
DCDIAG and Redirected Printers


I’m doing a migration this weekend in a large, non-SBS site. As part of that I’ve replaced the domain controller in a remote site with a new box. After making it a domain controller, I ran DCDIAG to check that all was fine. I got a number of errors in the output log that didn’t make sense. The error below is from the DCDIAG output.

Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 11/17/2007   13:36:00
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 11/17/2007   13:36:00
            (Event String could not be retrieved)

 

A little googling showed that many people had these but didn’t seem to show a resolution. I was concerned as, at first, I didn’t see what the issue was. I then realised that the number of errors coincided with the errors in the system log I was getting due to me managing the server from my laptop. Doh! So the error below is actually what the error in the DCDIAG log file is talking about. Now I can move on and finish the job!

Event Type:    Error
Event Source:    TermServDevices
Event Category:    None
Event ID:    1111
Date:        17/11/2007
Time:        1:36:00 PM
User:        N/A
Computer:    UALBRSVR1
Description:
Driver Microsoft Shared Fax Driver required for printer !!smallsvr1!fax is unknown. Contact the administrator to install the driver before you log in again.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 12 0d 00 00   ……..

Category: Event Log Errors
Published: 17/11/2007 2:38 PM

The description for Event ID… in source…. cannot be found


Don’t you hate it when you go to a server to review the event logs and it’s filled with

"The description for Event ID (NNNN ) in Source ( SOMETHINGGOODHERE ) cannot be found."

Now – in themselves these don’t constitute a big problem. They may however be symptomatic of a larger issue. This is a pain as it means it’s very hard to read and decipher what is going on with a server and therefore how to fix it. I had this recently on one of my servers, and left it be for a while until last week when I had the SharePoint issues. I decided then that I had to take the time to clean up my server’s event logs and get this fixed once and for all.

Each program or service that logs events to the event logs needs to provide a set of registry settings that point to the location of the DLL files that are used to decode the event log messages. If you take event logs from an SBS server and try to read them on an XP client then you’ll get lots of these "The description for event id.." messages, simply because the XP client has no way to interpret the messages itself. With that knowledge in mind, we can start to look at my specific issue.

On my server I had the following error:

Event Type:        Information
Event Source:      MSSQL$MICROSOFT##SSEE
Event Category:    (2)
Event ID:          17147
Date:              14/10/2007
Time:              7:02:01 PM
User:              N/A
Computer:          SERVERNAME
Description:
The description for Event ID ( 17147 ) in Source ( MSSQL$MICROSOFT##SSEE ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: .

Data: <Removed Data here as it does not matter for this blog post>

 

So the first place I looked was in the registry for this particular service to see what it was pointing to for the event log message DLLs. Under HKLM\System\CurrentControlSet\Services\EventLog you will find a subkey for each event log. Within those you will see further subkeys for each program or service that is configured to log events to the event logs. The screenshot below shows that my event message file DLL for this service is sqlevn70.dll and should be located under C:\Windows\sysmsi\ssee\mssql.2005\mssql\binn\resources – note this screenshot is from the system I was troubleshooting.


 

Knowing this, I went to that folder location and found that there was a 3 KB file there with that name. Strange, I thought – let’s compare it to a known working machine. The screen below is from a good server. Note that the event log DLL is in a 1033 subdirectory.


 

I checked the faulty server and whilst we had this directory, it didn’t have the right file. I figured that, given there were other instances of SQL 2005 on this server, I could find the right file and put it into the right location. I did a search on the server’s hard drive and found the following:


 

I then copied and pasted it into the correct location (as per my known good server), modified the registry entries to reflect the new file location, and then did a reboot of the server.


 

OK – so after the reboot of the server, I can now read the event log messages. The one from the top of this post now reads correctly, as per below.

Event Type:        Information
Event Source:      MSSQL$MICROSOFT##SSEE
Event Category:    (2)
Event ID:          17147
Date:              14/10/2007
Time:              7:02:01 PM
User:              N/A
Computer:          SERVERNAME
Description:
SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data: <Removed Data here as it does not matter for this blog post>

 

See – much easier to read now that we can see what’s in the event logs. This example hopefully will help you figure out how to go about sorting things for your own event logs.
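An added example, not from the original post: a PowerShell check that walks the EventLog registry subkeys described above and reports every EventMessageFile entry that points to a missing file or to one smaller than an assumed 4096-byte threshold (the faulty file in this post was 3 KB). The function name Get-BrokenEventSource and the threshold are hypothetical, and bare file names are assumed to resolve to System32.

```powershell
# Added example (not from the original post): list event sources whose
# EventMessageFile is missing or suspiciously small.
function Get-BrokenEventSource {
    param(
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
        [int]$MinBytes = 4096   # assumed threshold; the post's bad file was 3 KB
    )
    foreach ($log in Get-ChildItem -Path $Root) {
        foreach ($source in Get-ChildItem -Path $log.PSPath -ErrorAction SilentlyContinue) {
            # Read the raw value so REG_EXPAND_SZ data (%SystemRoot%...) is shown as stored
            $raw = $source.GetValue('EventMessageFile', $null, 'DoNotExpandEnvironmentNames')
            if (-not $raw) { continue }              # source registers no message file
            foreach ($entry in ($raw -split ';')) {  # the value may list several DLLs
                $stored = $entry.Trim().Trim('"')
                if (-not $stored) { continue }
                $path = [Environment]::ExpandEnvironmentVariables($stored)
                if (-not [IO.Path]::IsPathRooted($path)) {
                    # Bare file names are resolved by the loader; System32 is assumed here
                    $path = Join-Path $env:SystemRoot "System32\$path"
                }
                $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
                $problem = $null
                if (-not $file) { $problem = 'Missing' }
                elseif ($file.Length -lt $MinBytes) { $problem = 'TooSmall' }
                if ($problem) {
                    [pscustomobject]@{
                        Log     = $log.PSChildName
                        Source  = $source.PSChildName
                        Stored  = $stored
                        Problem = $problem
                        Bytes   = if ($file) { $file.Length } else { $null }
                    }
                }
            }
        }
    }
}

Get-BrokenEventSource | Sort-Object Log, Source | Format-Table -AutoSize
```

Run it from an elevated prompt on the affected server, then compare any flagged path against a known good machine, as the post does.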

Category: Event Log Errors
Published: 16/10/2007 2:18 PM

DHCP Server Error


Category – Common Errors

The error below occurs during startup only on a number of SBS 2003 servers. It does not occur on ALL of them for some reason.

Event Type:        Warning
Event Source:      DhcpServer
Event Category:    None
Event ID:          1056
Date:              16/09/2007
Time:              8:25:54 PM
User:              N/A
Computer:          SERVERNAME
Description:
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:        0000: 00 00 00 00 ….

 

The solution is pretty self-explanatory. Go to a CMD prompt and run the command as follows:

Netsh dhcp server set dnscredentials administrator DOMAIN password

 

Of course, substitute your own NetBIOS domain for DOMAIN above and a password. You could use the administrator account for it if you wish.

Category: Event Log Errors
Published: 16/09/2007 9:58 AM