Re: Daily Server Report (Critical Errors, Event ID: 537)



Brandy

I) It happens on a Workstation
II) A specific computer.
III) Yes, all working well to the best of my knowledge.

I will carry our items 1 to 3 next Monday (February 27th) and report back.

Regards
Barry


""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:jbiOkNqMGHA.3504@xxxxxxxxxxxxxxxxxxxxxxxx
Hello Barry,

Thank you for posting to the SBS Newsgroup.

I understand that you find there are plenty of Event IDs 537 with a
substatus code of 0xC00002EE on your machine. If I have misunderstood your
concern, please let me know.

The status code 0xC00002EE translates to STATUS_FINISHED_CONTEST_DELETED.
It means that a security context was deleted before the context was
completed. Also, Logon type of 3 is a network logon, this is considered a
logon failure. I need to gather some detailed information, please see:

I) Does this issue happen on client workstation or server?
II) Does this issue happen on some specific computers or all of them?
III) Does your server and all clients' workstation work well now? Can you
access the Internet, receive/send emails, etc? Is there any performance
issue in your Network?

Based on my experience, there are various factors can cause this issue,
please see:

1. I suggest you that perform a scanning for virus and spyware/adware on
your computers. You can download spybot to scan for spyware/adware:

http://www.safer-networking.org/en/download/index.html

2. There are maybe some hackers from the internet trying to guess your
users' passwords. So I suggest you that configure your network more
securely. You can refer to the following document to secure your Network:

This document helps you to more securely configure your Microsoft Windows
Small Business Server 2003 network. Completing the tasks in this document
helps you protect the availability, integrity, and confidentiality of your
network.

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/technet/prodtechnol/sbs/2003/maintain/sbsecnet.mspx

3. Third party software. Some third party software installed on the client
workstations may try to log on or log off server by using incorrect
account
because it does not support the Kerberos authentication. I suggest that
you
perform a clean boot on the machine which gives our Event ID 537 to see
whether the issue occur:

a. Click Start->Run, type "MSCONFIG" (without the quotation marks) and
click OK.

b. In the System Configuration Utility (MSConfig) window, click the
"Startup" tab.

c. Click to clear all the check marks from the list box under "Startup".

d. Click the Services tab, check the "Hide all Microsoft Services" box and
then click the "Disable All" button to disable the non-Microsoft services.

e. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.

f. After restarting, please check whether this issue still exists.

For your reference:

817310 Cannot Log On to a Heavily Loaded Exchange Server 2003 Computer by
Using Outlook Mobile Access
http://support.microsoft.com/?id=817310

Audit logon events
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/e104c96f-e243-41c5-aaea-d046555a079d.mspx

Auditing User Authentication
http://support.microsoft.com/?id=174073

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx

Please take your time to read through my suggestions. If you have any
updates, please feel free to let me know. I am looking forward to hearing
from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check
the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.



--------------------
From: "Barry McConomy" <smile@xxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Daily Server Report (Critical Errors, Event ID: 537)
Date: Wed, 15 Feb 2006 08:16:07 -0500
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <11v6a9im8vf3l76@xxxxxxxxxxxxxxxxxx>
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Complaints-To: abuse@xxxxxxxxxxxxx
Lines: 34
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!nntp.giganews.com!transit3.readnews.com!
news-out.readnews.com!sn-xt-sjc-02!sn-xt-sjc-06!sn-post-01!supernews.com!cor
p.supernews.com!not-for-mail
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:244652
X-Tomcat-NG: microsoft.public.windows.server.sbs

Hi

Daily Server Report

I have recently started to get a lot of "Critical Errors in Security Log"
(5,448), see below.

Can anybody advise/help?

Regards
Barry

Source: Security
Event ID: 537
Logon Failure:
Reason: An error occurred during logon
User Name: ***
Domain: ***
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port:







.



Relevant Pages

  • Re: Logon Server Unavailable
    ... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
    (microsoft.public.windows.server.general)
  • Re: Logon Server Unavailable
    ... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
    (microsoft.public.windows.server.dns)
  • Re: Logon Server Unavailable
    ... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
    (microsoft.public.windows.server.networking)
  • Re: Logon Server Unavailable
    ... The server is not configured for transactions" ... "Access Denied" Message When Opening from or Saving to a Network Folder ... Logon unsuccessful: The user name you typed is the same as the user name you ... "An error occurred while renewing interface local area connection" While ...
    (microsoft.public.windows.server.general)
  • Re: Logon Server Unavailable
    ... The server is not configured for transactions" ... "Access Denied" Message When Opening from or Saving to a Network Folder ... Logon unsuccessful: The user name you typed is the same as the user name you ... "An error occurred while renewing interface local area connection" While ...
    (microsoft.public.windows.server.dns)