Event ID 26004 from DHCP MP

alex · January 19, 2021, 7:44am

Have a lot of 26004 events on SCOM server (all about DHCP).

I’ve added SCOM Action Account to “Event log readers” group on all dhcp servers (as per https://jurelab.wordpress.com/2015/02/18/failed-accessing-windows-event-log-on-management-server-warning-state-event-id-26004/) but it didn’t help. Maybe somebody knows how to resolve this issue.

The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer 'dhcp.domain.com. The Provider has been unable to open the DhcpAdminEvents event log for 3600 seconds.

Most recent error details: Access is denied.

One or more workflows were affected by this.

Workflow name: Microsoft.Windows.DHCPServer.2012.FailoverServerWatcher.UnitMonitor.LostCommunicationWithfailoverPartnerServer
Instance name: dhcp1.domain.com-dhcp2.domain.com
Instance ID: {someID}
Management group: MGGROUPname

jan-e · January 19, 2021, 7:45am

Hi,

please check if the log exits on theses Servers.

In my case these log doesn’t exits and i disabled all workflows which check this log

alex · January 19, 2021, 7:48am

The problem was solved after adding SCOM Action Acoount into “Event log readers” group on all dhcp servers and rebooting SCOM management servers.

doju · January 19, 2021, 7:46am

Hi All,

RE: The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer
The Provider has been unable to open the DhcpAdminEvents event log for 8640 seconds.
Most recent error details: Access is denied.

We are using OM1807 however Management Group Health / Management Group Infrastructure (Operations Database, OM Management Group and OM Management Servers”) still reporting ‘Access Denied’ despite:

Adding OMAction account to Event Log Readers on Domain and rebooting OM1807 Server

DhcpAdminEvents exists:
On OM1807 Server: wevtutil qe DhcpAdminEvents /r:DCServer1 /u:DOMAIN\OMAction

Returns:
<SNIP> Z’/><EventRecordID>10700</EventRecordID><Correlation/><Execution ProcessID=’73612′ ThreadID=’73284’/><Channel>DhcpAdminEvents</Channel>
Name=’OldState’>COMMUNICATION_INT</Data><Data Name=’NewState’>NORMAL</Data></EventData></Event>

Any assistance greatly appreciated!

jurelab · January 19, 2021, 7:46am

Hi All,

Please check Firewall Rule => Remote Event Log Management (RPC)

alex · January 19, 2021, 7:46am

It exist.

Jelly · January 19, 2021, 7:46am

Adding the SCOM MSA account is heavy-handed. The SCOM agent should have all the permissions it requires as it will likely be running as LocalSystem - Can you confirm this? (services > Microsoft Monitoring Agent)

alex · January 19, 2021, 7:46am

Yes, it’s running as LocalSystem. I think that I fixed the problem. Have recently rebooted all management servers (after added SCOM Action account in Log readers group on dhcp servers). After that all errors gone. I’ll check if errors still exists few hours later.