Re: Security Log Help
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/28/05
- Next message: Steven L Umbach: "Re: Microsoft Baseline Security Analyzer (MBSA) 1.2.1"
- Previous message: Steven L Umbach: "Re: Event ID 577 & 578 are filling Security Event Logs"
- In reply to: Johnse: "Re: Security Log Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Apr 2005 19:10:58 -0500
If netdiag and dcdiag results look good then it probably is not related to
DNS configuration for the domain controller. The link below is a good read
on DNS best practices.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
If you have downlevel clients in the domain such as NT4.0 or Windows 98, you
may see failed account logon events for Kerberos but I don't know why you
would have not seen that before if that is the case. I see user juser,
Client address: 10.0.0.127, and SERVER2 failed referenced in the
logon/account logon failures. The error codes indicate bad password. You
might want to check to see what is going on with those objects. One thing to
try is running netdiag on Client address: 10.0.0.127, and SERVER2 to see
what is reported and check with juser to see if there are any logon
problems. I don't know if you are seeing failures for just certain users or
most everyone. --- Steve
"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
> I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are all
> correct. Should the pdc point only to itself for DNS? Old server is out of
> DNS & new servers are listed. I'll set other DNS servers to point to pdc
> first & let you know if it fixes. Any other ideas if this doesn't fix the
> problem?
>
> "Steven L Umbach" wrote:
>
>> Try running the support tools netdiag and then dcdiag on your domain
>> controller to see if it reports any pertinent problems that may help in a
>> solution and verify that your domain controllers have the correct IP
>> addresses for preferred DNS servers in their TCP/IP properties and that the
>> "old" domain controller IP address is not listed. Generally the pdc fsmo
>> should point to itself as its preferred DNS server and other domain
>> controllers for the domain should point to the pdc fsmo first and then
>> themselves. The old domain controller's IP should also be removed from DHCP
>> scopes and verified that the correct domain controllers' IP addresses are
>> listed. --- Steve
>>
>>
>> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
>> > As soon as I retired my previous PDC I started getting errors in my
>> > security event log & I don't know why. Help!
>> > I followed KB255690 for transferring FSMO roles, KB295419 for
>> > transferring the Global Catalog. My other event logs are clean. It's
>> > just the security log that gets all the errors.
>> >
>> > Event ID: 537
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Logon/Logoff
>> > Reason: An unexpected error occurred during logon
>> > Username:
>> > Domain:
>> > Logon Type: 3
>> > Logon Process: Kerbos
>> > Authentication Package: Kerbos
>> > Workstation Name: -
>> >
>> > Event ID: 675
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Logon/Logoff
>> > Reason: An unexpected error occurred during logon
>> > Username:
>> > Domain:
>> > Logon Type: 3
>> > Logon Process: Kerbos
>> > Authentication Package: Kerbos
>> > Workstation Name: -
>> >
>> > Event ID: 675
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Account Logon
>> > Description: Pre-authentication failed
>> > Username: juser
>> > User ID: DOMAIN\juser
>> > Service Name: krbtgt/DOMAIN
>> > Pre-Authentication Type: 0x2
>> > Failure Code: 0x18
>> > Client address: 10.0.0.127
>> >
>> >
>> > Event ID: 681
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Account Logon
>> > Description: The logon to account: supervisor by
>> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
>> > The error code was: 3221225578
>> >
>> >
>> >
>> >
>>
>>
>>
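The decoding behind "the error codes indicate bad password" in the reply above, as an added example that is not part of the original message: it parses the two Account Logon failures quoted in the thread, converts the decimal code in event 681 to its NTSTATUS hex form, and groups bad-password failures by account and source. The function names and the small code tables are assumptions made for this illustration.

```python
import re
from collections import Counter

# Kerberos failure code 0x18 (event 675) is KDC_ERR_PREAUTH_FAILED; decimal
# 3221225578 (event 681) is NTSTATUS 0xC000006A, STATUS_WRONG_PASSWORD.
KRB_CODES = {0x18: "KDC_ERR_PREAUTH_FAILED (bad password)"}
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD (bad password)"}

# Constructed sample: the two Account Logon failures quoted in the thread,
# with the mail quote markers removed.
SAMPLE = """\
Event ID: 675
Description: Pre-authentication failed
Username: juser
Failure Code: 0x18
Client address: 10.0.0.127

Event ID: 681
Description: The logon to account: supervisor by
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
The error code was: 3221225578
"""

def parse_events(text):
    """Split blank-line separated records and decode each failure code."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(block.split())  # undo mail line wrapping
        eid = re.search(r"Event ID: (\d+)", flat)
        if not eid:
            continue
        if eid.group(1) == "675":
            m = re.search(r"Username: (\S+).*Failure Code: (0x[0-9A-Fa-f]+).*Client address: (\S+)", flat)
            if m:
                code = int(m.group(2), 16)
                out.append((675, m.group(1), m.group(3), KRB_CODES.get(code, hex(code))))
        elif eid.group(1) == "681":
            m = re.search(r"account: (\S+) by .*workstation: (\S+) failed\. The error code was: (\d+)", flat)
            if m:
                code = int(m.group(3))  # logged in decimal; NTSTATUS values are read as hex
                out.append((681, m.group(1), m.group(2), NTSTATUS.get(code, f"0x{code:08X}")))
    return out

def bad_password_sources(events):
    """Count bad-password failures per (account, source) to show where to look first."""
    return Counter((acct, src) for _, acct, src, why in events if "bad password" in why)

if __name__ == "__main__":
    print(bad_password_sources(parse_events(SAMPLE)))
```

Records without a failure code, such as the 537 entries in the thread, are skipped rather than guessed at.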