Solved

event id 675 2000 server failure audit

Posted on 2006-06-18
Last Modified: 2008-02-01
Hello,
I have been getting this event in the security events approximately every 15 minutes since I joined the new web server to the domain. The web server is running Windows 2000 Advanced. The PDC is running Windows 2000 Server. I originally named the web server after the old web server which it replaced, but since then I renamed it to try and rectify the problem. Let's say the old server was mary.domainnet.com and the new server is bob.domainet.com. There is only one domain controller. I have tried nltest and got several errors. Please let me know any other information that you require to help solve this. I did a search and have seen that this event can be caused by a malicious user using the wrong password, but I am sure that is not the case. I have tried using nltest, but I am not sure how to interpret the output or even what to query or the syntax. I did see something about a failure regarding the secure channel. Here are the results from the event:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            6/18/2006
Time:            6:12:26 PM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC1
Description:
Pre-authentication failed:
       User Name:            ELM$
       User ID:            Domainet\bob$
       Service Name:            krbtgt/Domainet.COM
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            72.222.10.222
 
Question by:lizardqueen007
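
For triage of events like the one quoted in the question, this added example (not part of the original thread) parses event 675 descriptions and separates a computer account failing pre-authentication at a steady interval from a user account with irregular wrong-password failures. The first sample event uses the values quoted above; the other sample events, the `jsmith` account, the `192.0.2.10` address, the labels and the two-minute tolerance are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
PREAUTH_FAILED = 0x18  # KDC_ERR_PREAUTH_FAILED (RFC 4120): wrong key or password

def parse_675(text):
    """Parse the 'Name: value' lines of one event 675 description."""
    f = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            f[key.strip()] = value.strip()
    stamp = f["Date"] + " " + f["Time"]
    return {"when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
            "account": f["User ID"].split("\\")[-1].lower(),
            "code": int(f["Failure Code"], 16),
            "client": f["Client Address"]}

def triage(events, tolerance=timedelta(minutes=2)):
    """Group failures by (account, client address) and label each group."""
    groups = {}
    for e in events:
        groups.setdefault((e["account"], e["client"]), []).append(e)
    out = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [b["when"] - a["when"] for a, b in zip(evs, evs[1:])]
        # Evenly spaced failures suggest a service retrying, not a person typing.
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance
        if not all(e["code"] == PREAUTH_FAILED for e in evs):
            label = "other"
        elif key[0].endswith("$"):  # computer accounts end in '$'
            label = "machine-account-mismatch"  # hypothetical label
        else:
            label = "user-bad-password"  # hypothetical label
        out[key] = {"label": label, "periodic": periodic}
    return out

# Constructed sample, trimmed to the fields used; only the first row is from the page.
TEMPLATE = """Date:            6/18/2006
Time:            {time}
       User ID:            Domainet\\{account}
       Failure Code:            0x18
       Client Address:            {client}
"""
SAMPLE = [("6:12:26 PM", "bob$", "72.222.10.222"), ("6:27:26 PM", "bob$", "72.222.10.222"),
          ("6:42:27 PM", "bob$", "72.222.10.222"), ("6:13:01 PM", "jsmith", "192.0.2.10"),
          ("6:13:04 PM", "jsmith", "192.0.2.10"), ("6:20:40 PM", "jsmith", "192.0.2.10")]

def run_sample():
    texts = [TEMPLATE.format(time=t, account=a, client=c) for t, a, c in SAMPLE]
    return triage([parse_675(t) for t in texts])
```
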
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 500 total points
ID: 16931459

Although you changed the name, the SID of the machine may still be the same.

You should follow these steps:

1. Remove the server from the domain (reset the local admin password first!)
2. Rename the server to the correct name
3. Review your Active Directory for any unnecessary computer accounts (from either old or new server)
4. Rejoin the server to the domain

In this manner, you will have a new computer account with a new SID created for the server with the correct name.

Thanks!

Justin
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931632
NYtechGuy,
I have already tried these things. Before I tried renaming the webserver I did reset the password, but maybe I didn't remove it from the domain first.  Please elaborate on removing from domain, do I set it to a workgroup of a different name?
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931643
Is there an easy way to check the SID of the web server? I see that Sysinternals has a utility to change the SID, but perhaps the way you described is easier.
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931645
Also, I have only been signed into the webserver locally.  Is this a problem?
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931655
When I changed to a workgroup, I got a message to the effect of: You have been disconnected from the domain, but we were unable to remove the account. Contact the administrator. I hate that, I'm supposed to be the administrator. OK, I've contacted myself, now what??
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931664
Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931865
So far, so good, NYtechguy. You may have solved the problem! 30 minutes after rejoining the domain and no errors. (fingers crossed)
Laura
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 16934492

lizardqueen-

There are actually multiple SIDs. One is generated during machine build, and another is generated during the process of joining a server to a domain. The second is what we are concerned with. My thought is that your old server and new server are using the same computer account (and therefore SID) and causing issues. The new server does not have the same SID, hence the error.

> Is there an easy way to check the SID of the web server? I see that Sysinternals has a utility to change the SID, but perhaps the way you described is easier.

If you run this SYSINTERNALS tool (which works very well) you should be disjoined from the domain (in a workgroup).  Once you change the SID join it to the domain.  I don't know of a way to check the SID, but that should be necessary.  I am sure it is possible however.

> Also, I have only been signed into the webserver locally.  Is this a problem?

As long as the machine is a member of the domain it doesn't matter what you sign in as.

> When I changed to a workgroup, I got a message to the effect of: You have been disconnected from the domain, but we were unable to remove the account.
> Contact the administrator. I hate that, I'm supposed to be the administrator. OK, I've contacted myself, now what??

The computer account was not removed (which happens frequently) but this would be fixed by my suggestion to manually delete unnecessary computer accounts from AD/Users & Computers.

> Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?

Yes, the name of your choosing.

------------------------------------------

If you experience any issues, I would suggest following all of my steps above but adding the following between STEPS 2 and 3:

2a. Run SYSINTERNALS SID generator tool

Let me know if you need help!

Justin




 
LVL 1

Author Comment

by:lizardqueen007
ID: 16935254
Thanks Nytechguy, your answer did the trick!
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 16935276

Thanks!

Glad to help
