locked
Event ID 11 Source KDC RRS feed

  • Domanda

  • This server is Small Business Server 2003 running DNA, DHCP, IIS and Exchange along with other programs like Quickbooks.  The server locks up every night.  I have a laundry list of Event errors.  Most pertaining to Exchange and Quickbooks.  The one I think is closer to the root of my problems is Event ID 11 Source KDC.

    Event Type: Error
    Event Source: KDC
    Event Category: None
    Event ID: 11
    Date:  9/11/2012
    Time:  8:10:29 PM
    User:  N/A
    Computer: Server
    Description:
    There are multiple accounts with name MSSQLSvc/Servername.Domain.local:47663 of type DS_SERVICE_PRINCIPAL_NAME.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    This event happens once an hour.

    Other event errors in the System log include 1111 TermServDevices, 4321 NetBT (this one hasnt come up but a couiple times), 7000 Service Control Manager (Referrs to WQuickbooks).  I also found 1010 and 1017 from the DHCP service a couple times.

    I have found posts pertaining to my error telling me to pull the computer out of the domain, delete the account and rejoin.  With this being a SBS server it is the only domain controller, so that is not an option.

    mercoledì 12 settembre 2012 21:07

Risposte

  • To resolve 13568 follow http://support.microsoft.com/kb/290762  (backup startup and policies folder in sysvol . I am assuming this is the only dc in domain)

    Stop File replication service

    - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\ BurFlags modified the value to D4 .

    Restart FRS. wait till event 13516 appears.

    Have you ran SBS BPA to check if it reports of anything?

    • Contrassegnato come risposta Sean Zhu - martedì 18 settembre 2012 06:28
    • Contrassegno come risposta annullato Definix giovedì 27 settembre 2012 14:10
    • Contrassegnato come risposta Definix giovedì 27 settembre 2012 14:25
    giovedì 13 settembre 2012 19:22

Tutte le risposte

  • Is there a schedule task running at night? I would suggest if there is/are any disable them first and monitor if it still hangs.
    mercoledì 12 settembre 2012 21:26
  • The only scheduled task that was set to run at night was a task to check for flash player updates that was set to run hourly.  I have disabled it, but seriously doubt it has anything to do with my problems.

    I am kinda leaning towards drive format corruption.  I will talk to my supervisor about running chkdsk on it today or tonight.

    The server is showing multiple errors about different things.  Seems to be more towards larger files like databases.  Exchange, Quickbooks, and even "MSSQLSvc/Servername.Domain.local:47663" is referring to another database that is showing bad or wrong information.  If the file system has errors on it I would think it to be a more central point for all these errors and also the server eventually locking up.

    giovedì 13 settembre 2012 15:58
  • If file system has errors search for NTFS events or disk errors in system event logs . Alternatively disable all sql services , reboot ,and monitor for one more night to rule or pin point SQL
    giovedì 13 settembre 2012 16:24
  • I checked NtFs and only found a couple warnings.  ID 50 source Ntfs {Delayed Write Failed} at around 4 AM.  I found one I had forgotten about earlier in the File Replication Service log.

    Event Type: Error
    Event Source: NtFrs
    Event Category: None
    Event ID: 13568
    Date:  9/13/2012
    Time:  12:48:03 AM
    User:  N/A
    Computer: Server
    Description:
    The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
     
     Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
     Replica root path is   : "c:\windows\sysvol\domain"
     Replica root volume is : "\\.\C:"
     A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
     
     [1] Volume "\\.\C:" has been formatted.
     [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
     [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
     [4] File Replication Service was not running on this computer for a long time.
     [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
     Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
     [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
     [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
     
    WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
     
    To change this registry parameter, run regedit.
     
    Click on Start, Run and type regedit.
     
    Expand HKEY_LOCAL_MACHINE.
    Click down the key path:
       "System\CurrentControlSet\Services\NtFrs\Parameters"
    Double click on the value name
       "Enable Journal Wrap Automatic Restore"
    and update the value.
     
    If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Performing the steps below solved this problem:
    1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
    2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes.
    3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
    4. Start the NTFRS Service (net start ntfrs)
    5. Monitor the File Replication Service Event Logs for events:
    • 13553 – The DC is performing the recovery process
    • 13554 – The DC is ready to pull the replica from another DC.
    • 13516 - At this point go to step 6. (the problem is resolved if you receive this event)
    6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The Journal Wrap error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth.
    7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.

    giovedì 13 settembre 2012 17:23
  • To resolve 13568 follow http://support.microsoft.com/kb/290762  (backup startup and policies folder in sysvol . I am assuming this is the only dc in domain)

    Stop File replication service

    - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\ BurFlags modified the value to D4 .

    Restart FRS. wait till event 13516 appears.

    Have you ran SBS BPA to check if it reports of anything?

    • Contrassegnato come risposta Sean Zhu - martedì 18 settembre 2012 06:28
    • Contrassegno come risposta annullato Definix giovedì 27 settembre 2012 14:10
    • Contrassegnato come risposta Definix giovedì 27 settembre 2012 14:25
    giovedì 13 settembre 2012 19:22