Absurd Number Of Event ID 1107

  • Question

  • Hi Everyone!

    Need help/advice on this as I'm unable to find a solution after searching the forum for the past month.

    I have this peculiar issue of this event in my Windows Server 2016 Security logs. It is filling up my event log to the point that 800K+ of the events are the same. Only both Pri and Sec AD exhibit this issue.

    Of all the posts I viewed, most of them state the event publisher name, but in my case it is empty! I have even tried to stop or uninstall suspected services and software, but to no avail.

    Getting stressed as this leaves me unable to see user account login/lockout success/failure events, and these events are important for our InfoSec audits.

    Hope someone can point me to the right solution. Thanks!

    



    • Edited by hh.ng Tuesday, July 16, 2019 3:45 PM
    Tuesday, July 16, 2019 3:37 PM

All replies

  • Might check the name of Execution ProcessID for clues.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, July 16, 2019 3:49 PM
  • Hi Dave,

    Thanks for replying.

    I went back into my AD to look for the ProcessID and it is a generic svchost.exe process but it doesn't give more clues.


    I did a right-click to go to the services and it highlighted these services.

    I'm not sure how to proceed further on this as all the above are essential services which I doubt can be stopped.

    Tuesday, July 16, 2019 4:07 PM
  • Maybe the ThreadId would help? 

    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    I'd ask here for help with this.

    https://social.technet.microsoft.com/Forums/en-US/home?forum=procmon

     

     



    Regards, Dave Patrick ....

    Tuesday, July 16, 2019 4:14 PM
  • Hi Dave,

    Yeah. I went this route before but all I get is millions of records that still don't make sense to me. :-(

    I assume ThreadID is TID in the ProcessMon (need to zoom in within browser to see my attached image).


    • Edited by hh.ng Tuesday, July 16, 2019 4:36 PM
    Tuesday, July 16, 2019 4:33 PM
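
The ProcessID/ThreadID check discussed in the replies above can be done in bulk rather than one event at a time. This is an added example, not part of the original posts; it assumes an elevated PowerShell session on the affected domain controller, and the `$max` sample size is an arbitrary choice.

```powershell
# Added example: summarize Security-log Event ID 1107 by the Execution
# ProcessID / ThreadID stored in each event's System header, then show
# which services share the reporting svchost.exe instance.
$max = 50000   # assumption: sample of the newest events, adjust to log volume

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1107 } `
                       -MaxEvents $max -ErrorAction Stop

# 1. Which process/thread pairs are recorded on the events?
$events |
    Group-Object -Property ProcessId, ThreadId |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name |
    Format-Table -AutoSize

# 2. Events per hour, to see whether the rate is steady or bursty and to
#    line the onset up with patch installs or service changes.
$events |
    Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object -Property Name |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize

# 3. Resolve each distinct PID to its process and the services it hosts
#    (the same view as right-click > "Go to services" in Task Manager).
$events |
    Where-Object { $null -ne $_.ProcessId } |
    Select-Object -ExpandProperty ProcessId -Unique |
    ForEach-Object {
        $procId   = $_
        $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $procId"
        [pscustomobject]@{
            ProcessId = $procId
            Process   = if ($proc) { $proc.ProcessName } else { '<no longer running>' }
            Services  = ($services.Name -join ', ')
        }
    } |
    Format-Table -AutoSize -Wrap
```

The ThreadId values from step 1 are the ones to match against the TID column in Process Monitor, filtered to the PID from step 3, instead of reading the unfiltered capture.
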
  • Might try standing up a new one, patch fully, join domain and promote it as a test.

     

     



    Regards, Dave Patrick ....

    Tuesday, July 16, 2019 4:47 PM
  • Hi Dave,

    OMG... is this the only choice I have?

    This is quite drastic because this is my production server and it is also the Pri AD with all the DHCP/DNS/CA services. It will also be very painful to re-configure all my network devices since they are also pointing to this AD.

    As I dig further, I really suspect this issue is related to some Windows patches. But when I tried to uninstall available patches, it either gave me errors or Windows would roll back the changes itself.

    Does Microsoft have any form of paid support that I can explore? Or are there any other avenues that I can direct my questions to?

    Wednesday, July 17, 2019 2:39 PM
  • Standing up a new domain controller for a test should be quite painless and could be done in about 30 minutes. As to support you can start a case here with product support.

    https://support.microsoft.com/en-us/hub/4343728/support-for-business

     

     



    Regards, Dave Patrick ....

    Wednesday, July 17, 2019 2:53 PM
  • Hi Dave,

    Thanks! I will give it a try then. *fingers crossed*

    Wednesday, July 17, 2019 3:32 PM
  • Sounds good, you're welcome.

     

     



    Regards, Dave Patrick ....

    Wednesday, July 17, 2019 3:33 PM
  • Hi,

     

    Just want to confirm the current situation.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Fan

     


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 22, 2019 6:13 AM
  • Hello,

    If your question has been solved, please choose "Mark as an answer" in order to keep the forums updated.

    Thanks


    Hamid Sadeghpour Saleh Microsoft MCT Regional Lead

    hamidsadeghpour.net

    Mark it as answer if your question has been solved in order to keep the forums updated.

    Monday, July 22, 2019 8:00 AM
  • Hi Hamid,

    I didn't have a chance to try it out yet as I'm worried about bringing on a 3rd AD which might introduce new issues. This is because we need the AD01's CA to work properly since there is an ongoing project that requires some internal CA cert.

    Monday, July 22, 2019 8:44 AM
  • Hi,

    If there is any progress, you are welcome to update here.

    Best Regards,

    Fan



    Monday, July 22, 2019 9:50 AM