Logging 537, 539, 1083, 1955, 700 and 701 errors on DC

Posted on 2009-02-18
Last Modified: 2012-06-27
A few months back I added a second DC on my network. The installation and configuration went OK. I added AD, DNS and WINS. It passed DCDiag and NetDiag. I recently started getting errors in my Event Viewer on both DCs in the Directory Service and Security logs. I have attached a text file with some of the entries. The last entry in the file is due to an account
lockout, but it happened at a time when no one was at the location.

Question by:InSearchOf
    LVL 18

    Assisted Solution

    Since you are getting those errors, do your DCDiag and NetDiag still pass? They probably would, as those messages in your Directory Services log may occur occasionally regarding the write conflict, which is usually due to a busy DC etc. It usually retries again at a different time. The other one, about online defragmentation, happens every 12 hours by default.

    The only one you probably need to be concerned about is the account lockout. If really no one is on site and you get those account lockout events, then trace the usernames to their desktop/laptop and see if anything is configured to run, such as services with the user account name, or scheduled tasks with the user account name but with an old password.

    If you can't find anything obvious from their machine configuration and event logs, try downloading the Account Lockout and Management Tools:
    This tool can help you troubleshoot the root cause of the account lockout:
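    The check suggested above, as an added example that is not part of the original thread or of the Microsoft tools it points to: a PowerShell script run on the suspect workstation or server that lists every service and scheduled task configured to run under a given account, which is where a stale password usually hides. It works on XP and 2003 with PowerShell 2.0, including 64-bit builds (on Windows 2000 boxes you would fall back to `sc` and `at`). The account name `nyfoundling\lockeduser` and the `-Computer` default are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread: find services and scheduled tasks on a
# machine that run as a particular domain account. Run as a local administrator on the
# workstation/server the locked-out user normally uses.
param(
    [string]$User     = 'nyfoundling\lockeduser',   # placeholder: DOMAIN\sAMAccountName of the locked-out user
    [string]$Computer = $env:COMPUTERNAME            # placeholder: defaults to the local machine
)

# Match on the bare account name so "DOMAIN\user", "user@domain" and ".\user" are all caught.
$sam = $User.Split('\')[-1]

# Services: Win32_Service.StartName holds the logon account ("NT AUTHORITY\..." or "DOMAIN\user").
$services = Get-WmiObject -Class Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -and ($_.StartName -like "*$sam*") } |
    Select-Object @{n='Type';e={'Service'}}, Name, StartName, State, StartMode

# Scheduled tasks: schtasks.exe (XP/2003) exposes the "Run As User" column in verbose CSV output.
# On XP the header row is repeated per task; those rows never match the account name, so the
# filter below drops them automatically.
$tasks = @()
$csv = schtasks.exe /Query /S $Computer /V /FO CSV 2>$null
if ($csv) {
    $tasks = $csv | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like "*$sam*" } |
        Select-Object @{n='Type';e={'Task'}}, TaskName, 'Run As User', 'Last Result', 'Next Run Time'
}

# Saved credentials for the *current* interactive user (mapped drives, RDP, etc.) can also
# replay an old password. cmdkey only lists the vault of the user running the script.
$saved = cmdkey /list 2>$null | Select-String -Pattern $sam

"=== Services running as $sam on $Computer ==="
$services | Format-Table -AutoSize
"=== Scheduled tasks running as $sam on $Computer ==="
$tasks | Format-Table -AutoSize
"=== Saved credentials mentioning $sam (current user's vault only) ==="
$saved
```

    Anything listed under services or tasks that has an old password will fail every time it starts or fires, which matches a lockout at a time when nobody is at the site; fix the stored credential or change the task/service to a dedicated account.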
    LVL 3

    Assisted Solution

    Refer to the KB.
    If there are a lot of account lockouts we will see these errors.
    I can see the 1083 events are for the user CN=Deidre-Ann Frater,OU=Users and Groups,OU=St. Agatha,DC=nyfoundling,DC=org
    Is it possible to rename this user account and monitor?

    Then, about the 537 errors: status code 0xC000006D refers to a bad user name login attempt.
    Closely monitor the security log, and if you are seeing a lot of failures from a particular machine, please isolate that machine from the network to figure out the account lockout issue.
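    One way to do the "closely monitor the security log" step above, and to trace the lockout back to a machine as the first answer recommends, as an added example that is not part of the original thread: a PowerShell script that reads a 2003 DC's Security log over a lookback window, pulls the user and originating machine out of the pre-Vista logon failure and lockout events (529 bad user name or password, 539 account locked out, 644 user account locked out, 675 Kerberos pre-authentication failed), and groups them so a single noisy source stands out. The DC name `DC1`, the 24-hour window and the threshold of 5 are placeholders; the event IDs and message field labels are the standard 2003 ones. Add 537 to `$ids` if you also want the "unexpected error" entries from the question counted; its message carries the same `User Name:` and `Workstation Name:` fields.

```powershell
# Added example, not from the original thread: summarise logon failures and lockouts from a
# Windows Server 2003 DC's Security log by user and source machine. Run on a DC (or remotely
# with -ComputerName) as a member of the local Administrators group, which can read Security.
param(
    [string]$Dc        = 'DC1',   # placeholder: name of the DC whose Security log to read
    [int]   $Hours     = 24,      # placeholder: lookback window
    [int]   $Threshold = 5        # placeholder: only show user/source pairs with at least this many events
)

# Pre-Vista security event IDs. 644 is a SuccessAudit in the Account Management category,
# the others are FailureAudit logon events, so both entry types are requested.
$ids   = 529, 539, 644, 675
$since = (Get-Date).AddHours(-$Hours)

$rows = Get-EventLog -ComputerName $Dc -LogName Security -After $since -EntryType FailureAudit, SuccessAudit |
    Where-Object { $ids -contains $_.EventID } |
    ForEach-Object {
        # Each ID lays out its fields differently, so parse the rendered message text:
        #   529/539/675: "User Name:"   and "Workstation Name:" / "Source Network Address:" / "Client Address:"
        #   644:         "Target Account Name:" and "Caller Machine Name:"
        $m = $_.Message
        $user = $null; $src = $null
        if ($m -match '(?m)^\s*(?:User Name|Target Account Name):\s*(\S+)') { $user = $matches[1] }
        if ($m -match '(?m)^\s*(?:Workstation Name|Source Network Address|Client Address|Caller Machine Name):\s*(\S+)') { $src = $matches[1] }
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            EventID = $_.EventID
            User    = $user
            Source  = $src
        }
    }

# Group by (user, source) and keep only the pairs above the threshold, busiest first.
$rows | Group-Object User, Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{n='User';   e={ $_.Group[0].User }},
                  @{n='Source'; e={ $_.Group[0].Source }},
                  @{n='IDs';    e={ ($_.Group | ForEach-Object { $_.EventID } | Sort-Object -Unique) -join ',' }},
                  @{n='First';  e={ ($_.Group | Sort-Object Time)[0].Time }},
                  @{n='Last';   e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

    A source that ends in `$` is a computer account rather than a user, and a source of `-` or blank usually means the failure came through a member server or NTLM pass-through rather than directly from the client; in that case run the same script against the server named in the event to follow the chain one hop further.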
    LVL 38

    Accepted Solution

    Your errors are saying that your clients are using NTLM to try and authenticate with a 2003 server. When you added the 2003 server, did you add it to an NT4 network? If so, they are incompatible by default unless you prepare the forest and domain for that function.

    2003 server uses kerberos authentication by default.

    So, we need to know what servers you have for domain servers. Then, if you are trying to run a mixed domain, I believe you have to prep the domain first.
    LVL 3

    Expert Comment

    Adding to my previous notes...

    First priority: find the root cause of the account lockout.

    If the login attempts are from different servers, check for the Conficker virus.

    Author Comment

    Thanks for the suggestions. I will try them. As far as the DCs go, they are both 2003 Servers and there are no NT4 servers or workstations. The workstations are mostly XP Pro with some 2000 workstations and a few 2000 Servers running SP4. The functional level of the DCs is set to 2003.

    Author Comment

    Chrishudson123, this procedure for troubleshooting account lockouts does not work on 64-bit machines. I tried it a while back and it would not work for me. Even the TechNet article says it is for a 32-bit platform. Is there something I can use on 64-bit machines?
    LVL 38

    Expert Comment

    This is what I was alluding to:

    Do you see the "$" dollar sign at the end of your security log entry, or are you seeing the same symptoms as the above thread? That $ sign is usually a dead giveaway. You may have once had an old NT4 machine in there that your clients logged onto using NTLM authentication, and those specific clients have not made the changes back to Kerberos authentication.
