Here’s the deal: i’ve been assigned a task, to figure out a way to rotate security logs on a Windows server, which has leveraged auditing policies.

Problem: Eventlog retention mechanism under Windows does not allow for creating new log files when the current logfile grows to a certain limit (which is plain stupid and short-sighted). Windows built in mechanism can only overwrite the oldest entries with newer ones if the logfile size limit has been reached.

After some extensive googling, i finally stumbled upon one blog entry that has put me on the right track. Microsoft does have a tool for parsing the binary logfiles (and not only that, but you’ll have to figure it out by yourself), using SQL format queries as commands. It’s called „Log Parser” (how obvious!), and is featured here.

I’ve downloaded the tool and started playing with VBScript (damn you Microsoft for not adopting Bash) and Log Parser, to get the desired result. I won’t go into details, as the file posted below is pretty self-explanatory (and well commented too).

Anyway, here’s „the result” (it’s a gzipped/tared vbscript, some antiviruses might go crazy ’bout it).

Enjoy!

P.S. I’ve yet to add a zipping function to it.
P.S.(2) It’s my first VBScript batch, please don’t laugh. Thank you.

• ntdsutil – narzędzie zarządzania Active Directory na poziomie administracyjnym (tak – wiem, masło maślane!)
• dcdiag – narzędzie diagnostyczne kontrolera domeny
• gpotool – narzędzie do sprawdzania poprawności GPO (z pakietu Windows Server 2003 Resource Kit Tools)

MSDTC Event ID 4143 and 53258 on Windows Server 2003 SP1 Domain Controller

I got hit by a problem on a freshly installed virtual machine using a slipstreamed SP1 installation and promoted to a domain controller. Two events were appearing in the event log which were unexpected.

Source: MSDTC Event ID: 4143 Information
MS DTC has detected that a DC Promotion has happened since the last time the MS DTC service was started.

followed by

Source: MSDTC Event ID: 53258 Warning
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings.

To resolve this, go through the following steps:
- Start/Administrative Tools/Component Services
- Navigate the tree view on the left to:
– Console Root
– Component Services
– Computers
– My Computer
- Right click on „My Computer” and select properties
- Select the MSDTC Tab
- Under „Transaction Configuration” near the bottom, click „Security Configuration”
- On the Security Configuration screen, just click OK – don’t change anything.
- Back on the „My Computer Properties” screen, click OK again to dismiss
- Right click on „My Computer” in the tree view and select „Stop MS DTC”
- Right click on „My Computer” in the tree view and select „Start MS DTC”
- Close the Component Services snapin.

All should now be well again. Hope this helps someone.

Źródło: link