Clicky

Dear Support

About once every second I get the following error on one of our four domain controllers.
This is a DC at a site office and the others have the same entry but with the details for this DC. I have checked all services, and scheduled tasks on this computer and none of them are using the administrator account.

Event Type:        Failure Audit
Event Source:    Security
Event Category:                Account Logon
Event ID:              675
Date:                     26/10/2011
Time:                     16:49:22
User:                     NT AUTHORITY\SYSTEM
Computer:          **********
Description:
Pre-authentication failed:
               User Name:        Administrator
               User ID:                                DOMAIN\Administrator
               Service Name:   krbtgt/DOMAIN.LOCAL
               Pre-Authentication Type:             0x2
               Failure Code:     0x18
               Client Address: 127.0.0.1

TIA

asked 10/26/2011 12:26

macomsupport's gravatar image

macomsupport ♦♦


12 Answers:
Run the following script on your DC, It will output all the services and what accounts are being used by them
 
1:
2:
3:
4:
5:
6:
Set objService = GetObject("winmgmts:") 
Set objCol = objService.ExecQuery("SELECT * FROM Win32_Service") 
 For Each obj In objCol
       S = S & obj.DisplayName & " ( " & obj.StartName & " )" & vbCrLf
 Next 
WScript.Echo S
link

answered

Neilsr's gravatar image

Neilsr

Hmmm quick question... Have recently upgraded ANYTHING in your infrastructure?
link

answered 2011-10-26 at 08:43:19

Neilsr's gravatar image

Neilsr

And is the time correct on ALL your servers? Another common cause.
link

answered 2011-10-26 at 08:49:41

Neilsr's gravatar image

Neilsr

Hello

I ran the script and the all say localsystem or networkservice. I did recently have a time sync issue. But I have fixed that by setting a new npt soure, and all servers have the same time as the PDC now.
link

answered 2011-10-26 at 08:52:35

macomsupport's gravatar image

macomsupport

Have you run a DCDIAG on ALL of your DC's? All ERROR FREE?
link

answered 2011-10-26 at 09:04:33

Neilsr's gravatar image

Neilsr

Yes I have
link

answered 2011-10-26 at 09:27:51

macomsupport's gravatar image

macomsupport

Hello

I just noticed that on the PDC the 675 error always has the following two errors preceding it


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            27/10/2011
Time:            10:26:28
User:            NT AUTHORITY\SYSTEM
Computer:      PDC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      administrator@DOMAIN
 Source Workstation:      PDC
 Error Code:      0xC0000064


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and this error:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            27/10/2011
Time:            10:26:28
User:            NT AUTHORITY\SYSTEM
Computer:      NP-LDNDC01
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Administrator
 Source Workstation:      PDC
 Error Code:      0xC000006A

Thanks in advanced.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


link

answered 2011-10-26 at 09:46:42

macomsupport's gravatar image

macomsupport

Hello

I just noticed that on the PDC the 675 error always has the following two errors preceding it


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            27/10/2011
Time:            10:26:28
User:            NT AUTHORITY\SYSTEM
Computer:      PDC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      administrator@DOMAIN
 Source Workstation:      PROBLEM_DC
 Error Code:      0xC0000064


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and this error:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            27/10/2011
Time:            10:26:28
User:            NT AUTHORITY\SYSTEM
Computer:     PDC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Administrator
 Source Workstation:     PROBLEM_DC
 Error Code:      0xC000006A

Thanks in advanced.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
link

answered 2011-10-27 at 02:35:52

macomsupport's gravatar image

macomsupport

It is possible that your accounts are out of sync from when you had your time sync problem.  I would go for demoting your problem DC, taking it off the domain, deleting the computer account, joining the domain and the dcpromo it back to a DC.
link

answered 2011-10-27 at 02:38:27

Neilsr's gravatar image

Neilsr

It might sound a lot but will be quicker in the long run than spending the next 4 days trying to troubleshoot.
link

answered 2011-10-27 at 02:43:20

Neilsr's gravatar image

Neilsr

I rebooted the server and this error has stoppped.

thanks you for your help
link

answered 2011-10-27 at 02:43:58

macomsupport's gravatar image

macomsupport

rebooting the server fixed the issus

link

answered 2011-11-04 at 03:55:56

macomsupport's gravatar image

macomsupport

Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

×1

Asked: 10/26/2011 12:26

Seen: 184 times

Last updated: 11/08/2011 05:16