Event ID 34 — NLB Host Configuration

Event ID 34 — NLB Host Configuration

Updated: November 25, 2009

Applies To: Windows Server 2008 R2

Hosts in a Network Load Balancing (NLB) cluster are configured to load balance network traffic. Host configuration is set by using NLB Manager, and if it is not configured properly, the NLB cluster may not function correctly.

 

Event Details

Product: Windows Operating System
ID: 34
Source: Microsoft-Windows-NLB
Version: 6.1
Symbolic Name: MSG_ERROR_REGISTRY
Message: NLB cluster [%2]: NLB failed to query parameters from the registry key HKLM\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\%3. This might be due to an improper configuration. Please use Network Load Balancing Manager to configure NLB. Once the configuration is fixed, you should run the PowerShell cmdlet ‘Set-NlbClusterNode -Reload’ followed by ‘Start-NlbClusterNode’.

Resolve
Confirm NLB configuration settings

If Network Load Balancing (NLB) is unable to process its configuration settings, you should confirm that the settings are correctly configured, and then, if changes are made, restart the NLB cluster.

When you are using NLB Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running NLB Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

Confirm the NLB configuration

To confirm the NLB configuration:

  1. Click Start, click Administrative Tools, and then click Network Load Balancing Manager. You can also open NLB Manager by typing Nlbmgr at a command prompt.
  2. If NLB Manager does not already list the cluster, connect to the cluster.
  3. Right-click the cluster, and then click Cluster Properties.
  4. As required, reconfigure the properties.

When you are using nlb.exe, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running nlb.exe from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

Restart the NLB cluster

To restart the NLB cluster:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type nlb.exe reload, which reloads the NLB driver’s current parameters from the registry.
  3. Type nlb.exe start, which starts cluster operations on the specified hosts.

Verify

When you are using nlb.exe, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running nlb.exe from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

To verify that all Network Load Balancing (NLB) hosts are in the converged state:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type nlb.exe query, which displays the current cluster state and the list of host priorities for the current hosts of the cluster.
  3. Confirm that all hosts display converged as their current state.

Related Management Information

NLB Host Configuration

NLB Cluster

Related:

Event ID 34 — AD CS Online Responder Service

Event ID 34 — AD CS Online Responder Service

Updated: November 27, 2007

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 34
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_E_CACONFIG_SUBMIT_ENROLLMENT_REQUEST_FAILED
Message: Online Responder Service: For configuration %1, an error occurred while submitting the enrollment request to the certification authority %2.%3(%4)

Resolve
Submit an enrollment request for a properly configured signing certificate

 To resolve this problem:

  • Follow the procedure in the “Enroll manually for an OCSP Response Signing certificate” section.
  • If enrollment for an OCSP Response Signing certificate was successful but the certificate cannot be used by the Online Responder service, complete the procedure in the “Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE” section.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Enroll manually for an OCSP Response Signing certificate

To manually enroll for an OCSP Response Signing certificate:

  1. Click Start, type mmc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the Computer account check box, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. Double-click Personal, and then double-click Certificates.
  7. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.
  8. Use the wizard to complete the enrollment process.

Note: The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment. If the OCSP Response Signing certificate template was configured for autoenrollment, you can use the same procedure but open the Certificates snap-in for the Online Responder service account rather than the computer account.

If the certificate enrollment process fails, then it may be that:

  • There is a problem connecting to the CA. Confirm that the computer on which the Online Responder service is running can connect to a CA. 
  • The OCSP Response Signing certificate template has not been configured with Read and Enroll permissions for the computer account on which the Online Responder has been installed. Open the Certificate Templates snap-in, right-click the OCSP Response Signing certificate template, click Properties, and then click the Security tab to confirm that the computer running the Online Responder has these permissions.
  • The OCSP Response Signing certificate template has not been properly configured for use by the CA. Click Start, point to Administrative Tools, and click Certification Authority on the CA, and click the Certificate Templates container to confirm that it contains the OCSP Response Signing template.

Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE

To ensure that the private key for the OCSP Response Signing certificate is accessible to NETWORK SERVICE:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and click Add.
  4. Click Computer account, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. In the console tree, double-click Certificates, double-click Personal, and click Certificates.
  7. In the details pane, click OCSP Response Signing.
  8. On the Actions menu, point to All Tasks, and click Manage Private Keys.
  9. Click Add, type NETWORK SERVICE, and then click OK.
  10. Ensure that only the Read permission is allowed for NETWORK SERVICE, and then click OK.
  11. Restart the Online Responder service.

If the OCSP Response Signing certificate is not valid for signature purposes, enroll for a certificate that includes the id-kp-OCSPSigning enhanced key usage, labeled OCSP Signing (1.3.6.1.5.5.7.3.9).

If the error persists, check the event log on the CA for any other events related to enrollment failures. For more information, see Troubleshooting: AD CS – Certificate Request (Enrollment) Processing (http://go.microsoft.com/fwlink/?LinkId=104210).

Resolve any issues related to processing requests for OCSP Response Signing certificates, and then restart the Online Responder service to attempt the request again. 

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, clickStart, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
  6. Open a command prompt window.
  7. Type certutil -url<exportedcert.cer> and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.

Related Management Information

AD CS Online Responder Service

Active Directory Certificate Services

Related:

The time service has detected that the system time needs to be changed by %1 seconds. The time service will not change the system time by more than %2 seconds. Verify that your time and time zone are correct, and that the time source %3 is working properly.

Details
Product: Windows Operating System
Event ID: 34
Source: w32time
Version: 5.2
Symbolic Name: MSG_TIME_CHANGE_TOO_BIG
Message: The time service has detected that the system time needs to be
changed by %1 seconds. The time service will not change the system
time by more than %2 seconds. Verify that your time and time zone
are correct, and that the time source %3 is working properly.
   
Explanation

The Windows Time Service protects the local computer’s time by permitting a certain amount of difference in time between the computer and the time source. The specified time difference between the source and the computer is greater than the amount allowed by the time service.

   
User Action

Verify that the computer’s time and time zone are configured correctly.

If the computer’s time is significantly different from the actual time, you can manually configure it. To manually configure the time, in Control Panel, open Date and Time. After you manually configure the time, the time source will then be able to accurately maintain the computer’s time. Alternatively, run the W32tm.exe tool w32tm/resync command line option to synchronize the time.

Related:

An error occurred while trying to determine the number of mouse buttons.

Details
Product: Windows Operating System
Event ID: 34
Source: i8042prt
Version: 5.0
Component: System Event Log
Symbolic Name: I8042_ERROR_DURING_BUTTONS_DETECT
Message: An error occurred while trying to determine the number of mouse buttons.
   
Explanation

This event record indicates that this mouse might be damaged, or the connections to it might be loose. It is also possible that the mouse port itself might be damaged.

   
User Action

Check the connections. If you still get this message, try using a different mouse. If that does not correct the problem, try substituting a serial mouse.

Related: