Re: Event ID 565
From: Kevin Koenig (Kevin@ucfakpsi.com)
Date: 06/26/02
- Next message: Intermedia.NET Support \(DS\): "Re: Local Policy Difference"
- Previous message: S. Pidgorny [MVP]: "Re: Can't find where to purchase this product"
- In reply to: Kal Tire: "Re: Event ID 565"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kevin Koenig" <Kevin@ucfakpsi.com> Date: Wed, 26 Jun 2002 06:53:54 -0700
I am having the same problem. The problem started when I
installed Certificate Authority. I have a 2000 DC and an
Exchagne 2000 box. I am going to play around a little bit
and see if I can figure out what is causing it. If
someone else finds the answer, please let me know.
Thanks,
Kevin Koenig
Kevin@ucfakpsi.com
Note, the exchange server seems to be running fine.
>-----Original Message-----
>I am having the same problem as well. My errorr messges
are being logged on
>the DC that is the PDC FSMO. The user is the computer
that is my Exchange
>2000 server. Here is one of the logged events:
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Directory Service Access
>Event ID: 565
>Date: 24/05/2002
>Time: 8:39:57 AM
>User: XXXXXXX\GANDALF$ - this is the exchange server
>Computer: AVALON - DC that is PDC FSMO
>Description:
>Object Open:
> Object Server: DS
> Object Type: configuration
> Object Name: CN=Configuration,DC=XXXXXX,DC=com
> New Handle ID: -
> Operation ID: {0,4906109}
> Process ID: 292
> Primary User Name: AVALON$
> Primary Domain: XXXXX
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: GANDALF$
> Client Domain: XXXXX
> Client Logon ID: (0x0,0x4ADC71)
> Accesses Control Access
>
> Privileges -
>
> Properties:
>READ_CONTROL
>Create Child
>Delete Child
>List Contents
>Write Self
>Delete Tree
> Manage Replication Topology
>
>The process 292 is LSASS.exe
>
>
>
>"Tom Grassi" <tom@tgcsnet.com> wrote in message
>news:OYxibUgACHA.2172@tkmsftngp04...
>> Eric
>>
>> I am getting s similar event: It only happens at system
startup of a
>member
>> server that was a DC. I recently demoted it to a member
server.
>>
>> Here are my event 565 messages.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Directory Service Access
>> Event ID: 565
>> Date: 5/22/2002
>> Time: 4:50:26 PM
>> User: HARMONY\TGCS-PHI1-NT$
>> Computer: TGCS-PHI4-NT
>> Description:
>> Object Open:
>> Object Server: DS
>> Object Type: computer
>> Object Name: CN=TGCS-PHI1-
NT,CN=Computers,DC=Harmony,DC=com
>> New Handle ID: -
>> Operation ID: {0,114446}
>> Process ID: 260
>> Primary User Name: TGCS-PHI4-NT$
>> Primary Domain: HARMONY
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: TGCS-PHI1-NT$
>> Client Domain: HARMONY
>> Client Logon ID: (0x0,0x1BF02)
>> Accesses Write Property
>>
>> Privileges -
>>
>> Properties:
>> Create Child
>> Control Access
>> Public Information
>> servicePrincipalName
>>
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Directory Service Access
>> Event ID: 565
>> Date: 5/22/2002
>> Time: 4:50:26 PM
>> User: HARMONY\TGCS-PHI1-NT$
>> Computer: TGCS-PHI4-NT
>> Description:
>> Object Open:
>> Object Server: DS
>> Object Type: computer
>> Object Name: CN=TGCS-PHI1-
NT,CN=Computers,DC=Harmony,DC=com
>> New Handle ID: -
>> Operation ID: {0,114448}
>> Process ID: 260
>> Primary User Name: TGCS-PHI4-NT$
>> Primary Domain: HARMONY
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: TGCS-PHI1-NT$
>> Client Domain: HARMONY
>> Client Logon ID: (0x0,0x1BF02)
>> Accesses Write Property
>>
>> Privileges -
>>
>> Properties:
>> Create Child
>> Control Access
>> Public Information
>> servicePrincipalName
>>
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Directory Service Access
>> Event ID: 565
>> Date: 5/22/2002
>> Time: 4:50:27 PM
>> User: HARMONY\TGCS-PHI1-NT$
>> Computer: TGCS-PHI4-NT
>> Description:
>> Object Open:
>> Object Server: DS
>> Object Type: computer
>> Object Name: CN=TGCS-PHI1-
NT,CN=Computers,DC=Harmony,DC=com
>> New Handle ID: -
>> Operation ID: {0,114532}
>> Process ID: 260
>> Primary User Name: TGCS-PHI4-NT$
>> Primary Domain: HARMONY
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: TGCS-PHI1-NT$
>> Client Domain: HARMONY
>> Client Logon ID: (0x0,0x1BF58)
>> Accesses Write Property
>>
>> Privileges -
>>
>> Properties:
>> Create Child
>> Control Access
>> Public Information
>> servicePrincipalName
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Directory Service Access
>> Event ID: 565
>> Date: 5/22/2002
>> Time: 4:50:27 PM
>> User: HARMONY\TGCS-PHI1-NT$
>> Computer: TGCS-PHI4-NT
>> Description:
>> Object Open:
>> Object Server: DS
>> Object Type: computer
>> Object Name: CN=TGCS-PHI1-
NT,CN=Computers,DC=Harmony,DC=com
>> New Handle ID: -
>> Operation ID: {0,114534}
>> Process ID: 260
>> Primary User Name: TGCS-PHI4-NT$
>> Primary Domain: HARMONY
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: TGCS-PHI1-NT$
>> Client Domain: HARMONY
>> Client Logon ID: (0x0,0x1BF58)
>> Accesses Write Property
>>
>> Privileges -
>>
>> Properties:
>> Create Child
>> Control Access
>> Public Information
>> servicePrincipalName
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Directory Service Access
>> Event ID: 565
>> Date: 5/22/2002
>> Time: 4:53:56 PM
>> User: HARMONY\TGCS-PHI5-NT$
>> Computer: TGCS-PHI4-NT
>> Description:
>> Object Open:
>> Object Server: DS
>> Object Type: rpcServer
>> Object Name:
CN=RpcServices,CN=System,DC=Harmony,DC=com
>> New Handle ID: -
>> Operation ID: {0,118855}
>> Process ID: 260
>> Primary User Name: TGCS-PHI4-NT$
>> Primary Domain: HARMONY
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: TGCS-PHI5-NT$
>> Client Domain: HARMONY
>> Client Logon ID: (0x0,0x1D03E)
>> Accesses Create Child
>>
>> Privileges -
>>
>> Properties:
>>
>>
>> Any ideas or thoughts?
>>
>> Microsoft wants me to open another issue on this for
another $245. They
>are
>> the ones who told me to demote my dc and move it over
to my other domain.
>> What a joke. I can not find any q articles or tech
notes that explain any
>> security failures.
>>
>> Only on this newsgroup my we find someone who can
answer our problems.
>>
>> Thanks
>>
>> Tom
>>
>>
>>
>>
>> "Tom Finlay" <tom.finlay@rollcagetech.com> wrote in
message
>> news:66cf01c201d4$33f7af40$9be62ecf@tkmsftngxa03...
>> > Hey Erick,
>> >
>> > I spent numerous hours trying various things to find
out
>> > what object corresponds to this GUID and I cannot
seem to
>> > find any object that associated with this particular
GUID.
>> > I am beggining to think that this object does not
exist
>> > and that this is my reason for continually geting this
>> > error message. What do you think?
>> >
>> > >-----Original Message-----
>> > >Hey Tom,
>> > >
>> > >This is failure event 565, correct?
>> > >
>> > >What object corresponds to the following GUID:
{ae85ca08-
>> > d8b0-40ec-8f44-
>> > >396337cc0318} ?
>> > >
>> > >What process corresponds to PID 292?
>> > >
>> > >Thanks,
>> > >
>> > >Eric
>> > >
>> > >--
>> > >Eric Fitzgerald
>> > >Program Manager, Windows Auditing and Intrusion
Detection
>> > >Microsoft Corporation
>> > >
>> > >
>> > >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote in
>> > message
>> > >news:51a301c2001f$7a5aea80$9ae62ecf@tkmsftngxa02...
>> > >>
>> > >> >-----Original Message-----
>> > >> >Please post the entire text of the event.
>> > >> >
>> > >> >--
>> > >> >Eric Fitzgerald
>> > >> >Program Manager, Windows Auditing and Intrusion
>> > Detection
>> > >> >Microsoft Corporation
>> > >> >
>> > >> >
>> > >> >"Tom Finlay" <tom.finlay@rollcagetech.com> wrote
in
>> > >> message
>> > >> >news:3bd001c1fc32$162396c0
$9be62ecf@tkmsftngxa03...
>> > >> >> Domain controller 01 generates a failure audit
in
>> > >> security
>> > >> >> log, event ID 565, Directory service access,
repeated
>> > >> >> failure every 30 minutes
>> > >> >>
>> > >> >> Primary User Name DC01
>> > >> >> Client User Name DC02
>> > >> >> Access Read Property
>> > >> >
>> > >> >
>> > >> >.Object Open:
>> > >> Object Server: DS
>> > >> Object Type: container
>> > >> Object Name: %{ae85ca08-d8b0-40ec-8f44-
>> > >> 396337cc0318}
>> > >> New Handle ID: -
>> > >> Operation ID: {0,164179407}
>> > >> Process ID: 292
>> > >> Primary User Name: XXXX-XXXX-DC01$
>> > >> Primary Domain: ROLLCAGETECH
>> > >> Primary Logon ID: (0x0,0x3E7)
>> > >> Client User Name: XXXX-XXXX-DC02$
>> > >> Client Domain: XXXXXXXXXXX
>> > >> Client Logon ID: (0x0,0x9B53C73)
>> > >> Accesses Read Property
>> > >>
>> > >> Privileges -
>> > >>
>> > >> Properties:
>> > >> READ_CONTROL
>> > >> WRITE_DAC
>> > >> SYNCHRONIZE
>> > >> Create Child
>> > >> List Contents
>> > >> Read Property
>> > >> Write Property
>> > >> %{00000000-0000-0000-0000-000000000000}
>> > >> SYNCHRONIZE
>> > >> List Contents
>> > >> Read Property
>> > >> Write Property
>> > >> uSNChanged
>> > >>
>> > >> >
>> > >
>> > >
>> > >.
>> > >
>>
>>
>
>
>.
>
- Next message: Intermedia.NET Support \(DS\): "Re: Local Policy Difference"
- Previous message: S. Pidgorny [MVP]: "Re: Can't find where to purchase this product"
- In reply to: Kal Tire: "Re: Event ID 565"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
