Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 8197 Source: MSExchangeFBPublish

Error initializing session for virtual machine . The error number is 0x80040111. Make sure Microsoft Exchange Store is running.
In my case I installed Computer Associates Etrust Antivirus 8.1 with the Exchange Mail Option on a 2003 Exchange Server SP2. Along with this event, I also got event id 9564 from MSExchangeIS.

From CA technical Hotline I've got an email with some missing DLL's attached. Copying these into the ITM directory and rebooting the server fixed the problem.
- Error: 0x80040111 - See ME918006 and Error code 0x80040111.
See the link to "MSDN Posts" for general troubleshooting on this event and for information about related problems.
- Error: 0x80040111 - See ME828764.
- Error: 0x8004011d - See ME266312, ME282964, ME821889, ME822579, and ME896703.

As per Microsoft: "Free/Busy Publishing has encountered errors when attempting to log on to the private or public Exchange stores. Transient occurrences of this event are not a problem, but if the recurrence is every 25 to 30 minutes, then Free/Busy Publishing is down for all Outlook Web Access (OWA) users. This event can also be generated if relevant services have recently been cycled or re-started". See MSEX2K3DB for more information on this event.
In our case, it turned out that Active Directory issues caused the problem. More precisely, there were multiple entries of a servicePrincipalName "HOST/<Machine>". To see if this is your problem look for KDC error messages in your Windows System event logs.

I recently upgraded Exchange 2000 to SP3. After the upgrade, the Information Store was unable to mount. I received the following Event IDs: 505, 8197, 9175, and 9519. I searched the Internet and found a solution. It turns out that Exchange 2000 SP3 is not able to mount a compressed store. My drive was not compressed but the folder where the Information store was located had compression enabled. The solution I found stated the following: “Although our drive that stores the database files was not compressed, the database files (priv1.edb, priv1.stm, pub1.edb, pub1.stm) themselves had their compressed attributes checked; I unchecked them and rebooted. Now everything appears to be working". See the link “EventID 505 from source ESE” for additional information on this issue.
A missing Schedule+ Free/Busy System Folder could cause this error. To correct this see ME284200.
- Error 0x8004011d - On an Exchange 2003 server, I received this message with Information Store running and both private and public stores mounted. I eliminated the error by stopping Exchange System Attendant and its dependent services, then restarting SA and each dependency individually. MS Exchange Free Busy Publish then initialized properly.
I was receiving EventID 8197 along with EventID 8207 in the application log every 50 minutes on my Exchange 2000 SP3 server. The 8197 event had the error code: 0x80040111. The 8207 error code was 0x80004003. Clicking on the link in the 8197 log entry, I found a suggestion from Microsoft to restart the System Attendant service. I did this and it cleared up the problem, and the events stopped.
- Error: 0x80040111 - This problem can be caused by having more then one domain in the same AD site with the Exchange 2003 server. Exchange will query AD for all the GCs in the AD site and pick one at random. If your Exchange 5.5 server has a trust with a child domain and not the parent, the error will happen every 25 minutes if Exchange picks a GC in the parent domain. Put the Exchange 2003 server in a new AD either site with a couple of GCs, or create a two-way trust between the Exchange 5.5 domain and all domains in the AD site. You could also see article ME319206 to force a GC (not recommend).
- Error: 0x8004011c - Our users could not access the PF and the OAB but they could continue to send/receive mails. To fix this, in the "Mailbox Store <server name> Properties", we reapplied the Default Public Store and the Offline Address List (as before without changing anything).
Check the disk space remaining of the drive volumes where the exchange logs and/or Mailbox stores are located. If you are running out of disk space, free some by deleting or moving some old log files. When done, mount the information store in the exchange system manager.
This error was in fact generated due to the autonegotiate port configuration of a switch. The server network card had 100 full duplex and the switch port 100 half duplex. The switch port was changed to 100 full duplex and Autonegotiate disabled and all is workking fine after without any reboot. This event was accompanied with event id 8206 from MSExchangeFBPublish.
- Error: 0x8004011d - See ME252543, ME261319, ME266330, ME313865, and ME316709.
- Error: 0x80070005 - See ME271410.

I recently added 2 new Exchange 2000 servers to my 5.5/2000 mixed environment (running parallel while migration is taking place), and encountered this error on both servers after installing Exchange 2000 server SP3. I was able to resolve this issue by performing the following steps:
1. Reinstall Exchange 2000 server using the 'reinstall' option in setup - Restart the system when reinstallation completes.
2. Reinstall Exchange 2000 server SP3 - Restart the system after completion.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.