Repeated 529 errors in the Security Event Log

In cleaning up the event logs I noticed Failure Audits in the Security Event Log (Event 529) at regular intervals.  5 failed logon attempts in the same instance every 8 hours.  This is a Windows 2003 Server running Exchange Server 2003.  The IP address that is being reported is the 2000 DC running AD.  I am about to sniff the logon attempt at its next interval but I was hoping to avoid the waiting game.  Is anyone familiar with system services or processes that attempt to run every 8 hours by default, or any other ideas?

     Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.28.242
       Source Port:      0


MarkWThompson Asked:
 
Tim Holman Commented:
This article is quite informative:

http://support.microsoft.com/?id=326985

Hop onto 192.168.28.242 and verify the event log - must be something in here telling you which process failed due to an incorrect logon?
 
The_IT_Garage Commented:
Sounds like the server at IP 192.168.28.242 might be running a service under a domain account and the password is invalid (it might have changed but the services on the server weren't updated). Check the running services on 192.168.28.242 and look at the "log on as" field.
 
MarkWThompson (Author) Commented:
Thought the same thing but can't find anything
 
MarkWThompson (Author) Commented:
Everything on both servers is Local System or Network System.  Can't seem to find any leader information that will start the chain reaction.
 
Tim Holman Commented:
Do you have native support enabled on the W2K machine?  Maybe you have some NTLM authentication trying to sneak in?
An Ethereal trace would help out here to help diagnose the source traffic.
 
MarkWThompson (Author) Commented:
Yeah, I'm mad at Ethereal right now.  I started the trace and the error produced itself 3 minutes after I closed it up.  I have to wait 16 more hours unless I want to xshoot at 3AM!!! Grrrr!  Yes, it is set for Native support, and yes, I did find that it is most likely Kerberos; however, I will not be able to start the Kerberos Key Distribution Service on this server because it is not a DC for AD.  The DC attempting the contact is an AD DC but for replication purposes the contacted server is not.  Any more ideas?
 
The_IT_Garage Commented:
Do the 529 errors go back to the beginning of the log? Probably so, but it'd be interesting to know if things were fine before some round of patching. Do you save the logs before deleting them? (read: do you have old security logs?).

Any services set to automatic on 192.168.28.242 that aren't running? Does 192.168.28.242 do anything other than handle login requests? WSUS or Dell OpenManage or something similar?
 
MarkWThompson (Author) Commented:
OK, I just had a brain fart!  I gave you wrong facts.  The AD DC is 2k and running in mixed mode (this is the 3034 error PC) because we have a 2003 server (the one with the 529 errors) running on the network also.  Now that I have that straight, the logs were cleared on 5/12 and they do go back to then.
 
Tim Holman Commented:
Look in your scheduler tasks.  If not, probably some form of replication attempt.  Is the 2003 server running in mixed mode too?
 
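The checks suggested in the replies above (the "log on as" field of services, automatic services that are not running, and scheduled tasks), collected into one script as an added example that is not part of the original thread. It assumes Windows PowerShell on an admin workstation, an account with administrative rights on the target, WMI/RPC reachability, and a target that answers remote `schtasks` queries.

```powershell
# Added example, not code from the thread. Assumptions: Windows PowerShell on an
# admin workstation, admin rights on the target, WMI/RPC reachable from here.
param(
    [string]$ComputerName = '192.168.28.242'   # source address in the 529 event above
)

# Built-in service identities: no stored password that can go stale.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

# 1. Services whose "Log On As" is a named account (StartName is that field in WMI).
$namedAccount = $services | Where-Object {
    $_.StartName -and ($builtIn -notcontains $_.StartName)
}

# 2. Automatic services that are not running; the exit code hints at why.
$stoppedAuto = $services | Where-Object {
    $_.StartMode -eq 'Auto' -and $_.State -ne 'Running'
}

# 3. Scheduled tasks that run under a named account. Column names are those of
#    English-locale "schtasks /v" CSV output; repeated header rows are skipped.
$tasks = schtasks.exe /query /s $ComputerName /fo csv /v | ConvertFrom-Csv |
    Where-Object {
        $_.TaskName -ne 'TaskName' -and
        $_.'Run As User' -and
        $_.'Run As User' -notmatch '(^|\\)(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$'
    }

Write-Host '--- Services with a stored account ---'
$namedAccount | Format-Table Name, StartName, StartMode, State -AutoSize

Write-Host '--- Automatic services not running ---'
$stoppedAuto | Format-Table Name, StartName, State, ExitCode -AutoSize

Write-Host '--- Scheduled tasks with a stored account ---'
$tasks | Format-Table TaskName, 'Run As User', 'Next Run Time' -AutoSize
```

Any account listed in the first or third table holds a saved password; comparing the task's next run time with the timestamps of the 529 bursts narrows down which one is failing.
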
MarkWThompson (Author) Commented:
Thanks guys!  Just got another issue more important than this one.  Thanks for your help!
Question has a verified solution.
