I have a Windows Server 2008 R2 set up as a Hyper-V server. The server is a member of the domain running on the hosted virtual servers, but only uses the local administrator to log on.
After changing the password on the local administrator account it has started generating about 10.000 audit failure events 4625 every day.
No servers or workstations are using any resources on this host server. There are no local services that use the local administrator to log on.
The Network Information in the error message is blank, so I am not able to figure out where it is coming from. Network logon type (3), but no source name or address.
Any suggestions as to what can be the cause of all these error messages?
Thanks
______________________
The error message is:
An account failed to log on
Suspecting any network shared folder or services like IIS installed locally, or a service/program attempting to access the server. All of these require such an admin account to run - from any other network component... A change of password will likely invalidate any attempts over the network (type=3) using the previously entered password, giving invalid logins. Good to check and see if any programs have been installed on the server on or around the date the errors first started appearing.
Note that logon type 3 occurs in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS. Some have suggested setting DisableLoopbackCheck for the IIS instance.
We will also want to check for Event ID 4740. This is the event that is generated when an account is locked out. There is a property called "Caller Computer Name" which should identify the computer that the lockout originated from.
Also, to deep dive if need be, please see below.
Turn on Netlogon Debugging:
nltest /dbflag:0x2080ffff
Net Stop Netlogon
Net Start NetLogon
After you restart Net Logon, Net Logon-related activity will be logged to %windir%\debug\netlogon.log
Note: Nltest is included as part of Windows Server 2008 and is also available as part of the Support Tools packages on the installation media for Windows Server 2003.
After debugging, you can run nltest /dbflag:0x0 command from a command prompt to reset the debug flag to 0.
Net Stop Netlogon
Net Start Netlogon
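
An added example, not part of any answer in this thread: when the Network Information section of event 4625 is blank, grouping the failures by the fields that are still populated (sub-status, workstation name, logon process, caller process) usually narrows down the source. The helper name, the host name HV01 and the sample event are constructed for illustration; the field names are the standard EventData names of event 4625.

```powershell
# Added example: group 4625 failures by the fields still populated when
# "Network Information" is blank. Runs on PowerShell 2.0 (Server 2008 R2).
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

function ConvertFrom-Event4625Xml {   # hypothetical helper name
    param([string]$Xml)
    $f = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) {
        $f[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }
    $code = "$($f['SubStatus'])".ToLower()
    $reason = $code
    if ($SubStatusText.ContainsKey($code)) { $reason = $SubStatusText[$code] }
    New-Object PSObject -Property @{
        TargetUser    = $f['TargetUserName']
        LogonType     = $f['LogonType']
        Reason        = $reason
        Workstation   = $f['WorkstationName']
        LogonProcess  = $f['LogonProcessName']
        CallerProcess = $f['ProcessName']
    }
}

# Constructed sample event (trimmed to the fields used above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="WorkstationName">HV01</Data>
<Data Name="ProcessName">-</Data>
</EventData></Event>
'@

# On the host, from an elevated prompt, replace the sample with live events:
# $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 2000 |
#           ForEach-Object { $_.ToXml() }
$events = @($sample)
$events | ForEach-Object { ConvertFrom-Event4625Xml $_ } |
    Group-Object TargetUser, LogonType, Reason, Workstation, LogonProcess, CallerProcess |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A workstation name equal to the host's own name, combined with a "wrong password" reason, indicates something on the host itself is still presenting the old credential.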
rayves
ASKER
Sorry about the late response.
We have no event 4740, but I've done the DisableLoopbackCheck which hopefully will do the trick once I get to restart the server.
If that doesn't work I'll try the Netlogon Debugging.
Will post again when we see the result from the restart.
Thanks
btan
Also other prognosis in public shared below
a) Windows Workgroup logons, printer and file sharing may be common source of such issue. All PC's connected to the "Home network" will try and logon to each other for their respective WorkGroup. In some cases they will need accounts and passwords setup on each machine.
b) Quality of Service XML transactions that can go on backwards and forwards between your PC/Server and the router. Plug and play can attempt to "install" your router and there are various network exploration and network management tools that can pass data around. If traces can be delved into and it is realised that the machine and router have a never-ending conversation about QoS and are getting nowhere fast, we may just uninstall the QoS protocol from the Network Adapter.
c) Some say it may be related to schannel errors that are very difficult to pinpoint and once you get them, about the only solution is to reinstall. However, they do not seem to be harmful. One live with it and rebuild the server.
d) turned off ports 80, 443, and 4125 on router and observed the 4625 events occurrences.
This solved the Audit Failure problem, but at the same time caused a new problem that I still haven't solved.
The services 'Pegasus WMI Wrapper' and 'OpenSSH server' will not start due to authentication errors.
I'll do some more troubleshooting and either post the solution here (I will be very happy for any tips as well), or post a new ticket in the HP section.