Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1110 Source: Userenv

Source
Level
Description
Attempt to determine whether user and machine accounts are in the same forest failed (There are currently no logon servers available to service the logon request. ).
Comments
 
We have from time to time on Windows 2003 SP with Citrix 4.5. In our case this event is in the moment when Net Log service is not working after automatically restart of the server (Event ID: 3056 source: Netlogon). Start Net Logon and Windows Time service is solving problem.
In my case, I solved the problem by running “sfc /scannow”.
In my case, this event was being generated along with EventID 1053 from source Userenv. The PC was not logging to the domain and I was not able to re-join the PC to the domain because the "Network ID" button under the "System Properties" computer name tab was grayed out. In addition, the following services failed to start "Computer browser service", "Net logon Service", "Workstation Service", and "Messenger Service".
The PC had internet connectivity but was not able to authenticate with the domain and therefore was not able to access network resources. I was able to fix this issue when I realized that my "wkssvc.dll" file, which normally resides in "C:\WINDOWS\system32" got mysteriously deleted. Once I replaced the missing "wkssvc.dll" file by copying it from another XP (Professional) machine and rebooted all went back to normal.
This event can be ignored if it occurred when Windows was started in Active Directory Restore mode or some other form of Safe Mode. Otherwise, investigate further.
In my case, I found that this error was related to EventID 7 from source Kerberos. In spite of what Microsoft says about this Kerberos error, the domain controller was not down. Running nltest.exe on the domain controller also found no problems. What appears to have caused the problem was a policy setting in Group policy objects. If in either the domain controller policy or the domain policy - Security Settings -> Local policies -> Security options, "Domain Member: Digitally encrypt or sign secure channel (always)" is enabled, it will cause this problem. If you disable this policy in both areas, this problem will go away. (Note: it may take up to 2 hours to notice if it has taken).


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...