As the event description mentions, the error codes and the options specified in the event can be found in EV100641 (RFC 4120). Examples:
- Options: 0x60810010, Failure Code: 0xE
Failure code 0xE means "Server's key encrypted in old master key". According to EV100642 (DCE 1.1: Authentication and Security Services - Chapter 4), the server's key is encrypted in an old (expired) master key, in the following sense. It is recommended that implementations of DCE protect all copies of the RS datastore other than those actually in use (in the address spaces of trusted programs) at any given moment (such as on-disk files, tape backups, and so on) by encrypting them (or at least the sensitive data contained in them, especially accounts' long-term keys), using some policy-dependent or implementation-dependent trusted encryption mechanism. An encryption key used for this purpose is known as a master key. A master key is said to be "old" if it is expired or unavailable (for whatever reason; it may just have been lost). In such a case, accounts' keys are unavailable; that is, accounts are "locked out" until a new key is established by the security administrator. (Typical implementations use different master keys for different datastore entries, disambiguating them with version numbers, so that the datastore can be incrementally upgraded from one master key to another.) Thus, the master key plays no direct part in the protocol, but surfaces only in this failure code.
In our particular case, this error came up when an old domain controller was brought online after being removed from the AD, without removing the DC role from the server itself. After the DC role was removed, the error was gone.
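The Options value in the example above is a KDCOptions bit mask from RFC 4120 (section 5.4.1), where bit 0 is the most significant bit. The following is an added example, not part of the original comment, that decodes it when triaging such events; the function names are hypothetical and the input line format is the one shown in the example above.

```python
import re

# KDCOptions flag names from RFC 4120 section 5.4.1, keyed by ASN.1 bit number.
KDC_OPTIONS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth",
    15: "canonicalize",  # reserved for this in RFC 4120, defined in RFC 6806
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Matches the "Options: 0x..., Failure Code: 0x..." form used on this page.
LINE_RE = re.compile(
    r"Options:\s*(0x[0-9A-Fa-f]+).*?Failure Code:\s*(0x[0-9A-Fa-f]+)")


def decode_kdc_options(value):
    """Return the names of the flags set in a 32-bit Options value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Options must fit in 32 bits")
    names = []
    for bit in range(32):
        # ASN.1 BIT STRING numbering: bit 0 is the most significant bit.
        if value & (1 << (31 - bit)):
            names.append(KDC_OPTIONS.get(bit, f"bit {bit} (unassigned in RFC 4120)"))
    return names


def parse_event_line(line):
    """Extract (option flag names, failure code as int) from one line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("no Options / Failure Code pair found")
    return decode_kdc_options(int(m.group(1), 16)), int(m.group(2), 16)


if __name__ == "__main__":
    # Sample line copied from the example on this page.
    flags, code = parse_event_line("- Options: 0x60810010, Failure Code: 0xE")
    print(f"failure code {code:#x}; options: {', '.join(flags)}")
```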