Event ID: 1005 Source: dsrestor

Description: The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.

Comments:
From a newsgroup post: "Please perform the following steps to resolve this issue:
1. Use the administrator account to log on the SBS Server, run "regedit".
2. Locate this registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
3. In the right panel, double-click "Notification Packages", and delete "dsrestor" from the value data.
4. Then monitor this issue".
From a newsgroup post: "You can safely ignore this event, however be aware of what it means. Prior to Windows 2003 SP1 when you changed the admin password in SBS, a hidden wizard automatically changed the dsrm (directory restore mode) administrator password to match when you rebooted. Windows 2003 SP1 broke this functionality, so now if you change the admin password you should also change the dsrm password or make very sure you know what it is in case you ever need it. You will see this error logged on every reboot because the server tries to synchronize the passwords". See "MCPMag Forum Thread 2938" for the original post.
From a newsgroup post: "DSRestore's job is to synchronize the domain admin password with the dsrm password. The dsrestore process will run every 30 minutes to verify that the passwords are coordinated. If they are not, dsrestore will synchronize them. The 1005 error indicates that dsrestore was unable to connect to the SAM and verify if the passwords are coordinated when the server boots. My guess is that it fails at boot due to a race condition. If the process fails, it does not run again until the server is rebooted. As a workaround, you can manually reset the DSRM password to match the domain admin password by using ntdsutil. See ME322672 for information on how to reset the Directory Services Restore Mode administrator account".
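
The registry change described in the first comment above, as an added PowerShell example that is not part of the original page or the quoted posts: it removes only the "dsrestor" entry from the multi-string "Notification Packages" value, keeps every other package in place, and exports the key first. The parameter names and the backup file location are assumptions.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
# Use -WhatIf to preview the change without writing to the registry.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Package    = 'dsrestor',   # entry named in the newsgroup post
    # Assumed backup location; timestamped so an earlier export is never overwritten.
    [string]$BackupFile = "$env:TEMP\lsa-$(Get-Date -Format yyyyMMddHHmmss).reg"
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'Notification Packages'

# REG_MULTI_SZ comes back as a string array, one element per package.
$current = @((Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction Stop).$name)
Write-Output "Current entries: $($current -join ', ')"

if ($current -notcontains $Package) {
    Write-Output "'$Package' is not listed; nothing to change."
    return
}

# Keep every entry except the target (comparison is case-insensitive)
# and drop empty strings so the value is not left with blank lines.
$updated = @($current | Where-Object { $_ -and $_ -ne $Package })

if ($PSCmdlet.ShouldProcess("$lsaKey\$name", "Remove '$Package'")) {
    # Export the key first so the edit can be rolled back with "reg import".
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; registry value left unchanged."
    }

    Set-ItemProperty -Path $lsaKey -Name $name -Value ([string[]]$updated) -Type MultiString

    # Read the value back and confirm the other packages survived the edit.
    $after = @((Get-ItemProperty -Path $lsaKey -Name $name).$name)
    Write-Output "Entries now: $($after -join ', ')"
    Write-Output "Backup written to $BackupFile"
}
```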
