Re: ATTN : Microsoft - Security Event 529....Second Request for help....
- From: Art Vandalay <noone@xxxxxxxxxxx>
- Date: Wed, 12 Apr 2006 14:58:25 -0400
I'll try this Jenny. I did have one question.... Since this is the
only domain controller, do I still disable the Kerberos Key
Distribution Center service and remove the ticket cache before running
the netdom utility?
On Wed, 12 Apr 2006 12:38:33 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:
Hi,
Thanks for your information.
Yes, you can use the command "nltest /dbflag:0x0" to disable debug logging when
you no longer need to collect the netlogon log on the server box.
From the netlogon.log, we find the following error message:
04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of SYSIII\SERVER1$
from SERVER1 Returns 0xC000006A
04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of SYSIII\SERVER1$
from SERVER1 Returns 0xC000006A
The error code 0xC000006A (STATUS_WRONG_PASSWORD) means: When trying to
update a password, this return status indicates that the value provided as
the current password is not correct.
I would like to suggest that you reset the machine password by using
"NETDOM RESETPWD" with the required parameters. Please refer to the
following article for detailed steps.
325850 How to use Netdom.exe to reset machine account passwords of a
Windows Server 2003 domain controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325850
Then please test the issue again to see if it helps.
More information:
315585 Troubleshooting account lockout problems in Windows Server 2003
http://support.microsoft.com/?id=315585
I appreciate your time!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request for help....
Date: Tue, 11 Apr 2006 19:06:51 -0400
Message-ID: <qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:259708
X-Tomcat-NG: microsoft.public.windows.server.sbs
Hi Jenny,
All services are using the Local System Account and stop and start
without any issues. I have e-mailed you the netlogon.log and all the
event logs. Thanks again for all your help with this.... Please let
me know if there is anything else you need.
Also, should I run a "nltest /dbflag:0x0" in a few days to disable
debug logging on the netlogon service?
On Tue, 11 Apr 2006 08:37:05 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:
Hi,
Thanks for your update.
For current situation, let us try the following suggestions to see if it
helps.
1. Please double check that the services IIS Admin Service, Microsoft
Exchange Routing Engine, Microsoft Exchange Information Store and Microsoft
Exchange System Attendant have their logon account set to "Local System
Account" and their Startup type set to "Automatic". You can refer to the
following steps:
Open the Services Management console (services.msc), locate the service and
double click it to open its Properties page. Set its Startup type to
"Automatic". Click the Log On tab and make sure "Local System Account" is
selected.
Then please try to manually restart the service. What is the result?
2. If the issue persists, please log on to the SBS Server, go to a command
prompt, type "nltest /dbflag:0x2080ffff" (without the quotation marks),
then monitor the security log. When the new event is recorded, please send
me the C:\Windows\debug\netlogon.log file for analysis.
3. Also please help me collect the application, system and security log
files for analysis.
To save a text copy of the Application/System/Security log:
A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
Event Viewer.
B. Right-click on the Application/System log and select "Save Log File As...".
Please save the log as an .evt file and email them to me. My working mailbox
is: v-yanniw@xxxxxxxxxxxxx
I appreciate your time!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request for help....
Date: Mon, 10 Apr 2006 19:12:23 -0400
Message-ID: <ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:259445
X-Tomcat-NG: microsoft.public.windows.server.sbs
Thanks for the reply Jenny... According to the events, the logon
failure is from the local machine account (SERVER1$). It is always
the local machine account that exhibits the failures. Events are
logged every couple of minutes. I'm sure it is not a hacking attempt
or virus, since the events occur even if the server is physically
disconnected from the network. This is also a brand new server
SBS2003 installation... If the server is rebooted, the process PIDs
that produce the logon failure change, but always point back to the
same three processes : store.exe, wmiprvse.exe, and inetinfo.exe.
It really seems like something is out of sync with the local machine
account password....
On Mon, 10 Apr 2006 06:55:12 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:
Hi Art,
Thank you for posting here!
I am sorry for the delayed response due to the weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!
From your description, I understand the issue to be: you received security
"event 529 and 552" in the Security log.
Security Event ID 529 is a failure audit for logon/logoff. The security
events are controlled by the audit policies. The policies of "logon events"
generate the events on domain controllers for domain account activity. The
logon type 3 is a Network event, which means "A user or computer logged on to
this computer from the network".
This kind of issue may be caused by an application logon, such as while
Outlook is connecting to Exchange Server, or this is an automated dictionary
attack on weak passwords. The hacker is trying variable username/password
(here it is webmaster) combinations to access the network. The attack can be
initiated from the internal network or the external network.
Technically speaking, this is a normal behavior as you cannot prevent a
hacker from attacking your server. You can ignore the events as the attack
was unsuccessful. However, since it indicated the hacker attacking, I would
like to give the following action plan to improve the network security:
1. Scan for viruses on the workstations. Please use the anti-virus software
to perform a full scan on the internal workstations. There is an online
virus scan link below:
http://housecall.trendmicro.com/
2. Implement strong password policies. Open ''Server Management console'',
navigate to the Users snap-in. In the right panel, click ''Configure
Password Policies''. Enable the password policies.
For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
3. Have you got a bricks level backup or an anti virus scan running about
those times? If it's possible, check the backup to see if the bricks part
failed and what account and password it's using.
4. Disable the Guest account.
5. The following document also helps you to more securely configure your
SBS 2003 network. Completing the tasks in this document helps you protect
the availability, integrity, and confidentiality of your network.
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en
More information:
Kerberos Event ID: 529 is logged when you use a local user account to
verify security access or group membership on a Windows Server 2003-based
Kerberos client
http://support.microsoft.com/default.aspx?scid=kb;en-us;150530
Hope above information helps! I appreciate your time and efforts to the
issue and I am looking forward to your reply!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: ATTN : Microsoft - Security Event 529....Second Request for help....
Date: Thu, 06 Apr 2006 21:54:42 -0400
Message-ID: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:258695
X-Tomcat-NG: microsoft.public.windows.server.sbs
Freshly genned SBS 2003 Server producing the following events in the
security log:
4/2/2006 8:18:56 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:56 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -
Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 324
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -
Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4296
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -
Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4496
Source Network Address: -
Source Port: -
"
According to Task Manager : PID 4496 is wmiprvse.exe, PID 4296 is
store.exe, and PID 324 is inetinfo.exe. Something is out of sync
somewhere, but where??
Please help..........
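The thread ends up separating two very different causes of Event 529: a machine account (SERVER1$) failing against its own host with no network source, which the netlogon.log later pins to 0xC000006A (STATUS_WRONG_PASSWORD), versus logon failures arriving from a remote address, which is the password-guessing case the first reply assumed. The following Python script is an added example written for this page, not code from the thread or from Microsoft. It parses a Security-log text export in the layout shown above together with netlogon.log "SamLogon" lines, classifies each 529 record, and combines both views into a finding. The SERVER1$ record and the netlogon lines reuse the thread's own values; the "webmaster" record, the host LAPTOP7 and the address 192.0.2.44 are constructed to show the contrasting remote case. The NTSTATUS names are standard Windows values.

```python
import re
from collections import Counter

# Constructed Security-log export (Event Viewer text layout as in the thread).
# First record reuses the thread's SERVER1$ values; the second is constructed.
SAMPLE_EVENTS = r"""
4/2/2006 8:18:56 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Source Network Address: -
Source Port: -
"
4/2/2006 8:20:01 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LAPTOP7
Source Network Address: 192.0.2.44
Source Port: 3391
"
"""

# Constructed netlogon.log excerpt, copied from the lines quoted in the thread.
SAMPLE_NETLOGON = r"""
04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of SYSIII\SERVER1$ from SERVER1 Returns 0xC000006A
04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of SYSIII\SERVER1$ from SERVER1 Returns 0xC000006A
"""

# Standard NTSTATUS values that commonly follow "Returns" in netlogon.log.
NTSTATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_529_RE = re.compile(r'\b529\b[^"]*"(.*?)"', re.S)   # body between the quotes
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")     # "Field: value" lines
NETLOGON_RE = re.compile(r"Network logon of (\S+) from (\S+) Returns (0x[0-9A-Fa-f]{8})")


def parse_529_events(text):
    """Return one dict of field/value pairs per 529 record in the export."""
    events = []
    for match in EVENT_529_RE.finditer(text):
        fields = {}
        for line in match.group(1).splitlines():
            fm = FIELD_RE.match(line)
            if fm:
                fields[fm.group(1).strip()] = fm.group(2)
        events.append(fields)
    return events


def classify_529(event):
    """A machine account failing against its own host with no network source is
    a secure-channel/password problem, not a remote guess."""
    user = event.get("User Name", "")
    workstation = event.get("Workstation Name", "")
    source = event.get("Source Network Address", "-")
    if user.endswith("$") and user[:-1].upper() == workstation.upper() and source in ("-", ""):
        return "machine-account-self"
    if source not in ("-", ""):
        return "remote-logon-failure"
    return "local-logon-failure"


def summarize_529(text):
    """Count 529 records per class."""
    return dict(Counter(classify_529(ev) for ev in parse_529_events(text)))


def parse_netlogon(text):
    """Extract account, source host and decoded NTSTATUS from SamLogon lines."""
    results = []
    for match in NETLOGON_RE.finditer(text):
        code = int(match.group(3), 16)
        results.append({"account": match.group(1), "from": match.group(2),
                        "status": f"0x{code:08X}",
                        "name": NTSTATUS_NAMES.get(code, "UNKNOWN")})
    return results


def diagnose(events_text, netlogon_text):
    """Combine the Security log and netlogon.log views into actionable findings."""
    summary = summarize_529(events_text)
    wrong_pw = sorted({e["account"] for e in parse_netlogon(netlogon_text)
                       if e["name"] == "STATUS_WRONG_PASSWORD"})
    findings = []
    if summary.get("machine-account-self") and wrong_pw:
        # Same host, same machine account, STATUS_WRONG_PASSWORD, no network
        # source: the local machine password no longer matches the domain copy.
        findings.append("machine account password out of sync: " + ", ".join(wrong_pw))
    if summary.get("remote-logon-failure"):
        findings.append("remote logon failures present: review source addresses and account names")
    return findings


if __name__ == "__main__":
    print(summarize_529(SAMPLE_EVENTS))
    for finding in diagnose(SAMPLE_EVENTS, SAMPLE_NETLOGON):
        print(finding)
```

Run against a real export, `parse_529_events` takes the text saved from Event Viewer and `parse_netlogon` the debug log that `nltest /dbflag:0x2080ffff` produces; the classification keys on the combination of a `$`-suffixed account, a matching Workstation Name and an empty Source Network Address, which is exactly the pattern in the events quoted above.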