Solved

event id 675 2000 server failure audit

Posted on 2006-06-18
10
875 Views
Last Modified: 2008-02-01
Hello,
I have been getting this event in the security events approximately every 15 minutes since I joined the new webserver to the domain.  The web server is running windows 2000 advanced. The PDC is running windows 2000 server.   I originally named the web server after the old web server which it replaced, but since then I renamed it to try and rectify the problem.  Let's say the old server was mary.domainnet.com and the new serveris bob.domainet.com.  There is only one domain controller.  I have tried nltest and got several errors.  Please let me know any other information that you require to help solve this.  I did a search and have seen that this event can be caused my a malicious user using the wrong password, but I am sure that is not the case.  I have tried using nltest, but I am not sure how to interpret the output or even what to query or syntax.  I did see something about failure regarding secure channel.   Here is the results from event:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            6/18/2006
Time:            6:12:26 PM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC1
Description:
Pre-authentication failed:
       User Name:            ELM$
       User ID:            Domainet\bob$
       Service Name:            krbtgt/Domainet.COM
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            72.222.10.222
 
0
Comment
Question by:lizardqueen007
  • 7
  • 3
10 Comments
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 500 total points
ID: 16931459

Although you changed the name, the SID of the machine may still be the same.

You should follow these steps:

1. Remove the server from the domain (reset the local admin password first!)
2. Rename the server to the correct name
3. Review your Active Directory for any unnecessary computer accounts (from either old or new server)
4. Rejoin the server to the domain

in this manner, you will have a new computer account with a new SID created for the server with the correct name

Thanks!

Justin
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931632
NYtechGuy,
I have already tried these things. Before I tried renaming the webserver I did reset the password, but maybe I didn't remove it from the domain first.  Please elaborate on removing from domain, do I set it to a workgroup of a different name?
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931643
Is there an easy way to check the sid of the web server. I see that sysinternals has a utility to change the sid, but perhaps the way you described is easier.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931645
Also, I have only been signed into the webserver locally.  Is this a problem?
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931655
When I changed to a workgroup, I got the message to the effect:  You have been diconnected from the domain, but we were unable to remove the account.  Contact the administrator.  I hate that, I'm supposed to be the administrator.  Ok, I've contacted myself-now what??
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931664
Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16931865
So far, so good NYtechguy,  You may have solved the problem!  30 Minutes after rejoining domain and no errors. (fingers crossed)
Laura
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 16934492

lizardqueen-

There are actually multiple SIDs.  One is generated during machine build, and another is generated during the process of joining a server to a domain.  The second is what we are concerned with.  My thought is that your old server and new server are using the same computer account (and therefore SID) and causing issues.  The new server does not have the same sid - hence the error.

> Is there an easy way to check the sid of the web server. I see that sysinternals has a utility to change the sid, but perhaps the way you described is easier.

If you run this SYSINTERNALS tool (which works very well) you should be disjoined from the domain (in a workgroup).  Once you change the SID join it to the domain.  I don't know of a way to check the SID, but that should be necessary.  I am sure it is possible however.

> Also, I have only been signed into the webserver locally.  Is this a problem?

As long as the machine is a member of the domain it doesn't matter what you sign in as.

> When I changed to a workgroup, I got the message to the effect:  You have been diconnected from the domain, but we were unable to remove the account.  
> Contact the administrator.  I hate that, I'm supposed to be the administrator.  Ok, I've contacted myself-now what??

The computer account was not removed (which happens frequently) but this would be fixed by my suggestion to manually delete unnecessary computer accounts from AD/Users & Computers.

> Nytechguy, when you say "2. Rename the server to the correct name", do you mean the old name or a name of my choosing?

Yes, the name of your choosing.

------------------------------------------

If you experience any issues, I would suggest following all of my steps above but adding the following between STEPS 2 and 3:

2a. Run SYSINTERALS SID generator tool

Let me know if you need help!

Justin




0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16935254
Thanks Nytechguy, your answer did the trick!
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 16935276

Thanks!

Glad to help
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
#Citrix #POC #XenDesktop #vCenter #VMware #ESX
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now