RAID Admin Event Log?

Similar Messages

• RAID Admin logs problem -- how to avoid 2-day truncation?

  Folks:
  I have a problem that appears to have started about April 5 when I updated RAID Admin and Xerve RAID firmware to latest versions. Since then, I'm only seeing last two days of entries in the log (ie: what you see in the "Events" tab in RAID Admin). Strangely, entries up to to April 5 are preserved.
  Of course I did't notice this until some was already lost. But now I want to fix it. I don't see any setting for "max log length" or similar.
  Further more, I could use an explanation of where this log lives -- is it something that RAID Admin retrieves from the RAID box, or is it somehow preserved on the computer running RAID Admin or what?
  Thanks,
  Graham

  Simply? There is no simple way.
  But if you will accept a way that is not so simple, there is a company that sells a product that allows you to run a Java class as a service under NT. I don't remember its name but it has been named several times in the past in answers to this same question. A search of the forums would probably find it.

• Raid performance deteriorates, looses drive, but no messages in event log

  We have a PATA XServer Raid running, which was fine until a few weeks ago. Suddenly performance tanked, writing a 70 MB file via a 100 Mbps network would take an hour.
  The Raid volume, a 6 drive 250 GB raid with one hotspare, had 100 GB left.
  First we thought it was the network, there was a loose DHCP server, but nothing was available that could really explain the performance deterioration. The only thing that was noticed was that with Helios Lan test the first write to the raid would take more time as the subsequent writes. So we decided to upgrade the firmware and do a volume test, with diskutility. That gave a interleaf problem.
  After upgrading the network (which was planned anyway) to 1 GBps, we rebooted the Xserve and the Raid. Now, the 6th drive had an orange status in Raid Admin, a warning, saying it was part of an Unknown Array. The 7th drive, the hot-swap, was now part of the Raid.
  The strange thing is that in the event log there are no messages what so ever about a failed drive, nor any other messages relating to this. All I get is Coprocessor offline/Online, Raid Controller Restarted and Riad Controller 1 Fibre LIP, and Firmwareupdate
  I also noticed that the time was off to local time, so I synchronized both to time.euro.apple.com.
  Shouldn't we be getting messages something is very wrong in the event log?
  XServe G5 Xserve Raid   Mac OS X (10.3.9)  

  We updated the firmware to 1.5.1. After that, the network switch was replaced by a 1Gbps switch, and the XServe and the XServe raid were rebooted. After that one of the people discovered that disk 6 had an orange led burning.
  XServe G5, XServe Raid   Mac OS X Server (10.3.9)   Raid Firmware 1.5.1

• Creating a Custom Event Log View Shortcut on a server desktop for an admin

  Good morning,
  We have a new admin starting and I would like to create custom event log view shortcut on there desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
   I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.

  Hi,
  Based on my research, you can create a custom view like
  this.However, I tried miltiple ways to create a shortcut of the custom view of the event viewer and no result. I can only create a shortcut of the event viewer. You may need a script can achieve that.
  Best regards,
  Susie

• Where can I find Event Log ID's, produced by Intel ICH9R RAID controller on Windows Server 2003?

  I need to monitor RAID errors and events by parsing Event Log, but I need a list of possible errors that I can find in event log. I'm using Intel ICH9R RAID controller. Server manufacturer (SuperMicro) said, that errors, produced by controller, are interpreted
  by Winows and than are put to Event Log, so I need to find this info somewhere else.

  Hi,
  As far as I know, there isn’t such as list present those Event Log ID’s for Intel ICH9R RAID controller, you may contact Intel to perform
  the further research, you may also wait for other customer's experience sharing on this.
  By the way, based on my experience, most of the IT guys will use the monitor application/toolkit comes with the RAID controller, so you may contact Intel
  also to get more information. Thanks for your understanding.
  Best Regards,
  Vincent Hu

• No event logs when RAID fails in Server 2008 and R2

  From what I'm finding out (by web searching) they forgot to include event logging in Server 2008 for when a Windows software RAID fails in some way such as missing disk, failed redundancy, etc. This is REALLY annoying as I was trying to setup email notifications
  for when this happens so I can fix it. I'm just using this on my servers at home, so I'm not big on the idea of spending a lot of money on a hardware RAID, it just does some simple network file sharing and streaming and software RAID is fine. Is there anyway
  to get this to work properly, like it used to?! Hotfix? Sacrifice a small animal? Free third-party tools that would work if nothing else? Would a MOM server be able to notify me? (been considering setting up one of those and SCCM to mess with)

  Thanks guys for chiming in. The only way Microsoft will know this is a big deal (you would think they would, but apparently not), is for people to complain. I found this out myself when I was trying to set up event triggered tasks to email on low disk space
  and RAID failure, only to find no events are created on RAID failures!
  I have setup a SCOM 2007 R2 server in my testing environment. It registers and alerts me for low disk space just fine, but the availability monitor is not tripped when I break a RAID volume. I have tried offlining a disk, which results in failed redundancy,
  and also shutting down the VM and removing a drive, and neither seems to trip an alert. Do I have to do something to get it to monitor correctly?

• Big Events.log in $COMMON_TOP/admin/log

  Hello,
  I have noticed there are always many logs in the $COMMON_TOP/admin/log. Apart from the concurrent managers logs etc, there are those Events.logs which can grow to any size as long as the apps keeps running.
  New ones are however created upon restart of apps and I can clear the old ones.
  I will like to reduce what is written to the Events.log so that they do not grow too big. Can someone let me how to do this or point me to an article on these logs?
  Regards

  I have found the solution I wanted and I think it may be useful to someone later and that is why I am posting this.
  Those LARGE eventxx.logs under $COMMON_TOP/admin/log are Fulfillment Server logs and looking through them, I don't really know their benefits and I have been deleting them but I can swtich off the loggings now.
  This is detailed in the metalink note ID 601375.1
  I got this when I came across this link on the internet:
  http://newappsdba.blogspot.com/2008/12/huge-eventslog-files-in-applcsfappllog.html
  Regards
  Edited by: user12191278 on 18-Jan-2010 05:24

• Can I use rebuild parity data in raid admin with these conditions?

  4 disks in array, one went bad, replaced disk (same type of disk). Light on slot is red but in raid admin its says in event log that disk 2 is online, but when I select the drive to check info on that drive it says disk not installed. If I use the rebuild parity data function will it only rebuild the data from the 3 disks?
  will disk 2 be recognized?
  It seems I am getting conflicting info from raid admin and indicator lights on disk slot. I took the drive back out checked connections and rebooted the xraid.
  I thought the array would rebuild itself when the new drive was inserted, am I missing something?
  Thanks

  Sometimes you have to go into the RAID utilities and use "make drive available" option.

• Can't perform any functions on my new drive from Raid admin?

  I had a drive go bad in my Raid, (amber light) raid admin stated that the array was degraded and the drive was unknown.
  I ordered a new drive (same type of drive) inserted new drive and a red light was above disk slot and the data would not rebuild automatically. In Raid admin it stated that the drive was not installed but that the disk was online in the events log. (that seemed conflicting to me)
  I placed the old disk back in just for giggles to see if I could do anything with rebuilding parity data and none of the functions in the utility will let me do anything, Raid admin only shows that I have 3 disks in my array. It will not include the 4disk as part of the array. It says alredy belongs to ma raid set but will not let it be included with raid 1
  If I have another disk go bad I am sunk.
  I am fairly new at messing with raid set ups. I know we are set up with a RAID 5 with 4 disks.
  I am just nervous to do anything with the data I already have thinking I am gonna wipe something out.
  Any suggestions would be great.

  Have you read this post?  may help you
  https://discussions.apple.com/message/18149044#18149044

• Raid Admin on 2nd ethernet controller, is firmware safe?

  Hi,
  Have an XRAID and am having problems using the Admin util to configure new set of drives. Admin util does not work with gathering the right info and letting me make changes.
  BACKGROUND=
  Was initially built with 7 drives in the first controller and used for editing. Built fine RAID5, in use for several months. Network monitoring port is not connected and was only used during setup. No changes to ip's were made.
  Several months later (that being now). We need to the second controller for a seperate host. Aquired 7 drives, physically inserted them into the XRAID, lights went red then green. All green lights.
  Went to configure. Connected ethernet monitor port on the 2ND controller (never before used) to a hub and a machine used to configure / run RAIDAdmin. Finds it via rendezvous / bonjour (whatever they call it) connect to it. Admin says Gathering info and hangs.
  Lights show up in RAIDAdmin as orange | red | nothing | red
  It gives me some info such as location, and event log. Can view event log back several weeks etc. However it does NOT give me any info on drives, luns, hardware nothing.. shows the drives as not installed. Including the 7 on the left which are currently operational.
  tried restarting raid2 controller. Made changes to ip etc which did not save either.
  Then tried the other top ethernet port, the used on the first install. Could not be found running via the admin util. Tried tcpdumping the hub and finding what ip but there was nothing. Tried putting a dhcp server on the network nothing.
  BACKGROUND-
  Am I doing something wrong? The big question I have at this stage is doing the firmware upgrade to 1.5 safe?. Its the last thing I havnt done. Its still the same as out of the box.
  How likely is it to succeed updating for one. Two for fixing my problem with not being able to admin the raid. What possible problems could i be faced with, the READ ME FIRST makes no mention of dangers such as the RAID being destroyed etc. or is that not a possibility? I do not want to affect the current RAID on controller 1.
  p.s sorry if its long winded. like to give details. thanks.

  I imagine that its some web server/ snmp thing that runs on the xraid and just binds to both ips to allow access. The first one, say eth0 i used when i first set it up and worked fine and have tried it periodically to check things. This one now doesnt work as far as i cant find the ip it has or connect to it. Lights on back are fine. No traffic on hub though.
  2nd one, call it eth1. the one ive first started using now is its first use as far as i recall. It is the one that half works that just keeps trying to gather info and not get anywhere.
  I might try running the RAIDAdmin on another monitor system. The more I think about it im just not sure if its the management bit or the monitoring system. The monitoring system is the same as the one used previously.
  I do not look forward to having to recover terabytes

• Questions about BT Home Hub 4A event log - WIFI c...

  Hope someone can help please ?
  I had BT inifinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
  This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
  I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks.  I restored network settings and other options suggested by Apple but to no avail.
  I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices.  I went into the hub management page but I am not smart enough to decifer the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
  The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
  On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DCHP ? or is this (Static ? alright)
  The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
  Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
  Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
  Is there any setting I can change to fix this because I am concerned the same this will happen to the other devices and then the laptop....
  What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
  I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
  Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
  Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse. 
  Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
  Please can you review the event log and my questions ?
  Many thanks
  angie 2601 
  The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
  (Latest (7.16am) at the top
  Message
  07:16:39, 08AUG
  (1224785.050000) Admin login successful by 192.168.1.64 on HTTP (1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP (1224648.050000) New GUIsession  from IP 192.168.1.64
  (1224466.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
  IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
  wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client  disassociated
  (1224362.750000) lease for IP 192.168.1.65 renewed by host Unknown­ d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1224362.750000) Device connected: Hostname:Unknown-d8:d1:cb:ec:a6:feiP:
  192.168.1.65 MAC:d8:dl:cb:ec:a6:fe lease time: 1440 min. link rate:90.0 Mbps
  (1224362.690000) Lease requested
  wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
  (1224241.150000) lease for IP 192.168.1.64 renewed by host FAMILY (MAC
  00:13:02:de:6d:e6). Lease duration:1440 min
  (1224241.150000) Device connected: Hostname: FAMii.Y IP:192.168.1.64 MAC:
  00:13:02:de:6d:e6 Lease time: 1440 min. link rate: 54.0 Mbps
  (1224241.090Cl00) Lease requested
  wlan1TA  00:13:02:de:6d:e6 IEEE 802.11:Client associated
  OUT: BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:34905->31.13.72.38:443 on ppp1)
  (1223644.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
  IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
  wlanl: STA d8:d1:cb:ec:a6:-fe IEEE 802.11:CHent diSassociated
  (1223489.390000) Lease for IP 192.168.1.65 renewed by host Unknown­ d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1223489.380000) Device connected:Hostname:Unknown-d8:dl:cb:ec:a6:fe IP:
  192.168.1.65 MAC: d kd1:cb ec:-a6-:fe Lease time: 1440 min. Link  rare: 90.0 Mbps
  (1223489.330000) Lease requested
  wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client  associated wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disasSociated
  wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
  OUT;BLOCK [9] Packet i valid in connection (TCP
  192.168.1.66:34375->31.13.72.38:443 on pppl)
  l'N':BLOCK [16-} Remote administration {ICMP type 8 code 0
  117.1.42.94->86.182.228.205 on ppp1)
  IN: BLOCK [9] Packet invalid in connection (TCP
  31.13.72.33:443->86.182.228.205:44156 on ppp1) IN: BLOCK [9] Packet invalid in connection (TCP
  31.13.72.33:443->86.182.228.205:36615 on ppp1)
  OUT: BLOCK [9] Packet invalid  in connection (TCP
  192.1-68.1.68:49476->173.252.103.16:443 OR ppp1)
  BLOCKED 5 more  packets (because of Packet invalid in connection) OUT: BLOCK [9] Packet invalid  in connection (TCP
  192.168.1.68:49443->95.100.195.205:443 on ppp1)
  OUT:BLOCK {9] PaCket invalid in connection (TCP
  192.168.1.68:49438->95.100.194.217:443 on ppp1)
  IN:BLOCK [9] Packet invalid in connection (TCP
  95.100.194.217:443->86.182.228.205:49444 on ppp1)
  (1222111.810000) Lease for IP 192.168.1.68 renewed by host Unknown-
  70:56:81:46:bf:d9 (MAC 70:56:81:46:bf:d9).Lease duration:1440 min
  (1222111.810000) Device connected:Hostname:Unknown-70:56:81:46:bf:d9 IP:,
  192.168.1.68 MAC:70:56:8:t:46:bf:d9lease time:1440 min. Link rate:52.0 Mbps
  (1222111.750000) Lease requested  .-
  wlanO: STA 70:56:81:46:bf:d9 IEEE 802.11: Client  associated • (1222093.690000) Device dlsconn: Hostname:Unknown-
  00:25:00:b7:35:f6-2 IP: 192.168. MAC: 00:25:00:b7:35:f6 wlanoTA  00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
  OUT:BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66-:43272->31.13.72.33:443 on ppp1)
  221969.130000) lease for IP 192.168.1.67 renewed  by host Unknown-
  00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
  (1221969.130000} Devicconnected: Hostname·:Unknowwoo·:25:00:b7 35:f6-2
  IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk  rate: 54.0
  Mbps
  (1221969.070000) Lease requested
  wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
  (1220365.290000) Device disconnected: Hostname:Unknown-
  00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
  (1220348.230000) Lease for IP 192.168.1.67 renewed by host Unlmown-
  00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6).lease duration: 1440 min
  (1220348.230000) Device connected: Hostname:Unknown-00:25:00:b7:35:f6-2
  IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
  Mbps
  (1220348.170000) lease requested
  wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
  IN: BLOCK f16] Remote administration (TCP
  123.151.42.61:12233->86.182.228.205:8080 on ppp1) OUT: BLOCK [9] Packet invalid  in connection (TCP
  :t92.Hi8.1.66:53813->31.13.72.33:443 on ppp1)
  OUT:BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:43989->31.13.72.33:443 on ppp1)
  IN: BLOCK [16] Remote administration (ICMP type 8 rode 0
  2.7.251.109.227->86.182.228.205 on pppl)
  (1216770.650000) Device disconnected:Hostname:Unknown-
  00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
  OUT:BLOCK [9j Packet invalid in connection (TCF
  192.168.1.67:49180->74.125.136.109:993 on ppp1)
  wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
  (1216753.280000) Lease for IP 192.168.1.67 renewed  by host Unknown-
  00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
  (1216753.270000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2
  IP: 192.168.1.67 MAC: 00:25.:00-:.b7.:35:f6 Lease time: 1440 min. Unk  rate: 54.0
  Mbps
  (1216753.220000) lease requested
  wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client assodat
  OUT: BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:55944->23.21.78.229:443 on ppp1)
  OUT: BLOCK [9J  Packet invafid in connection (TCP
  192.168.1.66:34794->31.13.72.33:443 on ppp1)
  OUT:BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:41441->31.13.72.33:443 on ppp1)
  {1213176.020000) Device disconnected:.Hostname:Unknown-
  00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC:00:25:00:b7:35:f6 wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
  (1213158.410000) Lease for IP 192.168.1.67 renewed  by host Unknown-
  00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min                           _./:\ (1213158.400000) Device connected:Hostname:Unknown-00:25:00:b7:35:ftt.Y IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min.Unk rate: 54.0
  Mbps
  (1213158.340000) Lease requested
  wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
  OUT:BLOCK (9] Packet invalid in connection (TCP
  192.168.1.66:59767->176.34.180.243:443 on ppp1) OUT;BLOCK [9] P.acket invalid in connection {TCP
  192.168.1.66:56075->31.13.72.33:443 on ppp1) OUT: BLOCK [9] Packet invalid  in connection (TCP
  192.168.1.66 581:1:0->31.13.72.33:443 on ppp1)
  BL.OCKED 2 more packets (because of Packet invalid in connection) OUT:BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:56251->31.13.72.33:443 on ppp1)
  OUT:BLOCK [9] Packet invalid in connection (TCP
  192.168.1.66:36959->31.13.72.33:443 on ppp1)
  BlOCKED 1more packets (because of Packet invalid in connection)

  It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
  If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly when ever they need to
  See link how to change SSid.
  http://bt.custhelp.com/app/answers/detail/a_id/445​04/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL​...
  Once you have changed the SSid I would delete the network connection on the Ipod touch and start again.

• Exception write to event log when user not found in active directory

  I'm trying to use a exception to write to a event log to show which user did not get imported from my csv file. Any help to write this exception is appreciated. Thanks
  Import-CSV $importfile | ForEach-Object{
  $samaccountname = $_.sAMAccountName.ToLower() #samaccountname on csv file
  Try {
  $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$samaccountname)" #Filter user by samaccountname
  Catch
  write-host "Users did not exist." #user does not exisit

  To your question:
  "How can I create a new event log every time without saving to the original event log textfile?"
  The answer provided by Mike Laughlin doesn't require you save anything to a text file - so either I'm misunderstanding this follow-up, or you are misunderstanding Mike's post. :)
  To answer your other follow up... try:
  $goodCount = 0
  $badCount = 0
  Import-Csv $importFile | ForEach {
  $SamAccountName = $_.SamAccountName
  try {
  $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
  $goodCount++
  } catch {
  Write-EventLog # <-finish this command however you want
  $badCount++
  write-host "Users imported: $goodCount"
  write-host "Users not imported: $badCount"
  G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin
  Blog:gsamuelhays.blogspot.com
  twitter:twitter.com/gsamuelhays

• Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

  I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
  I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
  I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
  Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
  Issue 1)
  After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
  Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
  I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
  Issue 2)
  I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
  https://support.microsoft.com/kb/2870416?wa=wsignin1.0
  One of the perf counters fails to register using the script from the link above.
  66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
  New-PerfCounters : The performance counter definition file is invalid.
  At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
  +    New-PerfCounters -DefinitionFileName $f
  +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo         
  : InvalidData: (:) [New-PerfCounters], TaskException
      + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
     12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
  But that one seems unrelated to the ones that still throw errors. 
  Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
  Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
  exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
  is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
  The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Issue 3)
  I appear to have some issues related to the healthmailboxes. 
  I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
  SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
  lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
  I reran setup /prepareAD to try and remedy this but I am still getting some.
  Issue 4)
  I am getting an MSExchange RBAC 74 error. 
  (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
  Issue 5)
  I am getting MSExchange Assistants 9042 warnings on both databases.
  Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
  skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
  Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
  If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
  Issue 6)
  At boot I am getting an MSExchange ActiveSync warning 1033
  The setting SupportedIPMTypes in the Web.Config file was missing. 
  Using default value of System.Collections.Generic.List`1[System.String].
  I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

  Hi Eric
  Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3^rd time. 
  I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
  I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
  If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
   So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
  Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
  I then applied an address policy to them and gave it the highest priority. 
  Then I set a default email address policy for the entire organization. 
  After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
  So issue number 3 above has not come up. 
  For issue number one above I have created a new thread:
  https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
  For issue number four I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
  Issue number Five I have managed to recreate and get rid of in more than one way. 
  If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
  If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
  The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
  If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
  So my off hand guess is that these are caused by orphaned system mailboxes.
  For issue number six I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
  So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
  The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
  Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
  Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
  to make them go away if possible.

• Allow Non-Administrator accounts to create event sources and write to event logs

  We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what it seems to be a simple solution for this
  without giving service accounts local admin rights.
  Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
  Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
  Initial tests using a .net test app seems to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
  The above method has been deployed in production and this is the most suitable solution for us.

  Hi Keong6806,
  Thanks a lot for posting and sharing here.
  Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
  Best Regards,
  Elaine
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• DFSN-Server ID 516 Flooding Event Log

  Good Day,
   Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces
  that is over 500 messages a day.
  DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
  Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server
  Admin log, so if there are any problems with the refresh they will not appear.
  The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
  Thanks,
  James

  What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
  Thank you Microsoft (sarcasm).
  If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
  My suggestion to Microsoft:  Change the severity on ID 516 to Informational.  I don't believe
  anyone would consider this routine refresh a warning-level concern!!
  yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ...
  a bit too much for a single person to manage sometimes ...
  anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning)
  and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there
  very annoying it still is in end of October, especially then I am troubleshooting a non-replication conditions without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and
  building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative
  logs in not helping with troubleshooting ...