Mysterious Logon Failures in Security Log
From: Bryan L (blinton.nospam_at_connellinsurance.nospam.com)
Date: 07/25/05
Date: Mon, 25 Jul 2005 11:52:35 -0500
I'm running an SBS 2003 domain with about 30 users. I promoted another 2003
server std box to be a replica DC about a month ago. I've had the luxury of
time to work out the bugs and kinks getting this new DC to be error-free and
I'm almost done. The only persistent error I'm still getting is event 529
in my security log; a sample is provided below:
__________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/22/2005
Time: 4:28:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME-2
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.168.229
Source Port: 0
__________________________
Services my network runs:
Exchange 2003
DFS/FRS
WINS
DNS
DHCP
More information:
- All clients are running XP SP2.
- These errors always appear in multiples of 4.
- Sometimes only 4 or 8 of these appear at a time for a given source IP;
other times there are 20 or so, and now and then there are literally
thousands of them within the span of a few minutes, or even hundreds within
a handful of seconds.
- The most common source IP is a particular member server, but the source
IP varies to include clients as well, both desktops and laptops.
- I believe it's a configuration problem and not malicious, since even my
own workstation is sometimes the source IP.
- When coming from desktops the source port appears to always be 0, but
when coming from the particular server that is most commonly the source IP,
the port increments by 3 every two events. For example, recently a total
of 16 events were logged with this server as the source, all within the same
second, and the ports looked like this: 3850, 3850, 3853, 3853, 3856, 3856,
3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871.
- These errors are being logged only on the new DC's security log; the logs
on my original SBS 2003 DC are clean.
- This server used to run 2000 Server with a static IP; it was wiped and
cleanly installed with Server 2003 SP1 and set to the same static IP as
before.
- This server has a different name than the 2000 Server installation did.
- A few days after the install, a gigabit NIC was installed in the server
and the onboard 10/100 NIC was disabled.
- DFS/FRS was in use for a short time on the 2000 Server, as a means to
migrate the shares it was hosting to a different location prior to the wipe
and reinstall. The 2000 Server was never a DC.
- I believe I made a mistake in managing my DFS: I disabled DFS referrals
to the old 2000 Server, but never actually removed all references to the
server from DFS altogether before taking the old server permanently offline.
I'm about to look for information that will help me clean this up; I've seen
it out there in my readings on DFS. The "new" Server 2003 installation is
not yet hosting its original shares again, but it has been set up as a DFS
root replica.
Any help appreciated; I'm not sure how to run this one down.
Thanks in advance,
Bryan
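
A triage sketch for the pattern described above, added here as an example and not part of the original post: it parses event 529 records in the text layout of the sample, groups them by source address and second, and reports burst size, whether it is a multiple of 4, and the distinct source ports. It assumes the log was exported as text with the same field labels and underscore separators; the sample events and the address 192.168.168.10 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the event shown in the post (not real log data).
TEMPLATE = """Event Type: Failure Audit
Event ID: 529
Date: 7/22/2005
Time: {time}
Logon Type: 3
Logon Process: Kerberos
Source Network Address: {ip}
Source Port: {port}
"""
SEP = "__________________________\n"

def build_sample():
    events = [("4:28:07 PM", "192.168.168.229", 0)] * 4
    events += [("4:30:15 PM", "192.168.168.10", p) for p in (3850, 3850, 3853, 3853)]
    return SEP.join(TEMPLATE.format(time=t, ip=i, port=p) for t, i, p in events)

# "Label: value" on one line; [ \t]* keeps an empty value from swallowing the next line.
FIELD = re.compile(r"^([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split an exported log on the underscore rule; return one dict per event 529."""
    out = []
    for chunk in re.split(r"^_{5,}\s*$", text, flags=re.M):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if fields.get("Event ID") == "529":
            out.append(fields)
    return out

def bursts(events):
    """Group failures by (source IP, timestamp to the second) and collect ports."""
    groups = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
        groups[(e["Source Network Address"], ts)].append(int(e["Source Port"]))
    return dict(groups)

def summarize(text):
    """Rows of (ip, timestamp, count, count is a multiple of 4, distinct ports)."""
    return [(ip, ts.isoformat(), len(ports), len(ports) % 4 == 0, sorted(set(ports)))
            for (ip, ts), ports in sorted(bursts(parse_events(text)).items())]

if __name__ == "__main__":
    for row in summarize(build_sample()):
        print(row)
```

Sorting the rows by count instead of address puts the noisiest source hosts first, which is the order to check them in.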