Solved

Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin

Posted on 2008-06-16
3
1,049 Views
Last Modified: 2013-12-04
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            DOMAIN ADMIN
       Domain:            OUR DOMAIN
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DC SERVER NAME
       Caller User Name:      DOMAIN ADMIN
       Caller Domain:      OUR DOMAIN
       Caller Logon ID:      (0x0,0x2471B)
       Caller Process ID:      2748
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.

I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).

Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.
0
Comment
Question by:BigZWillis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 21798223
What is the process with PID 2748?
0
 

Author Comment

by:BigZWillis
ID: 21798397
We are on the right track. Good catch... I didn't notice that until I pasted the full error. Anyway, it's the Reporting Services Service. So has to do with SQL. I've configured reporting services with the correct username and password. I just double checked the service and in the report services configuration too. However, when I stop the service the event does stop logging... I need reporting services. Any suggestions? Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21798481
Thanks :) Glad I was able to help a bit. Did you get the problem solved?
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question