Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin
Posted on 2008-06-16
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:
Reason: Unknown user name or bad password
User Name: DOMAIN ADMIN
Domain: OUR DOMAIN
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DC SERVER NAME
Caller User Name: DOMAIN ADMIN
Caller Domain: OUR DOMAIN
Caller Logon ID: (0x0,0x2471B)
Caller Process ID: 2748
Transited Services: -
Source Network Address: -
Source Port: -
I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.
I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).
Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.