Discussion:
Frequent event 529 in Securit
Bryan L
2005-07-25 14:41:03 UTC
I'm running a SBS 2003 domain with about 30 users. I promoted another 2003
server std box to be a replica DC about a month ago. I've had the luxury of
time to work out the bugs and kinks getting this new DC to be error-free and
I'm almost done. The only persistent error I'm still getting is the
above-mentioned ID 529; a sample is provided below:
__________________________

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/22/2005
Time: 4:28:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME-2
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.168.229
Source Port: 0
__________________________

Services my network runs:
Exchange 2003
DFS/FRS
WINS
DNS
DHCP

More information:

- All clients are running XP SP2.
- These errors always appear in multiples of 4.
- Sometimes only 4 or 8 of these appear at a time for a given source IP;
other times there are 20 or so, and now and then there are literally
thousands of them within the span of a few minutes, or even hundreds within
a handful of seconds.
- The most common source IP is a particular member server, but the source
IP varies to include clients as well, both desktops and laptops.
- I believe it's a configuration problem and not malicious, since even my
own workstation is sometimes the source IP.
- When coming from desktops the source port appears to always be 0, but
when coming from the particular server that is most commonly the source IP,
the port increments by 3 every two events. For example, recently a total
of 16 events were logged with this server as the source, all within the same
second, and the ports looked like this: 3850, 3850, 3853, 3853, 3856, 3856,
3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871.
- These errors are being logged only on the new DC's security log; the logs
on my original SBS 2003 DC are clean.
- This server used to run 2000 Server with a static IP; it was wiped and
cleanly installed with Server 2003 SP1 and set to the same static IP as
before.
- This server has a different name than the 2000 Server installation did.
- A few days after the install, a gigabit NIC was installed in the server
and the onboard 10/100 NIC was disabled.
- DFS/FRS was in use for a short time on the 2000 Server, as a means to
migrate the shares it was hosting to a different location prior to the wipe
and reinstall. The 2000 Server was never a DC.
- I believe I made a mistake in managing my DFS: I disabled DFS referrals
to the old 2000 Server, but never actually removed all references to the
server from DFS altogether before taking the old server permanently offline.
I'm about to look for information that will help me clean this up; I've seen
it out there in my readings on DFS. The "new" Server 2003 installation is
not yet hosting its original shares again, but it has been set up as a DFS
root replica.

Any help appreciated; I'm not sure how to run this one down.

Thanks in advance,

Bryan
Charles Yang [MSFT]
2005-07-26 03:15:10 UTC
Hi Bryan,

Welcome to SBS newsgroup.

Issue description:

I understand that you encountered some problem in a DC in SBS domain.

Analyzing:

This issue does not seem to occur on the SBS server itself but on a
Windows 2003 member server. From your description it seems you also run
DFS in the SBS 2003 domain; as far as I know, DFS cannot be used in an SBS 2003
domain, as SBS 2003 does not support trusts with other domains. You might have
to disable the DFS services in the SBS domain. For event 529,

Suggestions:

As you mentioned, this error only occurs on your member server, so please
refer to the following section to check my suggestions:

This kind of issue may be caused by an application logon, such as while Outlook
is connecting to Exchange Server, or this is an automated dictionary attack
on weak passwords. The hacker is trying variable username/password (here it
is webmaster) combinations to access the network. The attack can be
initiated from the internal network or an external network.

Generally, in the event log, there is an attribute displayed as Logon type.
In most instances, the logon type is 3, which means Network logon. There
may be other attributes: Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is the default authentication
package; advapi means "API call to LogonUser".

If it is the case, it is most likely that the hacker is attempting to log on
to some services on your member server. Please tell us if you host any
services on this member server.

I appreciate you taking time to perform tests, if you have any further
concerns, please let me know. I will be here waiting for your updates.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Bryan L
2005-07-26 13:50:26 UTC
Post by Charles Yang [MSFT]
> This issue does not seem to occur on the SBS server itself but on a
> Windows 2003 member server

The server is actually a domain controller. After installing Server 2003
SP1 cleanly on the server, I promoted it to DC. AD replication seems to be
working properly between the SBS 2003 and this new DC.

Post by Charles Yang [MSFT]
> from your description it seems you also run
> DFS in the SBS 2003 domain. <snip> You might have
> to disable the DFS services in the SBS domain.

Why? I've never read anything to suggest DFS does not work normally in a
SBS 2003 domain. The only problem with disabling DFS is that we're using
it. DFS paths are used throughout my network configuration, in GPOs and on
my client workstations. Yes, we're running a single domain, since as you
said this is a SBS 2003 domain.

Post by Charles Yang [MSFT]
> This kind of issue may be caused by an application logon, such as while Outlook
> is connecting to Exchange Server, or this is an automated dictionary attack
> on weak passwords. <snip>

I'm certain it's not a dictionary attack or the result of spyware or adware.
I have up-to-date enterprise antivirus software on all machines on my
network, centrally managed and configured, and which includes an
anti-spyware module. The patterns of the events logged are not consistent
with a dictionary attack, whether executed manually or automatically by
malware. I have fewer than 30 users on my network, their workstations were
all imaged with an identical image and are quite locked-down, and I know my
users very well; none of them are hacker material.

This server is not running Exchange; Exchange is running on my SBS 2003.
Is it still possible these errors could be related to Outlook's logon to
Exchange, even though Exchange is not running on this box?

Post by Charles Yang [MSFT]
> If it is the case, it is most likely that the hacker is attempting to log on
> to some services on your member server. Please tell us if you host any
> services on this member server.

This DC is running WINS, AD-integrated DNS, and hosting a DFS root target.

Thanks for the reply,

Bryan
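
Added example (not part of any poster's message): a small Python triage of event 529 text in the layout quoted in this thread, grouping failures by source address to contrast the blank-user bursts described above with the varying-user-name pattern of a dictionary attack. The sample events, the addresses other than 192.168.168.229, the user names other than webmaster, and the labels and threshold in `classify` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# "Key: value" lines as in the quoted event text; the value may be empty.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")
BLANK = ("", "-")


def make_event(time, user, addr, port):
    """Build one constructed event in the text layout quoted in the thread."""
    return (
        "Event Type: Failure Audit\n"
        "Event ID: 529\n"
        "Date: 7/22/2005\n"
        f"Time: {time}\n"
        "Reason: Unknown user name or bad password\n"
        f"User Name: {user}\n"
        "Logon Type: 3\n"
        "Logon Process: Kerberos\n"
        f"Source Network Address: {addr}\n"
        f"Source Port: {port}\n"
    )


def build_sample():
    """Constructed log: two blank-user bursts and one varying-user source."""
    parts = [make_event("4:28:07 PM", "", "192.168.168.229", 0) for _ in range(8)]
    for port in (3850, 3850, 3853, 3853):
        parts.append(make_event("4:30:11 PM", "", "192.168.168.10", port))
    names = ["webmaster"] + [f"user{i:02d}" for i in range(1, 6)]
    for i, name in enumerate(names):
        parts.append(make_event(f"4:31:{10 + i:02d} PM", name, "192.168.168.50", 0))
    return "\n".join(parts)


def parse_events(text):
    """Split the text into one dict per event; keep only Event ID 529."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Event Type":          # first field of each record
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return [e for e in events if e.get("Event ID") == "529"]


def summarise(events):
    """Per source address: volume, user-name spread and burst size."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.get("Source Network Address", "-")].append(e)
    report = {}
    for addr, evs in by_source.items():
        users = {e.get("User Name", "") for e in evs} - set(BLANK)
        per_second = Counter((e.get("Date"), e.get("Time")) for e in evs)
        report[addr] = {
            "events": len(evs),
            "blank_user": sum(1 for e in evs if e.get("User Name", "") in BLANK),
            "distinct_users": len(users),
            "peak_per_second": max(per_second.values()),
            "multiple_of_4": len(evs) % 4 == 0,
            "ports": sorted({e.get("Source Port", "-") for e in evs}),
        }
    return report


def classify(row, many_users=5):
    """Heuristic labels (assumed, not from the thread) to order the review."""
    if row["blank_user"] == row["events"]:
        return "blank-user burst"      # no account named: look at the machine
    if row["distinct_users"] >= many_users:
        return "many user names"       # pattern of user-name guessing
    return "review"


if __name__ == "__main__":
    for addr, row in summarise(parse_events(build_sample())).items():
        print(addr, classify(row), row)
```
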
Charles Yang [MSFT]
2005-07-27 00:47:20 UTC
Hi Bryan,

Thanks for updates.

From your description, this issue might occur in connection with Exchange
server and Outlook clients. Please understand that it might be a little
difficult to troubleshoot such a network issue. We might need to catch the
network transport package for troubleshooting. Please first refer to my
suggestions below:

Did you encounter any problem in connection with Exchange and Outlook
clients? It seems you did not encounter any problem on the SBS 2003 PDC. Can
I assume that you deployed the DC in a branch office or in the same office?

Also, is there any other related warning or error event on the SBS 2003 PDC or
the Windows 2003 DC? Also, did you install Outlook on this Windows 2003 DC?

Thanks for your understanding. I will be here to be of any assistance.



Best regards,

Charles Yang (MSFT)

Bryan L
2005-07-29 20:41:00 UTC
Thanks for all posts and help on this. I have not resolved this issue, but
this week has been very busy and I have not had time to work on it. I hope
to have more time next week, and will post more then.

Thanks again,

Bryan
Charles Yang [MSFT]
2005-08-01 00:24:26 UTC
Hi Bryan,

Thanks for updates.

I will reply to you when you have time to reply; take care with your job.
Thanks for your effort.




Best regards,

Charles Yang (MSFT)

Bryan L
2005-08-02 18:24:12 UTC
Charles and group,

The problem has been solved.

If you will remember, this machine was running 2000 Server. I did a format
and clean install of Server 2003 Std and chose a different computer name,
but the same static IP address.

Before I formatted the machine, I created a full image of the system to a
network drive, in case I needed to revert back to the old installation for
any reason. For this reason, I did not immediately delete the computer
account associated with the old installation of 2000 Server; I kept the
account in Active Directory until I felt sure I would not need to revert
back to the old 2000 Server install.

Yesterday morning, I deleted the old computer account from the SBS using the
Manage Server Computers snap-in in the Server Management console. The
constant Logon/Logoff Failure events in the Security Log of the "new" Server
2003 installation stopped immediately. Since yesterday morning, the server
has not logged a single entry in the Security log.

Thanks again for all the time and effort put in by many people in the group.
You got me pointed in the right direction.

Bryan
Charles Yang [MSFT]
2005-08-03 00:31:28 UTC
Hi Bryan,

Thanks for letting us know that the solutions pointed you in the right
direction. Thanks for your effort in this issue.

Hope we can meet again in future.

Have a nice day!

--------------------
| From: "Bryan L" <***@connellinsurance.nospam.com>
| References: <#y#***@TK2MSFTNGP12.phx.gbl>
<#***@TK2MSFTNGP10.phx.gbl>
<***@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Frequent event 529 in Securit
| Date: Tue, 2 Aug 2005 13:24:12 -0500
| Lines: 228
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <***@TK2MSFTNGP09.phx.gbl>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: connellinsurance.com 66.76.216.32
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:140822
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Charles and group,
|
| The problem has been solved.
|
| If you will remember, this machine was running 2000 Server. I did a
format
| and clean install of Server 2003 Std and chose a different computer name,
| but the same static IP address.
|
| Before I formatted the machine, I created a full image of the system to a
| network drive, in case I needed to revert back to the old installation
for
| any reason. For this reason, I did not immediately delete the computer
| account associated with the old installation of 2000 Server; I kept the
| account in Active Directory until I felt sure I would not need to revert
| back to the old 2000 Server install.
|
| Yesterday morning, I deleted the old computer account from the SBS using
the
| Manage Server Computers snap-in in the Server Management console. The
| constant Logon/Logoff Failure events in the Security Log of the "new"
Server
| 2003 installation stopped immediately. Since yesterday morning, the
server
| has not logged a single entry in the Security log.
|
| Thanks again for all the time and effort put in by many people in the
group.
| You got me pointed in the right direction.
|
| Bryan
|
|
| ""Charles Yang [MSFT]"" <v-***@online.microsoft.com> wrote in message
| news:***@TK2MSFTNGXA01.phx.gbl...
| > Hi Bryan,
| >
| > Thanks for updates.
| >
| > I will reply you when you have time to reply, take care with your job.
| > Thanks for your effort:
| >
| > --------------------
| > | From: "Bryan L" <***@connellinsurance.nospam.com>
| > | References: <#y#***@TK2MSFTNGP12.phx.gbl>
| > | Subject: Re: Frequent event 529 in Securit
| > | Date: Fri, 29 Jul 2005 15:41:00 -0500
| > |
| > | Thanks for all posts and help on this. I have not resolved this issue, but
| > | this week has been very busy and I have not had time to work on it. I hope
| > | to have more time next week, and will post more then.
| > |
| > | Thanks again,
| > |
| > | Bryan
| > |
| > |
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ======================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the corresponding
| > newsgroups so that they can be resolved in an efficient and timely manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check the
| > "Notify me of replies" box to receive e-mail notifications when there are
| > any updates in your thread. When responding to posts via your newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly. Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| >
| >
|
|
|



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
