Re: ATTN : Microsoft - Security Event 529....Second Request for help....

Hi,

Thanks for your update. I am glad to know that things are getting fine now.
I appreciate your time and effort to try my suggestions and get this
resolved.

When a computer joins a domain, a computer account is created. After that,
when the system starts, it uses the computer account password to create a
secure channel with domain controller within the domain. This secure
channel is used to perform operations such as NTLM passthrough
authentication, LSA SID\Name Lookup, and so on. The computer account
password is stored along with the computer account on the DCs, and is
replicated between DCs. The password is also in LSA secret $MACHINE.ACC of
the workstation. Each workstation owns such secret data.

Upon starting, Netlogon attempts to find a domain controller (DC) for the
domain in which its machine account exists. After locating the appropriate
DC, the machine account password from the workstation is authenticated
against the password on the DC. After the machine account is verified, the
workstation establishes a secure channel with that DC. For Microsoft
Windows 2003/Windows 2000 or Microsoft Windows XP, the default computer
account password change period is every 30 days.

For some reasons the password synchronization between the computer (the SBS
DC also is computer in AD) with AD does not perform successfully. It is may
be blocked by some third party application, the DC computer does not run
for a long time, or other processes. It may happen accidentally and we can
not find out root cause now. If there is no other issue on the SBS server
box, we can monitor the server for some time to keep the server in the
stable status.

Hope above information helps. please let me know if you need further
assistance on the issue. I am glad to help.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request for
help....
Date: Tue, 18 Apr 2006 07:46:13 -0400
Message-ID: <2ak942lrdd89ciq9q3224k7km24im2aunp@xxxxxxx>
References: <p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
<qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
<uwmmE4iXGHA.932@xxxxxxxxxxxxxxxxxxxxx>
<q6jq32h4ddpr2mlcagq5d2fucj1534ch46@xxxxxxx>
<nLwEwBsXGHA.888@xxxxxxxxxxxxxxxxxxxxx>
<v7as325npghrbsjcbvcq6j6o0f3uae9ag4@xxxxxxx>
<EUln6vuXGHA.2428@xxxxxxxxxxxxxxxxxxxxx>
<71ds32tng57k93n64eip5vsicetok30f4c@xxxxxxx>
<vTjAMHvXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:261174
X-Tomcat-NG: microsoft.public.windows.server.sbs


That appears to have done the trick.... Thanks so much for all your
help!! Any idea how this could have happened?

On Thu, 13 Apr 2006 12:00:01 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Please book a off-business time to perform the test in order to do not
affect your business.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request for
help....
Date: Thu, 13 Apr 2006 07:21:53 -0400
Message-ID: <71ds32tng57k93n64eip5vsicetok30f4c@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
<qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
<uwmmE4iXGHA.932@xxxxxxxxxxxxxxxxxxxxx>
<q6jq32h4ddpr2mlcagq5d2fucj1534ch46@xxxxxxx>
<nLwEwBsXGHA.888@xxxxxxxxxxxxxxxxxxxxx>
<v7as325npghrbsjcbvcq6j6o0f3uae9ag4@xxxxxxx>
<EUln6vuXGHA.2428@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:260133
X-Tomcat-NG: microsoft.public.windows.server.sbs


Will do... You have a nice day too and a Happy Easter!!

On Thu, 13 Apr 2006 11:18:19 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Yes, you are right. Please follow the steps to perform and let me know
the
result.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request
for
help....
Date: Thu, 13 Apr 2006 06:39:53 -0400
Message-ID: <v7as325npghrbsjcbvcq6j6o0f3uae9ag4@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
<qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
<uwmmE4iXGHA.932@xxxxxxxxxxxxxxxxxxxxx>
<q6jq32h4ddpr2mlcagq5d2fucj1534ch46@xxxxxxx>
<nLwEwBsXGHA.888@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:260126
X-Tomcat-NG: microsoft.public.windows.server.sbs


Hi Jenny,

Just so I have this completely straight, these are the steps to
perform?

1. Perform complete system backup.
2. Stop the Kerberos Key Distribution Center service and set to
Manual.
3. Restart the server to clear ticket cache.
4. Run netdom resetpwd /s:server1 /ud:sysiii\administrator /pd:* and
restart the server.
5. Restart Kerberos Key Distribution Center service and set backup to
Automatic.

Thanks again for all your help!

On Thu, 13 Apr 2006 06:06:40 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Hi,

Thanks for your update.

Yes, we need temporary disable the Kerberos Key Distribution Center
service
and remove the ticket cache before we run the netdom utility. These
steps
can make sure there is no side effects to client workstations during
you
reset machine account password.

After you reset the machine account password, you can restart the
service
again.

Important: please note that before performing the reset password
process,
please make sure that you have a full backup of your system to avoid
any
unexpected thing happen you can restore them back. For more info
about
backup and restore, please refer to:

Backing Up and Restoring Windows Small Business Server 2003
http://go.microsoft.com/fwlink/?LinkId=49916

Please try to test and let me know the result. I appreciate your time!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have
issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you
check
the
"Notify me of replies" box to receive e-mail notifications when there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit from
your
issue.

Microsoft engineers can only focus on one issue per thread. Although
we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly.
Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.


--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second Request
for
help....
Date: Wed, 12 Apr 2006 14:58:25 -0400
Message-ID: <q6jq32h4ddpr2mlcagq5d2fucj1534ch46@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
<qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
<uwmmE4iXGHA.932@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:259945
X-Tomcat-NG: microsoft.public.windows.server.sbs


I'll try this Jenny. I did have one question.... Since this is the
only domain controller, do I still disable the Kerberos Key
Distribution Center service and remove the ticket cache before
running
the netdom utility?

On Wed, 12 Apr 2006 12:38:33 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Hi,

Thanks for your information.

Yes, you can the command "nltest /dbflag:0x0" to disable debug
logging
when
you need not collect the netlogon log on the server box.

From the netlogon.log, we find the following error message:

04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of
SYSIII\SERVER1$
from SERVER1 Returns 0xC000006A
04/11 18:49:06 [LOGON] SYSIII: SamLogon: Network logon of
SYSIII\SERVER1$
from SERVER1 Returns 0xC000006A

The error code 0xC000006A (STATUS_WRONG_PASSWORD) means: When
trying
to
update a password, this return status indicates that the value
provided
as
the current password is not correct.

I would like to suggest that you reset the machine password by
using
"NETDOM RESETPWD" with the required parameters. Please refer to the
following article to get detail steps.

325850 How to use Netdom.exe to reset machine account passwords of
a
Windows Server 2003 domain controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325850

Then please test the issue again to see if it helps.

More information:

315585 Troubleshooting account lockout problems in Windows Server
2003,
in
http://support.microsoft.com/?id=315585

I appreciate your time!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have
issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you
check
the
"Notify me of replies" box to receive e-mail notifications when
there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit from
your
issue.

Microsoft engineers can only focus on one issue per thread.
Although
we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean.
In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly.
Please
check http://support.microsoft.com for regional support phone
numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second
Request
for
help....
Date: Tue, 11 Apr 2006 19:06:51 -0400
Message-ID: <qtco32tfs8d98otsk6vp849j4dd6a8c6ep@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
<ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
<O1#NhMUXGHA.4900@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net
68.82.122.237
Lines: 1
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:259708
X-Tomcat-NG: microsoft.public.windows.server.sbs

Hi Jenny,

All services are using the Local System Account and stop and start
without any issues. I have e-mailed you the netlogon.log and all
the
event logs. Thanks again for all your help with this.... Please
let
me know if there is anything else you need.

Also, should I run a "nltest /dbflag:0x0" in a few days to disable
debug logging on the netlogon service?

On Tue, 11 Apr 2006 08:37:05 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Hi,

Thanks for your update.

For current situation, let us try the following suggestions to
see
if
it
helps.

1. Please double check the services: IIS Admin Service, Microsoft
Exchange
Routing Engine, Microsoft Exchange Information Store, Microsoft
Exchange
System Attendant service' logon on account is "Local System
Account",
Startup type as "Automatic". You can refer to the following steps:

Open Services Management console (services.msc), locate the
service
and
double click it to open its Properties page. Set it Startup type
as
"Automatic". Click Log on tab, please ensure check the box of
"Local
System
Account".

Then please try to manually re-Start the service, what is the
result?

2. If the issue persists, please logon to the SBS Server, go to
command
prompt, type "nltest /dbflag:0x2080ffff" (without the quotation
marks),
then monitor the security log. When the new event is recorded,
please
mail
me the C:\Windows\debug\netlogon.log file for analyze.

3. Also please help me collect the application, system and
security
log
file for analyze.

To save a text copy of Application /System/Security log:

A. Open Event Viewer: Start -> All Programs -> Administrative
Tools
->
Event Viewer.
B. Right-click on Application/System log and select "Save Log
File
As?".
Please save the log to .evt file and email them to me. My working
mailbox
is: v-yanniw@xxxxxxxxxxxxx

I appreciate your time!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have
issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and
timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you
check
the
"Notify me of replies" box to receive e-mail notifications when
there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit from
your
issue.

Microsoft engineers can only focus on one issue per thread.
Although
we
provide other information for your reference, we recommend you
post
different incidents in different threads to keep the thread
clean.
In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS
directly.
Please
check http://support.microsoft.com for regional support phone
numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers
no
rights.

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: Re: ATTN : Microsoft - Security Event 529....Second
Request
for
help....
Date: Mon, 10 Apr 2006 19:12:23 -0400
Message-ID: <ulol325n28crb3aj1o2npsmjpemnd02qn6@xxxxxxx>
References: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
<p8mU8uGXGHA.880@xxxxxxxxxxxxxxxxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net
68.82.122.237
Lines: 1
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:259445
X-Tomcat-NG: microsoft.public.windows.server.sbs


Thanks for the reply Jenny... According to the events, the logon
failure is from the local machine account (SERVER1$). It is
always
the local machine account that exhibits the failures. Events are
logged every couple of minutes. I'm sure it is not a hacking
attempt
or virus, since the events occur even if the server is physically
disconnected from the network. This is also a brand new server
SBS2003 installation... If the server is rebooted, the process
PIDs
that produce the logon failure change, but always point back to
the
same three processes : store.exe, wmiprvse.exe, and inetinfo.exe.

It really seems like something is out of sync with the local
machine
account password....

On Mon, 10 Apr 2006 06:55:12 GMT, v-yanniw@xxxxxxxxxxxxxxxxxxxx
("Jenny wu [MSFT]") wrote:

Hi Art,

Thank you for posting here!

I am sorry for the delayed response due to weekend. Please
understand
that
the newsgroups are staffed weekdays by Microsoft Support
professionals
to
answer your systems and applications questions. Your
understanding
is
greatly appreciated!

From your description, I understand the issue to be: you
received
security
event 529 and 552 in the Security log.

Security Event ID 529 is a failure audit for logon/logoff. The
security
events are controlled by the audit policies. The policies of
"logon
events"
generate the events on domain controllers for domain account
activity.
The
log type 3 is a Network event means "A user or computer logged
on
to
this
computer from the network".

This kind of issue may be caused by Application logon such as
while
Outlook
is connecting to Exchange Server, or this is an automated
dictionary
attack
on weak passwords. The hacker is trying variable
username/password
(here
it
is webmaster) combinations to access the network. The attack
can
be
initiated from internal network or external network.

Technically speaking, this is a normal behavior as you cannot
prevent
a
hacker from attacking your server. You can ignore the events as
the
attack
was unsuccessful. However, since it indicated the hacker
attacking,
I
would
like to give the following action plan to improve the network
security:

1. Scan virus on the workstations. Please use the anti-virus
software
to
perform full scan on the internal workstations. There is an
online
virus
scan link below:

http://housecall.trendmicro.com/

2. Implement Strong password policies. Open ''Server Management
console'',
navigate to Users snap-in. In the right panel, click
''Configure
Password
Policies''. Enable the password policies.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/t
ec
hn
ol
og
ie
s/
security/bpactlck.mspx

3. Have you got a bricks level backup or an anti virus scan
running
about
those times? If it's a possible check the backup to see if the
bricks
part
failed and what account and password it's using.

4. Disable the Guest account.

5. The following document also helps you to more securely
configure
your
SBS 2003 network. Completing the tasks in this document helps
you
protect
the availability, integrity, and confidentiality of your
network.

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b272
2-
26
7c
-4
64
2-
b287-c31115ef10a4&displaylang=en

More information:

Kerberos Event ID: 529 is logged when you use a local user
account
to
verify security access or group membership on a Windows Server
2003-based
Kerberos client
http://support.microsoft.com/default.aspx?scid=kb;en-us;150530

Hope above information helps! I appreciate your time and
efforts
to
the
issue and I am looking forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you
have
issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and
timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.as
px

When opening a new thread via the web interface, we recommend
you
check
the
"Notify me of replies" box to receive e-mail notifications when
there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit
from
your
issue.

Microsoft engineers can only focus on one issue per thread.
Although
we
provide other information for your reference, we recommend you
post
different incidents in different threads to keep the thread
clean.
In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS
directly.
Please
check http://support.microsoft.com for regional support phone
numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and
confers
no
rights.

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: ATTN : Microsoft - Security Event 529....Second
Request
for
help....
Date: Thu, 06 Apr 2006 21:54:42 -0400
Message-ID: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net
68.82.122.237
Lines: 1
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:258695
X-Tomcat-NG: microsoft.public.windows.server.sbs


Freshly genned SBS 2003 Server producing the following events
in
the
security log:

4/2/2006 8:18:56 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:56 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 324
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4296
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4496
Source Network Address: -
Source Port: -
"

According to Task Manager : PID 4496 is wmiprvse.exe, PID 4296
is
store.exe, and PID 324 is inetinfo.exe. Something is out of
sync
somewhere, but where??

Please help..........








.

Relevant Pages

  • Re: Logoff / Slow Bootups / Outlook attachements / Outlook Not res
    ... are going to be using two of the problematic machines. ... When you logon the problematic user account on the good user's computer, ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: Exchange Password
    ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... |> course of logging on to the Exchange server. ... if the local account uses the same ...
    (microsoft.public.windows.server.sbs)
  • Re: sbs roaming profile not loading on local client
    ... Log on the server as an administrator. ... Repeat step 3 to step 5 to change the owner to the newly created account. ... supported in the private newsgroup and you may post to the public newsgroup ... Microsoft Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: ISA Server Management console fails to load
    ... account but renamed it for security reasons. ... suggested and was able to rename the Administrator folder. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: Problem with multiple access to one exchange email account
    ... please configure a testing account and test if ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... By multiple access I mean the same ...
    (microsoft.public.windows.server.sbs)
Loading