Антивирус съел файлы локальной политики
На одном серваке(small business) контроллере домена неожиданно начали идти ошибки 454 от ESENT и 1005 от SceCli
================================================
SCECLI 1005 - Some JET database is corrupt. Run esentutl /g to check the
integrity of the security database %%windir%%\security\Database\secedit.sdb.
If it is corrupt, attempt a soft recovery first by running esentutl /r in the
%%windir%%\security directory. If soft recovery fails, attempt a repair with
esentutl /p on %%windir%%\security\Database\secedit.sdb. Then delete the log
files in %%windir%%\security. Error opening some security database(s) such as
%windir%\security\database\secedit.sdb.
=================================================
ESENT 454 - (248) Database recovery/restore failed with unexpected error ''.
=================================================
Порывшись по инету наткнулся на http://forums.techarena.in/small-business-server/434820.htm
где была похожая проблема, которая к тому же проявилась повторно после первого решения
--------------------------------------------------
Hello Damaru,
Thank you for posting in the SBS newsgroup.
I. What does the "windows 2003 small enterprise server" mean? Please
kindly let me know the exact OS Edition is running. Is it an SBS 2003
Server? If you are using pure Windows 2003 Enterprise Server, I would like
to suggest that post a new thread to Windows newsgroup. The reason why I
recommend this is that you will get the most qualified pool of respondents,
and other partners who the newsgroups regularly can share their knowledge.
Thank you for your understanding.
For your convenience, I have listed the Internet Explorer newsgroup below:
microsoft.public.windows.server.general
II. Based on my research, this issue occurs if the local Group Policy
database file is corrupt.
To resolve this issue, use the procedure described in this section to
re-create the local Group Policy file.
1. Open the %SystemRoot%\Security folder, create a new folder, and then
name it "OldSecurity".
2. Move all of the files ending in .log from the %SystemRoot%\Security
folder to the OldSecurity folder.
3. Find the Secedit.sdb file in the %SystemRoot%\Security\Database folder,
and then rename this file to "Secedit.old".
4. Click Start, click Run, type mmc, and then click OK.
5. Click Console, click Add/Remove Snap-in, and then add the Security and
Configuration snap-in.
6. Right-click Security and Configuration and Analysis, and then click Open
Database.
7. Browse to the %SystemRoot%\Security\Database folder, type Secedit.sdb in
the File name box, and then click Open.
8. When you are prompted to import a template, click Setup Security.inf,
and then click Open.
Note If you receive an "Access denied" message, you can safely ignore it.
More information:
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
I appreciate your time and cooperation. If anything is unclear, please feel
free to let me know. I am looking forward to hearing from you.
Have a nice day!
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------------------------------------
Hi Damaru,
Thank you for posting back! I'm glad to hear that things are working
correctly for you now.
Here's a summary of this post for your reference:
PROBLEM: Receive Event Scecli, 1005, 1202
CAUSE: This issue occurs if the local Group Policy database file is corrupt.
RESOLUTION: To resolve this issue, use the procedure described in the KB
article 278316 to re-create the local Group Policy file.
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
Meanwhile, I would like to list the following question template here and
you can use it as a guideline for your future issues. By answering the
questions when submitting a post, it will greatly help us understand your
problem and situation more quickly. Thank you!
1. Has the server/client/product ever worked?
2. If so, what has been changed?
3. What service packs and updates were applied?
4. What are the steps to reproduce the problem?
5. Does it happen the same way on any other systems?
6. Please provide the exact error message with any screenshots if possible.
Please do not hesitate to post in this great newsgroup if you need any
assistance in the future. I look forward to working with you again.
Thank you and best regards,
Have a nice day!
------------------------------------------------------------
Hi Damaru,
Thank you for your kind update.
As you mentioned, this issue occurred again, let's refer to use the
procedure described in the KB article 278316 to re-create the local Group
Policy file.
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
Since the issue may occurs if the local Group Policy database file is
corrupt, this issue can also be caused by antivirus software. Make 100%
sure that you do NOT have any File-level antivirus scanning ANY exchange
directories. The most common cause of missing log files is because a
File-level antivirus application has quarantined or deleted a log file
because it detected a virus in one of them. If you are running file-level
AV, then you need to make sure you exclude all of the exchange directories,
especially the log file directory and database directory:
-Exchange databases and log files
-Exchange .mta files (default location: \Exchsrvr\Mtadata)
-Exchange message tracking log files (default location:
\Exchsrvr\Server_Name.log)
-Virtual server folders (default location: \Exchsrvr\Mailroot)
-Site Replication Service (SRS) files (default location: \Exchsrvr\Srsdata)
-Internet Information Service (IIS) system files (default location:
\%SystemRoot%\System32\Inetsrv)
-Internet Mail Connector files (default location: \Exchsrvr\IMCData)
-The working folder that is used to store streaming temporary files that
are used for message conversion. By default, this working folder is located
at \Exchsrvr\MDBData.
-A temporary folder that is used in conjunction with offline maintenance
utilities such as Eseutil.exe. By default, this folder is the location that
you run the .exe files from, but you can configure this when you run the
utility.
-DC's sysvol folder and all its subfolders (C:\Windows\Sysvol)
See:
823166 Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/?id=823166
822158 Virus Scanning Recommendations on a Windows 2000 Domain Controller
http://support.microsoft.com/?id=822158
Please do not hesitate to let me know if you have any further concerns.
Have a nice day!
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
----------------------------------------------------------------
Из всего этого следовало, что испортился файлик Secedit.sdb в каталоге %SystemRoot%\Security\Database
но в моем случае его там вообще не оказалось, и поэтому есстественно что рекомендации типа "Run esentutl /g to check the integrity of the security database %%windir%%\security\Database\secedit.sdb" не помогали. Решилось все совсем просто, база пересоздалась сама в момент когда я забэкапил файлы логов, перенеся из в другую папку, видимо они тоже были испорчены.
Не совсем понятно как он мог исчезнуть, но в его убийстве я подозреваю Др.Веба. Поэтому пока просто добавил рекомендованные папки в исключения.
================================================
SCECLI 1005 - Some JET database is corrupt. Run esentutl /g to check the
integrity of the security database %%windir%%\security\Database\secedit.sdb.
If it is corrupt, attempt a soft recovery first by running esentutl /r in the
%%windir%%\security directory. If soft recovery fails, attempt a repair with
esentutl /p on %%windir%%\security\Database\secedit.sdb. Then delete the log
files in %%windir%%\security. Error opening some security database(s) such as
%windir%\security\database\secedit.sdb.
=================================================
ESENT 454 - (248) Database recovery/restore failed with unexpected error ''.
=================================================
Порывшись по инету наткнулся на http://forums.techarena.in/small-business-server/434820.htm
где была похожая проблема, которая к тому же проявилась повторно после первого решения
--------------------------------------------------
Hello Damaru,
Thank you for posting in the SBS newsgroup.
I. What does the "windows 2003 small enterprise server" mean? Please
kindly let me know the exact OS Edition is running. Is it an SBS 2003
Server? If you are using pure Windows 2003 Enterprise Server, I would like
to suggest that post a new thread to Windows newsgroup. The reason why I
recommend this is that you will get the most qualified pool of respondents,
and other partners who the newsgroups regularly can share their knowledge.
Thank you for your understanding.
For your convenience, I have listed the Internet Explorer newsgroup below:
microsoft.public.windows.server.general
II. Based on my research, this issue occurs if the local Group Policy
database file is corrupt.
To resolve this issue, use the procedure described in this section to
re-create the local Group Policy file.
1. Open the %SystemRoot%\Security folder, create a new folder, and then
name it "OldSecurity".
2. Move all of the files ending in .log from the %SystemRoot%\Security
folder to the OldSecurity folder.
3. Find the Secedit.sdb file in the %SystemRoot%\Security\Database folder,
and then rename this file to "Secedit.old".
4. Click Start, click Run, type mmc, and then click OK.
5. Click Console, click Add/Remove Snap-in, and then add the Security and
Configuration snap-in.
6. Right-click Security and Configuration and Analysis, and then click Open
Database.
7. Browse to the %SystemRoot%\Security\Database folder, type Secedit.sdb in
the File name box, and then click Open.
8. When you are prompted to import a template, click Setup Security.inf,
and then click Open.
Note If you receive an "Access denied" message, you can safely ignore it.
More information:
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
I appreciate your time and cooperation. If anything is unclear, please feel
free to let me know. I am looking forward to hearing from you.
Have a nice day!
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------------------------------------
Hi Damaru,
Thank you for posting back! I'm glad to hear that things are working
correctly for you now.
Here's a summary of this post for your reference:
PROBLEM: Receive Event Scecli, 1005, 1202
CAUSE: This issue occurs if the local Group Policy database file is corrupt.
RESOLUTION: To resolve this issue, use the procedure described in the KB
article 278316 to re-create the local Group Policy file.
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
Meanwhile, I would like to list the following question template here and
you can use it as a guideline for your future issues. By answering the
questions when submitting a post, it will greatly help us understand your
problem and situation more quickly. Thank you!
1. Has the server/client/product ever worked?
2. If so, what has been changed?
3. What service packs and updates were applied?
4. What are the steps to reproduce the problem?
5. Does it happen the same way on any other systems?
6. Please provide the exact error message with any screenshots if possible.
Please do not hesitate to post in this great newsgroup if you need any
assistance in the future. I look forward to working with you again.
Thank you and best regards,
Have a nice day!
------------------------------------------------------------
Hi Damaru,
Thank you for your kind update.
As you mentioned, this issue occurred again, let's refer to use the
procedure described in the KB article 278316 to re-create the local Group
Policy file.
278316 ESENT event IDs 1000, 1202, 412, and 454 are logged repeatedly in
the Application log
http://support.microsoft.com/default...b;EN-US;278316
Since the issue may occurs if the local Group Policy database file is
corrupt, this issue can also be caused by antivirus software. Make 100%
sure that you do NOT have any File-level antivirus scanning ANY exchange
directories. The most common cause of missing log files is because a
File-level antivirus application has quarantined or deleted a log file
because it detected a virus in one of them. If you are running file-level
AV, then you need to make sure you exclude all of the exchange directories,
especially the log file directory and database directory:
-Exchange databases and log files
-Exchange .mta files (default location: \Exchsrvr\Mtadata)
-Exchange message tracking log files (default location:
\Exchsrvr\Server_Name.log)
-Virtual server folders (default location: \Exchsrvr\Mailroot)
-Site Replication Service (SRS) files (default location: \Exchsrvr\Srsdata)
-Internet Information Service (IIS) system files (default location:
\%SystemRoot%\System32\Inetsrv)
-Internet Mail Connector files (default location: \Exchsrvr\IMCData)
-The working folder that is used to store streaming temporary files that
are used for message conversion. By default, this working folder is located
at \Exchsrvr\MDBData.
-A temporary folder that is used in conjunction with offline maintenance
utilities such as Eseutil.exe. By default, this folder is the location that
you run the .exe files from, but you can configure this when you run the
utility.
-DC's sysvol folder and all its subfolders (C:\Windows\Sysvol)
See:
823166 Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/?id=823166
822158 Virus Scanning Recommendations on a Windows 2000 Domain Controller
http://support.microsoft.com/?id=822158
Please do not hesitate to let me know if you have any further concerns.
Have a nice day!
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
----------------------------------------------------------------
Из всего этого следовало, что испортился файлик Secedit.sdb в каталоге %SystemRoot%\Security\Database
но в моем случае его там вообще не оказалось, и поэтому есстественно что рекомендации типа "Run esentutl /g to check the integrity of the security database %%windir%%\security\Database\secedit.sdb" не помогали. Решилось все совсем просто, база пересоздалась сама в момент когда я забэкапил файлы логов, перенеся из в другую папку, видимо они тоже были испорчены.
Не совсем понятно как он мог исчезнуть, но в его убийстве я подозреваю Др.Веба. Поэтому пока просто добавил рекомендованные папки в исключения.