• Status: Solved
  • Priority: Medium
  • Security: Public

Logging 537, 539, 1083, 1955, 700 and 701 errors on DC

A few months back I added a second DC on my network. The installation and configuration went OK. I added AD, DNS and WINS. It passed DCDiag and Netdiag. I recently started getting errors in my event viewer on both DCs in the Directory Service and Security logs. I have attached a text file with some of the entries. The last entry in the file is due to an account lockout, but it happened at a time when no one was at the location.

Events.txt
Asked:
InSearchOf
3 Solutions
 
Americom Commented:
Since you get those errors, do your DCDiag and NetDiag still pass? They probably would, as those messages in your Directory Services log may occur occasionally regarding the write conflict, as it is usually due to a DC being busy, etc. But it usually retries again at a different time. The other one about online defragmentation happens every 12 hours by default.

The only one you probably need to be concerned about is the account lockout. If there really is no one on site and you get those account lockout events, then trace to the usernames and their desktop/laptop and see if anything is configured to run, such as services with a user account name, or scheduled tasks with a user account name but with an old password.

If you can't find anything obvious from their machine configuration and event logs, try downloading the Account Lockout and Management Tools.
This tool can help you troubleshoot the root cause of the account lockout:
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
chrishudson123 Commented:
Refer to KB http://support.microsoft.com/kb/296714
If there are a lot of account lockouts we will see these errors.
I can see the 1083 events are for the user CN=Deidre-Ann Frater,OU=Users and Groups,OU=St. Agatha,DC=nyfoundling,DC=org
Is it possible to rename this user account and monitor?

Then about the 537 errors: status code 0xC000006D refers to a bad user name login attempt.
Closely monitor the security log, and if you are seeing a lot of failures from a particular machine, please isolate that machine from the network to figure out the account lockout issue.
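One way to do the per-machine tally suggested in the comment above, as an added example that is not part of the original thread: it parses a text dump of Security log records and reports which workstation and user pairs account for repeated 537/539 events. The record layout, host names, user names and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, laid out like records copied out of Event Viewer.
# Field layout, user names and host names are assumptions, not from the thread.
SAMPLE = """\
Event ID: 537
User Name: jdoe
Workstation Name: WS-014
Status code: 0xC000006D

Event ID: 537
User Name: jdoe
Workstation Name: WS-014
Status code: 0xC000006D

Event ID: 539
User Name: jdoe
Workstation Name: WS-014

Event ID: 537
User Name: asmith
Workstation Name: WS-022
Status code: 0xC000006D
"""

WATCHED = {"537", "539"}  # 537 = logon failure (other), 539 = account locked out

def parse_events(text):
    """Split on blank lines; return one dict of lower-cased field names per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            events.append(fields)
    return events

def failures_by_source(events, threshold=3):
    """Count watched events per (workstation, user); keep pairs at or above threshold."""
    counts = Counter(
        (ev.get("workstation name", "-"), ev.get("user name", "-"))
        for ev in events if ev.get("event id") in WATCHED
    )
    return {pair: n for pair, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (host, user), n in failures_by_source(parse_events(SAMPLE)).items():
        print(f"{host}: {n} logon failures for {user}")
```

A workstation that keeps appearing for one account is the place to look for a service or scheduled task running with an old password.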
 
ChiefIT Commented:
Your errors are saying that your clients are using NTLM to try and authenticate with a 2003 server. When you added the 2003 server, did you add it to an NT4 network? If so, they are incompatible by default unless you prepare the forest and domain for that function.

2003 server uses Kerberos authentication by default.

So, we need to know what servers you have for domain servers. Then, if you are trying to run a mixed domain, I believe you have to prep the domain first.
 
chrishudson123 Commented:
Adding to my previous notes...

First priority: find the root cause of the account lockout
http://support.microsoft.com/kb/315585

If the login attempts are from different servers, check for the Conficker virus
http://technet.microsoft.com/en-us/security/dd452420.aspx
 
InSearchOf (Author) Commented:
Thanks for the suggestions. I will try them. As far as the DCs go, they are both 2003 Servers and there are no NT4 servers or workstations. The workstations are mostly XP Pro with some 2000 workstations and a few 2000 Servers running SP4. The function level of the DCs is set to 2003.
 
InSearchOf (Author) Commented:
Chrishudson123, this procedure for troubleshooting account lockouts does not work on 64-bit machines. I tried a while back and it would not work and it did not work for me. Even the TechNet article says it is for a 32-bit platform. Is there something I can use on 64-bit machines?
 
ChiefIT Commented:
This is what I was alluding to:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

Do you see the "$" dollar sign at the end of your security log entry, or are you seeing the same symptoms as the above thread? That $ sign is usually a dead giveaway. You may have once had an old NT4 machine in there that your clients logged onto using NTLM authentication and those specific clients have not made the changes back to Kerberos authentication.