RE: Help .. Small Business Server Error may be DNS ?
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Wed, 21 Dec 2005 03:58:59 GMT
Hi Iain,
Thank you for posting in SBS newsgroup.
From the description, I understand the issue to be: you have received event
529 and LSASRV 40960 and 40961 on your SBS. If I have misunderstood your
concerns, please do not hesitate to let me know.
{Note: the reply may be rather long, and I appreciate your time in following
it}
Regarding the events LSASRV 40960 and 40961 appearing on SBS, as far as I know,
this issue can occur when you restart the SBS 2003 server. A service, for
example, the Windows Time service (W32Time), tries to authenticate before
Directory Services has started. You can safely ignore the event, as it
will not cause any adverse effects on the server. For more information, see:
823712 Event IDs 40960 and 40961 in the System Event Log When You Restart
http://support.microsoft.com/?id=823712
824217 LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
Domain
http://support.microsoft.com/?id=824217
I would suggest you reboot the server again and see whether the event still
appears. Then type the following commands:
1. Net Stop NETLOGON
2. IPCONFIG /FLUSHDNS
3. IPCONFIG /REGISTERDNS
4. Net Start Netlogon
The issue could also be similar to the problem described in the following
KB article:
826819 The Server Stops Responding and an Access Violation Occurs in
Lsass.exe
http://support.microsoft.com/?id=826819
Regarding event 529, based on my experience, it can occur if you have enabled
the "Audit logon events" policy on the SBS server and a failed logon
attempt is made from an internal or external computer. A logon type of 3
means this was generated by a user trying to access a resource over the
network with a bad password or an account that was locked out.
We may try the following to see if the problem can be solved:
1. Go to Active Directory Users and Computers and expand server name and
then click users.
2. Double-click IUSR and then, on the Account tab, make sure "Password never
expires" and "User cannot change password" are selected and the account is not
disabled.
3. Open IIS Admin, go to the Default Web Site, and open its Properties.
4. Go to Directory Security\Edit.
5. In the Password field, type a strong password, write it down, and click
Apply\OK.
If you get an Inheritance Overrides prompt, click Select All. Only do this if
the IUSR account is the account chosen for these web sites (this is the
default setting).
6. Then go to Active Directory Users and Computers and reset the password
for the IUSR account (or delete the account).
7. Then run iisreset from the command prompt. It will restart IIS.
If it does not work, we can try to reset the anonymous account password as
follows:
1. Click "Start", point to "Programs", point to "Administrative Tools", and
then click "Active Directory Users and Computers".
2. Under the full domain name click "Users".
3. Right-click "IUSR_ComputerName", and then click "Reset Password".
4. Type the password in the "New password" box and in the "Confirm
password" box, and then click "OK".
5. Right-click "IWAM_ComputerName", and then click "Reset Password".
6. Type the password in the "New password" box and in the "Confirm
password" box, and then click "OK".
7. Quit Active Directory Users and Computers console.
8. Click "Start", and then click "Run".
9. In the "Open" box, type "cmd" (without the quotation marks) and then
click "OK".
10. Type the following command and press ENTER:
cd \inetpub\adminscripts
11. To reset the password for the IUSR_ComputerName account, type the
following command (where <password> is the password that you set in step
4), and then press ENTER:
cscript.exe adsutil.vbs set w3svc/anonymoususerpass <password>
12. To reset the password for the IWAM_ComputerName account, type the
following command (where <password> is the password that you set in step
6), and then press ENTER:
cscript.exe adsutil.vbs set w3svc/wamuserpass <password>
13. After this, type iisreset and press ENTER.
If the problem still persists, this may also be an automated dictionary
attack on weak passwords. The hacker is trying various username/password
combinations to access the network. The attack can be initiated from the
internal network or the external network. As the event is missing much
information, such as "Caller User Name" and "Caller Process ID", it is most
likely caused by spyware residing on your LAN workstations.
Personally, I think that if the SBS computer is connected to the Internet, many
hacker activities may cause Event ID 529 etc. I recommend that you read the
following white paper and make sure your server is secure.
Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
Sometimes third-party applications/services and viruses/spyware may also
cause such an issue; however, it will be difficult to isolate the root cause
if that is the case.
Technically speaking, if 529 and 534 appear at the same time, it may
indicate that an attacker is trying and failing to guess a username and
password combination for a local account. However, since only the 529 event
is logged (please confirm whether there are any 534 events), it may also occur
when a user forgets their password, or starts browsing the network through
My Network Places.
In a large scale environment it can be difficult to interpret these events
effectively. As a rule, you should investigate these patterns if they occur
repeatedly or coincide with other unusual factors. For example, a number of
529 events followed by a 528 event in the middle of the night could
indicate a successful password attack. You should also monitor your client
computers to make sure they do not use any unknown software. Up-to-date
anti-virus software should be a must for all the clients.
In addition, you may also want to restrict downloads of certain kinds of
files from the Internet on the client computers (if you have ISA installed):
1. Create a protocol rule and apply it only to HTTP and HTTPS. (This may be too
restrictive if the users want to use software such as IM.)
2. Create a Site and Content Rules to Allow All Content.
3. Create a Site and Content Rule to Deny the following HTTP Content:
- Application
- Compressed Files
- Macro Documents
In addition, I have provided some more information for your reference:
1. I suggest you change the "nolmhash" value to "0" in the following
registry key on the SBS 2003 server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Reboot the server for this change to take effect and check whether the event
still appears.
If the event still appears, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
and set "enablesecuritysignature" and "requiresecuritysignature" to "0".
Reboot the server and check if everything is OK.
This occurs because the user accounts in the domain no longer have
LanManager (LM) hashes stored, because of the NoLMHash security setting.
This is why existing users worked fine, but new users and users whose
password was changed failed to log on. By removing this security setting
and resetting the password of the user accounts (to recreate a new LM hash
value for their password), the issue may be resolved.
2. This behavior may also happen when the machine password is not properly
synchronized. In order to reset the machine account password of a domain
controller, use:
NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*
The syntax of this command is:
NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password
| *]
NETDOM RESETPWD Resets the machine account password for the domain
controller on which this command is run. Currently there is no support for
resetting the machine password of a remote machine or a member server. All
parameters must be specified.
/Server Name of a specific domain controller that should have its
machine account password reset.
/UserD User account used to make the connection with the domain
controller specified by the /Server argument.
/PasswordD Password of the user account specified with /UserD. A * means
to prompt for the password.
After completing the command, reboot the server.
3. Scan the workstations for viruses. Please use the anti-virus software to
perform a full scan on the internal workstations. There is an online virus
scan link below:
http://housecall.trendmicro.com
4. Implement Strong password policies. Open 'Server Management console',
navigate to Users snap-in. In the right panel, click 'Configure Password
Policies'. Enable the password policies.
For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
5. Monitor the internal users to see if anyone is testing the admin
accounts.
6. Scan and remove all spyware and adware on the server and workstations.
For more information and removal tools, see:
http://www.microsoft.com/athome/security/spyware/default.mspx
More information:
Securing Your Windows Small Business Server 2003 Network
http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc
Auditing User Authentication
http://support.microsoft.com/default.aspx?scid=kb;en-us;174073
Security Event Descriptions
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
Logoff event messages are not logged in the security log when you use the
Audit Logon Events feature in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;318253
NOTE: This response contains a reference to a third party World Wide Web
site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or
information found on these sites; therefore, Microsoft cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any software
from the Internet.
I appreciate your time and look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
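The event-pattern advice in the reply (529s that keep recurring, a run of 529s followed by a 528 in the middle of the night, and 529 together with 534) as an added example of detection logic run over sample log lines. This is not code from the original post, from the poster or from Microsoft. The events are constructed to mirror the thread: the poster's SERVER1$ NTLM failure every 20 minutes, plus a guessing burst against "administrator" from a workstation. The one-line-per-event format, the field names and every threshold (burst size, window, "night" hours, jitter) are my assumptions and must be adapted to however Security-log events are exported on a given server.

```python
"""Triage of Security-log logon events 528/529/534 (added example, not from
the original post).  Sample events are CONSTRUCTED; format and thresholds are
assumptions to adapt to however events are exported on a given server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each Event Viewer entry flattened to one line (poster's dd/mm/yyyy dates);
# Src is '-' where the event carried no Source Network Address.
SAMPLE_LOG = """\
20/12/2005 09:57:40 529 User=SERVER1$ Domain=CORP Type=3 Pkg=NTLM Ws=SERVER1 Src=-
20/12/2005 10:17:41 529 User=SERVER1$ Domain=CORP Type=3 Pkg=NTLM Ws=SERVER1 Src=-
20/12/2005 10:37:40 529 User=SERVER1$ Domain=CORP Type=3 Pkg=NTLM Ws=SERVER1 Src=-
20/12/2005 10:57:42 529 User=SERVER1$ Domain=CORP Type=3 Pkg=NTLM Ws=SERVER1 Src=-
21/12/2005 02:10:05 529 User=administrator Domain=CORP Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 02:10:06 534 User=administrator Domain=SERVER1 Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 02:10:07 529 User=administrator Domain=CORP Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 02:10:08 529 User=administrator Domain=CORP Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 02:10:09 529 User=administrator Domain=CORP Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 02:10:11 528 User=administrator Domain=CORP Type=3 Pkg=NTLM Ws=WKS07 Src=192.168.1.57
21/12/2005 08:31:00 529 User=jsmith Domain=CORP Type=3 Pkg=NTLM Ws=WKS03 Src=192.168.1.53
21/12/2005 08:31:20 528 User=jsmith Domain=CORP Type=3 Pkg=NTLM Ws=WKS03 Src=192.168.1.53
"""

LINE_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<id>\d+) "
    r"User=(?P<user>\S+) Domain=(?P<domain>\S+) Type=(?P<type>\d+) "
    r"Pkg=(?P<pkg>\S+) Ws=(?P<ws>\S+) Src=(?P<src>\S+)")


def parse_events(text):
    """Return the events as dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["when"] = datetime.strptime(e.pop("date") + " " + e.pop("time"),
                                      "%d/%m/%Y %H:%M:%S")
        e["id"], e["type"] = int(e["id"]), int(e["type"])
        events.append(e)
    return sorted(events, key=lambda e: e["when"])


def periodic_failures(events, min_count=4, min_gap=timedelta(minutes=1),
                      jitter=timedelta(seconds=30)):
    """Accounts whose 529s recur at a near-constant interval, the signature of
    a looping service or scheduled job rather than a person at a keyboard.
    Returns {(user, workstation): interval_in_minutes}."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            times[(e["user"], e["ws"])].append(e["when"])
    hits = {}
    for key, ts in times.items():
        if len(ts) < max(min_count, 2):
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # min_gap keeps a rapid guessing burst from looking "periodic"
        if min(gaps) >= min_gap and max(gaps) - min(gaps) <= jitter:
            hits[key] = round((sum(gaps, timedelta()) / len(gaps)).total_seconds() / 60)
    return hits


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10),
                          night=(0, 6)):
    """A burst of 529s for one account from one source followed by a 528:
    what a successful guess looks like.  Off-hours successes are flagged."""
    hits = []
    for i, e in enumerate(events):
        if e["id"] != 528:
            continue
        key = (e["user"].lower(), e["src"])
        fails = [f for f in events[:i] if f["id"] == 529
                 and (f["user"].lower(), f["src"]) == key
                 and e["when"] - f["when"] <= window]
        if len(fails) >= min_failures:
            hits.append({"user": e["user"], "src": e["src"], "failures": len(fails),
                         "success_at": e["when"],
                         "off_hours": night[0] <= e["when"].hour < night[1]})
    return hits


def local_account_guessing(events, window=timedelta(seconds=5)):
    """529 and 534 for the same name from the same source close together, the
    pairing the reply associates with guessing at a local account."""
    f529 = [e for e in events if e["id"] == 529]
    pairs = []
    for e in events:
        if e["id"] == 534 and any(
                f["user"].lower() == e["user"].lower() and f["src"] == e["src"]
                and abs(e["when"] - f["when"]) <= window for f in f529):
            pairs.append((e["user"], e["src"], e["when"]))
    return pairs


def triage(text):
    ev = parse_events(text)
    return {"periodic": periodic_failures(ev),
            "guessed": failures_then_success(ev),
            "local_guessing": local_account_guessing(ev)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(name, finding)
```

Run against the constructed sample, `periodic` reports SERVER1$ on SERVER1 at a 20-minute interval (the poster's "every 20 mins" pattern, which points at something looping on the box rather than a person), `guessed` reports the four failures for administrator from 192.168.1.57 followed by a 528 at 02:10, flagged as off-hours, while jsmith's single mistyped password at 08:31 is not reported, and `local_guessing` pairs the 529 and 534 for administrator. The point of the separation into three checks is that each pattern calls for a different response: a periodic failure is a misconfigured service or stale credential, a burst-then-success is an account to reset and a host to examine, and a 529/534 pair is a reason to look at the local SAM on the target.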
--------------------
| Thread-Topic: Help .. Small Business Server Error may be DNS ?
| From: "ophelaisys" <ophelaisys@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Help .. Small Business Server Error may be DNS ?
| Date: Tue, 20 Dec 2005 02:18:03 -0800
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi Everyone & Merry Christmas..
|
| Can anyone help me put this problem to bed before
| I start the holiday season.
|
| I have a 2k3 SBS standard server ( server1 ) and 10 clients.
| DHCP . DNS . AD. Exchange. all seem cool.... BUt
|
| In the error logs the domain server is failing Kerberos authentication..
|
| here is a copy of the security error
|
| Event Type: Failure Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 529
| Date: 20/12/2005
| Time: 09:57:40
| User: NT AUTHORITY\SYSTEM
| Computer: SERVER1
| Description:
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name: SERVER1$
| Domain: xxxxxxxxx
| Logon Type: 3
| Logon Process: NtLmSsp
| Authentication Package: NTLM
| Workstation Name: SERVER1
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: -
| Source Port: -
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
| this happens every 20 mins................ There is also a double entry in
| the system log that points to the above error....
|
| see attached .....
|
| Event Type: Warning
| Event Source: LSASRV
| Event Category: SPNEGO (Negotiator)
| Event ID: 40960
| Date: 20/12/2005
| Time: 09:58:58
| User: N/A
| Computer: SERVER1
| Description:
| The Security System detected an authentication error for the server
| DNS/server1.xxxxxxxx.local. The failure code from authentication protocol
| Kerberos was "The attempted logon is invalid. This is either due to a bad
| username or authentication information. (0xc000006d)".
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
| Data:
| 0000: 6d 00 00 c0 m..À
|
| AND THE SECOND ENTRY ....................................
|
|
| Event Type: Warning
| Event Source: LSASRV
| Event Category: SPNEGO (Negotiator)
| Event ID: 40961
| Date: 20/12/2005
| Time: 09:58:58
| User: N/A
| Computer: SERVER1
| Description:
| The Security System could not establish a secured connection with the
| server DNS/server1.xxxxxx.local. No authentication protocol was available.
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
| Data:
| 0000: 6d 00 00 c0 m..À
|
|
| I have been on all the tech sites following the Event IDs and have not
| resolved it.. I may be missing the fix because I have been looking so long...
|
| Is this a dns error ? there are no event ids in the dns logs ..
|
| Any help as to the logon error would be great as the event logs are filling
| fast.
|
| Iain.
|