DOCUMENT:Q136251 08-AUG-2001 [winnt] TITLE :System Log Event 5705 with > 500 Security Object Changes PRODUCT :Microsoft Windows NT PROD/VER:winnt:3.5,4.0 SP5 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 4.0 SP5 - Microsoft Windows NT Server versions 3.5, 4.0 SP5 ------------------------------------------------------------------------------- SYMPTOMS ======== The following event appears in your backup domain controller (BDC) system log: Date: N/A Event ID: 5705 Time: N/A Source: NETLOGON User: N/A Type: Error Computer: BDC Category: None Description: The change log cache maintained by the Netlogon service for database changes is corrupted. The Netlogon service is resetting the change log. Data, Byte: 000: 02 CAUSE ===== This problem occurs, if you enable auditing of security objects and more than 500 changes are made to an individually replicated security object from the Security Account Manager (SAM), local security authority (LSA), or built-in databases. How Event ID 5705 is Triggered with the Netlogon Service -------------------------------------------------------- On a heavily used server configured to audit many objects, if the security log fills up, the LSA security object is updated with each attempt to record an event in the full security log. With each LSA update a change is registered in the Netlogon change log file. If more than 500 of these events occur within the primary domain controller (PDC) to BDC Netlogon update cycle, the PDC does not replicate the individual changes to the BDCs, but sends a record that indicates a serial number skip and another record with the entire object that contains the accumulation of all changes. When the BDC encounters the skip in serial numbers, it records Event 5705 in the BDC system log. RESOLUTION ========== To work around this problem, prevent the security log from becoming full by doing one or more of the following: - Clear the security log more frequently. - Set the security log to overwrite events when it gets full. - Audit fewer items. Additional query words: prodnt ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW400sp5 kbWinNTSsearch kbWinNTS400sp5 kbWinNTS400search kbWinNTS350 kbWinNTS350search Version : winnt:3.5,4.0 SP5 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.