lakegroup
Can I eliminate these two event log warnings on my Server 2008 R2 Domain Controllers?
Here are two warnings I get on my Domain controllers that I’d like to eliminate:
1) Warning 3/1/2017 1:38:26 PM VSS 8230 None
Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 1376. Check connection to domain controller and VssAccessControl registry key.
Operation:
Initializing Writer
Context:
Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Name: NTDS
Error-specific details:
Error: NetLocalGroupGetMemebers(SYSTEM), 0x80070560, The specified local group does not exist.
2) Warning 3/1/2017 1:37:51 PM Kerberos-Key-Distribution-Center 29 None
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 3/1/2017 1:37:51 PM
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: LDC2.lakegroupmedia.com
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
As much as I have researched both I cannot find a resolution to get rid of these warnings.
The VSS error is puzzling because I have Shadow Copies disabled. Also note it is complaining about the NetLocalGroupGetMemebers(SYSTEM) local group not existing. There is a typo in the name: Memebers rather than Members.
Regarding the Kerberos KDC warning, according to KB 967623 (https://support.microsoft.com/en-us/help/967623/you-receive-a-key-distribution-center-event-id-29-event-message-on-a-windows-server-2008-based-domain-controller), if you have no CA in your organization it is safe to ignore this.
My question is, can I suppress these warnings or is there any kind of workaround to make these particular warnings not appear in my event logs?
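A way to run the check KB 967623 recommends from PowerShell, added here as an example and not part of the original question or of the KB: it lists certificates in the machine store that carry the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5), which is the certificate event 29 says the KDC cannot find, and reports whether each one chains to a trusted root. The function name Test-KdcCertificate is made up for this example; an empty result on a domain with no CA is exactly the state the KB says is safe to ignore.

```powershell
# Added example (not from the thread). Lists machine certificates usable for
# KDC authentication and checks that each one chains, which is the same
# question certutil -verify answers. Run in an elevated PowerShell on the DC.
function Test-KdcCertificate {
    # OID of the "KDC Authentication" enhanced key usage
    $kdcEku = '1.3.6.1.5.2.3.5'

    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return $false }
        # ForEach-Object instead of member enumeration so this also runs on PowerShell 2.0
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $kdcEku
    }

    if (-not $candidates) {
        Write-Warning "No certificate with the KDC Authentication EKU in LocalMachine\My; event 29 is expected when the domain has no enterprise CA."
        return
    }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
}

Test-KdcCertificate | Format-List
```

If a certificate is listed but ChainValid is false, ChainStatus names the reason (untrusted root, revocation unavailable, expired), which is the case where event 29 is worth acting on rather than ignoring.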
ASKER
Thank you for the reply.
Should I be looking for a sub-key under HKLM\SYSTEM\CurrentControlSet\Services\VSS called SYSTEM? Because I don't see one.
Here is the .reg export of the HKLM\SYSTEM\CurrentControlSet\Services\VSS key (I also attached a .PNG screen clip if you can view that):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS]
"DisplayName"="@%systemroot%\\system32\\vssvc.exe,-102"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,76,\
  00,73,00,73,00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00
"Description"="@%systemroot%\\system32\\vssvc.exe,-101"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Type"=dword:00000010
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\FRS Writer]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\NTDS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\System Writer]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\VolSnap]
"VolumesSafeForWrite (Enter)"=hex:48,00,00,00,00,00,00,00,14,43,26,6d,c2,92,d2,\
  01,00,00,00,00,00,00,00,00,1e,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00
"VolumesSafeForWrite (Leave)"=hex:48,00,00,00,00,00,00,00,bf,20,37,76,c2,92,d2,\
  01,00,00,00,00,00,00,00,00,1f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\WMI Writer]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}]
@="Microsoft Software Shadow Copy provider 1.0"
"Type"=dword:00000001
"Version"="1.0.0.7"
"VersionId"="{00000001-0000-0000-0007-000000000001}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}\CLSID]
@="{65EE1DBA-8FF4-4a58-AC1C-3470EE2F376A}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Settings]
"HotBlocksPreCopyPercentage"=dword:00000000
"FreeSpacePreCopyPercentage"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Settings\WritersBlockingRevert]
"{2707761B-2324-473D-88EB-EB007A359533}"="DFS-R Writer"
"{D76F5A28-3092-4589-BA48-2958FB88CE29}"="FRS Writer"
"{B2014C9E-8711-4C5C-A5A9-3CF384484757}"="AD Writer"
"{DD846AAA-A1B6-42a8-AAF8-03DCB6114BFD}"="ADAM Writer"
"TornComponentsBlockRevert"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\VssAccessControl]
"NT Authority\\NetworkService"=dword:00000001
vss.png
Hi,
In VssAccessControl I would expect an account named SYSTEM, as per the first error in your post. It is not there?
ASKER
There is an account named SYSTEM in our Domain but there is not a key called SYSTEM.
No key in the registry called SYSTEM.
When was this server last rebooted?
ASKER
Rebooted just this morning actually. This machine is DC #2 in our environment and I rebuilt it from scratch this week in hopes of getting rid of these particular warnings.
As soon as I ran DCPROMO it began generating these warnings again. The same warnings also appear on our 'master' DC #1.
OK, let's try one more thing.
In VssAccessControl add a new DWORD (32-bit) with value 1 and name SYSTEM.
What happens?
ASKER
After doing that and rebooting I still see the VSS warning...
Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 1376. Check connection to domain controller and VssAccessControl registry key.
Operation:
Initializing Writer
Context:
Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Name: NTDS
Error-specific details:
Error: NetLocalGroupGetMemebers(SYSTEM), 0x80070560, The specified local group does not exist.
Ah, I missed something in the initial post: you have multiple domain controllers.
The question is, which one is triggering this error while running a backup? That's the one where the SYSTEM account should be removed in the registry as mentioned.
ASKER
Actually both DCs get this event in their event logs, so it appears both trigger it. The backup times are 2am and 5am and correspond to the VSS warning event. The 2am backup is done by Acronis Backup & Recovery 11.7 and the 5am backup is a Windows Server Backup of the system state.
Can you check the start time, but also the success or fail time, and compare them to the VSS timestamp?
ASKER
The VSS warning timestamps in the event log correspond to the backup times as I mentioned above. There's no doubt both the Acronis and Windows Server Backup processes are causing the VSS warnings to appear in the event log, but the backups are successful. I just wish I could find a way to prevent these warnings from overcrowding my event logs.
I understand. Are they both logging with SYSTEM as the used account? I can imagine Acronis uses its own usernames.
ASKER
If I am looking in the right place, when I dig under the friendly view of the VSS warnings in Event Viewer I see the users NT AUTHORITY\SYSTEM and NT AUTHORITY\NETWORK SERVICE (event log extracts pasted below)
In Bytes
0000: 2D 20 43 6F 64 65 3A 20 - Code:
0008: 53 45 43 53 45 43 52 43 SECSECRC
0010: 30 30 30 30 31 39 37 32 00001972
0018: 2D 20 43 61 6C 6C 3A 20 - Call:
0020: 53 45 43 53 45 43 52 43 SECSECRC
0028: 30 30 30 30 31 37 35 36 00001756
0030: 2D 20 50 49 44 3A 20 20 - PID:
0038: 30 30 30 30 33 34 31 36 00003416
0040: 2D 20 54 49 44 3A 20 20 - TID:
0048: 30 30 30 30 32 34 30 38 00002408
0050: 2D 20 43 4D 44 3A 20 20 - CMD:
0058: 22 43 3A 5C 57 69 6E 64 "C:\Wind
0060: 6F 77 73 5C 73 79 73 74 ows\syst
0068: 65 6D 33 32 5C 77 62 65 em32\wbe
0070: 6E 67 69 6E 65 2E 65 78 ngine.ex
0078: 65 22 20 20 20 20 20 20 e"
0080: 2D 20 55 73 65 72 3A 20 - User:
0088: 4E 61 6D 65 3A 20 4E 54 Name: NT
0090: 20 41 55 54 48 4F 52 49 AUTHORI
0098: 54 59 5C 53 59 53 54 45 TY\SYSTE
00a0: 4D 2C 20 53 49 44 3A 53 M, SID:S
00a8: 2D 31 2D 35 2D 31 38 20 -1-5-18
In Bytes
0000: 2D 20 43 6F 64 65 3A 20 - Code:
0008: 53 45 43 53 45 43 52 43 SECSECRC
0010: 30 30 30 30 31 39 37 32 00001972
0018: 2D 20 43 61 6C 6C 3A 20 - Call:
0020: 53 45 43 53 45 43 52 43 SECSECRC
0028: 30 30 30 30 31 37 35 36 00001756
0030: 2D 20 50 49 44 3A 20 20 - PID:
0038: 30 30 30 30 31 31 34 38 00001148
0040: 2D 20 54 49 44 3A 20 20 - TID:
0048: 30 30 30 30 32 37 34 34 00002744
0050: 2D 20 43 4D 44 3A 20 20 - CMD:
0058: 43 3A 5C 57 69 6E 64 6F C:\Windo
0060: 77 73 5C 73 79 73 74 65 ws\syste
0068: 6D 33 32 5C 73 76 63 68 m32\svch
0070: 6F 73 74 2E 65 78 65 20 ost.exe
0078: 2D 6B 20 44 48 43 50 53 -k DHCPS
0080: 65 72 76 65 72 20 20 20 erver
0088: 2D 20 55 73 65 72 3A 20 - User:
0090: 4E 61 6D 65 3A 20 4E 54 Name: NT
0098: 20 41 55 54 48 4F 52 49 AUTHORI
00a0: 54 59 5C 4E 45 54 57 4F TY\NETWO
00a8: 52 4B 20 53 45 52 56 49 RK SERVI
00b0: 43 45 2C 20 53 49 44 3A CE, SID:
00b8: 53 2D 31 2D 35 2D 32 30 S-1-5-20
ASKER CERTIFIED SOLUTION
ASKER
I apologize for the delay getting back to you. The problem has been solved. After following the instructions in the TechNet article I assigned full control rights to all accounts listed in my event logs. After that I still received the VSS errors and I decided to try deleting the SYSTEM account that was in my AD. This is not the same as the NT AUTHORITY\system account mind you. After deleting SYSTEM the VSS warnings are gone.
Thank you for your assistance!
About VSS: I assume backups are running fine. If not, stop reading my comment.
OK, backups are fine.
Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\
Make an export of the key called SYSTEM and, when certain you have the backup, delete that entry.
Please share the result.
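The two checks this thread converged on, written as one PowerShell example for this page (it is not code from the thread, from Acronis or from Microsoft): it shows what each name under VssAccessControl, plus the bare name SYSTEM that the NTDS writer failed on, resolves to through LSA, and then searches the domain for any object whose sAMAccountName is SYSTEM, which is the collision the asker eventually removed. The key path is the one in the .reg export above; Resolve-AccountName, Get-VssAccessControlReport and Find-DomainObjectNamedSystem are helper names made up for this example. LSA's lookup may still return S-1-5-18 for SYSTEM even when a stray directory object exists, because the call VSS actually failed on is NetLocalGroupGetMembers, so the ADSI search is the more direct test.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# Uses only built-in .NET/ADSI types so it also works without the RSAT AD module.
function Resolve-AccountName {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Translate a name to a SID and back, so a name that quietly resolves to
    # the wrong principal shows up as a mismatch between Name and ResolvesTo.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $back    = $sid.Translate([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{ Name = $Name; Sid = $sid.Value; ResolvesTo = $back; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Name = $Name; Sid = $null; ResolvesTo = $null; Error = $_.Exception.Message }
    }
}

function Get-VssAccessControlReport {
    # Key path as shown in the thread's .reg export
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
    $names = @()
    if (Test-Path $key) { $names += (Get-Item $key).GetValueNames() }
    # The NTDS writer failed on the bare name SYSTEM, so always check that one too
    if ($names -notcontains 'SYSTEM') { $names += 'SYSTEM' }
    foreach ($n in $names) { Resolve-AccountName -Name $n }
}

function Find-DomainObjectNamedSystem {
    # NT AUTHORITY\SYSTEM is a well-known SID, not a directory object, so any
    # user, group or computer with sAMAccountName SYSTEM is a name collision.
    $searcher = [adsisearcher]'(sAMAccountName=SYSTEM)'
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            DistinguishedName = $_.Properties['distinguishedname'][0]
            ObjectClass       = ($_.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
}

$report = Get-VssAccessControlReport
$report | Format-Table Name, Sid, ResolvesTo, Error -AutoSize

# Expected: SYSTEM -> S-1-5-18. Anything else means the name now points at a
# domain principal, which is the situation the asker fixed by deleting it.
$report | Where-Object { $_.Name -eq 'SYSTEM' -and $_.Sid -ne 'S-1-5-18' } | ForEach-Object {
    Write-Warning "SYSTEM resolved to $($_.Sid) ($($_.ResolvesTo)), not the built-in S-1-5-18"
}

$hits = @(Find-DomainObjectNamedSystem)
if ($hits.Count -gt 0) { $hits | Format-List } else { Write-Output 'No directory object named SYSTEM found.' }
```

Run it on each DC that logs event 8230; the report for the account names is per machine, while the directory search gives the same answer on every DC. Before deleting anything the search turns up, export or note the object's distinguished name and confirm nothing references it, in the same spirit as the registry backup suggested above.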