attva
asked on
Event ID 566 related to DNS/Tombstone on Windows 2003
We have a product that retrieves the security event logs from the Windows 2003 Domain Controllers. On two of our 40+ domain controllers, intermittently, the data collection generates millions of Event 566s per day when trying to access, apparently, tombstone objects from domain services. The collect is done remotely, no software installed on the domain controller, so whatever is happening seems to be caused by the standard log retrieval procedure calls. The product support group says they're just trying to access the security event log, no need to access the domain services objects, but for some reason we see all these events.
Has anyone else seen this, and does anyone know of a way to figure out what's happening on these two DCs differently from the other DCs? Of course the two busiest domain controllers are the ones affected. The others see zero event 566s for the userid in question.
We tried changing the id/permission of the userid doing the collect, but the events just change from "failure audit" to "success audit", still the same amount of activity and overhead is generated.
Here's a sample of one of the events, modified slightly, when it's a failure audit record....
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: container
Object Name: %{3b5a3cb9-8b99-4666-bd07- 1a8356c2c8 af}
Handle ID: -
Primary User Name: XXXCHAENT1B$
Primary Domain: XXX
Primary Logon ID: (0x0,0x3E7)
Client User Name: insight
Client Domain: XXX
Client Logon ID: (0x2,0x2F08AAE5)
Accesses: Read Property
Properties:
---
Public Information
objectGUID
container
Additional Info:
Additional Info2:
Access Mask: 0x10
When it's a success, things change to show the RDN. Here are a few samples...
OBJECT ACCESS : . / *
OBJECT ACCESS : . / CN=Deleted,Objects,DC=main ,DC=xxx,DC =com
Has anyone else seen this, and does anyone know of a way to figure out what's happening on these two DCs differently from the other DCs? Of course the two busiest domain controllers are the ones affected. The others see zero event 566s for the userid in question.
We tried changing the id/permission of the userid doing the collect, but the events just change from "failure audit" to "success audit", still the same amount of activity and overhead is generated.
Here's a sample of one of the events, modified slightly, when it's a failure audit record....
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: container
Object Name: %{3b5a3cb9-8b99-4666-bd07-
Handle ID: -
Primary User Name: XXXCHAENT1B$
Primary Domain: XXX
Primary Logon ID: (0x0,0x3E7)
Client User Name: insight
Client Domain: XXX
Client Logon ID: (0x2,0x2F08AAE5)
Accesses: Read Property
Properties:
---
Public Information
objectGUID
container
Additional Info:
Additional Info2:
Access Mask: 0x10
When it's a success, things change to show the RDN. Here are a few samples...
OBJECT ACCESS : . / *
OBJECT ACCESS : . / CN=Deleted,Objects,DC=main
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the feedback
ASKER
Then we figured out, after a hint from another AD user, that every time the event viewer (or a 3rd party log collection tool) opened an event 566 that had a reference to Object Access of Deleted Objects container there were 2 new events being generated, also referencing an Object Access of the Deleted Objects container. View those two events, and you create four events.
We had been looking at the audit settings at the level we thought was appropriate for the domain controllers, but after assist from MS they discovered we had some other audit settings configured so that we were basically auditing EVERYONE that did EVERYTHING.
The consequence: one event that referenced a deleted object doubled at every view/collect, growing exponentially to the point that the 3rd party log collection tool was generating tens of thousands, nay hundreds of thousands of new events whenever it attempted to read the logs. This continued until we stopped collecting or it brought the server to its knees. Needless to say, we're in the process of re-evaluating and changing our audit settings.
Thanks for your input.