Posted by Bryan L on July 29, 2005, 3:40 pm
Thanks for all posts and help on this. I have not resolved this issue, but
this week has been very busy and I have not had time to work on it. I hope
to have more time next week, and will post more then.
Thanks again,
Bryan
> I'm running a SBS 2003 domain with about 30 users. I promoted another 2003
> server std box to be a replica DC about a month ago. I've had the luxury of
> time to work out the bugs and kinks getting this new DC to be error-free and
> I'm almost done. The only persistent error I'm still getting is event 529 in
> my security log; a sample is provided below:
> __________________________
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 7/22/2005
> Time: 4:28:07 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVERNAME-2
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.168.229
> Source Port: 0
> __________________________
>
> Services my network runs:
> Exchange 2003
> DFS/FRS
> WINS
> DNS
> DHCP
>
> More information:
>
> - All clients are running XP SP2.
> - These errors always appear in multiples of 4.
> - Sometimes only 4 or 8 of these appear at a time for a given source IP;
> other times there are 20 or so, and now and then there are literally
> thousands of them within the span of a few minutes, or even hundreds within
> a handful of seconds.
> - The most common source IP is a particular member server, but the source
> IP varies to include clients as well, both desktops and laptops.
> - I believe it's a configuration problem and not malicious, since even my
> own workstation is sometimes the source IP.
> - When coming from desktops the source port appears to always be 0, but
> when coming from the particular server that is most commonly the source IP,
> the port increments by 3 every two events. For example, recently a total
> of 16 events were logged with this server as the source, all within the same
> second, and the ports looked like this: 3850, 3850, 3853, 3853, 3856, 3856,
> 3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871.
> - These errors are being logged only on the new DC's security log; the logs
> on my original SBS 2003 DC are clean.
> - This server used to run 2000 Server with a static IP; it was wiped and
> cleanly installed with Server 2003 SP1 and set to the same static IP as
> before.
> - This server has a different name than the 2000 Server installation did.
> - A few days after the install, a gigabit NIC was installed in the server
> and the onboard 10/100 NIC was disabled.
> - DFS/FRS was in use for a short time on the 2000 Server, as a means to
> migrate the shares it was hosting to a different location prior to the wipe
> and reinstall. The 2000 Server was never a DC.
> - I believe I made a mistake in managing my DFS: I disabled DFS referrals
> to the old 2000 Server, but never actually removed all references to the
> server from DFS altogether before taking the old server permanently offline.
> I'm about to look for information that will help me clean this up; I've seen
> it out there in my readings on DFS. The "new" Server 2003 installation is
> not yet hosting its original shares again, but it has been set up as a DFS
> root replica.
>
> Any help appreciated; I'm not sure how to run this one down.
>
> Thanks in advance,
>
> Bryan
>
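One way to triage bursts like the ones described in the post above, as an added example that is not part of the original thread: it parses a text export of event 529 records in the quoted layout and reports, per source address, the total count, the largest one-second burst, and the source ports seen. The function names, the export format as plain text, and the member-server address 192.168.168.10 are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# "Key: value" lines, optionally prefixed by a mail-style "> " quote marker.
FIELD = re.compile(r"^\s*(?:>\s*)?([A-Za-z /]+?):\s*(.*)$")

def make_event(time, ip, port):
    """Build one constructed 529 record in the layout quoted in the post."""
    return ("Event Type: Failure Audit\nEvent ID: 529\nDate: 7/22/2005\n"
            f"Time: {time}\nLogon Type: 3\nLogon Process: Kerberos\n"
            f"Source Network Address: {ip}\nSource Port: {port}\n\n")

# Constructed sample: 4 events from a client, then 16 from a member server in
# one second, using the port sequence listed in the post.
SERVER_PORTS = [p for p in range(3850, 3872, 3) for _ in range(2)]
SAMPLE = "".join(make_event("4:28:07 PM", "192.168.168.229", 0) for _ in range(4))
SAMPLE += "".join(make_event("4:30:00 PM", "192.168.168.10", p) for p in SERVER_PORTS)

def parse_events(text):
    """Split a text dump into dicts, one per event, starting at 'Event Type:'."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = val
    return events

def summarize(events):
    """Per source IP: total 529 events, largest one-second burst, ports seen."""
    acc = defaultdict(lambda: {"per_second": Counter(), "ports": set()})
    for e in events:
        if e.get("Event ID") != "529":
            continue
        ts = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        s = acc[e.get("Source Network Address", "-")]
        s["per_second"][ts] += 1
        if e.get("Source Port", "").isdigit():
            s["ports"].add(int(e["Source Port"]))
    return {ip: {"total": sum(s["per_second"].values()),
                 "max_burst": max(s["per_second"].values()),
                 "ports": sorted(s["ports"])} for ip, s in acc.items()}
```

Sorting the result by `max_burst` puts the source that logs hundreds of failures within seconds ahead of clients that log 4 or 8 at a time, which is the machine to check first for stale references or misconfiguration.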