Re: Can't read event logs on Win2003 server

From: Arch Willingham (arch_at_tuparks.com)
Date: 11/19/03


Date: Wed, 19 Nov 2003 12:04:47 -0500

You are correct on both counts. Very weird!!!

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uaRvLoorDHA.1744@TK2MSFTNGP12.phx.gbl...
> So, to be certain:
> - You do not have problems reading the event log, etc, when you log on to
> the DC itself
> - You have problems when you are on a remote machine and try to "manage"
it.
>
> The only common thing that I see between all your failures is that they
> require DCOM on the server. I do not know what ports DCOM and RPC uses,
but
> they're the same one that the Blaster worm would attack... so maybe your
> network itself blocking those ports, hence remote access fails but local
> access succeeds.
>
> I really have no more ideas after this.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Arch Willingham" <arch@tuparks.com> wrote in message
> news:Ohj7p5erDHA.2628@TK2MSFTNGP09.phx.gbl...
> 1. Yes on the RemoteRegistry server.
> 2. Uh...I can run Dcomcnfg.exe...does that mean DCOM is running??? How do
I
> know which ports it is using (or is supposed to use)?
> 3. The service "Remote Procedure Call (RPC)" is running but ditto on the
> question on the ports...which does it use and which should be open?
>
> Arch
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:eNpR$EBrDHA.2536@tk2msftngp13.phx.gbl...
> > Is DCOM and RCP enabled/working on your machine, and are their ports
open?
> > Is RemoteRegistry service enabled (for MBSA) ?
> > Do you know how this W2K DC was locked down in the past?
> >
> > Otherwise, I really am out of ideas, so if you want issue resolution,
you
> > should call MS PSS Support. I think you have some fundamental service
or
> > permission disabled, and it was preserved across the upgrade, hence
> causing
> > your present issues.
> >
> > --
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "Arch Willingham" <arch@tuparks.com> wrote in message
> > news:OrRTsh8qDHA.1496@TK2MSFTNGP11.phx.gbl...
> > Yep...its running.
> >
> >
> > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> > news:%23dmY0s3qDHA.2000@TK2MSFTNGP09.phx.gbl...
> > > Hmm, I'm not certain why, then.
> > >
> > > Can you check in the Services applet whether the "Event Log" service
is
> > > running?
> > >
> > > --
> > > //David
> > > IIS
> > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > //
> > > "Arch Willingham" <arch@tuparks.com> wrote in message
> > > news:eVvwkBvqDHA.3732@tk2msftngp13.phx.gbl...
> > > If the firewall is the service called "Internet Connection Firewall
> (ICF)
> > /
> > > Internet Connection Sharing (ICS)", then nope..its not turned
on...would
> > it
> > > be called another name?
> > >
> > > Arch
> > >
> > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> > > news:OvaHbIPqDHA.1632@TK2MSFTNGP10.phx.gbl...
> > > > What I mean to ask is -- is the Firewall in Windows Server 2003
turned
>
> > on
> > > > somehow?
> > > >
> > > > I'm not certain of what else, but what it sounds like is that you
have
> a
> > > > single service that is not running on Windows Server 2003 when you
> need
> > it
> > > > to be running to provide the necessary functionality. I've found
> > machines
> > > > with RPCSS (the target of Blaster) stopped to behave quite weirdly
in
> > > > similar manner.
> > > >
> > > > --
> > > > //David
> > > > IIS
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > > //
> > > > "Arch Willingham" <arch@tuparks.com> wrote in message
> > > > news:uJu9DdJqDHA.2000@TK2MSFTNGP10.phx.gbl...
> > > > Nope...they are all on the same subnet. Prior to converting the
> machine,
> > a
> > > > domain admin could do all of the above. Once upgraded, no one
> (including
> > > > Enterprise Admin) and do any of the above.....in the words of Chris
> > > > Rock..."That ain't right".<G>
> > > >
> > > > Arch
> > > >
> > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> > > > news:%23TkKbwzpDHA.644@TK2MSFTNGP11.phx.gbl...
> > > > > That actually sounds like good behavior to me. :-)
> > > > >
> > > > > Maybe you have a firewall blocking ports somewhere?
> > > > >
> > > > > --
> > > > > //David
> > > > > IIS
> > > > > This posting is provided "AS IS" with no warranties, and confers
no
> > > > rights.
> > > > > //
> > > > > "Arch Willingham" <arch@tuparks.com> wrote in message
> > > > > news:O6VjjAuoDHA.360@TK2MSFTNGP12.phx.gbl...
> > > > > I upgraded one of DC servers yesterday from Win2000 (sp4) to
> NET2003.
> > > > > Everything works great except for two things:
> > > > >
> > > > > 1. I cannot use the event viewer to look at the event log on that
> > server
> > > > > unless I am logged on to the server (even when logged on as the
> domain
> > > > > admin).
> > > > > 2. If I use MBSA (Baseline Security Analyzer) to check that
server,
> > > every
> > > > > line says "Check could not be performed because registry could not
> be
> > > > > accessed"
> > > > > 3. If I click "manage" on "my computer" and then connect to that
> > > computer,
> > > > > everything I click on results in "System Information
> > > > > The connection to BLAHBLAH could not be established. Check to see
> that
> > > the
> > > > > network path name is correct, that you have sufficient permission
to
> > > > access
> > > > > Windows Management Instrumentation, and that the Windows
Management
> > > > > Instrumentation service is started on the computer."
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Arch
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>



Relevant Pages

  • Re: How to stop this hacker activity?
    ... The ports that are mapped via "virtual server" services (per dlink "allows ... LAN services to be accessed via the internet) of the dlink router 808HV. ... The event log says Source Port: ...
    (microsoft.public.windows.server.sbs)
  • RE: Cannot open Conection to Analysis server....
    ... Please check the application event log especially for 128 entries, ... be that this server is restarting\crashing\restarting etc. ...
    (microsoft.public.sqlserver.olap)
  • RE: Hardening IIS / Open ports
    ... The best way to harden your server is to place it behind a firewall and on ... the only inbound ports that you need to ... TCP; and Port 443 TCP for SSL. ... This posting is provided “AS IS” with no warranties, and confers no rights. ...
    (microsoft.public.inetserver.iis.security)
  • Re: What are the best general things to do after a dirty shutdown (Server SBS)
    ... Microsoft Windows Small Business Server 2003 Best Practices Analyzer ... After that, please post any event log errors, just the EventID# and Source names, not the whole error message. ... error 15100 Win32 Error 15100. ... One is indicating it can't retrieve info about the System log. ...
    (microsoft.public.windows.server.sbs)
  • Re: What are the best general things to do after a dirty shutdown (Server SBS)
    ... test network connectivity to local domain controllers. ... Directory Server Diagnosis ... Verifying that the local machine ALPHA, ... The File Replication Service Event log test ...
    (microsoft.public.windows.server.sbs)