Zachary Guest
Posted: Mon Oct 26, 2009 1:05 pm Post subject: Security Failures after Password Change
Hi everyone,
Recently I have performed a password change on the default domain
administrator account. Before the change was made last Friday I made sure
to find all services and scheduled tasks in our network that were using the
domain admin account and changed them to use their own service account.
After the change all system functionality has been restored (i.e. Exchange,
Blackberry, our ERP system, everything is working). On top of that, the
domain admin account isn't getting locked out. That should mean that there
isn't anything with a stored password attempting to use the old password.
With all that said, however, I am still receiving security failures in the
event viewer on our primary DC. The failures are below. Any help
understanding these would be appreciated.
FYI - In doing research on the 4771 events I have found that the failure
code 0x18 usually means a bad password. What I don't understand is that the
two IP addresses listed with those events are our backup DCs.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
-------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
-------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.
This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Zachary Guest
Posted: Mon Oct 26, 2009 1:39 pm Post subject: Re: Security Failures after Password Change
If that is the case, shouldn't the domain account be locked out? We have a
lockout policy, and if a service or app attempts to validate credentials that
many times unsuccessfully it should lock the account out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
| Quote: | Hello Zachary,
Seems that there are still some services/applications running that need
the password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Zachary Guest
Posted: Mon Oct 26, 2009 1:55 pm Post subject: Re: Security Failures after Password Change
Ok, with that being the case, is there more detailed auditing I can turn on
to find out what service or app is attempting to make these authentications?
When I look in the services MMC I don't see any services using the
administrator account for validation, and the only in-house app being used is
our intranet site and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
| Quote: | Hello Zachary,
The domain administrator will automatically unlock, after being locked out
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
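An added triage script for the question above and for the failure codes decoded in the first post; it is not code from the thread or from Microsoft. It parses event records in the plain-text form pasted in this thread, maps the 4771/4769 Kerberos failure codes and the 4776 NTSTATUS values, and ranks wrong-password attempts by the host that sent them (Client Address for Kerberos, Source Workstation for NTLM), which is the machine to inspect for a leftover stored credential. The sample records are constructed from the thread's own placeholder hosts and trimmed to the fields the parser reads.

```python
"""Triage Security-log audit failures after a privileged password change: parse the
plain-text records pasted in this thread and group wrong-password attempts by host."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Kerberos error codes (RFC 4120 section 7.5.9) in the "Failure Code" of 4771/4769.
KRB_ERRORS = {
    0x0E: "KDC_ERR_ETYPE_NOSUPP (no mutually supported encryption type)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
}
# NTSTATUS values in the "Error Code" of 4776 (NTLM credential validation).
NT_ERRORS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# (event id, code) pairs meaning "a credential was presented and did not match".
BAD_PASSWORD = {(4771, 0x18), (4769, 0x18), (4776, 0xC000006A)}
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s?(.*)$")  # "Key: value" lines
SEPARATOR = re.compile(r"^-{10,}\s*$")                    # dashed divider

@dataclass(frozen=True)
class Failure:
    event_id: int
    account: str   # lower-cased: the log mixes Administrator/administrator
    source: str    # host name or IP address that presented the credential
    code: int
    reason: str

def parse_records(text: str) -> list[dict[str, str]]:
    """Split Event Viewer text on dashed separators into key/value dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD.match(line.strip())
        if m and m.group(1) not in current:  # keep the first occurrence of a key
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def to_failure(rec: dict[str, str]) -> Failure | None:
    """Decode one record; None for successes (code 0x0) and other event types."""
    event_id = int(rec.get("Event ID", 0))
    if event_id in (4771, 4769):
        code = int(rec["Failure Code"], 16)
        # Client Address is IPv4-mapped IPv6 ("::ffff:a.b.c.d"); "::1" is the DC itself.
        account, source = rec["Account Name"], rec["Client Address"].removeprefix("::ffff:")
        reason = KRB_ERRORS.get(code, f"unknown Kerberos error {code:#x}")
    elif event_id == 4776:
        code = int(rec["Error Code"], 16)
        account, source = rec["Logon Account"], rec["Source Workstation"]
        reason = NT_ERRORS.get(code, f"unknown NTSTATUS {code:#x}")
    else:
        return None
    return Failure(event_id, account.lower(), source, code, reason) if code else None

def stale_credential_sources(text: str, account: str) -> list[tuple[str, int, int]]:
    """(source, event id, count) of wrong-password attempts for `account`, most
    frequent first; other failures (like the 0xe encryption-type error on the
    4769 above) are left out so they are not chased as leftover stored passwords."""
    counts: Counter = Counter()
    for rec in parse_records(text):
        f = to_failure(rec)
        if f and f.account == account.lower() and (f.event_id, f.code) in BAD_PASSWORD:
            counts[(f.source, f.event_id)] += 1
    return sorted(((s, e, n) for (s, e), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))

# Constructed sample in the pasted format: hosts reused from the thread, each
# record trimmed to the fields the parser reads.
SAMPLE = """\
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4776
Logon Account: administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4769
Account Name: DC$@DOMAIN.COM
Client Address: ::1
Failure Code: 0xe
"""
```

Running `stale_credential_sources(SAMPLE, "Administrator")` lists 10.0.1.254 (two Kerberos attempts) and EXCHANGESERVER (one NTLM attempt), while the 4769 from the DC itself is reported as an encryption-type error rather than a bad password.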
Meinolf Weber [MVP-DS] Guest
Posted: Mon Oct 26, 2009 2:28 pm Post subject: Re: Security Failures after Password Change
Hello Zachary,
Seems that there are still some services/applications running that need the
password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Meinolf Weber [MVP-DS] Guest
Posted: Mon Oct 26, 2009 2:45 pm Post subject: Re: Security Failures after Password Change
Hello Zachary,
The domain administrator will automatically unlock after being locked out,
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Quote:
If that is the case, shouldn't the domain account be locked out? We have a lockout policy, and if a service or app attempts to validate credentials that many times unsuccessfully it should lock the account out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
Hello Zachary,
Seems that there are still some services/applications running that
need the password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Meinolf Weber [MVP-DS] Guest
Posted: Mon Oct 26, 2009 3:07 pm Post subject: Re: Security Failures after Password Change
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed in the event viewer entries?
Also, the listed "0xc000006a" is a bad password.
Best regards
Meinolf Weber
Quote:
Ok, with that being the case, is there more detailed auditing I can turn on to find out what service or app is attempting to make these authentications? When I look in the services MMC I don't see any services using the administrator account for validation, and the only in-house app being used is our intranet site, and that is clean.
Zachary Guest
Posted: Mon Oct 26, 2009 3:07 pm Post subject: Re: Security Failures after Password Change
I found this error. When I look at PID 4968 it is mad.exe, which points to the MSExchangeSA service. I looked in the services MMC and that service is set to log on as Local System. Why would it be trying to use the domain admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
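Both the DC-side events Zachary posted (the 4771, 4776 and 4769 entries in the original message) and the 529 from the Exchange server reduce to the same three questions: which account, which source, and whether the failure is really a wrong password. The following is an added example, not code from this thread or from Microsoft. SAMPLE_LOG is constructed from the posted events, trimmed to the fields the triage needs; the code-to-name tables come from RFC 4120 and the NTSTATUS list; and the "host pid N via Advapi" source label is this example's own convention.

```python
"""Decode and group the audit failures pasted in this thread. Added example, not
code from the thread or from Microsoft: SAMPLE_LOG is constructed from the events
Zachary posted, trimmed to the fields the triage needs, in Event Viewer's text
dump format."""
import re
from collections import defaultdict

KRB_ERR = {0x18: "KDC_ERR_PREAUTH_FAILED",   # RFC 4120 s7.5.9: wrong password
           0x0E: "KDC_ERR_ETYPE_NOSUPP"}     # RFC 4120 s7.5.9: no key of that etype
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD"}   # as reported by 4776
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}
SAMPLE_LOG = """\
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
Certificate Issuer Name:
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.249
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4776
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4776
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4769
Account Name: DC$@DOMAIN.COM
Client Address: ::1
Failure Code: 0xe
------------------------------------------------------------
Event ID: 529
Computer: EXCHANGE
Reason: Unknown user name or bad password
User Name: Administrator
Logon Type: 7
Logon Process: Advapi
Caller Process ID: 4968
"""
RECORD_SEP = re.compile(r"^-{10,}\s*$", re.MULTILINE)
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_events(text):
    """Split an Event Viewer text dump into a list of {field: value} dicts."""
    events = []
    for chunk in RECORD_SEP.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):    # empty fields ("Certificate Issuer Name:") are dropped
                fields.setdefault(m.group(1), m.group(2))
        if "Event ID" in fields:
            events.append(fields)
    return events

def explain(ev):
    """Normalise one record to (account, source, reason, wrong_password)."""
    eid = int(ev["Event ID"])
    if eid in (4771, 4769):     # Kerberos AS-REQ / TGS-REQ failure, logged on the KDC
        code = int(ev["Failure Code"], 16)
        # Only a 4771 with 0x18 is a password failure; a 4769 never checks a password.
        return (ev["Account Name"], ev["Client Address"],
                KRB_ERR.get(code, f"{code:#x}"), eid == 4771 and code == 0x18)
    if eid == 4776:             # NTLM pass-through validation, logged on the DC
        code = int(ev["Error Code"], 16)
        return (ev["Logon Account"], ev["Source Workstation"],
                NTSTATUS.get(code, f"{code:#x}"), code == 0xC000006A)
    if eid == 529:              # pre-Vista logon failure, logged on the member server
        ltype = int(ev["Logon Type"])
        # Logon Process "Advapi" = a process called LogonUser() with explicit credentials;
        # the caller PID identifies it only while that process is still running.
        source = f'{ev["Computer"]} pid {ev.get("Caller Process ID", "?")} via {ev.get("Logon Process", "?")}'
        return (ev["User Name"], source,
                f'{ev["Reason"]} (logon type {ltype}={LOGON_TYPE.get(ltype, "?")})', True)
    return None

def wrong_password_sources(events, account="administrator"):
    """Map each source that presented a wrong password for `account` to the reasons
    seen. Non-password failures such as 4769/0xe are deliberately left out."""
    hits = defaultdict(set)
    for ev in events:
        parsed = explain(ev)
        if parsed is None:
            continue
        acct, source, reason, wrong_pw = parsed
        if wrong_pw and acct.split("@")[0].lower() == account.lower():
            hits[source].add(reason)
    return {src: sorted(reasons) for src, reasons in hits.items()}

if __name__ == "__main__":
    for src, reasons in sorted(wrong_password_sources(parse_events(SAMPLE_LOG)).items()):
        print(f"{src:32} {', '.join(reasons)}")
```

Run it and the 4769 from DC$ at ::1 drops out: failure code 0xe is KDC_ERR_ETYPE_NOSUPP, an encryption-type mismatch that a password change does not cause, so it is a separate problem. Two caveats for the rest: a 4771 whose Client Address is another DC usually means that DC received the bad attempt first and forwarded the verification to the PDC emulator, so the originating host is in that DC's own Security log rather than this one; and a 529 (4625 on newer systems) with Logon Process Advapi names the process on the member server that called LogonUser(), which is the only event in this set that points at a process rather than a host. On a live DC the same records come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771,4776} instead of a pasted dump.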
Zachary Guest
Posted: Mon Oct 26, 2009 3:37 pm Post subject: Re: Security Failures after Password Change
Cross-posting this to an Exchange group.
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
| Quote: | I found this error. When i look at PID 4968 it is mad.exe which points to
the MSExchangeSA service. I looked in the services MMC and that service is
set to log on as Local System. Why would it be trying to use the domain
admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a98cc246d902e505f@msnews.microsoft.com...
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed
in the event viewer entries?
Also listed "0xc000006a" is bad password.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ok, with that being the case, is there more detailed auditing i can
turn on
to find out what service or app is attempting to make these
authentications?
When i look in the services mmc i don't see any services using the
administrator account for validation and the only in house app being
used is
our intranet site and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
Hello Zachary,
The domain administrator will automatically unlock, after being
locked out
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-d
omain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
If that is the case, shouldn't the domain account be locked out? We
have a lockout policy and if a service or app attempts to validate
credentials that may time unsuccessfully it should lock the account
out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
Hello Zachary,
Seems that there are still some services/applications running that
need the password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi everyone,
Recently I have performed a password change on the default domain
administrator account. Before the change was made last Friday I
made sure to find all services and scheduled tasks in our network
that were using the domain admin account and changed them to use
their own service account. After the change all system
functionality has been restored. (I.E. Exchange, Blackberry, our
ERP system, everything is working) On top of that, the domain
admin account isn't getting locked out. That should mean that
there isn't anything with a stored password attempting to use the
old password. With all that said, however, I am still receiving
security failures in the event viewer on our primary DC. The
failures are below. Any help understanding these on these would
be appreciated.
FYI - In doing research on the 4771 events I have found that the
failure code 0x18 usually means a bad password. What I don't
understand is that the two IP addresses listed with those events
are our backup DCs.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could
not be decrypted, then many fields in this event might not be
present.
-------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could
not be decrypted, then many fields in this event might not be
present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could
not be decrypted, then many fields in this event might not be
present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
-------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Zachary Guest
Posted: Mon Oct 26, 2009 3:58 pm Post subject: Re: Security Failures after Password Change
Additional references I have found. These describe my situation also, but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
http://antionline.com/archive/index.php/t-272867.html
"Zachary" <zdundore@agraind.com> wrote in message
news:eJ$1QqlVKHA.1372@TK2MSFTNGP02.phx.gbl...
Cross posting this to an exchange group.
"Zachary" <zdundore@agraind.com> wrote in message
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
I found this error. When I look at PID 4968 it is mad.exe, which points to
the MSExchangeSA service. I looked in the services MMC and that service
is set to log on as Local System. Why would it be trying to use the
domain admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a98cc246d902e505f@msnews.microsoft.com...
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed
in the event viewer entries?
Also listed "0xc000006a" is bad password.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ok, with that being the case, is there more detailed auditing I can
turn on to find out what service or app is attempting to make these
authentications?
When I look in the services MMC I don't see any services using the
administrator account for validation, and the only in-house app being
used is our intranet site, and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
Hello Zachary,
The domain administrator will automatically unlock, after being
locked out, as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
If that is the case, shouldn't the domain account be locked out? We
have a lockout policy, and if a service or app attempts to validate
credentials that many times unsuccessfully it should lock the account
out.
Zachary Guest
Posted: Mon Oct 26, 2009 4:16 pm Post subject: Re: Security Failures after Password Change
Found one of the culprits. The Exchange service account for legacy access
was set to the domain admin. This is found in System Manager > Administrative
Groups; right-click your administrative group, and on the General tab you
will see this setting. I am still receiving this error from the Exchange
server, though. Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Zachary Guest
Posted: Mon Oct 26, 2009 7:58 pm Post subject: Re: Security Failures after Password Change
Here is a status update. My Exchange server is still throwing this error,
and every time it does it correlates to the next error that shows up on our
main DC.
-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------
Then the SYTEUTIL server issues this error every 10 minutes, and PID 4704 is
w3wp.exe. This error correlates to the second error from our DC.
---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Then there is this error every 5 minutes; the IP listed is our second DC.
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there is this one that happens every 10 minutes; the IP listed is our
third DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there are two of these every 10 minutes on our main DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.
This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
---------------------------------------------------
Are all of these related to the two member servers having problems, or is
this something deeper?
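A triage script for the events in this post, added here as an example and not code from the thread: it parses pasted 2008-style (4771/4776/4769) and 2003-style (529) Security events, decodes the failure codes (0x18 and 0xe per RFC 4120, 0xc000006a as STATUS_WRONG_PASSWORD), and pairs each member server's 529 with the DC's 4776 for the same account and workstation within a few seconds, which is the correlation the status update relies on. The field names are those of the events above; the sample input is constructed from the thread's own events, abridged to the fields the script uses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Failure codes seen in the thread: Kerberos error codes per RFC 4120 (4771/4769), NTSTATUS (4776).
KERBEROS_CODES = {"0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
                  "0xe": "KDC_ERR_ETYPE_NOSUPP (unsupported encryption type, not a password error)"}
NTSTATUS_CODES = {"0xc000006a": "STATUS_WRONG_PASSWORD"}
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /-]*?):[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_events(text):
    """Split pasted Event Viewer text on dashed separator lines into {field: value} dicts."""
    events = []
    for chunk in re.split(r"(?m)^-{10,}[ \t\r]*$", text):
        fields = {}
        for m in FIELD_RE.finditer(chunk):
            fields.setdefault(m.group(1), m.group(2))   # first occurrence of a field wins
        if "Event ID" in fields:
            events.append(fields)
    return events

def event_time(ev):
    """2008-style events carry 'Date: m/d/Y h:M:S AM'; 2003-style events split Date and Time."""
    stamp = ev["Date"] + (" " + ev["Time"] if "Time" in ev else "")
    return datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")

def normalise(ev):
    """Reduce an event of either format to the fields needed for correlation."""
    eid, source, account, reason = ev["Event ID"], "", "", ""
    if eid in ("4771", "4769"):   # KDC on the DC: the client address that sent the request
        source = ev.get("Client Address", "").replace("::ffff:", "")
        account = ev.get("Account Name", "")
        reason = KERBEROS_CODES.get(ev.get("Failure Code", "").lower(), "unknown Kerberos code")
    elif eid == "4776":           # NTLM validation on the DC: the workstation that forwarded it
        source, account = ev.get("Source Workstation", ""), ev.get("Logon Account", "")
        reason = NTSTATUS_CODES.get(ev.get("Error Code", "").lower(), "unknown NTSTATUS")
    elif eid == "529":            # 2003 member server: the local process that tried to log on
        source, account = ev.get("Computer", ""), ev.get("User Name", "")
        reason = ev.get("Reason", "logon failure")
    return {"id": eid, "time": event_time(ev), "account": account.lower(),
            "source": source.split(".")[0].upper() if eid in ("4776", "529") else source,
            "reason": reason, "pid": ev.get("Caller Process ID", "-"),
            "logon_process": ev.get("Logon Process", "-")}

def correlate(records, window=timedelta(seconds=5)):
    """Pair each member-server 529 with the DC 4776 for the same account and host inside the
    window: the 4776 proves the DC refused the password, the 529 names the host and PID."""
    return [(loc, dc) for loc in records if loc["id"] == "529"
            for dc in records if dc["id"] == "4776" and dc["account"] == loc["account"]
            and dc["source"] == loc["source"] and abs(dc["time"] - loc["time"]) <= window]

def summarise(text):
    """Count failures per (source, account, event, reason) and list the hosts/PIDs to check."""
    records = [normalise(e) for e in parse_events(text)]
    counts = Counter((r["source"], r["account"], r["id"], r["reason"]) for r in records)
    leads = [f"{loc['source']}: PID {loc['pid']} via {loc['logon_process']} still presents the old "
             f"'{loc['account']}' password ({dc['reason']} on the DC at {dc['time']:%H:%M:%S})"
             for loc, dc in correlate(records)]
    return counts, leads

# Sample input constructed from the events quoted in this thread, abridged to the fields used.
SAMPLE = """Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
Computer: SYTEUTIL
User Name: administrator
Logon Process: Advapi
Caller Process ID: 4704
----------------------------------------------------
Event ID: 4776
Date: 10/26/2009 3:40:07 PM
Computer: AGRADC2.agraind.com
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Event ID: 4771
Date: 10/26/2009 3:32:21 PM
Computer: AGRADC2.agraind.com
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
----------------------------------------------------
Event ID: 4769
Date: 10/26/2009 3:38:15 PM
Computer: AGRADC2.agraind.com
Account Name: AGRADC2$@AGRAIND.COM
Client Address: ::1
Failure Code: 0xe"""

if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE)[1]))
```

A 529 whose Logon Process is NtLmSsp, like the AGRAEXCH event in the status update, carries no Caller Process ID, so that event cannot be tied to a PID the way the SYTEUTIL one can.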
Meinolf Weber [MVP-DS] Guest
Posted: Thu Oct 29, 2009 5:39 pm Post subject: Re: Security Failures after Password Change
Hello Zachary,
Sorry for being late.
According to the ip addresses listed you use IPv6 and IPv4 together on some
machines?
Are the time settings/time zones the same on all machines?
Are any of the machines restored after a crash?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
| Quote: | Here is a status update. My exchange server is still throwing this
error
and every time it does it coralates to the next error that show up on
our
main DC.
-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------
Then the Syteutil server issues this error every 10 minutes and PID
4704 is
w3wp.exe. This error coralates to the second error from our DC.
---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Then there is this error every 5 minutes, the ip listed is our second
DC
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined
in RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there is this one that happens every 10 mins, the ip listed is
our
third DC
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined
in RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there are two of these ever 10 minutes on our Main DC
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.
This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than the
domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC
4120. ---------------------------------------------------
Are all of these related to the two member servers having problems or
is this somthing deeper.
"Zachary" <zdundore@agraind.com> wrote in message
news:uLJxJAmVKHA.220@TK2MSFTNGP02.phx.gbl...
Found one of the culprits. The Exchange service account for legacy
access was set to the domain admin. This is found in the system
manager>Administrative Groups and then right click your
administrative group and on the general tab you will see this
setting. I am still recieving this error yet from the exchange
server: Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Zachary" <zdundore@agraind.com> wrote in message
news:OHVPB2lVKHA.1372@TK2MSFTNGP02.phx.gbl...
Additional references i have found. These describe my situation
also but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-loc
king-doma.aspx
http://antionline.com/archive/index.php/t-272867.html
"Zachary" <zdundore@agraind.com> wrote in message
news:eJ$1QqlVKHA.1372@TK2MSFTNGP02.phx.gbl...
Cross posting this to an exchange group.
"Zachary" <zdundore@agraind.com> wrote in message
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
I found this error. When i look at PID 4968 it is mad.exe which
points to the MSExchangeSA service. I looked in the services MMC
and that service is set to log on as Local System. Why would it
be trying to use the domain admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a98cc246d902e505f@msnews.microsoft.com...
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as
listed in the event viewer entries?
Also listed "0xc000006a" is bad password.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Ok, with that being the case, is there more detailed auditing i
can
turn on
to find out what service or app is attempting to make these
authentications?
When i look in the services mmc i don't see any services using
the
administrator account for validation and the only in house app
being
used is
our intranet site and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
Hello Zachary,
The domain administrator will automatically unlock, after being
locked out
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Def
ault-d omain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
If that is the case, shouldn't the domain account be locked
out?
We
have a lockout policy and if a service or app attempts to
validate
credentials that may time unsuccessfully it should lock the
account
out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message
news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
Hello Zachary,
Seems that there are still some services/applications running
that need the password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hi everyone,
Recently I have performed a password change on the default
domain administrator account. Before the change was made
last Friday I made sure to find all services and scheduled
tasks in our network that were using the domain admin
account and changed them to use their own service account.
After the change all system functionality has been restored.
(I.E. Exchange, Blackberry, our ERP system, everything is
working) On top of that, the domain admin account isn't
getting locked out. That should mean that there isn't
anything with a stored password attempting to use the old
password. With all that said, however, I am still receiving
security failures in the event viewer on our primary DC.
The failures are below. Any help understanding these on
these would be appreciated.
FYI - In doing research on the 4771 events I have found that
the failure code 0x18 usually means a bad password. What I
don't understand is that the two IP addresses listed with
those events are our backup DCs.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate
was
used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes
are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and
could
not be decrypted, then many fields in this event might not
be
present.
------------------------------------------------------------
-
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate
was
used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes
are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and
could
not be decrypted, then many fields in this event might not
be
present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate
was
used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes
are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and
could
not be decrypted, then many fields in this event might not
be
present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials
for
an
account.
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
-
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials
for
an
account.
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials
for
an
account.
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.
This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than
the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in
RFC 4120.
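Added example, not part of any post in this thread: a PowerShell script that pulls the 4776 and 4771 failures for one account from every domain controller and summarizes them by source and by the interval between hits. Three things the events above establish are built in. The 4776 error 0xC000006A is STATUS_WRONG_PASSWORD and the 4771 failure code 0x18 is KDC_ERR_PREAUTH_FAILED, so both record a bad password; the 4769 failure code 0xE is KDC_ERR_ETYPE_NOSUPP (RFC 4120 error 14), an encryption-type mismatch on the DC's own machine account from localhost, and is unrelated to the password change, so the script does not collect it. A client address written as ::ffff:10.0.1.254 is an IPv4-mapped IPv6 address, which is how a dual-stack Windows Server 2008 DC reports an IPv4 peer; it is not evidence that the client uses IPv6. And when pre-authentication fails on one DC, that DC forwards the attempt to the PDC emulator in case the password was just changed and has not replicated yet, so on the PDC the 4771 client address is the forwarding DC and the real client only appears in the 4771 logged on that backup DC; that is why the script reads every DC rather than the PDC alone. It assumes PowerShell 2.0 or later on a machine allowed to read each DC's Security log remotely; the DC names and the account are placeholders.

```powershell
# Added example, not from any post in this thread. Collects the 4776 (NTLM)
# and 4771 (Kerberos pre-auth) failures for one account from every DC and
# summarizes them by source and interval. Assumes PowerShell 2.0 or later on
# a machine allowed to read each DC's Security log remotely; the DC names and
# the account are placeholders.
param(
    [string[]] $DomainControllers = @('DC', 'DC2', 'DC3'),
    [string]   $Account           = 'Administrator',
    [int]      $Hours             = 24
)

# 4776 carries an NTSTATUS; 4771 carries the KRB-ERROR code from RFC 4120.
$StatusCodes = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}
$KrbErrorCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED'      # wrong password at pre-authentication
}

# A dual-stack DC reports an IPv4 peer as an IPv4-mapped IPv6 address
# (::ffff:10.0.1.254). Strip the prefix; it says nothing about IPv6 in use.
function ConvertFrom-MappedAddress([string] $Address) {
    if ($Address -match '^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$') { return $Matches[1] }
    return $Address
}

# EventData of one record as a hashtable keyed by field name.
function Get-EventFields($Record) {
    $fields = @{}
    $xml = [xml] $Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

function Get-FailedAuth {
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $DomainControllers) {
        $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $f = Get-EventFields $_
                if ($f['TargetUserName'] -ne $Account) { return }      # other accounts: skip
                $code = ('' + $f['Status']).ToLower()
                if ($_.Id -eq 4776) {
                    $source  = $f['Workstation']                        # name the NTLM client sent
                    $meaning = $StatusCodes[$code]
                } else {
                    $source  = ConvertFrom-MappedAddress $f['IpAddress'] # socket peer: on the PDC this
                    $meaning = $KrbErrorCodes[$code]                     # may be the forwarding DC
                }
                New-Object PSObject -Property @{
                    DC = $dc; Time = $_.TimeCreated; Event = $_.Id
                    Source = $source; Code = $code; Meaning = $meaning
                }
            }
    }
}

# One row per (DC, event, source, reason) with the median gap between hits:
# a bad password every 5 or 10 minutes is a retrying service, task or
# application, not a person typing.
function Get-FailedAuthSummary {
    Get-FailedAuth | Group-Object DC, Event, Source, Meaning | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalMinutes })
        $median = $null
        if ($gaps.Count -gt 0) { $median = [math]::Round(($gaps | Sort-Object)[[int]($gaps.Count / 2)], 1) }
        New-Object PSObject -Property @{
            Group = $_.Name; Count = $_.Count
            First = $times[0]; Last = $times[-1]; MedianGapMin = $median
        }
    } | Sort-Object Count -Descending
}

Get-FailedAuthSummary | Format-Table Group, Count, First, Last, MedianGapMin -AutoSize
```

Read the output per DC: a 4771 row on the PDC whose source is another DC's address is the forwarded copy, and the matching row on that other DC carries the address of the machine that actually sent the AS-REQ. The 4776 rows name the workstation directly, because NTLM validation carries the client name in the request.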
Zachary Guest
Posted: Thu Oct 29, 2009 6:05 pm Post subject: Re: Security Failures after Password Change
> According to the IP addresses listed you use IPv6 and IPv4 together on some
> machines?

Explain to me where you see that, please. On the only Windows 2008 server we
have, IPv6 is disabled on the NIC. All other servers are either Windows
Server 2000 or 2003 and aren't capable of IPv6.

> Are the time settings/time zones the same on all machines?

Yes, and all servers are configured to sync to the PDC via NTP.

> Are any of the machines restored after a crash?

No. None of the machines have been restored from a crash.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d8c5b8cc26de44ef06e4@msnews.microsoft.com...
| Quote: | Hello Zachary,
Sorry for being late.
According to the ip addresses listed you use IPv6 and IPv4 together on
some machines?
Are the time settings/time zones the same on all machines?
Are any of the machines restored after a crash?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Here is a status update. My Exchange server is still throwing this error,
and every time it does it correlates to the next error that shows up on our
main DC.
-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------
Then the SYTEUTIL server issues this error every 10 minutes, and PID 4704 is
w3wp.exe. This error correlates to the second error from our DC.
---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Then there is this error every 5 minutes; the IP listed is our second DC.
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined
in RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there is this one that happens every 10 minutes; the IP listed is our
third DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for
pre-authentication.
Pre-authentication types, ticket options and failure codes are defined
in RFC 4120.
If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there are two of these every 10 minutes on our main DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.
This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than the
domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
---------------------------------------------------
Are all of these related to the two member servers having problems, or is
this something deeper?
"Zachary" <zdundore@agraind.com> wrote in message
news:uLJxJAmVKHA.220@TK2MSFTNGP02.phx.gbl...
Found one of the culprits. The Exchange service account for legacy access
was set to the domain admin. This is found in System Manager > Administrative
Groups; right-click your administrative group, and on the General tab you
will see this setting. I am still receiving this error from the Exchange
server. Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Zachary" <zdundore@agraind.com> wrote in message
news:OHVPB2lVKHA.1372@TK2MSFTNGP02.phx.gbl...
Additional references I have found. These describe my situation also, but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
http://antionline.com/archive/index.php/t-272867.html
"Zachary" <zdundore@agraind.com> wrote in message
news:eJ$1QqlVKHA.1372@TK2MSFTNGP02.phx.gbl...
Cross posting this to an exchange group.
"Zachary" <zdundore@agraind.com> wrote in message
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
I found this error. When I look at PID 4968 it is mad.exe, which points to
the MSExchangeSA service. I looked in the Services MMC and that service is
set to log on as Local System. Why would it be trying to use the domain
admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d88a98cc246d902e505f@msnews.microsoft.com...
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as
listed in the event viewer entries?
Also listed "0xc000006a" is bad password.
Best regards
Meinolf Weber
Ok, with that being the case, is there more detailed auditing I can turn on
to find out what service or app is attempting to make these authentications?
When I look in the Services MMC I don't see any services using the
administrator account for validation, and the only in-house app being used
is our intranet site, and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
Hello Zachary,
The domain administrator will automatically unlock after being locked out,
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
If that is the case, shouldn't the domain account be locked out? We have a
lockout policy, and if a service or app attempts to validate credentials
that many times unsuccessfully it should lock the account out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message
news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
Hello Zachary,
Seems that there are still some services/applications running that need the
password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
[Zachary's original post of Mon Oct 26, 2009 1:05 pm quoted in full; see the top of the thread.]
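Added example, not from any post in this thread: a PowerShell script for the member-server side of the same hunt, to run on a machine that a 4776 names as 'Source Workstation'. The 529 events above show the two cases it has to handle. On SYTEUTIL the logon process is Advapi and 'Caller Process ID' is filled in, so the PID is the process that called LogonUser with the stale password and can be resolved to an image and, for a service host, to the services inside it; that is the step that tied 4704 to w3wp.exe and 4968 to mad.exe. On AGRAEXCH the logon process is NtLmSsp and the caller fields are '-', so the credential arrived over the network and no PID is recorded (the NTLM workstation name is supplied by the client, so 'AGRAEXCH' only says the client called itself that); for that case the script falls back to listing where a stored credential normally lives: service logon accounts, scheduled-task 'Run As' users, and userName= attributes in web.config files. It assumes PowerShell 2.0 or later run as a local administrator; the account, the web root and the function names are placeholders, and the config search prints only file and line so that a stored password is never echoed to the console. IIS application-pool identities and COM+ application identities live in the IIS metabase or applicationHost.config and in the COM+ catalog rather than in these files, so check those by hand.

```powershell
# Added example, not from any post in this thread. Run on a member server
# that a 4776 names as 'Source Workstation' to find which process is still
# presenting the old password, then list where a stored credential usually
# hides. Assumes PowerShell 2.0 or later run as a local administrator; the
# account and web root are placeholders.
param(
    [string] $Account = 'Administrator',
    [string] $WebRoot = 'C:\inetpub'
)

# Map a caller PID to its image and, for a service host, to the services
# inside it. PIDs are reused, so only trust the answer for a recent event.
function Resolve-Caller([int] $ProcessId) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return "PID $ProcessId has exited; wait for a fresh event" }
    $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" | ForEach-Object { $_.Name })
    if ($svcs.Count -gt 0) { return "$($proc.Name) hosting service(s): $($svcs -join ', ')" }
    return "$($proc.Name) $($proc.CommandLine)"
}

# Failed logons are 529 on Windows 2000/2003 and 4625 on 2008 and later;
# Get-EventLog reads both. With Logon Process Advapi the 'Caller Process ID'
# is the process that called LogonUser with the stale password. With NtLmSsp
# there is no caller PID: the credential arrived over the network, even when
# 'Workstation Name' is this machine.
function Get-FailedLogonCallers {
    Get-EventLog -LogName Security -EntryType FailureAudit -Newest 2000 |
        Where-Object { ($_.EventID -eq 529 -or $_.EventID -eq 4625) -and
                       $_.Message -match "(?m)^\s*(User Name|Account Name):\s+$Account\s*$" } |
        ForEach-Object {
            $m = $_.Message
            $callerPid = $null                                    # 529 prints decimal, 4625 hex
            if ($m -match 'Caller Process ID:\s+(\S+)') { try { $callerPid = [int] $Matches[1] } catch {} }
            $logonType = $null; if ($m -match 'Logon Type:\s+(\d+)')    { $logonType = [int] $Matches[1] }
            $logonProc = $null; if ($m -match 'Logon Process:\s+(\S+)') { $logonProc = $Matches[1] }
            $caller = '(no caller PID: credential presented over the network)'
            if ($callerPid) { $caller = Resolve-Caller $callerPid }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; LogonType = $logonType; LogonProc = $logonProc
                CallerPid = $callerPid; Caller = $caller
            }
        }
}

# Where a rotated password usually survives: service logon accounts,
# scheduled-task 'Run As' users, and IIS/ASP.NET identities in web.config.
# Only file and line are printed so a stored password is not echoed.
function Find-StoredCredentialUse {
    $who = "(^|\\)$Account`$"                      # DOMAIN\name, .\name or bare name
    Get-WmiObject Win32_Service | Where-Object { $_.StartName -match $who } |
        ForEach-Object { 'service {0} runs as {1}' -f $_.Name, $_.StartName }
    schtasks /query /v /fo csv | ConvertFrom-Csv | Where-Object { $_.'Run As User' -match $who } |
        ForEach-Object { 'task {0} runs as {1}' -f $_.TaskName, $_.'Run As User' }
    Get-ChildItem -Path $WebRoot -Recurse -Include web.config -ErrorAction SilentlyContinue |
        Select-String -Pattern "userName=`"(?:[^`"\\]*\\)?$Account`"" |
        ForEach-Object { 'config {0}:{1} names {2}' -f $_.Path, $_.LineNumber, $Account }
}

Get-FailedLogonCallers | Sort-Object Time -Descending |
    Format-Table Time, LogonType, LogonProc, CallerPid, Caller -AutoSize
Find-StoredCredentialUse
```

Run it on each machine the DC's 4776 events name, shortly after a failure fires, since a caller PID from an older event may already belong to a different process. A hit from Find-StoredCredentialUse is a place the old password was saved; an Advapi failure whose caller resolves to a process with no hit means the credential is held somewhere the script does not read, such as an application's own configuration or the IIS metabase.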
Meinolf Weber [MVP-DS] Guest
Posted: Thu Oct 29, 2009 11:24 pm Post subject: Re: Security Failures after Password Change
Hello Zachary,
Here is the 'client address' listed with both, if I am not wrong:
-------------------------------------
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
-------------------------------------
See for disabling IPv6:
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx
Best regards
Meinolf Weber
| Quote: | According to the IP addresses listed you use IPv6 and IPv4 together on
some machines?
Explain to me where you see that please. On the only windows 2008
server we have IPv6 is disabled on the NIC. All other servers are
either windows server 2000 or 2003 and aren't capable of IPv6.
Are the time settings/time zones the same on all machines? Yes and all
server are configured to sync to the PDC via NTP.
Are any of the machines restored after a crash?
No. None of the machines have been restored from a crash.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d8c5b8cc26de44ef06e4@msnews.microsoft.com...
Hello Zachary,
Sorry for being late.
According to the ip addresses listed you use IPv6 and IPv4 together
on some machines?
Are the time settings/time zones the same on all machines?
Are any of the machines restored after a crash?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Here is a status update. My exchange server is still throwing this
error
and every time it does it coralates to the next error that show up
on
our
main DC.
-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------
Then the Syteutil server issues this error every 10 minutes and PID
4704 is
w3wp.exe. This error coralates to the second error from our DC.
---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Then there is this error every 5 minutes, the ip listed is our
second
DC
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not
be decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there is this one that happens every 10 mins, the ip listed is
our
third DC
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not
be decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there are two of these ever 10 minutes on our Main DC
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.
This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than
the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in
RFC 4120. ---------------------------------------------------
Are all of these related to the two member servers having problems
or is this somthing deeper.
"Zachary" <zdundore@agraind.com> wrote in message
news:uLJxJAmVKHA.220@TK2MSFTNGP02.phx.gbl...
Found one of the culprits. The Exchange service account for legacy
access was set to the domain admin. This is found in the system
manager>Administrative Groups and then right click your
administrative group and on the general tab you will see this
setting. I am still recieving this error yet from the exchange
server: Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Zachary" <zdundore@agraind.com> wrote in message
news:OHVPB2lVKHA.1372@TK2MSFTNGP02.phx.gbl...
Additional references i have found. These describe my situation
also but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-l
oc
king-doma.aspx
http://antionline.com/archive/index.php/t-272867.html
"Zachary" <zdundore@agraind.com> wrote in message
news:eJ$1QqlVKHA.1372@TK2MSFTNGP02.phx.gbl...
Cross posting this to an exchange group.
"Zachary" <zdundore@agraind.com> wrote in message
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
I found this error. When i look at PID 4968 it is mad.exe which
points to the MSExchangeSA service. I looked in the services
MMC and that service is set to log on as Local System. Why
would it be trying to use the domain admin account?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message news:6cb2911d88a98cc246d902e505f@msnews.microsoft.com...
Hello Zachary,
So you checked all DCs and servers, Exchange, ERP and SYTEUTIL
as listed in the event viewer entries?
Also listed "0xc000006a" is bad password.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Ok, with that being the case, is there more detailed auditing
i
can
turn on
to find out what service or app is attempting to make these
authentications?
When i look in the services mmc i don't see any services using
the
administrator account for validation and the only in house app
being
used is
our intranet site and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message
news:6cb2911d88a38cc246a772b26ea@msnews.microsoft.com...
Hello Zachary,
The domain administrator will automatically unlock, after
being locked out
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-D
ef ault-d
omain-administrator-account-is-locked_21003F00_.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
If that is the case, shouldn't the domain account be locked out? We have a
lockout policy, and if a service or app attempts to validate credentials that
many times unsuccessfully it should lock the account out.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in
message news:6cb2911d889b8cc24681c6128a8@msnews.microsoft.com...
Hello Zachary,
Seems that there are still some services/applications
running that need the password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hi everyone,
Recently I have performed a password change on the default domain
administrator account. Before the change was made last Friday I made sure
to find all services and scheduled tasks in our network that were using the
domain admin account and changed them to use their own service account.
After the change all system functionality has been restored (i.e. Exchange,
Blackberry, our ERP system, everything is working). On top of that, the
domain admin account isn't getting locked out. That should mean that there
isn't anything with a stored password attempting to use the old password.
With all that said, however, I am still receiving security failures in the
event viewer on our primary DC. The failures are below. Any help
understanding these would be appreciated.
FYI - In doing research on the 4771 events I have found that the failure
code 0x18 usually means a bad password. What I don't understand is that the
two IP addresses listed with those events are our backup DCs.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
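The pairing done by hand in this thread (a 4776 bad-password failure on the DC naming a Source Workstation, then the 529 event on that server carrying the Logon Process and Caller Process ID) can be scripted. What follows is an added Python example, not code from the thread, run over constructed records modelled on the posted events; the hostnames, times and PIDs are placeholders and the dashed-line record format is assumed from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dumps modelled on the records posted in the thread;
# hostnames, times and PIDs are placeholders, not the poster's real values.
DC_EVENTS = """\
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Source Workstation: EXCHANGE
Error Code: 0xc000006a
----
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
----
Date: 10/26/2009 3:37:21 PM
Event ID: 4771
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
"""
# 2003-style 529 records from the member servers: date and time are split
# across two lines, and Caller Process ID names the process that called LogonUser.
MEMBER_EVENTS = """\
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
Computer: EXCHANGE
Logon Process: NtLmSsp
Caller Process ID: -
----
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
Computer: SYTEUTIL
Logon Process: Advapi
Caller Process ID: 4704
"""


def parse_events(text):
    """Split a dump of 'Key: Value' records separated by dashed lines into dicts."""
    records = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if "Event ID" not in fields:
            continue
        # 2008-style records carry date and time together; 529 records split them.
        stamp = fields["Date"] + (" " + fields["Time"] if "Time" in fields else "")
        fields["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        records.append(fields)
    return records


def correlate(dc_events, member_events, window=timedelta(seconds=2)):
    """Pair each DC 4776 bad-password failure with the 529 the named Source Workstation logged at that moment."""
    matches = []
    for dc in dc_events:
        if dc["Event ID"] != "4776" or dc.get("Error Code", "").lower() != "0xc000006a":
            continue
        host = dc["Source Workstation"].upper()
        for m in member_events:
            if m["Event ID"] != "529" or m.get("Computer", "").upper() != host:
                continue
            if abs(m["when"] - dc["when"]) <= window:
                matches.append({"workstation": host, "when": dc["when"],
                                "logon_process": m.get("Logon Process", "-"),
                                "caller_pid": m.get("Caller Process ID", "-")})
    return matches


def failure_intervals(dc_events):
    """Seconds between consecutive 4771 (0x18) failures per client address; a fixed gap means a scheduled retry."""
    by_addr = defaultdict(list)
    for e in dc_events:
        if e["Event ID"] == "4771" and e.get("Failure Code") == "0x18":
            by_addr[e["Client Address"]].append(e["when"])
    result = {}
    for addr, times in by_addr.items():
        times.sort()
        result[addr] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return result
```

An NTLM (NtLmSsp) 529 carries no caller PID, which is why the Exchange case has to be traced on the server itself, while the Advapi case hands over the PID directly.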
Zachary Guest
Posted: Fri Oct 30, 2009 6:02 pm Post subject: Re: Security Failures after Password Change
I have performed the steps on the link you provided. I already had one of
the three steps done. Does this need a reboot to take effect? If that is
the case, updates are scheduled to run tomorrow at 3 AM so that should force
a reboot. I will see if that clears this up then.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d8cd78cc270e8271d19b@msnews.microsoft.com...
Quote:
Hello Zachary,
Here is the 'client address' listed with both if I am not wrong:
-------------------------------------
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
-------------------------------------
See for disabling IPv6:
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
According to the IP addresses listed you use IPv6 and IPv4 together on
some machines?
Explain to me where you see that please. On the only windows 2008
server we have IPv6 is disabled on the NIC. All other servers are
either windows server 2000 or 2003 and aren't capable of IPv6.
Are the time settings/time zones the same on all machines? Yes, and all
servers are configured to sync to the PDC via NTP.
Are any of the machines restored after a crash?
No. None of the machines have been restored from a crash.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d8c5b8cc26de44ef06e4@msnews.microsoft.com...
Hello Zachary,
Sorry for being late.
According to the ip addresses listed you use IPv6 and IPv4 together
on some machines?
Are the time settings/time zones the same on all machines?
Are any of the machines restored after a crash?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Here is a status update. My Exchange server is still throwing this error,
and every time it does it correlates to the next error that shows up on our
main DC.
-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------
Then the SYTEUTIL server issues this error every 10 minutes, and PID 4704 is
w3wp.exe. This error correlates to the second error from our DC.
---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------
Then there is this error every 5 minutes; the IP listed is our second DC.
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not
be decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there is this one that happens every 10 minutes; the IP listed is our third DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used
for
pre-authentication.
Pre-authentication types, ticket options and failure codes are
defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not
be decrypted, then many fields in this event might not be present.
---------------------------------------------------
Then there are two of these every 10 minutes on our main DC.
---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.
This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than
the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in
RFC 4120.
---------------------------------------------------
Are all of these related to the two member servers having problems, or is
this something deeper?
"Zachary" <zdundore@agraind.com> wrote in message
news:uLJxJAmVKHA.220@TK2MSFTNGP02.phx.gbl...
Found one of the culprits. The Exchange service account for legacy
access was set to the domain admin. This is found in the System
Manager > Administrative Groups; right-click your administrative group
and on the General tab you will see this setting. I am still receiving
this error from the Exchange server. Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Zachary" <zdundore@agraind.com> wrote in message
news:OHVPB2lVKHA.1372@TK2MSFTNGP02.phx.gbl...
Additional references I have found. These describe my situation also, but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
http://antionline.com/archive/index.php/t-272867.html
"Zachary" <zdundore@agraind.com> wrote in message
news:eJ$1QqlVKHA.1372@TK2MSFTNGP02.phx.gbl...
Cross posting this to an exchange group.
"Zachary" <zdundore@agraind.com> wrote in message
news:ecI44ZlVKHA.2340@TK2MSFTNGP04.phx.gbl...
I found this error. When I look at PID 4968 it is mad.exe, which
points to the MSExchangeSA service. I looked in the services
MMC and that service is set to log on as Local System. Why
would it be trying to use the domain admin account?