RE: Security Log

Hi David,

Thank you for posting in SBS newsgroup.

As for this issue, I recommend that you first make sure that DCOM is not
configured to use Datagram User Datagram Protocol/Internet Protocol
(UDP/IP) and Datagram Internet packet exchange (IPX) protocols in the
Default Protocols tab.

1. Bring up the Component Services Administrative tool. On the Start menu,
point to Programs, Administrative Tools, and then click Component Services.

2. In the console tree of the Component Services Administrative tool,
expand Component Services-> Computers. Right-click the computer on which
you want to configure the protocol to bring up the context menu.

3. Click the Properties menu to bring up Computer Properties dialog box.

4. Click the Default Protocols tab.

5. If you have any of the Datagram protocols (UDP/IP or IPX) protocols
listed here, click to select, and then click Remove.

6. If you do not have any of the connection-oriented protocols in the list,
click Add to bring up Select DCOM protocol and endpoint dialog box.

7. Choose Connection-oriented TCP/IP Protocol as the protocol sequence, and
then click OK.

8. Add any or all of the connection-oriented protocols to the default
protocols this way.

9. Move Connection-oriented TCP/IP Protocol to the top of the list.

10. Restart the computer for the changes to take effect.

For more information, please see:

245197 BUG: COM+ Incorrectly Lets You Configure Datagram Protocol
http://support.microsoft.com/?id=245197

242022 INFO: DCOM Does Not Support Any Datagram (UDP) Protocols
http://support.microsoft.com/?id=242022

If the issue still exists, it is possible that the TCP ports have been
exhausted on the server. Please run the "netstat -an" (without quotes) in a
command prompt and see if there are some abnormal usage of network
connections. Run netstat -an > C:\netstat.txt and post the netstat.txt to
SBS newsgroup. Also, you may refer to the following KB article:

196271 Unable to Connect from TCP Ports Above 5000
http://support.microsoft.com/?id=196271

In addition, you may refer to the Event 10009 of the following KB article

823159 How to troubleshoot the "503 Service Unavailable" error message in
http://support.microsoft.com/?id=823159

It also can be generated by a certain application running in the
background. Let us disable all non-Microsoft services and startup items to
see if the error still appears:

1. Click Start, click Run, and then in the Open box, type "MSCONFIG"
(without the quotation marks). Click OK.
2. In the System Configuration Utility (MSConfig) window, click to select
the Selective Startup button.
3. Click to clear the check mark from the "Load startup items" below
Selective Startup.
4. Click the Services tab, click to check the "Hide All Microsoft Services"
box, and remove all the check marks from the remained Non-Microsoft
Services. Please note that the Exchange services could be marked as
non-Microsoft. Please do not disable those services.
5. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.
6. After restarting, please check whether this issue will reoccur.

If the problem does not occur, it indicates that the problem is related to
one application or service we have disabled.

If the problem still occurs, would you please help me confirm if you can
ping the computer that mentioned in the DCOM message.

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "David Parkes" <Wibble@xxxxxxxxxx>
| Subject: Security Log
| Date: Fri, 11 Nov 2005 14:01:24 -0000
| | Newsgroups: microsoft.public.windows.server.sbs
| |
| Thanks for reading this. We are getting a load of these messages in our
| security log on the server. This is happening on two individual domains.
The
| servers are both SBS2003 and the Clients are Windows XP Pro.
|
| Logon Failure:
|
| Event ID: 537
|
| Reason: An error occurred during logon
|
| User Name: %username%
| Domain: %DomainName%
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name: -
| Status code: 0xC00002EE
| Substatus code: 0x0
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: -
| Source Port: -
|
| If you then look at the system log on the computers that those particular
| users are loggin on from you get hundreds of these events.
|
| These errors are occurring on the windows xp clients. If you look at the
| Microsoft help. It says to check the registry
|
| HKey_Local_Machine/software/microsoft/rpc/dcom_protocol
|
| This string does not exist
|
|
| Event ID:10009
| DCOM was unable to communicate with the computer %ServerName% using any
of
| the configured protocols.
|
| Now the first event only occurs for users that are getting this second
| error. Are these two related.
|
|
|
|
|
|
|
|
|
|
|
|
|
|

.