
Domain controllers messages

I have 2 domain controllers (main and backup); the servers are only tasked with DNS, DHCP and AD. I started seeing the following messages in the Application log.

lsass (544) A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy97\Windows\NTDS\ntds.dit'.

lsass (544) The database engine has begun replaying logfile \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy97\Windows\NTDS\edb000EF.log.

lsass (544) The database engine has begun replaying logfile \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy97\Windows\NTDS\edb.log.

lsass (544) The database engine has successfully completed recovery steps.

These are not reported as errors but as information events. I'm just concerned about why I'm seeing this.

Can someone explain why this is happening?


Darrell Porter, Enterprise Business Process Architect
BRONZE EXPERT

Commented:
Did you just recently add a domain controller?  Has anything else changed in the environment such as adding printers, expanding to a new site, adding new VLANs or new network segments for which Active Directory is aware?

Author

Commented:
Nope, nothing new. We do have printers added on the main DC for shared access, but that's it.

DarinTCH, Senior CyberSecurity Engineer
BRONZE EXPERT

Commented:
And have you examined those logs it references?

The edb files are transaction logs.

see
http://www.informit.com/articles/article.aspx?p=101405&seqNum=10

Author

Commented:
No, I was first checking to see if it's a matter for concern, or the possible cause for the log rewrites. I will look at the logs.

Darrell Porter, Enterprise Business Process Architect
BRONZE EXPERT

Commented:
Do you see any replication errors or other anomalies in the Directory Services logs?

Author

Commented:
In the Directory Services log I see this warning once a day:

Event ID 2887

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

Summary information on the number of these binds received within the past 24 hours is below.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Number of simple binds performed without SSL/TLS: 0
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 529
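As an added example (not part of the thread), a PowerShell check to run in an elevated session on the DC: it pulls the daily Event 2887 counters out of the Directory Service log, raises the "LDAP Interface Events" diagnostics level to 2 as the event text recommends, and then groups the resulting per-bind Event 2889 records by client so the applications doing unsigned binds can be identified. The regexes assume the English message text of those events; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the domain controller.
$since = (Get-Date).AddDays(-7)

# Daily Event 2887 summaries: extract the two counters from the message body.
# Patterns follow the English event text quoted in the thread (assumption).
$summary = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2887; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Day              = $_.TimeCreated.ToString('yyyy-MM-dd')
        SimpleBindsNoTLS = [int][regex]::Match($_.Message, 'without SSL/TLS:\s*(\d+)').Groups[1].Value
        SaslBindsNoSign  = [int][regex]::Match($_.Message, 'without signing:\s*(\d+)').Groups[1].Value
    }
}
$summary | Format-Table -AutoSize

# Raise "16 LDAP Interface Events" to level 2 (the step Event 2887 recommends).
# At level 2 each unsigned or cleartext bind is logged as Event 2889 with the
# client address and the identity it bound as.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
if ((Get-ItemProperty -Path $diag).'16 LDAP Interface Events' -lt 2) {
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# After at least a day at level 2: which clients, as which accounts, how often.
# Event 2889 text carries "Client IP address: <ip>:<port>" and
# "Identity the client attempted to authenticate as: <account>" (assumed English text).
Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $addr = [regex]::Match($_.Message, 'Client IP address:\s*(\S+)').Groups[1].Value
    $who  = [regex]::Match($_.Message, 'authenticate as:\s*(\S+)').Groups[1].Value
    [pscustomobject]@{
        ClientIP = ($addr -replace ':\d+$', '')   # drop the ephemeral source port
        Identity = $who
    }
} | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client / Identity'; e = { $_.Name } } |
    Format-Table -AutoSize
```

The resulting table is the list to hand to application owners: each client that appears needs LDAP signing or LDAPS enabled before the DC can be configured to reject such binds.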
DarinTCH, Senior CyberSecurity Engineer
BRONZE EXPERT
Commented:
Those are not particularly troublesome notices.

LDAP - Lightweight Directory Access Protocol

The LDAP bind operation can be used to authenticate to the Directory Server. There are two basic types of bind operations:
- A simple bind operation, which uses simple authentication involving a bind DN and password to authenticate to the server.
- A SASL bind operation, which uses the Simple Authentication and Security Layer to authenticate the client, which can use a variety of types of credentials based on the selected SASL mechanism.
 
see
https://www.opends.org/wiki/page/DefinitionLDAPBindOperation

Author

Commented:
OK, that's ok then, but I'm still left wondering about these log replay messages.
