local security policy of DC corrupted


francoise

hi,
We have events 1000 and 1202 every 5 minutes on some of our DCs.
The local security.edb database is corrupted.
Some people on my team have excluded \winnt\security and \security\database
from the real-time monitoring of the antivirus e-trust, and the errors stopped.
But I don't understand the logic of it.
There's no scan of the disk, there's just real-time monitoring for outbound
and inbound flows. So how come the secedit.edb may be corrupted?
When the security policy is updated, it takes data from the local \sysvol
folder of the DC (I think), so there's nothing coming from outside to modify
this file and the antivirus has no reason to scan the security database.

Does somebody know about the detailed process of applying policy that could
explain this corruption?

thanks
francoise
 
What is the description provided in the Userenv 1000 and 1202 error
messages? Without more information it's not clear why you believe the
security.edb database is corrupt.

The reason the errors appear every 5 minutes is because that is the default
interval at which domain controllers poll each other for policy updates.

If the problem does not occur with antivirus removed but occurs when it is
put back in place you should talk with the antivirus vendor (in this case,
Computer Associates) for assistance.

Take a look at the following article and run through the steps listed here
for troubleshooting the problem.
324383 Troubleshooting SCECLI 1202 Events
http://support.microsoft.com/?id=324383

To rebuild the secedit.sdb you can perform the steps outlined in the
following article, although this may not actually be the problem you are
encountering in this case:
278316 ESENT Event IDs 1000, 1202, 412, and 454 Are Logged Repeatedly in the
http://support.microsoft.com/?id=278316


David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 