After investigating the issue the Event ID 1011 and 1012 showed these results ?
The main reason was that we added a second Domain controller to the Domain where an SBS server was running.
As you probably know, you have a service called SBCore or “SBS Core Services”.
Which executes the following Process: \WINDOWS\system32\sbscrexe.exe
If you kill it, it just restarts – and if you try and stop it you are told Access Denied.
Tools you’ll need is : Process Explorer
1. If you fire up Process Explorer, you can select the process and Suspend it, now we can start to disable the thing.
2. Run regedit and expand the nodes until you reach the following hive / key:
Right click this, hit permissions and give the “Administrators” group on the local machine full access.
(don’t forget to replace permissions on child nodes).
F5 in regedit and you’ll see all of the values and data under this key.
Select the “Start” DWORD and change it from 2 to 4
This basically sets the service to the “Disabled” state.
3. Next, adjust the permissions on the file C:\WINDOWS\system32\sbscrexe.exe.
So that EVERYONE account is denied any sort of access to this file.
Then go back to Process Explorer, and kill the sbscrexe.exe process, if it doesn’t restart.
If that doesn’t work use this method.
taskkill /fi "Service
s eq SBcore" /F
Result should look like this …