The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.
From a newsgroup post: "Please perform the following steps to resolve this issue:
1. Use the administrator account to log on to the SBS Server, run "regedit".
2. Locate this registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
3. In the right panel, double-click "Notification Packages", and delete "dsrestor" from the value data.
4. Then monitor this issue".
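The registry change from the steps above, written as a PowerShell script for an elevated session. This is an added example, not part of the original newsgroup post; the function name and backup file path are hypothetical, and it assumes PowerShell is installed on the server.

```powershell
# Added example: scripted form of the regedit steps above.
# Function name and backup path are hypothetical. Run from an elevated prompt.
function Remove-LsaNotificationPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Package    = 'dsrestor',
        [string]$BackupFile = "$env:TEMP\lsa-notification-packages.reg"
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'Notification Packages'

    # The value is REG_MULTI_SZ, so it comes back as one string per package.
    $current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name)
    Write-Verbose ("Current packages: " + ($current -join ', '))

    if ($current -notcontains $Package) {
        Write-Verbose "'$Package' is not registered; nothing to change."
        return $current
    }

    # String comparison with -ne is case-insensitive, matching how the value is read.
    $remaining = [string[]]@($current | Where-Object { $_ -ne $Package })

    if ($PSCmdlet.ShouldProcess("$key\$name", "Remove '$Package'")) {
        # Export the whole key first so the change can be reverted with 'reg import'.
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; value left unchanged." }

        # Rewrite the value, keeping every other registered package in place.
        New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
                         -Value $remaining -Force | Out-Null
        Write-Verbose "Removed '$Package'. LSA reads this list at startup, so reboot to apply."
    }
    return $remaining
}

# Preview only: shows what would be removed without writing to the registry.
Remove-LsaNotificationPackage -WhatIf -Verbose
```

Drop `-WhatIf` to apply the change.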
From a newsgroup post: "You can safely ignore this event, however be aware of what it means. Prior to Windows 2003 SP1 when you changed the admin password in SBS, a hidden wizard automatically changed the dsrm (directory restore mode) administrator password to match when you rebooted. Windows 2003 SP1 broke this functionality, so now if you change the admin password you should also change the dsrm password or make very sure you know what it is in case you ever need it. You will see this error logged on every reboot because the server tries to synchronize the passwords". See "MCPMag Forum Thread 2938" for the original post.
From a newsgroup post: "DSRestore's job is to synchronize the domain admin password with the dsrm password. The dsrestore process will run every 30 minutes to verify that the passwords are coordinated. If they are not, dsrestore will synchronize them. The 1005 error indicates that dsrestore was unable to connect to the SAM and verify if the passwords are coordinated when the server boots. My guess is that it fails at boot due to a race condition. If the process fails, it does not run again until the server is rebooted. As a workaround, you can manually reset the DSRM password to match the domain admin password by using ntdsutil. See ME322672 for information on how to reset the Directory Services Restore Mode administrator account".
Links: ME322672, MCPMag Forum Thread 2938