Posts in Category: Windows

The Virtual Storage Filter Driver is disabled through the registry. 

While looking through our new Windows 2008 SP2 server event logs, I noticed this unusual error:

Log Name: System
Source: storflt
Event ID: 5
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.

After a little research, I found a knowledgebase article 951007 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me….

If Windows Server 2008 is not running on a Hyper-V Server, this issue will not affect the performance of the operating system. Therefore, you can safely ignore this event.

Basically it’s another Warning message filling my event logs for not using a feature of the product!

Posted by Brian 03/24/2010 Categories: Hyper-V Windows

Event 29: Kerberos Key Distribution Center 

While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

After a little research, I found a knowledgebase article 967623 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me….

This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.

Basically in a nutshell, if you are not using CA, you can ignore this error message.

Posted by Brian 11/09/2009 Categories: Support System Administration Windows

DCdiag fails for NCSecDesc test on Windows 2008 Domain Controllers 

Ran into this error this morning while running DCdiag on one of our Windows 2008 Domain Controllers.

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        ......................... Contoso-DC1 failed test NCSecDesc

After a little research (967482, Known Issues for Installing and Removing AD DS & Ravindra Pamidi's Blog) I found the cause of this issue is:

If you have not run adprep/rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

So here’s Microsoft’s resolution to the issue:

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

So here we are again… another warning message because I’m not using a “feature” of the product!

Additional Note:

This bug is for any Windows Server 2008 domain controller with Active Directory installed in Windows 2003 mode, ie a default Windows 2008 domain.

That could be a single Windows 2008 Server domain, only Windows 2008 domain or a mix of Windows 2008/2003.

Posted by Brian 11/07/2009 Categories: Support System Administration Windows