AzagThothe
asked on
Failure Audit Security Event ID: 675 Pre-Authentication Failed krbtgt/[domain]
A few users have had some difficulties logging into the network this morning. I check the event log and noticed a few instances of the following. This event was followed by Event ID: 529 by the users having trouble. I was able to get the users logged into after stopping and starting the Kerberos service, but I would like to find the cause of the problem. Anyone have any ideas? Thanks in advance for any help.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
User: SYSTEM
Computer: SERVER(PDC)
Pre-authentication failed:
User Name: Administrator
User ID: [domain]\administrator
Service Name: krbtgt/[domain]
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
User: SYSTEM
Computer: SERVER(PDC)
Pre-authentication failed:
User Name: Administrator
User ID: [domain]\administrator
Service Name: krbtgt/[domain]
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
ASKER
I may have found the problem. We have a backup DC that is running in another building. I noticed yesterday that it was turned off. It seems to have been either off or not replication for several months, meaning that it was tombstoned and AD replications have not been occuring. I just recently started this position and I am still trying to get a feel for the network. Some of the users were more then likely trying to authenticate with the backup dc with new passwords.
I am now running into another issue with "repadmin".
I determined that the backup dc that I turned on yesterday is the cause of some 2042 directory service event ids, using repadmin /showrepl. I am getting an invalid arguments error when I try to use the repadmin /removelingeringobjects command. I do not want to force a replication through the registry before lingering objects are deleted. Can anyone give me any tips here?
I am now running into another issue with "repadmin".
I determined that the backup dc that I turned on yesterday is the cause of some 2042 directory service event ids, using repadmin /showrepl. I am getting an invalid arguments error when I try to use the repadmin /removelingeringobjects command. I do not want to force a replication through the registry before lingering objects are deleted. Can anyone give me any tips here?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1
Good luck
Ian