Re: Mysterious Logon Failures in Security Log

From: Bryan L (blinton.nospam_at_connellinsurance.nospam.com)
Date: 07/29/05

    Date: Fri, 29 Jul 2005 15:40:51 -0500
    
    

    Thanks for all posts and help on this. I have not resolved this issue, but
    this week has been very busy and I have not had time to work on it. I hope
    to have more time next week, and will post more then.

    Thanks again,

    Bryan

    "Bryan L" <blinton.nospam@connellinsurance.nospam.com> wrote in message
    news:uUrMDlTkFHA.2156@TK2MSFTNGP14.phx.gbl...
    > I'm running an SBS 2003 domain with about 30 users. I promoted another
    > 2003 server std box to be a replica DC about a month ago. I've had the
    > luxury of time to work out the bugs and kinks getting this new DC to be
    > error-free and I'm almost done. The only persistent error I'm still
    > getting is event 529 in my security log; a sample is provided below:
    > __________________________
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 529
    > Date: 7/22/2005
    > Time: 4:28:07 PM
    > User: NT AUTHORITY\SYSTEM
    > Computer: SERVERNAME-2
    > Description:
    > Logon Failure:
    > Reason: Unknown user name or bad password
    > User Name:
    > Domain:
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name: -
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 192.168.168.229
    > Source Port: 0
    > __________________________
    >
    > Services my network runs:
    > Exchange 2003
    > DFS/FRS
    > WINS
    > DNS
    > DHCP
    >
    > More information:
    >
    > - All clients are running XP SP2.
    > - These errors always appear in multiples of 4.
    > - Sometimes only 4 or 8 of these appear at a time for a given source IP;
    > other times there are 20 or so, and now and then there are literally
    > thousands of them within the span of a few minutes, or even hundreds
    > within a handful of seconds.
    > - The most common source IP is a particular member server, but the source
    > IP varies to include clients as well, both desktops and laptops.
    > - I believe it's a configuration problem and not malicious, since even my
    > own workstation is sometimes the source IP.
    > - When coming from desktops the source port appears to always be 0, but
    > when coming from the particular server that is most commonly the source
    > IP, the port increments by 3 every two events. For example, recently a
    > total of 16 events were logged with this server as the source, all within
    > the same second, and the ports looked like this: 3850, 3850, 3853, 3853,
    > 3856, 3856, 3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871.
    > - These errors are being logged only on the new DC's security log; the
    > logs on my original SBS 2003 DC are clean.
    > - This server used to run 2000 Server with a static IP; it was wiped and
    > cleanly installed with Server 2003 SP1 and set to the same static IP as
    > before.
    > - This server has a different name than the 2000 Server installation did.
    > - A few days after the install, a gigabit NIC was installed in the server
    > and the onboard 10/100 NIC was disabled.
    > - DFS/FRS was in use for a short time on the 2000 Server, as a means to
    > migrate the shares it was hosting to a different location prior to the
    > wipe and reinstall. The 2000 Server was never a DC.
    > - I believe I made a mistake in managing my DFS: I disabled DFS referrals
    > to the old 2000 Server, but never actually removed all references to the
    > server from DFS altogether before taking the old server permanently
    > offline. I'm about to look for information that will help me clean this
    > up; I've seen it out there in my readings on DFS. The "new" Server 2003
    > installation is not yet hosting its original shares again, but it has
    > been set up as a DFS root replica.
    >
    > Any help appreciated; I'm not sure how to run this one down.
    >
    > Thanks in advance,
    >
    > Bryan
    >

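A triage script for 529 records in the layout quoted in the post, added here as an example and not part of the thread: it parses pasted Event Viewer text and, per source address, checks for the multiple-of-four count and the +3 port stride Bryan describes. The sample records are constructed, and the member-server address 192.168.168.10 is made up for the example.

```python
"""Triage Event ID 529 records pasted from Event Viewer (Windows Server 2003 text layout)."""
import re
from collections import defaultdict

# "Name: value" fields of interest; SEPARATOR is the line used between records in the post.
FIELD_RE = re.compile(r"^(Event ID|Logon Process|Source Network Address|Source Port):[ \t]*(.*)$", re.M)
SEPARATOR = "__________________________"

def _port(value):
    """Source Port is a number in the post, but Event Viewer may also emit '-'."""
    return int(value) if value.strip().isdigit() else 0

def parse_events(text):
    """Split pasted text on the separator line and keep only Event ID 529 records."""
    events = []
    for chunk in text.split(SEPARATOR):
        fields = dict(FIELD_RE.findall(chunk))
        if fields.get("Event ID") == "529":
            events.append({"ip": fields.get("Source Network Address", "-"),
                           "port": _port(fields.get("Source Port", "0")),
                           "process": fields.get("Logon Process", "-")})
    return events

def summarize(events):
    """Per source address: count, multiple-of-four check, constant port stride or None."""
    ports_by_ip = defaultdict(list)
    for event in events:
        ports_by_ip[event["ip"]].append(event["port"])
    report = {}
    for ip, ports in ports_by_ip.items():
        distinct = sorted(set(ports) - {0})  # port 0 carries no stride information
        strides = {b - a for a, b in zip(distinct, distinct[1:])}
        report[ip] = {"count": len(ports),
                      "multiple_of_four": len(ports) % 4 == 0,
                      "port_stride": strides.pop() if len(strides) == 1 else None,
                      "all_port_zero": all(p == 0 for p in ports)}
    return report

def record(ip, port):
    """Constructed record in the layout quoted in the post (sample data, not real logs)."""
    return (f"Event Type: Failure Audit\nEvent ID: 529\nLogon Type: 3\nLogon Process: Kerberos\n"
            f"Source Network Address: {ip}\nSource Port: {port}\n{SEPARATOR}\n")

# Constructed sample: 4 desktop-style records (port 0) plus the 16 member-server ports listed
# in the post; the server address 192.168.168.10 is made up for this example.
SERVER_PORTS = [3850, 3850, 3853, 3853, 3856, 3856, 3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871]
SAMPLE = "".join(record("192.168.168.229", 0) for _ in range(4))
SAMPLE += "".join(record("192.168.168.10", p) for p in SERVER_PORTS)
```

Run `summarize(parse_events(SAMPLE))` to see one entry per source address; a source whose count is not a multiple of four or whose stride is not constant is worth a closer look.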

