event id 675 2000 server failure audit

Hello,
I have been getting this event in the security events approximately every 15 minutes since I joined the new webserver to the domain. The web server is running Windows 2000 Advanced. The PDC is running Windows 2000 Server. I originally named the web server after the old web server which it replaced, but since then I renamed it to try and rectify the problem. Let's say the old server was mary.domainnet.com and the new server is bob.domainet.com. There is only one domain controller. I have tried nltest and got several errors. Please let me know any other information that you require to help solve this. I did a search and have seen that this event can be caused by a malicious user using the wrong password, but I am sure that is not the case. I have tried using nltest, but I am not sure how to interpret the output or even what to query or syntax. I did see something about failure regarding secure channel. Here are the results from the event:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            6/18/2006
Time:            6:12:26 PM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC1
Description:
Pre-authentication failed:
       User Name:            ELM$
       User ID:            Domainet\bob$
       Service Name:            krbtgt/Domainet.COM
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            72.222.10.222
 
lizardqueen007Asked:
 
NYtechGuyCommented:

Although you changed the name, the SID of the machine may still be the same.

You should follow these steps:

1. Remove the server from the domain (reset the local admin password first!)
2. Rename the server to the correct name
3. Review your Active Directory for any unnecessary computer accounts (from either old or new server)
4. Rejoin the server to the domain

In this manner, you will have a new computer account with a new SID created for the server with the correct name.

Thanks!

Justin
 
lizardqueen007Author Commented:
NYtechGuy,
I have already tried these things. Before I tried renaming the webserver I did reset the password, but maybe I didn't remove it from the domain first.  Please elaborate on removing from domain, do I set it to a workgroup of a different name?
 
lizardqueen007Author Commented:
Is there an easy way to check the sid of the web server. I see that sysinternals has a utility to change the sid, but perhaps the way you described is easier.

 
lizardqueen007Author Commented:
Also, I have only been signed into the webserver locally.  Is this a problem?
 
lizardqueen007Author Commented:
When I changed to a workgroup, I got the message to the effect: You have been disconnected from the domain, but we were unable to remove the account. Contact the administrator. I hate that, I'm supposed to be the administrator. Ok, I've contacted myself-now what??
 
lizardqueen007Author Commented:
Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?
 
lizardqueen007Author Commented:
So far, so good, NYtechguy. You may have solved the problem! 30 minutes after rejoining the domain and no errors. (fingers crossed)
Laura
 
NYtechGuyCommented:

lizardqueen-

There are actually multiple SIDs. One is generated during machine build, and another is generated during the process of joining a server to a domain. The second is what we are concerned with. My thought is that your old server and new server are using the same computer account (and therefore SID) and causing issues. The new server does not have the same SID - hence the error.

> Is there an easy way to check the sid of the web server. I see that sysinternals has a utility to change the sid, but perhaps the way you described is easier.

If you run this SYSINTERNALS tool (which works very well) you should be disjoined from the domain (in a workgroup).  Once you change the SID join it to the domain.  I don't know of a way to check the SID, but that should be necessary.  I am sure it is possible however.

> Also, I have only been signed into the webserver locally.  Is this a problem?

As long as the machine is a member of the domain it doesn't matter what you sign in as.

> When I changed to a workgroup, I got the message to the effect: You have been disconnected from the domain, but we were unable to remove the account.
> Contact the administrator.  I hate that, I'm supposed to be the administrator.  Ok, I've contacted myself-now what??

The computer account was not removed (which happens frequently) but this would be fixed by my suggestion to manually delete unnecessary computer accounts from AD/Users & Computers.

> Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?

Yes, the name of your choosing.

------------------------------------------

If you experience any issues, I would suggest following all of my steps above but adding the following between STEPS 2 and 3:

2a. Run SYSINTERNALS SID generator tool

Let me know if you need help!

Justin
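
An added example, not part of the original thread: a small Python triage script for exported Event ID 675 text like the event quoted in the question. It decodes the Failure Code against RFC 4120 error names and groups repeated 0x18 failures by account and client address. The function names, the "fixed schedule" heuristic and the two later timestamps in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Kerberos error codes (RFC 4120) seen in the "Failure Code" field of Event ID 675.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x17: "KDC_ERR_KEY_EXPIRED",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_675(text):
    """Turn one event's exported text into a dict of its labelled fields."""
    ev = dict(FIELD.findall(text))
    ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    ev["code"] = int(ev["Failure Code"], 16)
    ev["error"] = KRB_ERRORS.get(ev["code"], "unknown")
    return ev

def triage(events, jitter_min=2):
    """Group 0x18 failures by (account, client); flag scheduled machine retries."""
    groups = defaultdict(list)
    for ev in events:
        if ev["code"] == 0x18:
            groups[(ev["User Name"], ev["Client Address"])].append(ev["when"])
    report = {}
    for (account, client), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        steady = len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_min
        # Heuristic (assumption): a computer account ($) failing on a fixed schedule
        # from one host is the machine retrying a password the DC rejects, not a person.
        machine = account.endswith("$") and steady
        report[(account, client)] = {
            "count": len(times), "median_gap_min": median(gaps) if gaps else None,
            "likely": "machine account out of sync" if machine else "review manually"}
    return report

# Constructed sample: the event quoted in the thread, repeated about every 15 minutes.
TEMPLATE = """Date:            6/18/2006
Time:            {t}
Pre-authentication failed:
       User Name:            ELM$
       Failure Code:            0x18
       Client Address:            72.222.10.222
"""
SAMPLE = [TEMPLATE.format(t=t) for t in ("6:12:26 PM", "6:27:26 PM", "6:42:27 PM")]

if __name__ == "__main__":
    print(triage([parse_675(s) for s in SAMPLE]))
```

A group reported as "review manually" (a user account, or irregular timing) is the case where wrong-password attempts by a person remain a live explanation.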




 
lizardqueen007Author Commented:
Thanks Nytechguy, your answer did the trick!
 
NYtechGuyCommented:

Thanks!

Glad to help
Question has a verified solution.
