Windows 2003 domain controller security event log filling with 538, 576, and 540 events.

Posted on 2007-10-02
Last Modified: 2008-06-12
I know that this question has been asked here before, but here goes.
I am working on a Windows 2003 domain where we have a domain controller that has thousands of event IDs 538, 576, and 540 filling up the security log.  The username is always the servername followed by a $

The events stream into the log at a rate of about 30-40 a second.

We are required to audit successful logon and logoffs. We cannot turn off auditing to solve this problem.

What causes all of these events and what can I do to stop them at the source?
Question by:reesejl
    LVL 15

    Expert Comment

    Are you running SQL on this machine as well?  If so, there's a polling feature in SQL that could very well cause these events.
    You can disable this feature with the instructions in this article.

    If you are running HP Toolbox on this machine, that might be causing your issue as well.
    See this post for an explanation of both. The last two posts in the forum at the bottom are talking about both of these solutions.

    If neither of those helps, check out this MS KB article about Kerberos tokens and IIS (KB 287537).

    I hope that something in these helps you out.

    Author Comment

    lazarus98..  I checked the logoff type and it is a type 3.  
    I ran a "netstat -a" on the domain controller in question and found that there were ports from about 1026 up to 5000 that are coming from the suspect IP address, in a "TIME_WAIT" state.

    The events that are ID 540 are as follows:

    Successful Network Logon:
    User Name: SERVERNAME$
    Domain: DOMAINNAME
    Logon ID: (0x0,0x337xxx)    <--- this number changes
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: (GUID....)
    Caller User Name:
    Caller Domain:
    Caller Logon ID:
    Caller Process ID:
    Transited Services:
    Source Network Address:  <the IP of the server sending all the events>
    Source Port: <different every time, but looks like it increments by 2 each time>

    We don't have IIS, HP Toolbox, or SQL server on this machine.

    I ran network monitor, and tried to isolate the packets that were going to that port on those two servers, and found that they are mostly LDAP packets.

    Any other ideas?
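The 540 event quoted above has the fields a defender needs to pin a log flood on one host: Logon Type, User Name and Source Network Address. The following is an added example (not code from the thread) that parses exported events in that text layout and reports which source address and account are generating the bulk of the type-3 logons, flagging machine accounts (the trailing `$` the question describes). The sample events are constructed; hosts, names and ports are made up.

```python
import re
from collections import Counter

# Constructed sample: three 540 events in the layout quoted above, trimmed
# to the fields the analysis uses; hosts, accounts and ports are made up.
SAMPLE_LOG = """\
Successful Network Logon:
User Name: FILESRV01$
Logon Type: 3
Source Network Address: 10.0.0.25
Source Port: 1026

Successful Network Logon:
User Name: FILESRV01$
Logon Type: 3
Source Network Address: 10.0.0.25
Source Port: 1028

Successful Network Logon:
User Name: jdoe
Logon Type: 3
Source Network Address: 10.0.0.77
Source Port: 2231
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split exported event text on blank lines; each event becomes a dict of 'Field: value'."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def noisy_sources(events, min_share=0.5):
    """Count type-3 logons per (source address, account) and return the pairs producing
    at least min_share of them, highest count first; machine accounts end in '$'."""
    counts = Counter((e.get("Source Network Address", ""), e.get("User Name", ""))
                     for e in events if e.get("Logon Type") == "3")
    total = sum(counts.values())
    if total == 0:
        return []
    return [{"source": src, "account": user, "count": n,
             "machine_account": user.endswith("$"),
             "share": round(n / total, 2)}
            for (src, user), n in counts.most_common()
            if n / total >= min_share]
```

On the question's log, the single server's machine account would dominate the output, which points straight at the host to inspect rather than at the audit policy.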
    LVL 20

    Expert Comment

    Check your domain controllers policy for Auditing configuration:
    Audit logon events:
    538 unsuccessful logon
    540 successful logon
    576 audit privilege use

    Not much you can do about 538

    Look at this KB from MS for the 576:
    Look at this KB from MS for the 540:

    The problem is not going to be something easy to fix, as LDAP is used a lot. You can fiddle with your audit policy, but if you're not allowed to, you may well have to put up with it and filter out the bad info for reporting issues.

    Author Comment

    That seems to be the consensus for a solution to this problem. But unfortunately we are not allowed to turn off that auditing.  

    The thing is that the huge amount of packets are coming from ONE server. So there must be something going on that we can mitigate. Or at least understand what's causing it.
    LVL 38

    Expert Comment

    This is just a guess.

    Clients can cache domain logons. If they used that cached logon of a user's domain credentials that are no longer valid, they will have a problem logging onto the domain controller. Authentication will fail. If you get a call from someone saying they are having problems logging on to the domain, check and see if they have the domain credentials cached on their computer.  You can do this by going into Control Panel >> Users, click on the Advanced tab and click on Manage Passwords. This applies for XP boxes. Other OS versions may be different.

    Author Comment

    Could the use of Vintela on a server cause this type of problem?
    LVL 20

    Expert Comment

    That's possible, but you would probably need to go to Quest's site and see if they have any known issues like that. But with the complexity of bringing Unix/Linux clients into the fray it could be very possible on a single sign-on setup like Vintela uses.

    Accepted Solution

    We have determined the cause of the problem... The server causing all of the entries has NFS services installed on it.  There is a checkbox on it set to "Active Directory Lookup".  None of our other servers with NFS on them have that checked.  When we removed the check, the messages stopped....
    Thanks everyone for your ideas...
    LVL 20

    Expert Comment

    You have to love when something simple like that brings everything to a screaming halt. Makes you wonder why they don't ask questions like that in the setup.
    LVL 1

    Expert Comment

    Closed, 500 points refunded.
    Community Support Moderator
