lakegroup

asked on

Can I eliminate these two event log warnings on my Server 2008 R2 Domain Controllers?

Here are two warnings I get on my Domain controllers that I’d like to eliminate:

1)  Warning      3/1/2017 1:38:26 PM      VSS                              8230      None
Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 1376. Check connection to domain controller and VssAccessControl registry key.

Operation:
   Initializing Writer

Context:
   Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
   Writer Name: NTDS

Error-specific details:
   Error: NetLocalGroupGetMemebers(SYSTEM), 0x80070560, The specified local group does not exist.


2)  Warning      3/1/2017 1:37:51 PM      Kerberos-Key-Distribution-Center      29      None
Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          3/1/2017 1:37:51 PM
Event ID:      29
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      LDC2.lakegroupmedia.com
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.



As much as I have researched both I cannot find a resolution to get rid of these warnings.

The VSS error is puzzling because I have Shadow Copies disabled. Also note it is complaining about the NetLocalGroupGetMemebers(SYSTEM) local group not existing. There is a typo in the name Memebers rather than Members.

Regarding the Kerberos KDC warning, according to KB 967623 (https://support.microsoft.com/en-us/help/967623/you-receive-a-key-distribution-center-event-id-29-event-message-on-a-windows-server-2008-based-domain-controller), if you have no CA in your organization it is safe to ignore this.

My question is, can I suppress these warnings or is there any kind of workaround to make these particular warnings not appear in my event logs?
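Before suppressing anything, it is worth confirming what the two events are actually telling you. The following PowerShell triage script is an added example (not posted by anyone in this thread) and assumes an elevated session on a 2008 R2 DC with the RSAT ActiveDirectory module installed. It pulls the recent 8230 and 29 events so their timestamps can be lined up against the backup schedule, checks that every account name listed under the VssAccessControl key the 8230 event points at actually resolves to a SID, and looks for an enterprise CA registered in AD, which is the condition KB 967623 uses to decide whether event 29 can be ignored.

```powershell
# Added triage example for VSS event 8230 and KDC event 29 (not from the original thread).
# Assumptions: elevated PowerShell on a domain controller, ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Collect both warnings from the System log for the last 7 days so the timestamps
#    can be compared against the backup windows (e.g. 2am Acronis, 5am Windows Server Backup).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 8230, 29        # 8230 = VSS, 29 = Microsoft-Windows-Kerberos-Key-Distribution-Center
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, ProviderName |
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 2. Event 8230 blames the VssAccessControl key. Every value name under it is an account
#    name VSS must resolve before initializing writers; report any that do not translate.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
$props = Get-ItemProperty -Path $key
$names = $props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath/PSParentPath/... metadata
    Select-Object -ExpandProperty Name

foreach ($name in $names) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($name)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        "{0,-40} -> {1}" -f $name, $sid.Value
    } catch {
        "{0,-40} -> UNRESOLVED ({1})" -f $name, $_.Exception.Message
    }
}

# 3. KB 967623: event 29 is expected when the forest has no enterprise CA. Enterprise CAs
#    publish a pKIEnrollmentService object under Public Key Services in the Configuration partition.
$cfg    = (Get-ADRootDSE).configurationNamingContext
$caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
$cas    = Get-ADObject -SearchBase $caBase -Filter "objectClass -eq 'pKIEnrollmentService'" -ErrorAction SilentlyContinue

if ($cas) {
    "Enterprise CA(s) registered in AD: $($cas.Name -join ', '). Event 29 should be investigated (certutil -verify the KDC cert or re-enroll)."
} else {
    "No enterprise CA registered in AD. Per KB 967623, event 29 is expected and can be ignored."
}
```

Run it once on each DC that logs the warnings; if step 2 shows an entry resolving to an unexpected SID, or resolving differently on the two DCs, the name is ambiguous and that is where to look before touching the registry.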
Patrick Bogers

Hi

About VSS. I assume backups are running fine. If not, stop reading my comment.
Ok, backups are fine.
Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
Make an export of the key called SYSTEM and, when certain you have the backup, delete that entry.

Please share the result.
lakegroup

ASKER

Thank you for the reply.
Should I be looking for a sub-Key under HKLM\SYSTEM\CurrentControlSet\Services\VSS called SYSTEM? Because I don't see one.

Here is the .reg export of the HKLM\SYSTEM\CurrentControlSet\Services\VSS key (I also attached a .PNG screen clip if you can view that):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS]
"DisplayName"="@%systemroot%\\system32\\vssvc.exe,-102"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,76,\
  00,73,00,73,00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00
"Description"="@%systemroot%\\system32\\vssvc.exe,-101"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Type"=dword:00000010
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\FRS Writer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\System Writer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\VolSnap]
"VolumesSafeForWrite (Enter)"=hex:48,00,00,00,00,00,00,00,14,43,26,6d,c2,92,d2,\
  01,00,00,00,00,00,00,00,00,1e,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00
"VolumesSafeForWrite (Leave)"=hex:48,00,00,00,00,00,00,00,bf,20,37,76,c2,92,d2,\
  01,00,00,00,00,00,00,00,00,1f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\WMI Writer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}]
@="Microsoft Software Shadow Copy provider 1.0"
"Type"=dword:00000001
"Version"="1.0.0.7"
"VersionId"="{00000001-0000-0000-0007-000000000001}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}\CLSID]
@="{65EE1DBA-8FF4-4a58-AC1C-3470EE2F376A}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Settings]
"HotBlocksPreCopyPercentage"=dword:00000000
"FreeSpacePreCopyPercentage"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Settings\WritersBlockingRevert]
"{2707761B-2324-473D-88EB-EB007A359533}"="DFS-R Writer"
"{D76F5A28-3092-4589-BA48-2958FB88CE29}"="FRS Writer"
"{B2014C9E-8711-4C5C-A5A9-3CF384484757}"="AD Writer"
"{DD846AAA-A1B6-42a8-AAF8-03DCB6114BFD}"="ADAM Writer"
"TornComponentsBlockRevert"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\VssAccessControl]
"NT Authority\\NetworkService"=dword:00000001
Hi,

In VssAccessControl I would expect an account named SYSTEM, as per the first error in your post. It is not there?
There is an account named SYSTEM in our Domain but there is not a key called SYSTEM.
No key in the registry called SYSTEM.
When is this server rebooted for the last time?
Rebooted just this morning actually.  This machine is DC #2 in our environment and I rebuilt it from scratch this week in hopes of getting rid of these particular warnings.
As soon as I ran DCPROMO it began generating these warnings again. The same warnings also appear on our 'master' DC #1.
Ok, let's try one more thing.
In VssAccessControl add a new DWORD (32-bit) with value 1 and name SYSTEM.

What happens?
After doing that and rebooting I still see the VSS warning...

Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 1376. Check connection to domain controller and VssAccessControl registry key.

Operation:
   Initializing Writer

Context:
   Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
   Writer Name: NTDS

Error-specific details:
   Error: NetLocalGroupGetMemebers(SYSTEM), 0x80070560, The specified local group does not exist.

Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 1376. Check connection to domain controller and VssAccessControl registry key.
Ah, I missed something in the initial post: you have multiple domain controllers.
The question is, which one is triggering this error while running a backup? That's the one where the SYSTEM account should be removed in the registry as mentioned.
Actually both DC's get this event in their event logs, so it appears both trigger it. The backup times are 2am and 5am and correspond to the VSS warning event. The 2am backup is done by Acronis Backup & Recovery 11.7 and the 5am backup is a Windows Server backup of the system state.
Can you check the start time but also the success or fail time and compare them to the VSS timestamp?
The VSS warning timestamps in the event log correspond to the backup times as I mentioned above. There's no doubt both the Acronis and Windows Server backup processes are causing the VSS warnings to appear in the event log, but the backups are successful. I just wish I could find a way to prevent these warnings from overcrowding my event logs.
I understand. Are they both logging with SYSTEM as the used account? I can imagine Acronis uses its own usernames.
If I am looking in the right place, when I dig under the friendly view of the VSS warnings in Event Viewer I see the users NT AUTHORITY\SYSTEM and NT AUTHORITY\NETWORK SERVICE (event log extracts pasted below).

In Bytes

0000: 2D 20 43 6F 64 65 3A 20   - Code:
0008: 53 45 43 53 45 43 52 43   SECSECRC
0010: 30 30 30 30 31 39 37 32   00001972
0018: 2D 20 43 61 6C 6C 3A 20   - Call:
0020: 53 45 43 53 45 43 52 43   SECSECRC
0028: 30 30 30 30 31 37 35 36   00001756
0030: 2D 20 50 49 44 3A 20 20   - PID:  
0038: 30 30 30 30 33 34 31 36   00003416
0040: 2D 20 54 49 44 3A 20 20   - TID:  
0048: 30 30 30 30 32 34 30 38   00002408
0050: 2D 20 43 4D 44 3A 20 20   - CMD:  
0058: 22 43 3A 5C 57 69 6E 64   "C:\Wind
0060: 6F 77 73 5C 73 79 73 74   ows\syst
0068: 65 6D 33 32 5C 77 62 65   em32\wbe
0070: 6E 67 69 6E 65 2E 65 78   ngine.ex
0078: 65 22 20 20 20 20 20 20   e"      
0080: 2D 20 55 73 65 72 3A 20   - User:
0088: 4E 61 6D 65 3A 20 4E 54   Name: NT
0090: 20 41 55 54 48 4F 52 49    AUTHORI
0098: 54 59 5C 53 59 53 54 45   TY\SYSTE
00a0: 4D 2C 20 53 49 44 3A 53   M, SID:S
00a8: 2D 31 2D 35 2D 31 38 20   -1-5-18


In Bytes

0000: 2D 20 43 6F 64 65 3A 20   - Code:
0008: 53 45 43 53 45 43 52 43   SECSECRC
0010: 30 30 30 30 31 39 37 32   00001972
0018: 2D 20 43 61 6C 6C 3A 20   - Call:
0020: 53 45 43 53 45 43 52 43   SECSECRC
0028: 30 30 30 30 31 37 35 36   00001756
0030: 2D 20 50 49 44 3A 20 20   - PID:  
0038: 30 30 30 30 31 31 34 38   00001148
0040: 2D 20 54 49 44 3A 20 20   - TID:  
0048: 30 30 30 30 32 37 34 34   00002744
0050: 2D 20 43 4D 44 3A 20 20   - CMD:  
0058: 43 3A 5C 57 69 6E 64 6F   C:\Windo
0060: 77 73 5C 73 79 73 74 65   ws\syste
0068: 6D 33 32 5C 73 76 63 68   m32\svch
0070: 6F 73 74 2E 65 78 65 20   ost.exe
0078: 2D 6B 20 44 48 43 50 53   -k DHCPS
0080: 65 72 76 65 72 20 20 20   erver  
0088: 2D 20 55 73 65 72 3A 20   - User:
0090: 4E 61 6D 65 3A 20 4E 54   Name: NT
0098: 20 41 55 54 48 4F 52 49    AUTHORI
00a0: 54 59 5C 4E 45 54 57 4F   TY\NETWO
00a8: 52 4B 20 53 45 52 56 49   RK SERVI
00b0: 43 45 2C 20 53 49 44 3A   CE, SID:
00b8: 53 2D 31 2D 35 2D 32 30   S-1-5-20
ASKER CERTIFIED SOLUTION
Patrick Bogers
I apologize for the delay getting back to you.  The problem has been solved. After following the instructions in the TechNet article I assigned full control rights to all accounts listed in my event logs. After that I still received the VSS errors and I decided to try deleting the SYSTEM account that was in my AD. This is not the same as the NT AUTHORITY\system account mind you. After deleting SYSTEM the VSS warnings are gone.

Thank you for your assistance!
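The root cause reported above, an AD account literally named SYSTEM that shadowed the well-known NT AUTHORITY\SYSTEM principal, is a name-collision problem, and it is easy to check for proactively. The script below is an added example (not from the thread or from Microsoft) and assumes the RSAT ActiveDirectory module in an elevated, domain-joined session. The list of reserved names is constructed for the example; extend it with whatever other well-known principals your backup or monitoring software resolves by name. It lists any AD user or group whose sAMAccountName matches a reserved name, then shows the ambiguity directly by resolving both the unqualified name and the domain-qualified name to SIDs.

```powershell
# Added example: audit AD for accounts colliding with well-known built-in principal names.
# Assumptions: ActiveDirectory module (RSAT) available; run in an elevated, domain-joined session.
Import-Module ActiveDirectory

# Reserved names that VSS and other local components expect to resolve to NT AUTHORITY
# principals. List constructed for this example (both spellings Windows accepts are included).
$reserved = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'LocalService', 'NetworkService')

function Resolve-NameToSid {
    # Returns the SID string for an account name, or $null if lookup fails.
    param([string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

# 1. Find AD users or groups whose sAMAccountName equals a reserved name.
$hits = foreach ($n in $reserved) {
    Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$n))" `
                 -Properties sAMAccountName, objectSid, whenCreated
}

if (-not $hits) {
    "No AD user or group shares a name with a reserved principal."
} else {
    "AD objects colliding with reserved principal names:"
    $hits | Select-Object Name, ObjectClass, sAMAccountName, whenCreated, objectSid | Format-Table -AutoSize
}

# 2. Demonstrate the ambiguity: the unqualified name normally resolves to the NT AUTHORITY
#    SID (S-1-5-18 for SYSTEM). If DOMAIN\<name> also resolves, a caller that passes the bare
#    name can land on either principal depending on the lookup order, which is the 8230 symptom.
$domain = (Get-ADDomain).NetBIOSName
foreach ($n in $reserved) {
    $localSid  = Resolve-NameToSid -Name $n
    $domainSid = Resolve-NameToSid -Name "$domain\$n"
    if ($domainSid) {
        "COLLISION {0,-16} unqualified -> {1}   {2}\{0} -> {3}" -f $n, $localSid, $domain, $domainSid
    }
}
```

A clean environment prints only "No AD user or group shares a name with a reserved principal." and no COLLISION lines. Any hit should be renamed or removed (after confirming nothing legitimately depends on it), and the check is cheap enough to schedule alongside the backup jobs so a recurrence shows up before the next round of 8230 warnings.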