Re: Event 643 in Security log every 5 minutes

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/10/04


Date: Sat, 10 Jul 2004 18:55:13 GMT

By default, Group/security policy is refreshed every five minutes on a domain
controller. Possibly that computer is having a problem with a change in password
policy being applied. I would first run netdiag on it and then dcdiag on it to see if
it reports any failed tests/errors/fatal warnings that would indicate a problem with
replication, sysvol, DNS, etc. In addition, run gpotool to see if it reports any
errors in policy synch between the domain controllers. Those tools are on the
install disk in the support tools folder, where you need to run setup to install the
set.

--- Steve

"Steven T" <guess_what@hkem.com> wrote in message
news:%238OWAkiZEHA.1764@TK2MSFTNGP10.phx.gbl...
> Here's what happened.
> In the AD, there are 2 domain controllers, both are running W2K Server w/SP4.
> In the event log of the first DC (which holds all the FSMO roles), event id
> 643 appeared
> every 5 minutes for the whole day. It acts as a file server as well as a
> print server. It is located in a closed network and no one using
> the network should have a user right more than an ordinary domain user.
> The holder of the administrator account (the company's Vice President) has
> no physical access to the network. No tasks were scheduled to run every 5
> minutes.
> And the strange thing is, the events do not appear in the other domain
> controller.
> Can anyone suggest a possibility of what's happening??
> I searched through TechNet and could find no clue of this...
> Thank you.
>
> Below is an extract of the event log:
> 7/8/2004 12:01:09 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:06:26 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:11:34 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:16:41 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:21:48 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:26:55 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
>
>
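Added example, not part of the original thread: a triage check that parses the quoted extract and tests whether the event 643 entries fit the five-minute refresh cadence mentioned in the reply and were all logged by the SYSTEM account (logon ID 0x3E7). The field layout is inferred from the extract, and the function names and the 30-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Event extract quoted in the post, unwrapped to one line per event.
SAMPLE = r"""
7/8/2004 12:01:09 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
7/8/2004 12:06:26 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
7/8/2004 12:11:34 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
7/8/2004 12:16:41 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
7/8/2004 12:21:48 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
7/8/2004 12:26:55 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN (0x0,0x3E7) -
"""

# Field layout is inferred from the extract; other export formats will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \d+ \d+ "
    r"(?P<event_id>\d+) Security (?P<user>[^\\]+\\\S+) .* "
    r"\(0x[0-9A-Fa-f]+,(?P<logon_id>0x[0-9A-Fa-f]+)\)"
)
SYSTEM_LOGON_ID = 0x3E7  # well-known logon ID of the local SYSTEM account

def parse_events(text, event_id=643):
    """Return sorted (timestamp, user, caller logon ID) tuples for one event ID."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["event_id"]) == event_id:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m["user"], int(m["logon_id"], 16)))
    return sorted(events)

def intervals(events):
    """Seconds between consecutive events."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]

def looks_like_policy_refresh(events, period=300, tolerance=30):
    """True if every gap is near `period` and every event was logged by SYSTEM."""
    gaps = intervals(events)
    periodic = bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
    system_only = all(user.upper() == r"NT AUTHORITY\SYSTEM"
                      and logon_id == SYSTEM_LOGON_ID
                      for _, user, logon_id in events)
    return periodic and system_only

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    print(intervals(evts), looks_like_policy_refresh(evts))
```

A True result only says the entries are consistent with a periodic SYSTEM-context task such as policy refresh; the netdiag, dcdiag and gpotool checks from the reply are still needed to find why the change is being reapplied.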


