System Log – 36886 – No suitable default server credential exists on this system

I have a DC that has been getting these errors every 25 minutes for some time now. They show up in DCDiag, which is why I was so concerned in the first place. These errors would indicate installing a CA is the way to go. That is the stupidest idea I have ever heard. You don’t install a component like a CA just to fix an error you don’t understand.

The long and short? The Loglogic application caused these and I don’t really know why. But packet sniffs bear it out.

Starting test: SystemLog
A warning event occurred. EventID: 0x00009016
Time Generated: 03/22/2020 06:51:59
Event String:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

With password being changed, I was afraid this was something that would impede logins. But, testing showed logins ok. After digging more, I found that this specific error also shows in event viewer.

More research showed that the error can indicate the lack of a Certification Authority in the AD. This is not the case here. PPS has never had a CA and has never gotten these errors in the recent past. In EV, it shows as a 36886 SChannel error.

This google shows what you get when you look for this error

Extensive research did not show any other possibilities, so Wireshark was employed to determine what the issue is. Analysis showed that the server causing the issue is the Logic Monitor server, PPSMON01, a server which curiously will not back up. I did captures on PPSAD01 and PPSAD03. They show this RST event at the exact time the error occurs in EV on that server.

Since this is a physical Dell server, and older as well, I have updated the BIOS, Firmware, Chipset and other hardware components from Dell’s support downloads. Four updates total.

This did not fix the issue.

So now I know that the machine is MON01 but I don’t know what about it is doing that. All of the updates (especially BIOS and NIC firmware) did not have an expected result. To be sure, I went to MON01 (192.168.0.187) and stopped the service right before the event was expected to happen, about 25 minutes apart. It did not happen when the Loglogic services were stopped, so, something about Loglogic is causing this.

Find which servers are sending SMTP Traffic

I have a big project migrating email from an on-premise server to Office 365. The Exchange environment has been around for almost 2 decades and many applications route email through Exchange.

I needed a way to find who is sending. So, I used LogParser 2.2 (Microsoft) to analyze the SMTP logs.

Take the code below, after installing LogParser, and run it in the directory where the SMTP logs are located. In my case, you can see it below.

The program will simply read all of the logs in the area where it is run from. You wind up with the results below. Perfect!

*** If you copy and paste this code, make sure that the single and double quotes are correct as WP seems to make them different than the normal ASCII text***

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT EXTRACT_PREFIX(remote-endpoint,0,':') as IP,REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as Name,Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY IP ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
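The same tally as the LogParser query above, as an added Python example (not from the original post) for running against copies of the logs on a machine without LogParser. The sample log is constructed, the function names are hypothetical, reverse DNS is left out so it runs offline, and the port is split off at the last colon so IPv6 senders are not cut short.

```python
import csv
from collections import Counter

# Constructed sample in the layout of an SMTP receive protocol log:
# '#' header lines, a '#Fields:' line naming the columns, then CSV rows.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2020-03-22T06:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2020-03-22T06:00:01.000Z,Relay,08D7A1,1,192.0.2.10:25,192.0.2.50:49152,<,EHLO scanner01,
2020-03-22T06:00:01.100Z,Relay,08D7A1,2,192.0.2.10:25,192.0.2.50:49152,>,250-EX01 Hello [192.0.2.50],
2020-03-22T06:05:00.000Z,Relay,08D7A2,1,192.0.2.10:25,192.0.2.50:49153,<,EHLO scanner01,
2020-03-22T06:06:00.000Z,Relay,08D7A3,1,192.0.2.10:25,192.0.2.77:51000,<,EHLO app.example.test,
2020-03-22T06:07:00.000Z,Relay,08D7A4,1,192.0.2.10:25,[2001:db8::25]:50222,<,EHLO printer,
2020-03-22T06:07:01.000Z,Relay,08D7A3,2,192.0.2.10:25,192.0.2.77:51000,<,MAIL FROM:<app@example.test>,
"""

def remote_ip(endpoint):
    """Strip the port from 'ip:port', splitting on the LAST colon so IPv6 survives."""
    host, sep, _port = endpoint.rpartition(":")
    return host.strip("[]") if sep else endpoint

def ehlo_hits(log_text):
    """Return [(ip, hits), ...] for rows whose data contains EHLO, busiest first."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column names come from the log itself, not a fixed skip count.
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#"):
            rows.append(line)
    if fields is None:
        raise ValueError("no #Fields: header found")
    hits = Counter()
    for row in csv.DictReader(rows, fieldnames=fields):
        if "EHLO" in (row.get("data") or "").upper():
            hits[remote_ip(row.get("remote-endpoint") or "")] += 1
    return hits.most_common()

if __name__ == "__main__":
    for ip, count in ehlo_hits(SAMPLE_LOG):
        print(f"{ip}\t{count}")
```
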

https://practical365.com/exchange-server/exchange-2010-report-top-sender-ips-log-parser/ – This one has the query above.

Using Log Parser and Protocol Logs to Analyze Send Connector Usage

https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019

https://rasor.wordpress.com/2012/06/15/logparser-examples/