EVENT ID 12317

We’ve seen numerous reports of the following event within Microsoft and from our customers.
EVENT LOG Application
EVENT TYPE Warning
SOURCE SRMSVC
EVENT ID 12317
COMPUTERNAME SERVER2
TIME 5/1/2006 12:15:45 PM
MESSAGE File Server Resource Manager failed to enumerate share paths or DFS paths. Mappings from local file paths to share and DFS paths may be incomplete or temporarily unavailable. FSRM will retry the operation at a later time.
Error-specific details:
Error: (0x80070005) Access is denied.
Although this event doesn’t affect quota functionality, the fact that it occurs hourly has prompted numerous support calls from customers. We’ve isolated the cause and the solution for this event…well, most of the cause anyway.
An Event 12317 showing access denied is caused when the NT AUTHORITY\Authenticated Users group is not a member of the BUILTIN\Users group in the domain. (As you might know, the local BUILTIN\Users group on a domain controller is mapped to the domain built-in group Users. Therefore, the effect of removing NT AUTHORITY\Authenticated Users from the BUILTIN\Users group on a domain controller has a domain-wide effect.)
Why does this cause the event error? Because the DFS RPC endpoint is configured to allow both BUILTIN\Administrators access and BUILTIN\Users access, the latter of which is assumed to contain NT AUTHORITY\Authenticated Users (the default setting). Without NT AUTHORITY\Authenticated Users in the mix, the NetDfsEnum API fails to enumerate the domain-based roots because the FSRM service is authenticating with that identity. The resulting ERROR_ACCESS_DENIED error causes the event to fire.
What we haven’t solved is why NT AUTHORITY\Authenticated Users would be removed from the BUILTIN\Users group. We’ve looked for Active Directory guidance indicating this is a best practice, but we couldn’t find any. We suspect that admins might intentionally remove this group in an attempt to increase security.
So, to resolve this event, add NT AUTHORITY\Authenticated Users to BUILTIN\Users group on the PDC emulator. You can check this by launching Active Directory Users and Computers and looking in the Builtin folder for the domain. The Users group must contain the Authenticated Users group. If it does not, you can add it using the snap-in. Next, stop and restart the FSRM-related services (srmreports and srmsvc) on the file servers where FSRM is running.

 

Comments

Post a Comment

Popular posts from this blog

Exchange Server Error -1018: How Microsoft IT Recovers Damaged Exchange Databases

Image
I found this paper on the showcase site from microsoft I hope it is of help to you. It sure helped me!     Technical White Paper Published: August 1, 2005 Executive Summary Error –1018 (JET_errReadVerifyFailure) is a familiar—and dreaded—error in Microsoft® Exchange Server. It indicates that an Exchange database file has been damaged by a failure or problem in the underlying file system or hardware. This paper explains the conditions that result in error –1018. It also covers the detection mechanisms that Exchange uses to discover and recover from damage to its database files. The Microsoft Information Technology group (Microsoft IT) runs one of the most extensive Exchange Server organizations in the world. Exchange administrators at Microsoft have investigated and recovered from dozens of –1018 error problems. This paper shows you how Microsoft IT monitors fo
Read more

Server and Domain Isolation Using IPsec and Group Policy

Image
Microsoft Solutions for Security and Compliance Server and Domain Isolation Using IPsec and Group Policy © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Table of Contents Chapter 1: Introduction to Server and Domain Isolation. 1 Executive Summary. 1 Who Should Read This Guide. 2 The Business Challenge. 3 The Business Benefits. 3 The Technology Challenge. 4 Creating a Project Team.. 6 Guide Overview.. 7 Chapter 1: Introduction to Server and Domain Isolation. 7 Chapter 2: Understanding Server and Domain Isolation. 7 Chapter 3: Determining the Current State of Your IT Infrastructure. 7 Chapter 4: Designing and Planning Isolation Groups. 8 Chapter 5: Creating IPsec Policies for Isolation Groups.
Read more

[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute

Image
I had the error below in my application eventlog.     Event Type:    Error Event Source:    Userenv Event Category:    None Event ID:    1085 Date:        30-09-2008 Time:        15:20:30 User:        NT AUTHORITY\SYSTEM Computer:    TBG-TS01 Description: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .   My problem was with my site to zone assignment list I used a wildcard like this: “ *microsoft.com ” but what you need to do is this “ *.microsoft.com ” So it is safe to say that the documentation from microsoft needs some sort of an update stating that you can only use a wildcard infront of dot. Below is the microsoft explaination:   This policy setting allows you to manage a list of sites that you want to associate with a particular s
Read more