Consistenet App. log error

[Matt]

I have 8 2K DC's. In checking the logs a few days ago I
noticed an error on all 8 that appears every 5 minutes
and it appears on all 8 at about the same time. I am
pretty sure this is a replication problem, but I have so
far been unable to find out the solution. Here are the 2
event ID's and descriptions. THanks for any help.

Event ID: 1202
Description: Security policies are propagated with
warning. 0x5 : Access is denied.
Please look for more details in TroubleShooting section
in Security Help

Event ID: 1000
Description: The Group Policy client-side extension
Security was passed flags (17) and returned a failure
status code of (5).

 

[Steven L Umbach]

Hi Matt.

The KB link below may be of help and looks identical to your messages. I would also
run netdiag and dcdiag on one of your domain controllers looking for any failed
tests/warning/errors that may help pinpoint the problem. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;284461

 

[Terry Liu [MSFT]]

Hi Matt,

Thank you for posting here!

Based on the problem description, I understand that event ID 1202 and event
ID 1000 are logged every five minutes on the Windows 2000 DC. I suggest you
refer to following information:

To resolve this issue, change the domain mode from mixed mode to native
mode. To do so, follow these steps.

Note: This is not the recommended method to resolve this issue. Microsoft
is researching this issue and will post new information in the Microsoft
Knowledge Base when that information is available.

1. Click "Start", point to "Programs", point to "Administrative Tools", and
then click "Active Directory Domains and Trusts".
2. Right-click the domain that you want to change, and then click
"Properties".
3. On the "General" tab, click "Change Mode" under "domain operations
mode", and then click "Yes".

Note: Make sure that all the domain controllers in the domain are upgraded
to Windows 2000 Server before you change the domain to Native Mode. After
you change to Native Mode, you cannot change back to Mixed Mode.

For your reference:

279432 Event ID 1000 and 1202 Messages May Occur Every Five Minutes on the
-- http://support.microsoft.com/?id=279432

In addition, I suggest you enable the Winlogon log to check the its log if
the issue persists after performing all the steps above: 245422 How to
Enable Logging for Security Configuration Client Processing in --
http://support.microsoft.com/?id=245422.

Hope this addresses your concern!

Have a nice day!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Terry Liu [MSFT]]

Hi,

It is nice to hear from you again. As I understand the issue can be caused
by the two reasons:

" Default Domain Controllers Policy is broken.
" Locked-down security that was originally set on the FRS through Group
Policy.

Hope this helps answer your questions. If you have any questions, please
feel free to post here!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Terry Liu [MSFT]]

Hi,

Thank you for posting back!

Please refer to the steps below to resolve the Warning 5: Access is denied:

1. Look in policy for a GPO that has configured the service.
2. "Computer configuration\windows settings\security settings\system
services"
3. Change the setting to not define or grant the system account full
control to the service.
4. Verify the edited policy has been replicated to all domain controllers.
5. Refresh policy on all the affected machines or wait until the group
policy refresh interval passes

secedit /refreshpolicy machine_policy
6. Verify that a 1704 event is looged in the application log of the
affected machine(s)

7. Start Registry Editor (Regedt32.exe).

8. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ClipSrv

9. Delete the Security subkey.

10. Restart the computer.

Hope this helps!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.