System Log Event 5705 with > 500 Security Object Changes (136251)
The information in this article applies to:
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 4.0 SP5
This article was previously published under Q136251

SYMPTOMS
The following event appears in your backup domain controller (BDC) system log:
Date: N/A Event ID: 5705
Time: N/A Source: NETLOGON
User: N/A Type: Error
Computer: BDC Category: None
Description:
The change log cache maintained by the Netlogon service for database
changes is corrupted. The Netlogon service is resetting the change log.
Data, Byte:
000: 02

CAUSE
This problem occurs if you enable auditing of security
objects and more than 500 changes are made to an individually replicated
security object from the Security Account Manager (SAM), local security
authority (LSA), or built-in databases.

How Event ID 5705 Is Triggered with the Netlogon Service
On a heavily used server configured to audit many objects, if the
security log fills up, the LSA security object is updated with each attempt to
record an event in the full security log. With each LSA update a change is
registered in the Netlogon change log file. If more than 500 of these events
occur within the primary domain controller (PDC) to BDC Netlogon update cycle,
the PDC does not replicate the individual changes to the BDCs, but sends a
record that indicates a serial number skip and another record with the entire
object that contains the accumulation of all changes. When the BDC encounters
the skip in serial numbers, it records Event 5705 in the BDC system
log.

RESOLUTION
To work around this problem, you can use any of the
following methods to prevent the security log from becoming full:
- Clear the security log more frequently.
- Set the security log to overwrite events when it gets full.
- Audit fewer items.
You must change the security log settings to Overwrite as Needed at the PDC and apply the settings to all potential BDCs. You do
not have to restart the computer, but if you are prompted to clear the existing
security log, do so.
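
The mechanism described under CAUSE can be reproduced with a small model. This is an added example, not Microsoft code and not the Netlogon wire format: the class names, the record kinds (DELTA, SKIP, FULL) and the object name "LSA" are hypothetical, and only the 500-change threshold and Event ID 5705 come from the article.

```python
from collections import defaultdict

SKIP_THRESHOLD = 500  # article: "more than 500 changes" to one object per cycle
EVENT_ID = 5705       # logged by the BDC when it meets a serial number skip


class PDC:
    def __init__(self):
        self.serial = 0
        self.pending = defaultdict(list)  # object -> [(serial, value), ...]

    def change(self, obj, value):
        """Register one change in the (modelled) Netlogon change log."""
        self.serial += 1
        self.pending[obj].append((self.serial, value))

    def build_update(self):
        """Return the records sent to BDCs for this update cycle."""
        records = []
        for obj, changes in self.pending.items():
            if len(changes) > SKIP_THRESHOLD:
                # Too many changes: send a skip marker plus the whole object.
                last_serial, last_value = changes[-1]
                records.append(("SKIP", last_serial, obj, None))
                records.append(("FULL", last_serial, obj, last_value))
            else:
                records.extend(("DELTA", s, obj, v) for s, v in changes)
        self.pending.clear()
        return records


class BDC:
    def __init__(self):
        self.db = {}
        self.system_log = []

    def apply(self, records):
        for kind, serial, obj, value in records:
            if kind == "SKIP":
                self.system_log.append((EVENT_ID, obj))  # change log is reset
            else:
                self.db[obj] = value  # DELTA or FULL both update the object


def run_cycle(failed_audit_writes):
    """One update cycle in which a full security log causes N LSA updates."""
    pdc, bdc = PDC(), BDC()
    for i in range(failed_audit_writes):
        pdc.change("LSA", i)
    bdc.apply(pdc.build_update())
    return bdc
```

In this model, 500 updates in a cycle replicate as individual changes and log nothing, while 501 produce one Event 5705 entry; in both cases the BDC ends the cycle holding the same object value as the PDC.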

Modification Type: Major
Last Reviewed: 6/6/2003
Keywords: KB136251