Continuing problems with event logs (Service Control Manager Logs)

On my home network, I have a Windows 2003 server that is a domain
controller. This server has begun acting strangely. Where I was once able
to connect with Remote Desktop, I no longer can. I have checked the
registry, and remote desktop is enabled on the server. While trying to
decipher this problem, I opened the event log on the server. I have noticed
that there are no Service Control Manager events since mid-august. The last
thing I did back then was apply the updates below:
- Cumulative Security Update for Internet Explorer for Windows Server 2003
(KB896727)
- Windows Malicious Software Removal Tool - August 2005 (KB890830)
- Security Update for Windows Server 2003 (KB899591)
- Security Update for Windows Server 2003 (KB899588)
- Security Update for Windows Server 2003 (KB899587)
- Security Update for Windows Server 2003 (KB893756)

I also noticed that I can't start or stop services using the remote computer
management console. I have been able to restart the machine, and it appears
to be otherwise working normally. Before I shut the server down, move it,
and connect it to a monitor, I'm wondering what else I could look for.

I was running enterprise because at the time, it was all I had. I now have
Standard, and that is on the server that I was supposed to install SQL on.
I'm now building it as a replacement DC (I'm going to transfer the roles,
etc.). Then I'll rebuild my original.

Now I have another more interesting problem. On the server that is now
running standard, I applied all the most recent updates, and restarted. No
problem. Check the logs, everything as expected. Join the domain, still no
issue with the logs. Once I promoted it, the system log is no longer
logging Service Control Manager events. I can't see if I'm running into
problems or not. the last service control message is from prior to the
restart after running DCPROMO; 'File Replication Service has entered the
running state'. I tried starting and stopping a service, and nothing is
logged.

 

Sounds like the event log file is (or files are) corrupt.

Control Panel|Administrative Tools|Services|Event Log Service|General, set
the "Startup Type:" to "Disabled" restart the pc, then delete (or move) the
corrupt *.evt file(s) from %windir%\system32\config then set the Event Log
Service "Startup Type:" back to "Automatic", restart for effect.

You need to get this issue fixed before moving on. SP1 and some network
interfaces running at half duplex were causing event log file corruption.



--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

Thank you; I am trying this on my Standard server now. I still cannot log
in to my Enterprise box; I have attempted to disable the service remotely.

If my Standard server comes up OK, I will be transfering the FSMO roles to
it, and rebuilding the enterprise box as a standard box.

Thanks
-Hank

 

OK good luck.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

OK, I tried this, and I still am not getting Service Control messages. Is
this DCOM message a clue? Did I mention this issue started on my 'new'
server after I ran DCPROMO on it?

The COM sub system is suppressing duplicate event log entries for a duration
of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD
value named SuppressDuplicateDuration under the following registry key:
HKLM\Software\Microsoft\Ole\EventLog.

 

Does it log;

Event ID: 6005
The Event log service was started.

when you restart? If so there is no event log file corruption.

You need to get to the bottom of why the COM sub system is suppressing
duplicate........ What errors precede this one?

When you view the logged events in Event Viewer (double-click them in the
right-hand pane) in the upper right corner, third button down is a copy to
clipboard, then you can paste in the body of a reply message.

Please do so for each of the different System Log events (that are a Type:
'Error' or 'Warning') since last boot so we can see all of the event detail.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

Yes, I get the startup message. I get 6009 (Windows...etc), then 6005. The
next message is the DCOM message. This is in the system log.

I get this in the Application log from source 'EventSystem'

The EventSystem sub system is suppressing duplicate event log entries for a
duration of 86400 seconds. The suppression timeout can be controlled by a
REG_DWORD value named SuppressDuplicateDuration under the following registry
key: HKLM\Software\Microsoft\EventSystem\EventLog.

-Hank

 

When you view the logged events in Event Viewer (double-click them in the
right-hand pane) in the upper right corner, third button down is a copy to
clipboard, then you can paste in the body of a reply message.

Please do so for each of the different System Log events (that are a Type:
'Error' or 'Warning') since last boot. It's important for us to see all of
the events and their details.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

These are the only warnings in the log since I followed your recommendations
to disable the eventlog service.
BTW, I am A+ Certified, and MCP (2989748), as well as stumped. No need to
descibe what to click on.

Thanks for your assistance.

Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 10/26/2005
Time: 5:40:45 PM
User: N/A
Computer: SVRHOME
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 1184
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe


Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 10/26/2005
Time: 5:40:45 PM
User: N/A
Computer: SVRHOME
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: %1

 

The only reason to disable the Event Log service was to release the lock on
the suspected corrupt event log files so you could delete them. After doing
so you must set the Event Log service back to 'Automatic' and restart for
effect.

It's a generic response and in no way is meant to be demeaning or suggest
whether anyone knows what to click on. We really have no idea.

See if these ideas help.

http://eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

This correctted the MSDTC Problem, but not the service control issue. After
a restart, I still show no services starting in the system log. From what I
can see, the important services are running.

 

I don't think you'll get an event logged for every automatic-start service
at startup. Only in the event of a service status change, or whenever a
control code is sent to a service requesting a change (start or stop).

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

That hasn't been my experience, not since Windows 2000. Every time I reboot
any Windows NT based machine, the system log has logged the service startup
events, no matter what they were.
I don't get any messages that services are starting, stopping, had errors,
entered a stopped state...nothing. If I go to services and stop DHCP, I
should see two messages in the event log; a stop command was issued for the
service, and the service has entered the stopped state. Similarly when the
service is started, I should see the service is sent a start command, the
service is started, and then that the DHCP server is authorized on the
machine. When I execute this, I get only the DHCP Server is authorized to
start.

 

* This has never been my experience. This would mean on a default
installation you would see 40 some service related events logged at every
startup.

* Hmm this isn't right. I looked through group policy and local security
policy and don't see anything to change this specific behavior.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

Not 40, 15 to 20. On my XP box, I get 23, including the ipod service and
Symantec AV. This has been the way every NT(2000) system I have ever worked
on.

I didn't see anything in policy either. I thought it was a policy issue
because the problem didn't surface until I ran DCPROMO on the new machine.
What I'm going to try tonight is to undo the DCPROMO, and see if the event
log goes back to normal.

I've been googling this issue, and I find nothing. It may be worth opening
a case with MS.
-Hank

 

No idea what you've got going there. I just went through the list of service
related event log entries that follow a restart and only events of a service
status change are logged, or whenever a control code is sent to a service
requesting a change (start or stop) are logged. None of the 'Automatic'
start services are logged.

The 40 (or so) was in reference to a DC I happened to look at.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

Demoting the server did not help.

The last successful startup I have with log entries I expect logged the
folowing service startups:
Terminal Services sent a start control
Network Location Awareness sent a start control
Network Location Awareness entered running state
Terminal Services entered running state
Network Connections sent a start control
Network Connections entered running state
Windows Installer sent a start control
Windows Installer entered running state

The last service item logged before I restarted after running DCPROMO was
the File Replication Service entered a running state. Only error prior to
the restart, is a w32time error (The time provider NtpClient cannot
determine whether the response received from svrhank.newhome.domain has a
valid signature. The response will be ignored. The error was: The interface
is unknown. (0x800706B5))

There are no errors after restart, just a warning that my DHCP service
doesn't have credentials to update DNS.

 

I just searched Microsoft's KB, and found nothing. I'm going to continue
with my original plan, and see what happens when I rebuild my original
server.

 

OK but I think you're going to find that not logging the start of auto-start
services is expected behavior.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

I can live with that, but if I manually stop and start services, I should
see a log entry and I don't.