Microsoft KB Archive/136251

= System Log Event 5705 with > 500 Security Object Changes =

Article ID: 136251

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 4.0
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT 4.0 Service Pack 5

-



This article was previously published under Q136251



SYMPTOMS
The following event appears in your backup domain controller (BDC) system log:

  Date:      N/A             Event ID:  5705
  Time:      N/A             Source:    NETLOGON
  User:      N/A             Type:      Error
  Computer:  BDC             Category:  None

  Description:

  The change log cache maintained by the Netlogon service for database changes is corrupted. The Netlogon service is resetting the change log.

  Data, Byte:

  000:    02



CAUSE
This problem occurs if you enable auditing of security objects and more than 500 changes are made to an individually replicated security object from the Security Account Manager (SAM), local security authority (LSA), or built-in databases.

How Event ID 5705 is Triggered with the Netlogon Service
On a heavily used server configured to audit many objects, if the security log fills up, the LSA security object is updated with each attempt to record an event in the full security log. With each LSA update a change is registered in the Netlogon change log file. If more than 500 of these events occur within the primary domain controller (PDC) to BDC Netlogon update cycle, the PDC does not replicate the individual changes to the BDCs, but sends a record that indicates a serial number skip and another record with the entire object that contains the accumulation of all changes. When the BDC encounters the skip in serial numbers, it records Event 5705 in the BDC system log.



RESOLUTION
To work around this problem, you can use any of the following methods to prevent the security log from becoming full:
 * Clear the security log more frequently.
 * Set the security log to overwrite events when it gets full.
 * Audit fewer items.

You must change the security log settings to Overwrite as Needed at the PDC and apply the settings to all potential BDCs. You do not have to restart the computer, but if you are prompted to clear the existing security log, do so.



MORE INFORMATION
The following is a sample Netlogon log from a BDC experiencing this issue. It shows the serial number skip that the BDC detects and the resulting Event 5705:

  04/09 11:37:57 [CHANGELOG] NlWriteDeltaToChangeLog: Serial number skip from 0 4b44 to 0 54ce: forward skip of 242 deltas
  04/09 11:37:57 [SYNC] UnPacking Policy Object
  04/09 11:37:58 [CRITICAL] NlWriteChangeLogEntry: Serial numbers not contiguous 0 54ce and 0 4b44
  04/09 11:37:58 [MISC] Eventlog: 5705 (1)

Sample Netlogon log on the PDC:

  04/09 13:01:08 [SYNC] NetrDatabaseDeltas: LSA partial sync called by  SerialNumber:10 863f.
  04/09 13:01:08 [SYNC] Packing skip to serial number delta: 10 a2aa
  04/09 13:01:08 [SYNC] Packing Policy Object
  04/09 13:01:08 [CHANGELOG] DeltaType AddOrChangeLsaPolicy (13) SerialNumber: 10 a2ab Name: 'Policy'
  04/09 13:01:08 [SYNC] NetrDatabaseDeltas: Modified count of the packed record: 10 a2aa
  04/09 13:01:08 [SYNC] Packing Policy Object
  04/09 13:01:08 [SYNC] NetrDatabaseDeltas: Modified count of the packed record: 10 a2ab
  04/09 13:01:08 [MISC] Eventlog: 5711 (4) "" "3"
  04/09 13:01:08 [SYNC] NetrDatabaseDeltas: LSA returning (0x0) to 
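To triage a BDC Netlogon log for the condition described in this article, the skip entries can be extracted and sized with a short script. The following Python is an added example, not part of the original article or any Microsoft tooling; it assumes each serial number is printed as two hexadecimal words (high, then low), and its sample lines are constructed in the format of the BDC log above.

```python
import re

TS = r"(\d\d/\d\d \d\d:\d\d:\d\d)"
# Assumption: serial numbers appear as "<high hex> <low hex>" of a 64-bit value.
SKIP_RE = re.compile(
    TS + r" \[CHANGELOG\] NlWriteDeltaToChangeLog: Serial number skip "
    r"from ([0-9a-f]+) ([0-9a-f]+) to ([0-9a-f]+) ([0-9a-f]+)", re.IGNORECASE)
EVENT_RE = re.compile(TS + r" \[MISC\] Eventlog: (\d+)")
THRESHOLD = 500  # changes per PDC-to-BDC update cycle, from the CAUSE section


def serial(high, low):
    """Combine the two printed hex words into one integer serial number."""
    return (int(high, 16) << 32) | int(low, 16)


def find_skips(lines):
    """Return one record per serial number skip found in a BDC Netlogon log.

    A later 'Eventlog: 5705' line is attributed to the most recent skip.
    A skip at or below THRESHOLD is not explained by the cause in this article.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        skip = SKIP_RE.match(line)
        if skip:
            deltas = serial(skip[4], skip[5]) - serial(skip[2], skip[3])
            findings.append({"time": skip[1], "deltas": deltas,
                             "over_threshold": deltas > THRESHOLD,
                             "event_5705": False})
            continue
        event = EVENT_RE.match(line)
        if event and event[2] == "5705" and findings:
            findings[-1]["event_5705"] = True
    return findings


# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "04/09 11:37:57 [CHANGELOG] NlWriteDeltaToChangeLog: Serial number skip from 0 1000 to 0 1300",
    "04/09 11:37:57 [SYNC] UnPacking Policy Object",
    "04/09 11:37:58 [MISC] Eventlog: 5705 (1)",
    "04/09 12:10:02 [CHANGELOG] NlWriteDeltaToChangeLog: Serial number skip from 0 1300 to 0 1310",
]

if __name__ == "__main__":
    for finding in find_skips(SAMPLE):
        print(finding)
```

A record with `over_threshold` and `event_5705` both true matches the full-security-log pattern described under CAUSE; check the PDC's security log settings as described under RESOLUTION.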

Additional query words: prodnt

Keywords: KB136251

-


© Microsoft Corporation. All rights reserved.