The_Claw

Event 4776 & 4625 logged from workgroup computer on Server 2008 R2 domain server

I've tried looking through various Internet forums and haven't found anything conclusive with the following problem we are experiencing.  We have one machine that exists in a workgroup by itself.  However, at one point this client was on our domain when it was being built.  The machine was properly removed from the domain before being put into production.  Since then the machine is causing 3-4 4776 and 4625 audit security events to be logged every 5 minutes on only one of our member servers.  The interesting thing is that the member server logging these events uses the same name as a previous domain controller in service when the machine in question was built.  The server was properly demoted to being a member server last year and new domain controllers have since taken over that role.  I do not think there is any harm in these events being generated, but it does create a huge overload of events to sift through when we review the security event logs every day.  Ideally I would like to make these security events stop happening.  If that isn't possible for some reason I would like to be able to create a Custom View in the Event Viewer to not display 4776 & 4625 events from this machine while still being able to review these events for other machines if generated.

To help further troubleshoot this issue I wanted to add that the server name the workgroup computer is trying to access also used to be a file server where we stored software for install across the network.  Is it possible that the machine is still trying to access the domain server because we installed software to it when it was part of the domain?  I really would like to break the cycle of the continued logon attempts to this server because they are unnecessary and we do not see this behavior on any other member server on our domain.  I tried to create a group policy that would deny access to this member server across the network for the workgroup user, but since it is not a domain account, group policy will not allow me to add the user.  I hope this additional information helps with the troubleshooting process.  I am open to any and all ideas.

I have also attached a PDF of the 4776 and 4625 events we are seeing.

Rick Hobbs

Please take a look at this link.  I know you are not crashing, but the errors, otherwise, seem the same.  Check these settings on the demoted server.
The_Claw

I had seen that page in my initial research, but dismissed it as it referred to the computer crashing due to the log filling up.  You did give me the idea to see what was happening in the event logs on the workgroup computer though.  I just cleared everything out and will check back on it later.  It would be nice if there were corresponding failures on the client machine as well.  My fear is that something in the machine is still attached to that server name for some reason or another and that is why it keeps trying to log on with its credentials, but those credentials do not exist on the domain, hence the failures are generated. Any idea what failure ID I should be looking for on the client side?
My additional research has proven there are no corresponding failure events generated on the client side that match those generated on the member server.  It was worth a shot, but unfortunately it gives me little more to go on.
Every five minutes?

Check your FRS event logs for replication errors or warnings.

Also look for group policy events.
There have been no consistent replication errors other than those that might be caused by explainable events (e.g. loss of communication).  I have not seen any issues with group policy events either.  I think what is most troubling about the situation is that it generates a lot of noise, but nothing else to go on other than the security logon events on the member server.  If this weren't a business-critical workstation I would blow it away and rebuild it.
ChiefIT
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
I did create an outbound firewall rule to stop all traffic to the domain server and it fixed the issue.  I may take your recommendations and try to tweak the policy to only the traffic causing the event log failures.
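
The Custom View asked for in the question can be expressed as an XML query that selects all 4625 and 4776 events and suppresses only those naming the workgroup computer. This is an added example, not part of the original thread; `WORKGROUP-PC` is a placeholder for the workgroup computer's name, and `Workstation` and `WorkstationName` are the event-data fields that carry the source workstation in 4776 and 4625 events respectively.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Show every failed-logon (4625) and credential-validation (4776) event -->
    <Select Path="Security">*[System[(EventID=4625 or EventID=4776)]]</Select>
    <!-- Hide 4776 events that name the workgroup computer (placeholder name) -->
    <Suppress Path="Security">*[System[(EventID=4776)] and EventData[Data[@Name='Workstation']='WORKGROUP-PC']]</Suppress>
    <!-- Hide 4625 events that name the same computer; note the different field name -->
    <Suppress Path="Security">*[System[(EventID=4625)] and EventData[Data[@Name='WorkstationName']='WORKGROUP-PC']]</Suppress>
  </Query>
</QueryList>
```

In Event Viewer this goes under Create Custom View, on the XML tab with "Edit query manually" ticked. The workstation name in these events is reported by the client, so the view hides any failure carrying that name, whichever machine actually sent it.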