System Log Event 5705 with > 500 Security Object Changes

The information in this article applies to:

• Microsoft Windows NT Workstation version 3.5
• Microsoft Windows NT Server version 3.5

SYMPTOMS

The following event appears in your backup domain controller (BDC) system log:

   Date:       N/A             Event ID:   5705
   Time:       N/A             Source:     NETLOGON
   User:       N/A             Type:       Error
   Computer:   BDC             Category:   None

   Description:

   The change log cache maintained by the Netlogon service for database
   changes is corrupted. The Netlogon service is resetting the change log.

   Data, Byte:

   000:    02

CAUSE

This problem occurs, if you enable auditing of security objects and more than 500 changes are made to an individually replicated security object from the Security Account Manager (SAM), local security authority (LSA), or built-in databases.

How Event ID 5705 is Triggered with the Netlogon Service

On a heavily used server configured to audit many objects, if the security log fills up, the LSA security object is updated with each attempt to record an event in the full security log. With each LSA update a change is registered in the Netlogon change log file. If more than 500 of these events occur within the primary domain controller (PDC) to BDC Netlogon update cycle, the PDC does not replicate the individual changes to the BDCs, but sends a record that indicates a serial number skip and another record with the entire object that contains the accumulation of all changes. When the BDC encounters the skip in serial numbers, it records Event 5705 in the BDC system log.

WORKAROUND

To work around this problem, prevent the security log from becoming full by doing one or more of the following:

• Clear the security log more frequently.
• Set the security log to overwrite events when it gets full.
• Audit less items.