lizardqueen007

event id 675 2000 server failure audit

Hello,
I have been getting this event in the security events approximately every 15 minutes since I joined the new webserver to the domain. The web server is running Windows 2000 Advanced. The PDC is running Windows 2000 Server. I originally named the web server after the old web server which it replaced, but since then I renamed it to try and rectify the problem. Let's say the old server was mary.domainnet.com and the new server is bob.domainet.com. There is only one domain controller. I have tried nltest and got several errors. Please let me know any other information that you require to help solve this. I did a search and have seen that this event can be caused by a malicious user using the wrong password, but I am sure that is not the case. I have tried using nltest, but I am not sure how to interpret the output or even what to query or the syntax. I did see something about a failure regarding the secure channel. Here are the results from the event:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            6/18/2006
Time:            6:12:26 PM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC1
Description:
Pre-authentication failed:
       User Name:            ELM$
       User ID:            Domainet\bob$
       Service Name:            krbtgt/Domainet.COM
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            72.222.10.222
 
ASKER CERTIFIED SOLUTION
NYtechGuy

lizardqueen007

ASKER

NYtechGuy,
I have already tried these things. Before I tried renaming the webserver I did reset the password, but maybe I didn't remove it from the domain first.  Please elaborate on removing from domain, do I set it to a workgroup of a different name?
Is there an easy way to check the SID of the web server? I see that Sysinternals has a utility to change the SID, but perhaps the way you described is easier.
Also, I have only been signed into the webserver locally. Is this a problem?
When I changed to a workgroup, I got a message to the effect of: You have been disconnected from the domain, but we were unable to remove the account. Contact the administrator. I hate that, I'm supposed to be the administrator. Ok, I've contacted myself-now what??
Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?
So far, so good NYtechguy,  You may have solved the problem!  30 Minutes after rejoining domain and no errors. (fingers crossed)
Laura

lizardqueen-

There are actually multiple SIDs. One is generated during machine build, and another is generated during the process of joining a server to a domain. The second is what we are concerned with. My thought is that your old server and new server are using the same computer account (and therefore SID) and causing issues. The new server does not have the same SID - hence the error.

> Is there an easy way to check the sid of the web server. I see that sysinternals has a utility to change the sid, but perhaps the way you described is easier.

If you run this SYSINTERNALS tool (which works very well) you should be disjoined from the domain (in a workgroup).  Once you change the SID join it to the domain.  I don't know of a way to check the SID, but that should be necessary.  I am sure it is possible however.

> Also, I have only been signed into the webserver locally.  Is this a problem?

As long as the machine is a member of the domain it doesn't matter what you sign in as.

> When I changed to a workgroup, I got the message to the effect:  You have been disconnected from the domain, but we were unable to remove the account.
> Contact the administrator.  I hate that, I'm supposed to be the administrator.  Ok, I've contacted myself-now what??

The computer account was not removed (which happens frequently) but this would be fixed by my suggestion to manually delete unnecessary computer accounts from AD/Users & Computers.

> Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?

Yes, the name of your choosing.

------------------------------------------

If you experience any issues, I would suggest following all of my steps above but adding the following between STEPS 2 and 3:

2a. Run SYSINTERNALS SID generator tool

Let me know if you need help!

Justin
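
The question of whether these failures come from a computer account out of step with the domain or from someone guessing a password can be checked from the event text itself. The following is an added example, not part of the original thread: it parses the Description of event 675 records and separates repeated 0x18 failures for machine accounts (names ending in $) from those for user accounts. The function names, the threshold and the jsmith record are assumptions made for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
# "Name: value" on one line; the heading line with nothing after the colon is skipped
FIELD = re.compile(r"^[ \t]*([A-Za-z -]+):[ \t]*(\S.*?)[ \t]*$", re.M)

def parse_675(description):
    """Turn the Description text of one event 675 into a dict of its fields."""
    fields = {k.strip(): v for k, v in FIELD.findall(description)}
    code = int(fields["Failure Code"], 16)
    account = fields["User ID"]
    return {"account": account, "client": fields["Client Address"], "code": code,
            "error": FAILURE_CODES.get(code, "unknown"),
            "is_machine": account.endswith("$")}

def triage(descriptions, threshold=3):
    """Count 0x18 failures per account and client, and label the likely cause."""
    counts = Counter()
    for text in descriptions:
        e = parse_675(text)
        if e["code"] == 0x18:
            counts[(e["account"], e["client"], e["is_machine"])] += 1
    findings = []
    for (account, client, is_machine), n in counts.items():
        if n >= threshold:
            cause = ("computer account password out of sync with the domain"
                     if is_machine else "wrong user password or password guessing")
            findings.append((account, client, n, cause))
    return findings

# Field values copied from the event in the question
MACHINE = """Pre-authentication failed:
    User Name:            ELM$
    User ID:            Domainet\\bob$
    Service Name:            krbtgt/Domainet.COM
    Pre-Authentication Type:      0x2
    Failure Code:            0x18
    Client Address:            72.222.10.222"""
# Constructed user-account record for comparison (jsmith is a made-up name)
USER = MACHINE.replace("ELM$", "jsmith").replace("bob$", "jsmith")
```

The cause labels are a heuristic for deciding where to look first, not a verdict; a machine account that fails on a fixed schedule from its own address points at the computer account and secure channel rather than at a person typing passwords.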




Thanks Nytechguy, your answer did the trick!

Thanks!

Glad to help