Oodles of 529 Logon Failures every 2:00 AM
From: Lisa_at_work (anonymous_at_discussions.microsoft.com)
Date: 08/29/04
- Next message: Jud: "Re: Desktop Collapsing! What's Happening?"
- Previous message: Miha Pihler: "Re: Remote Shut Down Priviledges"
- In reply to: -: "Oodles of 529 Logon Failures every 2:00 AM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 29 Aug 2004 12:09:35 -0700
Hello, when this same thing was happening to us it was the
backup agent for Veritas which was trying to authenticate
a service account on all servers at once. It was a local
service admin account which authenticated to the domain by
creating an account with the same username / password in
AD. When the AD password expired this same thing happened.
We reset the AD password and set it to "never expire" and
that fixed it. Hope this helped.
Lisa
>-----Original Message-----
>Hello,
>
>My Windows 2000 domain is getting an error every night at
2AM because it
>can't lock out the Administrator account. Yes,
exactly; "why is it being
>told to lock out in the first place?" I don't think
we're under attack
>because it is every night at the same time and because I
have found some
>information which may shed some light on it.
>
>It seems that at 2:00 AM some process happens that all of
the local
>administrator accounts on the servers get a failed login
to their local
>machine. The domain registers these logon failures I
suppose because the
>machine itself is a member of the domain. The really
weird thing is that
>the "logon type" shows as type 3, network. How can a
local account have a
>network logon to its own machine?
>
>More wierdness, wherever the local admin account of the
server has been
>changed, _that_ name shows up with the failed 529. The
domain name is
>_always_ the name of the local server, the AD domain is
not referenced even
>once in all 200 of the 529's.
>
>Something... is causing these failed local admin logins
to happen every
>night at 2AM on servers. I think that's why the domain
admin account is
>receiving a call to get locked out is; because the domain
is confusing the
>local admin accounts with the domain admin account, and
thinking that _it_
>is the culprit.
>
>The first thing we're going to do is rename the domain
admin account (yes I
>know I should have done this a long time ago, but there
are services,
>scheduled tasks, etc. running under that name that I have
to track down and
>remediate before I change it).
>
>The next thing I will do is I will check with our server
team about nightly
>processes/tasks that may be occurring at 2AM, but I
wonder if there is
>something in the undulations of AD itself that is
triggering this, such as a
>master browser election.
>
>If anyone can shed any light or has experienced something
similar, I am open
>to any advice you could give.
>
>Thanks a bunch!!
>
>
>.
>
- Next message: Jud: "Re: Desktop Collapsing! What's Happening?"
- Previous message: Miha Pihler: "Re: Remote Shut Down Priviledges"
- In reply to: -: "Oodles of 529 Logon Failures every 2:00 AM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
