Event ID: 537 Windows 2000
Posted on 2012-03-29
Hopefully someone might be able to help. I keep getting the following Audit failure on one of our Exchange boxes:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
User: NT AUTHORITY\SYSTEM
Reason: An unexpected error occurred during logon
Logon Type: 3
Authentication Package: NTLM
This audit failure fills up the log in about a minute, which is weird to say the least.
The server is quite old (Windows 2000 SP4 with all critical and important patches) and is one of our Exchange servers, and I’d be a bit loath to reboot it as it will cause a lot of paperwork.
I was wondering if anyone had come across this issue before.
I’ve had a look around on the web for similar issues, but I haven’t found one that fits the bill precisely. There are a lot of 537 events depicting Kerberos errors, but as you can see the logon process is blank. Also, a few people have suggested that it might be a DC time issue, but all our DCs have the correct time and replication is A-OK.
Using Process Explorer (by Sysinternals), I think it’s the LSASS.exe process that’s the cause, as it’s chewing up a load of CPU time. I’m not sure though, as I can’t trace it back to the audit failure; as you can see, the logs aren’t detailed enough. I don’t want to kill it as I know it’ll probably hang the server.
I would be most grateful for any information on how to retrieve further details about logon failures.
AD functional level 2003
DCs: 4 Win 2003 servers and 1 Win 2008 R2 server
Exchange: 3 Win 2003 servers and 1 Win 2000 (SP4) server.