Solved

Event ID 4625

Posted on 2014-09-23
7
1,003 Views
Last Modified: 2014-09-30
Researching an error in our Security Event Log.  After reading server blogs, I am still unsure of how to interpret this.

It appears AppsServer.mydomain.com tried to connect to the VPNS-TS$ and failed. Is that correct?
My goal is to find what is causing this event, and make sure it is a legitimate request, and if so correct the login issue.

Any help on trouble shooting this is apprecated.

Here is the Error 4625.  
----------------------
- System

  + Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-23T11:58:47.795531900Z
 
   EventRecordID 51157616
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  5968
 
   Channel Security
 
   Computer AppsServer.mydomain.com
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName VPNS-TS$
  TargetDomainName MyDomain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName VPNS-TS
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.100.41
  IpPort 52607
0
Comment
Question by:HCSHAW
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 34

Expert Comment

by:it_saige
ID: 40339459
No, this means that the computer VPNS-TS could not connect to the domain.  This computer may or may not be joined to the domain.  Look in Active Directory Users and Computer and see if you can find an entry for VPNS-TS in your Computers OU.  If you cannot, then the computer needs to be rejoined to the domain (if it is supposed to be there).  If it is there, try resetting the account by right-clicking on the entry and choose, Reset Account.

More information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Specifically [0xC00000064] means - user name does not exist.

-saige-
0
 

Author Comment

by:HCSHAW
ID: 40339487
Hmmm.  Thats good to know.   The Serve is in the Active Directory.   If I select RESET ACCOUNT will that have any impact.  The one is question is a Terminal Server.   Don't want to screw up everybodys day.  : )
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40339523
Well resetting the account will break the connection to the domain and the TS server will have to be rejoined to the domain anyway.  Since the TS server is already not connecting, this is a moot point.

As long as there are no additional problems (other than an Event entry).  You can rejoin the TS server after hours.

-saige-
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 

Author Comment

by:HCSHAW
ID: 40339539
That sounds reasonable to me...   We will do it after hours today and monitor to confirm the event message has gone away.

What is the account name that is not found?  is it the VPNS-TS$?   Why the $?   Is this a hidden system account since it has the $ on it ?
0
 
LVL 34

Accepted Solution

by:
it_saige earned 500 total points
ID: 40339593
If you cannot find the account name (which should be VPNS-TS), then you would simply need to go to the TS server and see what it's current Workgroup/Domain membership is.  
If it is a member of a workgroup:
1. Join it to the domain.
2. Reboot.

If it is a member of the domain:
1.  Join it to a workgroup.
2.  Reboot.
3.  Rejoin it to the domain.
4.  Reboot.

The dollar, in this case, does not signify hidden but rather is an identifier.  Accounts that end in '$' are assumed to be machine accounts.

More can be read about Computer Accounts in the Domain here:

http://books.google.com/books?id=eIPA4v0u05EC&pg=PA215&lpg=PA215&dq=why+do+domain+computer+accounts+have+a+dollar&source=bl&ots=gwOUyk0Rcf&sig=8V7xp4pe36-LI_AdK67WUjcFClU&hl=en&sa=X&ei=5ZchVPKkDMW-ggS9gYGYDw&ved=0CDoQ6AEwAw#v=onepage&q=why%20do%20domain%20computer%20accounts%20have%20a%20dollar&f=false

-saige-
0
 

Author Closing Comment

by:HCSHAW
ID: 40339611
Thanks for the tips.
0
 

Author Comment

by:HCSHAW
ID: 40352193
Followup Note:    Following the steps of re-joining to the domain did fix the error.
0

Featured Post

Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question