The File Replication Service may be preventing the computer NEMESIS from becoming a domain controller while the system volume is being initialized and then shared as SYSVOL. Type net share to check for the SYSVOL share. The File Replication Service has stopped preventing the computer from becoming a domain controller once the SYSVOL share appears. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume. The initialization of the system volume can be bypassed by first typing regedt32 and setting the value of SysvolReady to 1 and then restarting the Netlogon service. WARNING - BYPASSING THE SYSTEM VOLUME INITIALIZATION IS NOT RECOMMENDED. Applications may fail in unexpected ways. The value SysvolReady is located by clicking on HKEY_LOCAL_MACHINE and then clicking on System, CurrentControlSet, Services, Netlogon, and Parameters.
T2001-03-27,22:47:18,127.0.0.1,5,4,EvntSLog:214520: [AUF] Tue Mar 27 22:47:17 2001: KANT/Security (578) - Privileged object operation: Object Server: Security Object Handle: 4294967295 Process ID: 1656 Primary User Name: DOMPDC$ Primary Domain:CORPDOM Primary Logon ID: (0x0,0x3E7) Client User Name: adrian Client Domain: CORPDOM Client Logon ID: (0x0,0x5ECEE65) Privileges: SeIncreaseBasePriorityPrivilege
Concepts to understand:
What is the role of File Replication Service?
What is the role of the Netlogon share?
Windows 2000 does not support the SYSVOL folder on a mounted volume. The File Replication service takes the full path of the SYSVOL folder and opens a journal on that volume to track changes. Also, a number of functions internal to the File Replication service use the volume handle as an argument. With a mounted volume, the SYSVOL folder and the data it contains actually reside on another volume entirely; the journal cannot track changes and the internal File Replication service functions mentioned earlier do not work.
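The checks described above (the SYSVOL share, the SysvolReady value, and whether the SYSVOL path crosses a mounted volume), gathered into one read-only report. This is an added PowerShell example, not part of the original page; it assumes PowerShell 3.0 or later and that the SYSVOL path is stored in the SysVol value beside SysvolReady.

```powershell
# Added example: read-only SYSVOL readiness report. It changes nothing on the host.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $paramKey -ErrorAction Stop

# SysvolReady = 1 tells Netlogon that the system volume may be shared.
$ready = $params.SysvolReady

# Same information that "net share" prints, filtered to the two DC shares.
$shares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }

# Assumption: the SysVol value under the same key holds the SYSVOL folder path.
# Walk from that folder up to the drive root and record every reparse point.
# A mounted volume shows up as a reparse point (so does a junction), which is
# the layout the comment above says the File Replication Service cannot journal.
$reparse = @()
$dir = Get-Item -LiteralPath $params.SysVol -Force -ErrorAction SilentlyContinue
while ($dir) {
    if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $reparse += $dir.FullName
    }
    $dir = $dir.Parent   # $null once the drive root has been examined
}

# Flag the state the event text warns about: the bypass value is set
# but the SYSVOL share has not appeared.
$sysvolShared = @($shares | Where-Object { $_.Name -eq 'SYSVOL' }).Count -gt 0

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    SysvolReady         = $ready
    SharesPresent       = ($shares.Name -join ', ')
    SysvolPath          = $params.SysVol
    ReparsePointsInPath = ($reparse -join '; ')
    ReadyButNotShared   = ($ready -eq 1 -and -not $sysvolShared)
}
```

A non-empty ReparsePointsInPath only says that a junction or mount point lies on the path; confirm which one it is before drawing conclusions.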