Re: Oodles of 529 Logon Failures every 2:00 AM

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/28/04


Date: Sat, 28 Aug 2004 13:57:23 -0500

I think your best bet would be to try and track down what is happening at 2:00AM.
See if the failed type 3 logons are originating from the same computer and then see
what is happening on that computer checking Scheduled Tasks and AT tasks by entering
AT on the command line and also enabling auditing of process tracking on it. It would
have nothing to do with the browser elections. I believe if the domain name and the
server name are the same in the failed logon that means that the failed logon was
against a local computer account rather than domain account. For domain account
failed logons it may help to refer to the link below and use netlogon logging to find
the computer or computers causing these failed logons. It also has a lot of good info
on tracking down failed logons and common reasons why they happen. I would also
suggest that you try http://www.eventid.net for Event ID 529 to see if you find
anything helpful there. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
http://eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1 ---
Eventid.net for ID 529.

"-" <-@-.com> wrote in message news:eJybcSIjEHA.3664@TK2MSFTNGP12.phx.gbl...
> Hello,
>
> My Windows 2000 domain is getting an error every night at 2AM because it
> can't lock out the Administrator account. Yes, exactly; "why is it being
> told to lock out in the first place?" I don't think we're under attack
> because it is every night at the same time and because I have found some
> information which may shed some light on it.
>
> It seems that at 2:00 AM some process happens that all of the local
> administrator accounts on the servers get a failed login to their local
> machine. The domain registers these logon failures I suppose because the
> machine itself is a member of the domain. The really weird thing is that
> the "logon type" shows as type 3, network. How can a local account have a
> network logon to its own machine?
>
> More weirdness, wherever the local admin account of the server has been
> changed, _that_ name shows up with the failed 529. The domain name is
> _always_ the name of the local server, the AD domain is not referenced even
> once in all 200 of the 529's.
>
> Something... is causing these failed local admin logins to happen every
> night at 2AM on servers. I think that's why the domain admin account is
> receiving a call to get locked out; because the domain is confusing the
> local admin accounts with the domain admin account, and thinking that _it_
> is the culprit.
>
> The first thing we're going to do is rename the domain admin account (yes I
> know I should have done this a long time ago, but there are services,
> scheduled tasks, etc. running under that name that I have to track down and
> remediate before I change it).
>
> The next thing I will do is I will check with our server team about nightly
> processes/tasks that may be occurring at 2AM, but I wonder if there is
> something in the undulations of AD itself that is triggering this, such as a
> master browser election.
>
> If anyone can shed any light or has experienced something similar, I am open
> to any advice you could give.
>
> Thanks a bunch!!
>
>
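The triage Steve describes (find the workstation the type 3 failures come from, use the "Domain equals server name means local account" rule, and confirm the 2:00 AM clustering) can be done offline against an exported Security log. The script below is an added example written for this thread, not something either poster ran; the host names, account names, the NetBIOS domain `CORP` and the one-header-line-per-record export layout are all constructed for the sample and are not from the original post.

```python
"""Triage exported Event ID 529 records: where do the type 3 failures originate,
do they hit local or domain accounts, and at what hour do they cluster?"""
import re
from collections import Counter
from datetime import datetime

AD_DOMAIN = "CORP"  # assumption: the AD NetBIOS domain name; not given in the thread

# Constructed sample in the layout of a 529 description copied out of the Security
# log, with one "<timestamp> <logging computer> 529" header line added per record.
SAMPLE_LOG = """\
2004-08-27 02:00:03 SRV01 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: SRV01
    Logon Type: 3
    Workstation Name: BACKUP01

2004-08-27 02:00:04 SRV02 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: SRV02
    Logon Type: 3
    Workstation Name: BACKUP01

2004-08-27 02:00:05 SRV03 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: srvadmin
    Domain: SRV03
    Logon Type: 3
    Workstation Name: BACKUP01

2004-08-27 14:35:10 DC01 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: jsmith
    Domain: CORP
    Logon Type: 2
    Workstation Name: WS17
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) 529$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")  # indented "Key: value" lines


def parse_events(text):
    """Split the export on blank lines and pull the fields needed for triage."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a 529 record in the expected layout; skip it
        ev = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
              "computer": m.group(2).upper()}
        for line in lines[1:]:
            f = FIELD_RE.match(line)
            if f:
                ev[f.group(1).strip().lower().replace(" ", "_")] = f.group(2).strip()
        # Some logon processes leave Workstation Name empty; keep that visible.
        ev["workstation_name"] = ev.get("workstation_name", "").upper() or "(not recorded)"
        events.append(ev)
    return events


def account_scope(ev, ad_domain=AD_DOMAIN):
    """Steve's rule: Domain equal to the logging server's own name means a local SAM
    account; Domain equal to the AD domain means a domain account."""
    dom = ev.get("domain", "").upper()
    if dom == ev["computer"]:
        return "local"
    if dom == ad_domain.upper():
        return "domain"
    return "other"


def triage(events, ad_domain=AD_DOMAIN):
    """Summarise source workstations of type 3 failures, account scope, and hour."""
    type3 = [e for e in events if e.get("logon_type") == "3"]
    sources = Counter(e["workstation_name"] for e in type3)
    scopes = Counter(account_scope(e, ad_domain) for e in events)
    hours = Counter(e["time"].hour for e in events)
    top_source, top_count = sources.most_common(1)[0] if sources else ("(none)", 0)
    peak_hour, peak_count = hours.most_common(1)[0]
    return {"type3_sources": sources, "scopes": scopes, "hours": hours,
            "top_source": top_source,
            "top_source_share": top_count / len(type3) if type3 else 0.0,
            "peak_hour": peak_hour, "peak_share": peak_count / len(events)}


if __name__ == "__main__":
    r = triage(parse_events(SAMPLE_LOG))
    print("type 3 sources:", dict(r["type3_sources"]), "scope:", dict(r["scopes"]))
    print(f"peak hour {r['peak_hour']:02d}:00 ({r['peak_share']:.0%} of events)")
    if r["top_source_share"] >= 0.8:
        print(f"Most type 3 failures come from {r['top_source']}: check its "
              "Scheduled Tasks and AT jobs and enable process tracking audit there.")
```

On the constructed sample the three 02:00 failures all carry the logging server's own name in the Domain field (local accounts, one of them the renamed local admin) and all name the same Workstation, which is exactly the machine to inspect for a scheduled job; the lone 14:35 event against `CORP` is a domain-account failure and would instead be chased with netlogon logging as the linked article suggests.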


