Event id 1202

Greg

OK - event id 1202 is being logged in my app log every 5
minutes - there is no associated userenv 1000 (there is
no other event being logged at all).

This is only occurring on one DC (there are 62 other DCs
in the enterprise). The DC is W2K sp4 and is up to date
with service packs/hotfixes.

The details of the event:
Security policies are propagated with warning. 0x4b88: An
extended error has occurred. (this is nice and generic)

ExtensionDebugLevel has been added to the registry and
the value = 2.
The only errors that are being identified are as follows:

Error 0 to send control flag 1 over to server.
...
...
...
----Configure Security Policy
Error opening SAM account domain.
(I can provide the entire log if anyone from MS wants to
peruse it)

I am thinking that there may be some corruption in the
local security policy, and I am debating reapplying the
setup security template; however if I can avoid that I
would like to. (the change management process is brutal,
plus I would probably have to be in DS restore mode as it
seems that there is a handle on the edb.log --- so if I
can avoid the change management then that would be great.)

Oh, yeah....Since the 0x4b8 is a generic error this could
be caused by incorrect data in the following registry
values:
HKLM\Security\Policies\PolAcDmN (is not set to the
domain name)
HKLM\Security\Policies\PolPrDmN (is not set to the
domain name)
***however, I have verified that the binary values are
correct.

So, if there is anyone with any other ideas - please
reply.
 
Glenn L

Often the extended error means the secedit.sdb file is corrupted. (not
always though)
If the winlogon.log file is essentially empty, after turning up debug logging
on it, then this almost certainly means the database is corrupted.
Unfortunately you will need to perform some recovery tasks.

You rename the following files in %systemroot%\system32\security directory
and sub directories. If they are locked, then reboot your server to unlock
them.
secedit.sdb
edb.chk
edb.log
res1.log
res2.log

Reboot your server.
It will create a new blank database, checkpoint file, and log files. If it
doesn't, don't panic.
Obviously, any hardening you did at the local server level (local group
policy) is gone. This includes out of the box defaults.
At this point you will want to reapply the defaults.
Type secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose, and then press ENTER.
After this is complete, reapply the secdc.inf template.
Type secedit /configure /cfg %windir%\repair\secdc.inf /db secdc.sdb /verbose, and then press ENTER.

Since you have a stringent change control process, it is also possible you
have modified the default out of the box file/registry/service permissions
on your DCs.
It is important to understand what the secsetup.inf and secdc.inf actually
do to the system. You simply view the .infs, or you can use the security
template MMC to view the settings through the easier-to-read UI.
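
A small triage script for the winlogon.log check described in the reply above, added here as an example and not posted by either participant. The "----" section headers and "Error" lines follow the excerpts quoted in the thread; the emptiness threshold and the reading of a leading code 0 as success are assumptions.

```python
import re

# Assumption: fewer than this many non-blank lines counts as "essentially empty".
EMPTY_THRESHOLD = 5
# Matches "Error ..." and captures a numeric code when one follows directly.
ERROR_RE = re.compile(r"^\s*Error\b(?:\s+(\d+))?", re.IGNORECASE)


def triage(log_text):
    """Group error lines in a winlogon.log by the '----' section they follow."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    section = "(before first section)"
    errors = {}
    for ln in lines:
        if ln.startswith("----"):
            # Section header: drop the dashes and trailing dots around the name.
            section = ln.strip("-. ")
            continue
        m = ERROR_RE.match(ln)
        if not m:
            continue
        # Assumption: a leading number is a Win32 status code, where 0 is
        # ERROR_SUCCESS, so "Error 0 ..." lines are treated as informational.
        if m.group(1) is not None and int(m.group(1)) == 0:
            continue
        errors.setdefault(section, []).append(ln)
    return {
        "non_blank_lines": len(lines),
        "essentially_empty": len(lines) < EMPTY_THRESHOLD,
        "errors": errors,
    }


# Constructed sample: the three lines quoted in the thread plus filler headers.
SAMPLE = """\
Error 0 to send control flag 1 over to server.
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
----Configure Security Policy
Error opening SAM account domain.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a copy of the log taken after debug logging is enabled; an `essentially_empty` result is the case the reply associates with a corrupted secedit.sdb.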