Description: Referral Interface cannot contact any Global Catalog that supports the NSPI Service. Clients making RFR requests will fail to connect until a Global Catalog becomes available again. After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients.
Concepts to understand:
What is the role of the Microsoft Exchange System Attendant (MSExchangeSA) service?
What is the role of the Global Catalog?
What is MAPI?
What is NSPI?
We had this event on a Windows 2000/Exchange 2000 server where someone disabled the only network card on the server. So, in a way, it was a false alarm for us.
This problem can occur on a multihomed SBS 2000 or 2003 machine, if the external network card is before the internal network card in the binding order.
As per Microsoft: "Make sure that at least one global catalog server is available for the Exchange server to communicate with. If a domain controller has recently been promoted to be a global catalog, you will need to reboot that machine in order for Exchange server to use it". See MSEX2K3DB for more details.
From a newsgroup post: "Turns out that my old trojan scanner (Moosoft's The Cleaner) on the server was useless, even though the database had been updated. I installed "Anti-Trojan" and it picked up 2 trojan files. On inspection of the server's registry, a batch file had been added to the "Run" folder in "HKLM\software\ms\win" that used the "net share" command to delete the IPC$ and admin$ shares, which, I understand, stops 9x logins. I presume this had been done to allow the hacker to take control and to block other users. I must admit, we were originally looking at the users to start with".
As per Microsoft, this problem is caused by the File and Printer Sharing services not being bound to all the network cards in a multihomed machine. See the link below for more details and resolution.
Links: ME279742, MSEX2K3DB