SCOPE: Description NTDS General Error 1169 System Resources This looks like memory resource issues on the domain controller: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1169&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description Reboot the domain controller to free memory. If it continues to occur then more RAM may be needed. Domain Controller services may be unstable, users & applications may experience authentication problems. NTDS General Error 1188 Replication This indicates that an RPC replication request has not received a response from the source domain controller: http://support.microsoft.com/kb/830746 Problem Source: Type: Event ID: SCOPE: Description If the source domain controller is offline then this would be expected. If it is online then there is a delay with RPC communication. Replication will be delayed or not occurring NTDS General Error 1207 Internal This event is logged when an internal asynchronous attempt to update the schema cache fails with an error: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1207&EvtSrc=Active+Directory&LCID=103 3 Problem This event is only logged if diagnostic logging has been increased. As per the Technet article, no action is required. This does not indicate a problem. Source: Type: Event ID: SCOPE: Description NTDS General Error 1229 Operating System This looks to be a problem with the system accessing performance monitor counters: Unable to open performance counters. An attempt to open shared memory returned error %1. The event data is needed to establish the error code. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1229&EvtSrc=Active+Directory&LCID=103 3 Problem Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS General Error 1393 System Resources This is caused by no free disk space on the volume that contains the Active Directory database and/or log: http://support.microsoft.com/kb/259278 Attempts to update the Directory Service database are failing with error 112. Since Windows will be unable to log on users while this condition persists, the NetLogon service is being paused. Check to make sure that adequate free disk space is available on the drives where the directory database and log files reside. Problem Active Directory services will not start until disk space is made available. Source: Type: Event ID: SCOPE: Description NTDS General Error 1656 Communication This indicates some kind of RPC communication problem: This is a general RPC troubleshooting article: http://support.microsoft.com/kb/839880 Problem Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS General Error 2069 Database Health All of the articles on Technet relate to Exchange Server. Eventid.net suggests this: Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt. Additional data: NCDNT: <number> Tombstoned count: <number> Total count: <number>. Problem Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS General Error 2098 TBA Problem Score Unknown without the event data 5 Source: Type: Event ID: SCOPE: Description NTDS General Error 2103 Replication This indicates that the domain controller has performed a USN rollback, which is usually caused by an incorrectly performed data restoration. The following articles have information about the cause and detection / resolution of USN rollback. All of the articles on Technet relate to Exchange Server, nothing found relating to Active Directory. More data is needed. Windows Server 2003 http://support.microsoft.com/kb/875495 Windows 2000 Server http://support.microsoft.com/kb/885875 Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and 1115 are symptoms of replication being disabled as a result. Problem Active Directory Replication will not work for objects affected by the USN Rollback, but replication will appear to be working in Replication Monitor. User / Computer logon may fail periodically for these affected objects. WARNINGS Source: Type: Event ID: SCOPE: Description NTDS General Warning 1079 System Resources All of the articles on Technet relate to Exchange Server. Eventid.net suggests this: Replication warning: Couldn't allocate memory. Replication may be affected until more memory is available. Increase the amount of Virtual memory available. Stop and restart this Windows Domain Controller and try again. If this occurs there could be a memory leak, virtual memory configuration might need checking, or the server could need more physical RAM. Problem Active Directory Replication will not occur until the server is rebooted. Source: Type: Event ID: SCOPE: Description NTDS General Warning 1094 Operating System All of the articles on Technet relate to Exchange Server. Eventid.net suggests this Disk write caching on drive c: has been disabled to prevent possible data loss during system failures. Problem Source: Type: Event ID: SCOPE: Description This is an expected warning that disk write caching has been disabled; this is the default configuration for a Windows 2000 Server Domain Controller This does not indicate a problem NTDS General Warning 1113 / 1115 Replication This indicates that the domain controller has performed a USN rollback, which is usually caused by an incorrectly performed data restoration. The following articles have information about the cause and detection / resolution of USN rollback. Windows Server 2003 http://support.microsoft.com/kb/875495 Windows 2000 Server http://support.microsoft.com/kb/885875 Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and 1115 are symptoms of replication being disabled as a result. Problem Active Directory Replication will not work for objects affected by the USN Rollback, but replication will appear to be working in Replication Monitor. User / Computer logon may fail periodically for these affected objects. Source: Type: Event ID: SCOPE: Description NTDS General Warning 1173 Internal This is an internal processing error that may relate to one of many documented issues. The event data is required to establish the reason: Internal event: Exception %1 has occurred with parameters %2 and %3 (Internal ID %4). http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1173&EvtSrc=Active+Directory&LCID=103 3 Problem Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTDS General Warning 1224 Replication This could be a Windows 2000 Server domain controller that was upgraded from Windows NT 4.0 and the computer name contains only numeric characters. http://support.microsoft.com/default.aspx?scid=kb;en-us;838400 Problem Source: Type: Event ID: SCOPE: Description This article relates to error 87 in the event data. It is resolved with a hotfix, but also included in the August 2004 Post Servicepack 4 Rollup. Without the event data we cannot tell if this is the problem. Unknown without the event data NTDS General Warning 1463 Database Health This is Jet (the underlying database engine) detecting and fixing some corrupted indices: Jet has detected and deleted some corrupt indices as part of initialization. The indices will be rebuilt. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows%20Operating%20System&ProdVer=5.2&EvtID=1463&EvtSrc=Active%20 Directory&LCID=1033 Problem This does not require any action. This does not indicate a problem. Source: Type: Event ID: SCOPE: Description NTDS General Warning 1475 Internal This is an internal event that is only logged when the default logging level is changed: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1475&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description As per the Technet article, no action is required. This does not indicate a problem. NTDS General Warning 1539 Operating System Not found on microsoft.com, eventid.net suggests this: Unable to disable disk write cache on c:. Data might be lost during system failures. Problem Source: Type: Event ID: SCOPE: Description This doesn’t necessarily indicate a problem, as long as the system is not shutdown suddenly (e.g. power loss) then the data will be written to cache first and then to disk. However you should investigate and disable write caching on the disks that contain Active Directory data There is a chance of data loss if sudden unexpected shutdown (e.g. power loss) occurs. NTDS General Warning 1655 Replication This might be the system failing to connect to a global catalog: The attempt to communicate with global catalog \\gc.domain.com failed with the following status: Replication access was denied. The operation in progress might be unable to continue. The directory service will use the locator to try find an available global catalog server for the next operation that requires one. There are several documented reasons for this event, one of which may be the cause: Invalid Kerberos tokens in Windows 2000 Server http://support.microsoft.com/kb/297716 Missing NTFS / Share permissions: http://support.microsoft.com/kb/305837 Damaged Phantom Objects: http://support.microsoft.com/kb/318170 Problem There may be other causes; it is not possible to confirm without the event data. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS General Warning 1715 Communication Not found from the Active Directory sources, but this article explains a potential RPC problem: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1715&EvtSrc=RPC&LCID=1033 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the reason for this warning. Unknown without the event data NTDS General Warning 1772 Communication Not found from the Active Directory sources, but this article explains a potential RPC problem: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1722&EvtSrc=RPC&LCID=1033 Problem Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS General Warning 2044 TBA All of the Technet articles found relate to Exchange Server. Nothing found for Active Directory. Unknown without the event data Problem NTDS INTER-SITE MESSAGING ERRORS Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1168 Database Health This could be related to a third party winsock application on Windows 2000 Server affecting LDAP operations: http://support.microsoft.com/kb/315182 Problem This cannot be verified without the event data. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1373 Internal This is a warning that the intersite messaging service could not receive any messages for the service through the specified transport: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1373&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to verify this. As per the Technet article, no action is required. Unknown without the event data NTDS Inter-site Messaging Error 1374 Internal This is an intersite messaging request for the number of sites interconnected thought the specified transport failing; http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1373&EvtSrc=Active+Directory&LCID=103 3 Problem As per the Technet article, no action is required. This does not indicate a problem. Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1378 Internal This may be an Intersite Messaging transport error as per this Technet article: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1378&EvtSrc=Active+Directory&LCID=103 3 Problem Try restarting the Intersite Messaging service. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1468 Replication This is related to missing SMTP configuration. Although IIS / SMTP are not core domain controller services, SMTP can be used as an inter-site transport: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows+Operating+System&ProdVer=5.0&EvtID=1468&EvtSrc=Active+Directory &LCID=1033 Problem So this could be related to a missing / broken IIS/SMTP installation. Site links that use SMTP will not function, so replication could fail. Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1528 Replication Not found on microsoft.com, eventid.net suggests this: Internal error: The Intersite Messaging service using the SMTP transport has encountered an error originating from the Collaboration Data Object (CDO) library. Additional Data Error value: <error code> <error message> Internal ID: <ID>. Problem Source: Type: Event ID: SCOPE: Description This could be a problem with Collaborative Data Objects (CDO) but the event data is needed to confirm what the issue is. Unknown without the event data NTDS Inter-site Messaging Error 1824 Database Health This could be an LDAP problem when the first domain controller in a domain is created: http://support.microsoft.com/kb/834317 Problem This cannot be confirmed without the event data. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1832 Replication Not found on microsoft.com, eventid.net suggests this: The SMTP domain administrative namespace is not available at this time. Mailbased replication cannot be configured until this condition is corrected. As a result intersite replication using the SMTP transport between the local domain controller and all domain controllers in other sites will fail. Replication using SMTP will be tried again later. Additional Data Error value: 80070422 The service cannot be started either because it is disabled or because it has no enabled devices associated with it. Problem This could indicate a missing / damaged IIS/SMTP configuration. Unconfirmed without event data Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Error 1866 Database Health Not found on microsoft.com, eventid.net suggests this: The Intersite Messaging service received the following extended error string information from LDAP. Extended error string: Additional Data LDAP error value: 51 Server Down WIN32 extended error value: 0 The operation completed successfully. This might be related to the issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;826819 Problem This is not confirmed. Unknown without event data WARNINGS Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Warning 1368 Internal This is a failed LDAP service request: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows+Operating+System&ProdVer=5.0&EvtID=1368&EvtSrc=Active+Directory &LCID=1033 Problem As per the Technet article, no action is required This does not indicate a problem Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Warning 1369 Database Health This is a failed LDAP search, the reason for the failure will be in the event code: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows+Operating+System&ProdVer=5.0&EvtID=1369&EvtSrc=Active+Directory &LCID=1033 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to determine the reason for this. Unknown without the event data NTDS Inter-site Messaging Warning 1380 Replication This is a failure of the task that monitors Active Directory for changes in intersite transport objects: The task that monitors the Directory Service for changes in the Inter-Site Transport objects failed with the following status: %1 The record data is the status code. Additions- deletions- and modifications of Inter-Site Transport objects will not be reflected in the configuration of the Inter-Site Messaging Service until its service is restarted or this machine is rebooted. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1380&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the reason for this Unknown without the event data NTDS Inter-site Messaging Warning 1409 Replication This is caused by the server not having IIS & SMTP installed when a site link is configured to use the SMTP transport: The Inter-Site Messaging Service SMTP Transport plug-in could not send a message because no mail transport is installed. Please install a mail transport, such as the SMTP Service. The operation will be retried http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1409&EvtSrc=Active+Directory&LCID=103 3 Problem To resolve this, install IIS with SMTP This server will not be able to service the site link that requires SMTP until the service is installed Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Warning 1465 Replication This is a failure of the task that monitors Active Directory for changes in site topology: The task that monitors the Directory Service for changes in the site topology for the Inter-Site Transport object %1 failed with the following status: %2 Additions- deletions- and modifications of the site topology beneath the InterSite Transport object will not be reflected in the configuration of the Inter-Site Messaging Service until its service is restarted or this machine is rebooted. The record data is the status code. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1465&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description Restart the Intersite Messaging service. The event data is needed to establish the reason for the problem. Unknown without the event data NTDS Inter-site Messaging Warning 1473 Replication This is a problem with the intersite messaging service not being able to read the intersite transport objects: The Intersite Messaging Service failed to read the configuration of the Intersite Transports out of the Directory. The error message is as follows: %1 The service has stopped. It will be necessary to correct the problem and restart the service in order for intersite communication to occur. The KCC will be unable to calculate intersite topology without this service. There may be a problem retrieving data from the LDAP server. Please verify that LDAP queries are succeeding on this machine. You may also wish to try restarting the Intersite Messaging Service manually. The record data is the status code. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1473&EvtSrc=Active+Directory&LCID=103 3 Problem Restart the intersite messaging service. The event data is needed to establish the reason for the problem. Unknown without event data Source: Type: Event ID: SCOPE: Description NTDS Inter-site Messaging Warning 1867 Replication Not found on microsoft.com, eventid.net suggests this: The task that monitors Active Directory for changes in the site topology for the following Intersite Transport object could not be started. Intersite Transport object: CN=IPCN=Inter-Site TransportsCN=SitesCN=ConfigurationDC=<DC>DC=local The problem may have been caused by a temporary resource shortage. The task will be restarted. Additional Data Error value: 55 The specified network resource or device is no longer available. Problem This could be a system resources issue. Unknown without event data NTDS ISAM ERRORS Source: Type: Event ID: SCOPE: Description NTDS ISAM Error (in the critical list, recommending a lower score) 215 Database Health This is an error related to a failed backup. But it may indicate a false negative; the backup may actually be OK; http://support.microsoft.com/kb/927654 If this is occurring on a Windows Server 2003 domain controller then install Servicepack 2 and retest the backup to see if the event continues to occur. Problem This may indicate a failed backup, but may be a false error. Source: Type: Event ID: SCOPE: Description NTDS ISAM Error (in the critical list, recommending a lower score) 217 Database Health There are several Technet articles related to this, but they all refer to Exchange Server. The underlying JET database is the cause, and this engine is also used for the Active Directory database. The existing Event Master description is this: NTDS ISAM: Error ... during backup of a database [path to NTDS.DIT] The database will be unable to restore. Problem The event data is needed to verify this. This looks like problem with backup that renders the backed up data useless. Recovery will not be possible from this backup. Source: Type: Event ID: SCOPE: Description NTDS ISAM Error (in the critical list) 439 Database Health There are several Technet articles, but they all relate to Exchange Server / SQL Server. The same JET database engine is used for Active Directory. Eventid.net suggests this: NTDS (<PID>) NTDSA: Unable to write a shadowed header file for file <file name>. Error <error>. This could be the same symptom as these ESE (Extensible Storage Engine): http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange &ProdVer=6.5.6940.0&EvtID=439&EvtSrc=ESE&LCID=1033 Problem Source: Type: Event ID: SCOPE: Description It looks related to a failure to write to the NTDS.dit file, this could be low disk space / permissions broken / anti-virus software / file level backups locking the file. Unconfirmed without the event data. NTDS ISAM Error (in the critical list, recommending a lower score) 454 Database Health There are several Technet articles, but they all relate to Exchange Server / SQL Server. The same JET database engine is used for Active Directory. Eventid.net suggests this: <process> (<PID>) Database recovery/restore failed with unexpected error <error>. Problem Source: Type: Event ID: SCOPE: Description Looks to be a failed database recovery, or maybe a corruption in the database. Unknown without the event data NTDS ISAM Error (in the critical list, recommending a lower score) 474 Database Health There are several Technet articles, but they all relate to Exchange Server / Extensible Storage Engine. Eventid.net suggests this: NTDS (<PID>) NTDSA: The database page read from the file "<path to edb file>" at offset <offset> for <value> bytes failed verification due to a page checksum mismatch. The expected checksum was <checksum> and the actual checksum was <checksum>. The read operation will fail with error <error code> (<error code>). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Problem This could indicate a problem with the disk and/or disk controller. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Error (in the critical list, recommending a lower score) 482 Database Health There are several Technet articles, but they all relate to Exchange Server / Extensible Storage Engine. Eventid.net suggests this: <process> (<PID>) An attempt to write to the file "<file>" at offset <value> (<hex value>) for <value> (<hex value>) bytes failed with system error <error code> (<hex error code>): "<error message>". The write operation will fail with error <error code> (<hex error code>). If this error persists then the file may be damaged and may need to be restored from a previous backup. Problem This might indicate a damaged NTDS.dit database, or could be related to out of disk space problems. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 0 Database Health Not found on microsoft.com, eventid.net suggests this: NTDS (<PID>) Unexpected Win32 Error :<error code>. Problem Source: Type: Event ID: SCOPE: Description The examples shown relate to anti-virus software trying to scan the NTDS folder or missing NTFS permissions. Unknown without the event data NTDS ISAM Error 203 Database Health There are no Technet articles specific to the TNDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (<PID>) The database engine has stopped the backup with error <error code>. Problem Source: Type: Event ID: SCOPE: Description Problem This looks to be a backup problem, but the event data is needed to confirm this. The backup of the NTDS database has failed NTDS ISAM Error 411 Database Health There are no Technet articles specific to the TNDS ISAM source, but several related to Exchange / ESE. This looks like a problem with the database and/or log files. More data is needed to establish this. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 427 Operating System There are no Technet articles specific to the NTDS ISAM source, but two related to Exchange / ESE http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exch ange&ProdVer=6.5.6940.0&EvtID=427&EvtSrc=ESE&LCID=1033 Problem Source: Type: Event ID: SCOPE: Description This seems to indicate a problem accessing the database and/or log files due to permissions denied. The event data is needed to confirm this. Unknown without the event data NTDS ISAM Error or Warning 428 System Resources There are no Technet articles specific to the NTDS ISAM source, but two related to Exchange / ESE. Eventid.net suggests this: NTDS (272) The database engine is rejecting update operations due to low free disk space on the log disk. Problem Source: Type: Event ID: SCOPE: Description This is caused by low disk space so will probably have been caught already. The database will be unavailable until more free space is made available. NTDS ISAM Error 447 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (<process id>) <storage group name> A bad page link (error <error code>) has been detected in a B-Tree (ObjectId: <id>, PgnoRoot: <number>) of database <name> (<number> => <number>, <number>). Problem Source: Type: Event ID: SCOPE: Description This indicates corruption in the database. The event data is needed to establish the specific problem. The database is damaged. NTDS ISAM Error 455 Database Health This looks to be a problem with missing or unreadable files. It may have been caused by a power outage causing a sudden shutdown: http://support.microsoft.com/kb/265089 Problem The event data is needed to determine the exact cause. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 465 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: <process> (ID) Corruption was detected during soft recovery in logfile <log file>. The failing checksum record is located at position <position>. Data not matching the log-file fill pattern first appeared in sector <sector>. This logfile has been damaged and is unusable. Problem Source: Type: Event ID: SCOPE: Description This may indicate database corruption. Database operations might fail. NTDS ISAM Error 467 Database Health / Patched This is a database corruption issue that is resolved in Servicepack 2 for Windows Server 2003: http://support.microsoft.com/kb/902396 Problem Database operations may fail Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 471 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. All seem to indicate problems updating the database due to failed rollback operations / problems with the checkpoint file. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the cause. Unknown without the event data. NTDS ISAM Error 475 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. All seem to indicate problems due to page number mismatch. They tend to indicate checksum errors which are probably related to a hardware (disk / controller) fault. Problem The event data is needed to establish the cause. Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 477 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. They tend to indicate checksum errors which are probably related to a hardware (disk / controller) fault, or corrupted transaction log files. This may happen on a domain controller as the same underlying database engines are used. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the cause Unknown without the event data. NTDS ISAM Error 481 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: <process name> (<PID>) An attempt to read from the file "<file name>" at offset <value> for <value> bytes failed with system error <error code>: "<error message>". The read operation will fail with error <error code>. If this error persists then the file may be damaged and may need to be restored from a previous backup. Problem Source: Type: Event ID: SCOPE: Description This may indicate a corrupted database. The event data is needed to verify this. Database operations may fail NTDS ISAM Error 488 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / Sharepoint / ESE All are related to a failure to create a file. Possibly because another process (such as a backup program) has locked access to it. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to verify the cause. Unknown without the event data. NTDS ISAM Error 490 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (<PID>) NTDSA: An attempt to open the file "<file>" for read / write access failed with system error <system error code> (<hex error code>): "Access is denied. ". The open file operation will fail with error <operation error code> (<hex error code>). Problem This could be file corruption / permissions. The event data is needed to verify the cause. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 491 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. It could indicate that the database and/or log files could not be accessed, possibly by a backup and/or anti virus application. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to verify this. Unknown without the event data NTDS ISAM Error 492 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (388) NTDSA: The logfile sequence in "<directory name>" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup. This could indicate a problem with the log files. In Exchange there are a finite number of log files available in a sequence (equal to hex FFFFFFFF) but AD uses circular logging so this is probably not the problem. Problem Source: Type: Event ID: SCOPE: Description Problem Source: Type: Event ID: SCOPE: Description Problem The event data is needed to establish the cause. Unknown without the event data. NTDS ISAM Error 494 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. This may be related to a failed restore of backed up data. The event data is needed to establish the reason. Unknown without the event data. NTDS ISAM Error 624 System Resources There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. This could be related to an out of memory condition. The event data is needed to verify this. Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTDS ISAM Error 705 Database Health Not found on microsoft.com, eventid.net suggests this: <NTDS> (<process id>) Online defragmentation of database '<name>' terminated prematurely after encountering unexpected error <error code>. The next time online defragmentation is started on this database, it will resume from the point of interruption. Problem Database maintenance may not have completed properly. This may be related to database corruption. The event data is needed to verify this. Unknown without the event data. WARNINGS Source: Type: Event ID: SCOPE: Description NTDS ISAM Warning (in the critical list) 411 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. The existing Event Master description is this: NTDS ISAM: This event may indicate and issue with the active directory database (NTDS.DIT) Problem Source: Type: Event ID: SCOPE: Description This most likely relates to some type of database problem, possibly the relation between the database and the transaction log. The event data is needed to verify this. Unknown without event data NTDS ISAM Warning (in the critical list) 508 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (<PID>) NTDSA: A request to write to the file "<file>" at offset <offset> (<offset>) for <size> (<size>) bytes succeeded but took an abnormally long time (<number> seconds) to be serviced by the OS. In addition <number> other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted <number> seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. Problem This may indicate a faulty disk and/or disk controller, or and overloaded disk. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Warning (in the critical list) 510 Database Health There are no Technet articles specific to the NTDS ISAM source, but several related to Exchange / ESE. Eventid.net suggests this: NTDS (<PID>) NTDSA: A request to write to the file "<file>" at offset <offset> (<offset>) for <size> (<size>) bytes succeeded but took an abnormally long time (<number> seconds) to be serviced by the OS. In addition <number> other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted <number> seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. Problem Source: Type: Event ID: SCOPE: Description This may indicate a faulty disk and/or disk controller, or and overloaded disk. Unknown without the event data NTDS ISAM Warning (in the critical list) 614 Database Health There are no Technet articles specific to the NTDS ISAM source, but this one is related to missing indexes in a RFS (File Replication (which is a domain controller component)) database: http://support.microsoft.com/kb/842462 Problem The event data is needed to verify this. Unknown without the event data Source: Type: Event ID: SCOPE: Description Problem NTDS ISAM Warning (in the critical list) 705 TBA Not found on Microsoft.com or Eventid.net Unknown without the event data Source: Type: Event ID: SCOPE: Description Problem NTDS ISAM Warning 498 TBA Not found on Microsoft.com or Eventid.net Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS ISAM Warning 507 Database Health There are no Technet articles specific to the NTDS ISAM source, but one related to Exchange / ESE. Eventid.net suggests this: NTDS (464) NTDSA: A request to read from the file "<file>" at offset <offset> (<offset>) for <value> (<hex value>) bytes succeeded, but took an abnormally long time (<value> seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. Problem Source: Type: Event ID: SCOPE: Description This could be disk subsystem related. The event data is needed to verify this. Server performance will be affected NTDS ISAM Warning 509 (issue not confirmed) Database Health There are no Technet articles specific to the NTDS ISAM source, but one related to Exchange / ESE. Eventid.net suggests this: NTDS (464) NTDSA: A request to read from the file "<file>" at offset <offset> (<offset>) for <value> (<hex value>) bytes succeeded, but took an abnormally long time (<value> seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. Problem This could be disk subsystem related. The event data is needed to verify this. Server performance will be affected Source: Type: Event ID: SCOPE: Description NTDS ISAM Warning 602 Database Health Not found on microsoft.com, eventid.net suggests this: NTDS (<PID>) Background clean-up skipped pages. The database may benefit from widening the online maintenance window during off-peak hours. If this message persists offline defragmentation may be run to remove all skipped pages from the database. Problem The event data is needed to confirm this Database maintenance may not have completed properly. Look at how we can increase the maintenance time for AD and provide instructions. NTDS KCC ERRORS Source: Type: Event ID: SCOPE: Description NTDS KCC Error (in the critical list) / Warning (not in the critical list). Could be either. 1014 Knowledge Consistency This looks like an error with the KCC updating the replication topology: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows+Operating+System&ProdVer=5.0&EvtID=1014&EvtSrc=Active+Directory &LCID=1033 Problem The event data is needed to establish the cause. Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS KCC Error (in the critical list) 1130 Knowledge Consistency This looks like an error with the KCC updating the replication topology: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows+Operating+System&ProdVer=5.0&EvtID=1130&EvtSrc=Active+Directory &LCID=1033 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the cause. Unknown without the event data NTDS KCC Error (in the critical list) 1311 Knowledge Consistency This indicates that the inter site replication configuration need to be fixed because the current site is not associated with a site link: http://support.microsoft.com/kb/214745 This article contains more detailed troubleshooting help: http://support.microsoft.com/kb/307593 Problem This will have been caused by administrator error. Inbound replication from other sites will not occur. Other sites may have a link to this one so outbound replication from this site may be OK. Source: Type: Event ID: SCOPE: Description NTDS KCC Error 1131 Knowledge Consistency This is a problem where the KCC cannot create a connection between two domain controllers: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1131&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to establish the reason for this. Intrasite replication may be affected. NTDS KCC Error 1312 Knowledge Consistency This could be an issue with the intersite messaging service that prevents the KCC from creating a correct replication topology: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1312&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description Problem The event data is needed to confirm this. Replication between sites (not intra-site) will be affected NTDS KCC Error 2002 Knowledge Consistency There are many different matches on Microsoft.com for this event, but none specifically for the NTDS KCC source. The event data is needed to establish the reason for this. Unknown without the event data. WARNINGS Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1105 Knowledge Consistency This looks like a known event that occurs if a domain controller is moved between sites: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1105&EvtSrc=Active+Directory&LCID=103 3 Problem As per the Technet article, no action is required This does not indicate a problem Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1265 Knowledge Consistency This is a problem establishing a replication link with another domain controller to replicate one of the AD partitions. The description should be similar to this: The attempt to establish a replication link with parameters Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com Source DSA DN: CN=NTDS Settings,CN=MYDC1,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuration,DC =MYDOMAIN,DC=COM Source DSA Address: e7453dd3-63b9-4ea1-ab78e0f16115c84d._msdcs.mydomain.com Inter-site Transport (if any): failed with the following status: Logon failure: unknown user name or bad password. The record data is the status code. This operation will be retried. Data 0000052e This cannot be confirmed without the event data, these are some possible causes: Out of sync domain trust relationship: http://support.microsoft.com/kb/816577 Problems promoting a DC to be a Global Catalog: http://support.microsoft.com/kb/910204 Wider replication problems: http://support.microsoft.com/kb/816577 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to properly establish the cause for the warning. Unconfirmed without the event data NTDS KCC Warning 1307 / 1308 Knowledge Consistency This is the KCC failing to connect to a domain controller to replicate but failing and then creating a temporary link to another DC: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1307&EvtSrc=Active+Directory&LCID=103 3 This could be caused by the relevant domain controller being shut down / disconnected from the LAN. This is commonly done, but a DC should not be disconnected without be demoted first: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.2&EvtID=1308&EvtSrc=NTDS+KCC&LCID=1033 Problem If the problem domain controller was removed from the network intentionally then this is not a problem, but metadata cleanup should be used to cleanly remove it (assuming that it cannot be reconnected and then demoted). If it was not removed intentionally then communication problems need to be investigated. Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1435 Knowledge Consistency This is a warning that a KCC operation failed and will be retried: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Win dows%20Operating%20System&ProdVer=5.2&EvtID=1435&EvtSrc=Active%20 Directory&LCID=1033 Problem As per the Technet article no action is required. This does not indicate a problem. Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1566 Knowledge Consistency / Patched This may be a patched issue with Windows 2000 Server: http://support.microsoft.com/kb/268109 Problem It is not yet clear which Servicepack this was first fixed in, but it will be covered by Servicepack 4 + August 2004 Post Servicepack 4 rollup. The event logs may fill and rollover Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1663 Knowledge Consistency This is an internal event and does not represent a problem: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1633&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description As per the Technet article, this does not represent a problem. Unknown without the event data. NTDS KCC Warning 1865 Knowledge Consistency This could be a communication problem between the bridgehead domain controllers of two AD sites (the bridgehead is also known as the Inter Site Topology Generator, or ISTG): http://support.microsoft.com/kb/944351 Problem This is usually cased by a firewall blocking ports between sites (subnets). Replication will not occur between the affected sites. Source: Type: Event ID: SCOPE: Description NTDS KCC Warning 1925 Knowledge Consistency This could be caused by a firewall blocking ports needed for RPC communication: http://support.microsoft.com/kb/911799 If could also indicate an out of sync trust between a parent & child domain: http://support.microsoft.com/kb/938702 Problem Replication will not occur between the affected sites. Source: Type: Event ID: SCOPE: Description Problem NTDS KCC Warning 2051 Knowledge Consistency Can only find references to Exchange 5.5 MTA Unknown without the event data Source: Type: Event ID: SCOPE: Description Problem NTDS KCC Warning 2052 Knowledge Consistency Can only find references to Message Queue Service Unknown without the event data Source: Type: Event ID: SCOPE: Description Problem NTDS KCC Warning 2053 Knowledge Consistency Can only find references to Exchange & Message Queue service Unknown without the event data Source: Type: Event ID: SCOPE: Description Problem NTDS KCC Warning 2054 Knowledge Consistency Not found Unknown without the event data NTDS LDAP ERRORS Source: Type: Event ID: SCOPE: Description NTDS LDAP Error 1238 Database Health This is an internal event that should only be seen if the default logging level is changed: This is an Active Directory internal event. Internal events appear in the Event Viewer only when the default logging level is changed. Most internal events are for informational purposes only. This event is logged when Active Directory cannot initialize network connections for incoming LDAP requests. Verify that the connections are set up correctly. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1238&EvtSrc=Active+Directory&LCID=103 3 Problem Unknown without the event data WARNINGS None Found NTDS MAPI ERRORS None Found WARNINGS None Found NTDS REPLICATION ERRORS Source: Type: Event ID: SCOPE: Description NTDS Replication Error 1107 Replication This looks like a problem with the AD replication dispatcher thread: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1107&EvtSrc=Active+Directory&LCID=103 3 Problem The domain controller should be restarted. Replication in and out from this domain controller will not occur until the server is rebooted Source: Type: Event ID: SCOPE: Description NTDS Replication Error 1388 / 1988 Replication This indicates that the domain controller has detected a lingering object: http://technet.microsoft.com/en-us/library/cc780362.aspx Problem Source: Type: Event ID: SCOPE: Description This can happen if a domain controller is offline for longer than the Tombstone lifetime period, is switched back on, and then tries to update items that have been deleted. It could also happen if an online domain controller has not been replicating for then length of the Tombstone lifetime. Old items that should have been deleted may reappear in the directory. NTDS Replication Error 1411 Replication This looks to be an internal AD event that is only logged when the default logging level is changed: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1488&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description As per the Technet article, no action is required. The event data is needed to confirm this. This does not represent a problem. NTDS Replication Error 1481 Replication This looks to be an internal AD event that is only logged when the default logging level is changed: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1481&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description As per the Technet article, no action is required. The event data is needed to confirm this. This does not represent a problem. NTDS Replication Error 1791 Replication / Patched This looks like a known problem in a mixed Windows 2000 Server / Windows Server 2003 domain controller environment. It is resolved by a patch on the Windows 2000 domain controller: http://support.microsoft.com/kb/824873 Note: This patch is included in Windows 2000 Server Post Servicepack 4 Rollup 1. Problem The event data is needed to confirm this. Replication between Windows 2000 Server and Windows Server 2003 domain controllers Source: Type: Event ID: SCOPE: Description NTDS Replication Error 1960 Replication Not found on microsoft.com, eventid.net suggests this: Internal event: The following domain controller received an exception from a remote procedure call (RPC) connection. The operation may have failed. Process ID: <PID> Reported error information: Error value: The RPC server is too busy to complete this operation. (1723) Domain controller: <DC> Extended error information: Error value: The RPC server is too busy to complete this operation. (1723) Domain controller: <DC> Additional Data Internal ID: <ID>. Problem Source: Type: Event ID: SCOPE: Description The event data is needed to verify this. Unknown without the event data NTDS Replication Error 1977 Replication Microsoft.com has a document for this, but it relates to Windows Server 2008. It is a problem where a replication request from one domain controller to another is denied: The following directory service made a replication request for a writable directory partition that has been denied by the local directory service. The requesting directory service does not have access to a writable copy of this directory partition. Requesting directory service: %2 Directory partition: %1 User Action If the requesting directory service must have a writable copy of this partition, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes All access right. You may also get this message during the transition period after a child partition has been removed. This message will cease when knowledge of the child partition removal has replicated throughout the forest. http://technet.microsoft.com/en-us/library/dd349498.aspx Problem The event data is needed to verify this Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS Replication Error 2095 Replication This indicates that the domain controller has performed a USN rollback, which is usually caused by an incorrectly performed data restoration. The following articles have information about the cause and detection / resolution of USN rollback. Windows Server 2003 http://support.microsoft.com/kb/875495 Windows 2000 Server http://support.microsoft.com/kb/885875 Error Event ID 2095 specifically alerts to a USN Rollback. Warning events 1113 and 1115 are symptoms of replication being disabled as a result. Problem Active Directory Replication will not work for objects affected by the USN Rollback, but replication will appear to be working in Replication Monitor. User / Computer logon may fail periodically for these affected objects. WARNINGS Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 1085 Replication This indicates that an RPC replication request has not received a response from the source domain controller: http://support.microsoft.com/kb/830746 Problem Source: Type: Event ID: SCOPE: Description If the source domain controller is offline then this would be expected. If it is online then there is a delay with RPC communication. Replication will be delayed or not occurring NTDS Replication Warning 1188 Replication This is the domain controller waiting for a response from an RPC call made to another domain controller: A thread in the directory is waiting in a remote procedure call (RPC) to directory %1 performing a(n) %3 operation. The directory has attempted to cancel the call and recover thread id %2. If this condition persists- stop and restart that Windows Domain Controller. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1188&EvtSrc=Active+Directory&LCID=103 3 Problem If this continues to happen regularly then the domain controller should be rebooted. Replication will be interrupted. Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 1203 Replication The local domain controller could not replicate the specified object from the source domain controller at the network address because of an Active Directory schema mismatch. Active Directory will try to synchronize the schema and then try to synchronize the directory partition again. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.0&EvtID=1203&EvtSrc=Active+Directory&LCID=103 3 Problem Source: Type: Event ID: SCOPE: Description As per the Technet article, this does not require any action. This does not indicate a problem. NTDS Replication Warning 1232 Replication This is caused by a timeout whilst waiting for a replication request response over RPC: http://support.microsoft.com/kb/830746 Problem Source: Type: Event ID: SCOPE: Description This may indicate that the remote domain controller is offline, or a problem with the link to it. Replication delays will occur. NTDS Replication Warning 1586 Replication / Patched This is a known replication issue in Windows 2000 Server and is resolved in Servicepack 4: http://support.microsoft.com/kb/326855 Problem Replication will be disrupted Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 1837 Replication Not found on microsoft.com, eventid.net suggests this: An attempt to transfer the operations master role represented by the following object failed. Object: CN=Infrastructure,DC=home,DC=rodgersent,DC=com Current operations master role: CN=NTDS Settings,CN=SPEEDY,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=home,DC=rodgersent,DC=com Proposed operations master role: CN=NTDS Settings,CN=ROCKET,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=home,DC=rodgersent,DC=com Additional Data Error value: <value>. Problem If this is in fact the case then there could be problems with the forest root domain controller. The event data is needed to confirm this. Potential forest root domain controller problems. Source: Type: Event ID: SCOPE: Description Problem NTDS Replication Warning 1838 Replication Nothing found on Microsoft.com or EventID.net Unknown without the event data Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 1839 Replication Not found on microsoft.com, eventid.net suggests this: The following number of operations is waiting in the replication queue. The oldest operation has been waiting since the following time. Time: <date> <time> Number of waiting operations: <value> This condition can occur if the overall replication workload on this domain controller is too large or the replication interval is too small. Problem This could be a temporary resource issue. The event data is needed to verify this. Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 1862 Replication Not found on microsoft.com, eventid.net suggests this: This is the replication status for the following directory partition on the local domain controller. Directory partition: DC=ForestDnsZones,DC=mcsenetworks,DC=net The local domain controller has not received replication information from a number of domain controllers in other sites within the configured latency intverval. Number of domain controllers: 1 Latency Interval (Hours): 24 The latency interval can be modified with the following registry key. Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe. You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>". Problem Source: Type: Event ID: SCOPE: Description This could indicate a comms issue with a remote site. The event data is needed to verify this. Replication between sites could be interrupted. NTDS Replication Warning 2088 Replication This is a DNS issue. The server could not resolve the IP address of a domain controller using its GUID in the CNAME record (this is part of the domain SRV records). The server managed to reach the remote domain controller via either it s FQDN or NETBIOS name, but the DNS issue needs to be resolved: http://technet.microsoft.com/en-us/library/cc787713(WS.10).aspx Problem In the first instance use ipconfig /registerDNS on the remote domain controller. If the warning still occurs then there may be other DNS issues. Replication is working, but DNS configuration is damaged. Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 2089 Replication This is a warning that the System State has not been backed up recently: http://support.microsoft.com/kb/914034 Event Type: Warning Event Source: NTDS Replication Event Category: Backup Event ID: 2089 Description: This directory partition has not been backed up since at least the following number of days. Directory partition: DC=domainDC=com "Backup latency interval" (days): 30 Problem Source: Type: Event ID: SCOPE: Description The event data is needed to verify the time since the last backup, but the existence of this event means that regular backups are not taking place. Backup issues with this server. NTDS Replication Warning 2091 / 2092 / 2093 Replication This indicates that one or more FSMO roles are owned by a server that has been deleted. This indicates a dirty removal of a domain controller. http://support.microsoft.com/kb/914032 Problem Use NTDSUTIL to seize ownership of the affected FSMO roles on a suitable domain controller. FSMO dependant operations will fail. Source: Type: Event ID: SCOPE: Description NTDS Replication Warning 2094 Replication Not found on microsoft.com, eventid.net suggests this: Performance warning: replication was delayed while applying changes to the following object. If this message occurs frequently it indicates that the replication is occurring slowly and that the server may have difficulty keeping up with changes. Problem NTDS SAM ERRORS None found WARNINGS None found The event data is needed to verify this. Replication may be delayed NTDS SCRIPTING ERRORS None found WARNINGS None found NTDS SDPROP ERRORS Source: Type: Event ID: SCOPE: Description NTDS SDPROP Error 2008 Database Health This looks to be related to performance issues caused by an AD attribute having too many values, specifically ProxyAddresses (Exchange email address attribute) has too many email addresses: http://support.microsoft.com/kb/914036 . The event data is needed to verify this. The hotfix is actually an Exchange Server 2003 so would be installed on the Exchange server that runs the Recipient Update Service: http://support.microsoft.com/kb/834349/ http://support.microsoft.com/kb/835894/ Problem WARNINGS None found NTDS SECURITY ERRORS None found WARNINGS None found NTDS SETUP ERRORS None found WARNINGS None found NTDS XDS ERRORS None found Unknown without the event data WARNINGS None found File Replication Log FILE REPLICATION SERVICE ERRORS None found WARNINGS None Found NTFRS ERRORS Source: Type: Event ID: SCOPE: Description NTFRS Error (In the critical list) 13568 File Replication This indicates that the File Replication Service has entered a Journal Wrap state. This happens when files needed by the replication service have been purged from the NTFS USN journal. There can be many reasons for this happening. These articles contain information and troubleshooting tips: Windows 2000 Server http://technet.microsoft.com/en-us/library/bb727056.aspx#EFAA Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/tshootfrs.ms px Problem File replication, which is used for the SYSVOL and NETLOGON shares, is interrupted. This means that AD replication is interrupted. Source: Type: Event ID: SCOPE: Description NTFRS Error 13504 File Replication This indicates that the file replication service stopped without cleaning up. This could indicate an unexpected shutdown of the service or the entire server. More events are needed to establish whether or not replication has been affected. Event ID: 13504 Event Type: Error Rule: Collect Message Text: The File Replication Service stopped without cleaning up. Problem Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTFRS Error 13506 File Replication This indicates a failed consistency check, and that the file replication service is going to restart. Other events will be logged to provide more specific information. Event ID: 13506 Event Type: Error Rule: Alert suppressed based on ID, source, computer, desc (par 3). Message Text: The File Replication Service failed a consistency check (%3) in "%1" at line %2. The File Replication Service will restart automatically at a later time. If this problem persists a subsequent entry in this event log describes the recovery procedure. For more information about the automatic restart right click on My Computer and then click on Manage, System Tools, Services, File Replication Service, and Recovery. Problem Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTFRS Error 13526 File Replication This indicates that the target replication partner becomes unreachable; this means that the local domain controller has lost communication with the remote domain controller. If this happens when a DC is being rebooted then it is to be expected, but otherwise it indicates a problem with communication. Problem Communication between the servers in the event is broken. May be transient but needs to be checked if it occurs regularly. Source: Type: Event ID: SCOPE: Description NTFRS Error 13539 File Replication This could mean that the file replication service is still trying to replicate a folder that has been deleted. Event ID: 13539 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service cannot replicate %1 because the pathname of the replicated directory is not the fully qualified pathname of an existing, accessible local directory. Problem Check the value of that path in %1. Has it recently been deleted? This could be benign if the folder detailed in the log was intentionally deleted. Source: Type: Event ID: SCOPE: Description NTFRS Error 13540 File Replication This could indicate a problem with the staging directory in the file replication service. Event ID: 13540 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service cannot replicate %1 because the pathname of the customer designated staging directory: %2 is not the fully qualified pathname of an existing, accessible local directory. This article explains how to check / change the staging directory: http://support.microsoft.com/default.aspx?scid=kb;en-us;291823 It could also occur if the SYSVOL folder is not properly shared, which can happen after a system state restore. It could also be a badly implemented staging area change. Check that the share exists and is pointing to the correct folder. Problem File replication may be broken between one or more domain controllers. Source: Type: Event ID: SCOPE: Description NTFRS Error 13544 File Replication This could occur if changes are made to the replication settings, and a folder is added that is already replicated as a subfolder in another set: CHECK THIS Event ID: 13544 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service cannot replicate %1 because it overlaps the replicating directory %2. Problem This may correct itself once replication is complete, but if not then the duplication needs to be manually fixed. This could be a Distributed File System issue that is not related to Active Directory SYSVOL replication. The event data would be needed to check this. File replication may be broken between one or more Servers. Source: Type: Event ID: SCOPE: Description NTFRS Error 13548 File Replication This indicates a time synchronisation issue on the network: Event ID: 13548 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service is unable to replicate with its partner computer because the difference in clock times is outside the range of plus or minus %1 minutes. The connection to the partner computer is: "%2" The detected time difference is: %3 minutes. The Windows Time service should be reset to the proper Active Directory configuration where the Forest Root (PDC Emulator) uses a reliable NTP source, and all replica domain controllers use the NTDS time source. RM TEC article TEC843246 has detailed instructions. Problem File replication will not work until this is resolved. Users may also experience problems accessing files on the server with incorrect time. Source: Type: Event ID: SCOPE: Description NTFRS Error 13552 File Replication This is a problem starting file replication: Event ID: 13552 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service is unable to add this computer to the following replica set: "%1" This could be caused by a number of problems such as: -- an invalid root path, -- a missing directory, -- a missing disk volume, -- a file system on the volume that does not support NTFS 5.0 The information below may help to resolve the problem: Computer DNS name is "%2" Replica set member name is "%3" Replica set root path is "%4" Replica staging directory path is "%5" Replica working directory path is "%6" Windows error status code is %7 FRS error status code is %8 Other event log messages may also help determine the problem. Correct the problem and the service will attempt to restart replication automatically at a later time. Problem The event data is needed to establish the reason for this. Unknown without the event data, but replication is not functioning. Source: Type: Event ID: SCOPE: Description NTFRS Error 13555 File Replication This indicates that the file replication is in an error state, but doesn’t say why Event ID: 13555 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed: There can be many reasons for this error. Some things to check: 1) 2) The first step is to restart the file replication service to see if it clears. If this is a Windows 2000 Server then install Servicepack 4 + the latest Post Servicepack 4 rollup. There were hotfixes previous to Servicepack 4 that improved the reliability of the FRS service. 3) A file ID for data in the FRS database does not match the file ID for the data in the update sequence number (USN) journal database; This article explains a process to resolve this: http://support.microsoft.com/default.aspx?scid=kb;en-us;925633 Problem There could be other reasons, more investigation may be needed. Unknown without the event data. Source: Type: Event ID: SCOPE: Description NTFRS Error 13559 File Replication The File Replication Service has detected that the replica root path has changed: Event ID: 13559 Event Type: Error Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service has detected that the replica root path has changed from "%2" to "%3". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. This was detected for the following replica set: "%1" Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file. [1] At the first poll which will occur in %4 minutes this computer will be deleted from the replica set. [2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not. Problem If this is a file server that is using distributed file system (DFS) then this may indicate an incorrectly implemented change. This is not expected on a domain controller as the file replication settings are not normally changed manually. File replication may be broken. More investigation is needed. Source: Type: Event ID: SCOPE: Description NTFRS Error 13561 File Replication This indicates that a journal wrap state has been encountered and that Windows will attempt to recover the situation automatically: Event ID: 13561 Event Type: Error Rule: Alert suppressed based on ID, source, computer - state to look for event ID 13560 to indicate that the error is auto recover Message Text: The File Replication Service has detected that the replica set "%1" is in JRNL_WRAP_ERROR. Replica set name is : "%1" Replica root path is : "%2" Replica root volume is : "%3" A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons. [1] Volume "%3" has been formatted. [2] The NTFS USN journal on volume "%3" has been deleted. [3] The NTFS USN journal on volume "%3" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. [4] File Replication Service was not running on this computer for a long time. [5] File Replication Service could not keep up with the rate of Disk IO activity on "%3". Following recovery steps will be taken to automatically recover from this error state. [1] At the first poll which will occur in %4 minutes this computer will be deleted from the replica set. [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. Problem Windows should recover from this situation automatically Source: Type: Event ID: SCOPE: Description NTFRS Error 13570 File Replication This is a low disk space warning: EventID: 13570 Event Type: Error Rule: Low disk space detected. Message Text: The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume. Problem Disk space on C: needs to be made available If C: runs out of disk space the server will stop Source: Type: Event ID: SCOPE: Description Problem NTFRS Error 13671 File Replication Nothing found Unknown without the event data WARNINGS Source: Type: Event ID: SCOPE: Description NTFRS Warning (In the critical list) 13508 File Replication This indicates that the server could not enable replication from a remote server. This could be a transient problem if the remote server is disconnected from the network for some reason, but could be a problem with the file replication service: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.2&EvtID=13508&EvtSrc=NtFrs&LCID=1033 Look out for event 13509 which indicates that replication recovered; if it occurs then replication is functional again. Problem File replication, which is used for the SYSVOL and NETLOGON shares, is interrupted. This means that AD replication is interrupted. Source: Type: Event ID: SCOPE: Description NTFRS Warning (In the critical list) 13562 File Replication This event indicates that there are file replication issues, and shows a summary of them. The event data is needed to troubleshoot the specifics. This document can help with the troubleshooting Recovering missing FRS objects and attributes in Active Directory http://support.microsoft.com/kb/312862 Problem File replication, which is used for the SYSVOL and NETLOGON shares, is interrupted. This means that AD replication is interrupted Source: Type: Event ID: SCOPE: Description NTFRS Warning (In the critical list) 13564 File Replication This indicates that the volume that holds the FRS debug logs is running out of space: http://support.microsoft.com/kb/308406 Problem On a typical domain controller this is likely to be the C: drive. If disk space does run out then the server will stop. Services on that server will be unavailable. Source: Type: Event ID: SCOPE: Description NTFRS Warning 13509 File Replication This indicates that the file replication service has enabled replication, and is expected after a temporary interruption in replication: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+ Operating+System&ProdVer=5.2&EvtID=13509&EvtSrc=NtFrs&LCID=1033 As per the Technet article, no action is required. Problem This does not indicate a problem. Source: Type: Event ID: SCOPE: Description NTFRS Warning 13512 File Replication This indicates that the system has detected write caching on the C: drive. Although this is not a specific problem, it is not recommended for domain controllers as it increases the risk of data corruption. http://support.microsoft.com/kb/316504 Problem Disk caching should be disabled for the C: drive Source: Type: Event ID: SCOPE: Description NTFRS Warning 13520 File Replication This is the event data: Event ID: 13520 Event Type: Warning Rule: Collect Message Text: The File Replication Service moved the preexisting files in %1 to %2. The File Replication Service may delete the files in %2 at any time. Files can be saved from deletion by copying them out of %2. Copying the files into %1 may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from %2 into %1 instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in %2. Problem If this is a file server that is using distributed file system (DFS) then this may indicate an incorrectly implemented change. This is not expected on a domain controller as the file replication settings are not normally changed manually More information is needed. Source: Type: Event ID: SCOPE: Description NTFRS Warning 13525 File Replication This indicates that the system could not find the DNS name for the computer with which it is trying to replicate files? Event ID: 13525 Event Type: Warning Rule: Alert suppressed based on ID, source, computer Message Text: The File Replication Service cannot find the DNS name for the computer %1 because the "%2" attribute could not be read from the distinguished name "%3". The File Replication Service will try using the name "%1" until the computer's DNS name appears. Problem Check that the computer mentioned in the event is properly configured for DNS; try running ipconfig /registerdns at the command prompt of the remote computer Replication between the two servers may be broken Source: Type: Event ID: SCOPE: Description NTFRS Warning 13560 File Replication This is the server attempting to recover from an error state: Event ID: 13560 Event Type: Warning Rule: Collect Message Text: The File Replication Service is deleting this computer from the replica set "%1" as an attempt to recover from the error state, Error status = %2 At the next poll, which will occur in %3 minutes, this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. The procedure in this article may resolve the problem on a Windows 2000 Server: http://support.microsoft.com/default.aspx?scid=kb;en-us;887440 Problem Replication may be interrupted Source: Type: Event ID: SCOPE: Description NTFRS Warning 13563 File Replication This is the system warning that the file path for a replica set has changed, but the change has not yet taken effect as the service has not been restarted: Event ID: 13563 Event Type: Warning Rule: Warning alert suppressed based on ID, source and computer Message Text: The File Replication Service has detected that the staging path for the replica set %1 has changed. Current staging path = %2 New staging path = %3 The service will start using the new staging path after it restarts. Restart the file replication service to apply the new path. The following article explains how to change the staging path for a replica set: http://technet.microsoft.com/en-us/library/cc780215.aspx Problem File replication may be interrupted Source: Type: Event ID: SCOPE: Description NTFRS Warning 13565 File Replication This may occur after a System State recovery on a single domain controller domain: http://support.microsoft.com/default.aspx?scid=kb;en-us;316790 Event ID: 13565 Event Type: Warning Rule: Initial non-authoritative restore in progress Message Text: File Replication Service is initializing the system volume with data from another domain controller. Computer %1 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers. Problem Source: Type: Event ID: SCOPE: Description It may also indicate that the file replication service cannot locate a valid replication partner in the domain. Replication may be interrupted NTFRS Warning 13566 File Replication This is expected immediately after a server is promoted to become a domain controller: Event ID: 13566 Event Type: Warning Rule: Authoritative restore in progress Message Text: File Replication Service is scanning the data in the system volume. Computer %1 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type net share. When File Replication Service completes the scanning process, the SYSVOL share will appear.The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume. Problem If the server has not been promoted then more investigation is needed. Check the event log for more events to help establish the state of the server If the server has been promoted to be a domain controller then this does not indicate a problem. If not then more data is needed. Source: Type: Event ID: SCOPE: Description NTFRS Warning 13567 File Replication This is the file replication service suppressing replication of duplicate changes to preserve bandwidth. This is by design: http://support.microsoft.com/kb/315045 Event ID:13567 Event Type: Warning Rule: Excess file updates detected Message Text: File Replication Service has detected and suppressed an average of %1 or more file updates every hour for the last %2 hours because the updates did not change the contents of the file. The tracking records in FRS debug logs will have the filename and event time for the suppressed updates. The tracking records have the date and time followed by :T: as their prefix. Updates that do not change the content of the file are suppressed to prevent unnecessary replication traffic. Following are common examples of updates that do not change the contents of the file. [1] Overwriting a file with a copy of the same file. [2] Setting the same ACLs on a file multiple times. [3] Restoring an identical copy of the file over an existing one. Suppression of updates can be disabled by running regedit. Click on Start, Run and type regedit. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters and create or update the value "Suppress Identical Updates To Files" to 0 (Default is 1) to force identical updates to replicate. Problem This does not indicate a problem WINDOWS SERVER PATCHES WINDOWS SERVER 2003 SERVICEPACK 2 http://technet.microsoft.com/en-gb/windowsserver/bb229701.aspx WINDOWS 2000 SERVER SERVICEPACK 4 http://www.microsoft.com/downloads/details.aspx?familyid=1001AAF1-749F-49F4-8010297BD6CA33A0&displaylang=en POST SERVICEPACK 4 ROLLUP http://www.microsoft.com/downloads/details.aspx?familyid=B54730CF-8850-4531-B52BBF28B324C662&displaylang=en