RE: sam errors



I have posted some of the errors that have been appearing in server status
reports below. They have various event ID #. I will look into the
administrator account in regard to third party applications as you suggested
and report back. These events are occurring two to three times a week so clean
boot is practical to me to test this.


1.

Event id 537

Logon Failure:
Reason: An error occurred during logon
User Name: DOMAIN-DC-01$
Domain: DOMAIN.LOCAL
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00000DC
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0


2.

Event ID: 529

Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOMAIN-DC-01
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.100
Source Port: 0


3. Another Event id: 529

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: DOMAIN
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DOMAIN-DC-01
Caller User Name: Administrator
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x938F3)
Caller Process ID: 4132
Transited Services: -
Source Network Address: -
Source Port: -



"Brandy Nee [MSFT]" wrote:

Hello David,

Thank you for posting back!

I am sorry for the delayed response due to the weekend. Please understand
that the newsgroups are staffed weekdays by Microsoft Support professionals
to answer your systems and applications questions. Your understanding is
greatly appreciated!

[NOTE]: Please read through ALL my reply FIRST and then perform the steps:

I cannot find your post "SAM Errors" in VAP Newsgroup, but I do have a
Public post whose Subject is "SAM Errors" in the Public Newsgroup
<microsoft.public.windows.server.sbs> posted by
jack@xxxxxxxxxxxxxxxxxxxxxxxxx on 24th May.

I have read through the Performance report and the whole thread, and I want
to confirm the following information with you:

1. I am sorry but I am still not clear what exact issue you are experiencing.

a. Event ID 529
OR
b. Event ID 532?

I only find Event ID 529 in the Performance Report. However, in
jack@xxxxxxxxxxxxxxxxxxxxxxxxx second reply (25th May), he said he found
Event ID 532. Where did he find the Event ID 532? In Performance Report,
SBS Event Viewer or client workstation Event Viewer?

2. You mentioned "As you can see from today's status report the logon error
(below) shows the workstation: as the domain controller. Ie. Workstation
Name: BLADON-DC-01"

Actually, this is just a format of the Performance report. The security log
in the Performance Report is queried from the Security Event Log on any
domain computers. The "Workstation Name" in Performance Report as you have
seen can be the SBS Server, additional DCs, or any client workstations. So
no worry.

3. Please explain in detail "I used the term SAM errors but the term SAM
was not used in errors etc". What do "SAM errors" and "the term SAM was not
used in errors" mean? I did not find any SAM error in the Performance
report. There are only two Event IDs in the Performance report, one is 7515
exchange Event, and another one is 529.

4. I suggest that we focus on the Event ID 529 first.

1). This Event 529 points to the administrator account. If you change the
password of the Admin account, and it is not synchronized to some application
you manually configured with the admin account, this event will occur.

2). We have seen this event when some third-party applications function
incorrectly, such as: Serve4U, CVRdata purge and so on. To troubleshoot
third-party applications, I suggest you check if there are any of them
that did not function correctly or temporarily disable them all for test
purposes. You can schedule a down time to perform a clean boot to see how it
goes:

A Clean Boot will allow us to isolate any device drivers or programs that
are loading at startup that may be causing a conflict with other device
drivers or programs that are installed in your computer.

a. Click Start->Run, type "MSCONFIG" (without the quotation marks) and
click OK.

b. In the System Configuration Utility (MSConfig) window, click the
"Startup" tab.

c. Click to clear all the check marks from the list box under "Startup".

d. Click the Services tab, check the "Hide all Microsoft Services" box and
then click the "Disable All" button to disable the non-Microsoft services.

e. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.

f. After restarting, please check whether this issue still exists.

3) Scan the workstations for viruses. Please use the anti-virus software to
perform a full scan on the internal workstations. There is an online virus
scan link below: http://housecall.trendmicro.com.

4) Implement Strong password policies. Open 'Server Management console',
navigate to Users snap-in. In the right panel, click 'Configure Password
Policies'. Enable the password policies.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

5) Monitor the internal users to see if anyone is testing the admin
accounts.

More info:

Securing Your Windows Small Business Server 2003 Network
http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc

6) Protect your Exchange Server:

Exchange Server 2003 Security Hardening Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en

By the way, I strongly suggest that you reply back to our Newsgroup so the
other customers who visit our Newsgroup regularly can benefit from your SBS
experience.

Thanks a lot for your time and understanding and I am looking forward to
your reply!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
From: =?Utf-8?B?amFjaw==?= <jack@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: sam errors
Date: Thu, 25 May 2006 22:10:02 -0700
Newsgroups: microsoft.public.windows.server.sbs

Hi Brandy-Nee
this is one of the logon errors. See additional info below.

error 532 9:42am

The workstation is showing as the server here.

Logon Failure:
Reason: The specified account's password has expired
User Name: renee
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: BLADON-DC-01
Caller User Name: BLADON-DC-01$
Caller Domain: BLADON
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2000
Transited Services: -
Source Network Address: -
Source Port: -


"Brandy Nee [MSFT]" wrote:

1. Where do you find the "sam errors"? On the SBS Server or client
workstations?
STATUS REPORT LOGS

2. Does this issue occur on one specific user or certain?
IT HAS HAPPENED HERE:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: BLADON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BLADON-DC-01
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.100
Source Port: 0


3. If you ask the problematic client to log on another good computer, will
this issue occur?
THIS ISSUE IS RANDOM AND I AM NOT ABLE TO REPRODUCE IT.

4. If you ask a good client to log on the problematic computer, will this
issue occur?

5. On the problematic computer, run "eventvwr" (without quotation marks),
check whether there are any errors. If yes, double click it, click the Copy
button and paste the full content to the Newsgroup.
I HAVE PASTED THE ERRORS ABOVE.

[Note]: I need the exact full content of the error message for accurate
research.

6. When did the issue occur? Did you encounter this issue before? If no,
did you make any changes or install any updates/software on the problematic
computer recently?
INSTALLED WSUS SERVER. CARRIED OUT SERVER AND EXCHANGE AND CLIENT UPDATES
THROUGH WSUS. VERITAS DRIVER UPDATES.

7. Just to double confirm, on the problematic computer, can domain clients
log in domain, access domain resources, etc?
THE CLIENTS ARE USING A MAPPED FOLDER (Z DRIVE) TO ACCESS USER FOLDERS. THIS
WAS HOW SOMEONE SET UP THIS SERVER. FOLDER REDIRECTION IS NOT IN USE.
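
A triage sketch for the logon-failure events pasted in this thread, added here as an example and not part of any poster's message: it parses the "Key: Value" event text and separates failures that arrived over the network (a Source Network Address is recorded) from those raised by a process on the server itself (only a Caller Process ID is recorded). The function names, the normalized "Event ID:" header and the classification rule are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: values from this thread's events, triage fields only.
SAMPLE = """\
Event ID: 537
User Name: DOMAIN-DC-01$
Caller Process ID: -
Source Network Address: 127.0.0.1

Event ID: 529
User Name: Administrator
Caller Process ID: -
Source Network Address: 192.168.0.100

Event ID: 529
User Name: administrator
Caller Process ID: 4132
Source Network Address: -
"""

def parse_events(text):
    """Split on blank lines; each 'Key: Value' block becomes a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def origin(event):
    """Heuristic (an assumption of this example): where the attempt started."""
    addr = event.get("Source Network Address", "-")
    pid = event.get("Caller Process ID", "-")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None  # "-" or empty: no network source was logged
    if ip is not None and not ip.is_loopback:
        return f"remote host {ip}"
    if pid.isdigit():
        return f"local process PID {pid}"
    return "local machine, caller not recorded"

def summarize(text):
    """Count failures per (event id, lower-cased user name, origin)."""
    return Counter(
        (e.get("Event ID", "?"), e.get("User Name", "?").lower(), origin(e))
        for e in parse_events(text)
    )
```

A "local process PID" result means the process with that ID on the server is the one presenting the credentials; a "remote host" result points at the machine to inspect.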


