Solved

Event ID 4625

Posted on 2014-09-23
7
983 Views
Last Modified: 2014-09-30
Researching an error in our Security Event Log.  After reading server blogs, I am still unsure of how to interpret this.

It appears AppsServer.mydomain.com tried to connect to the VPNS-TS$ and failed. Is that correct?
My goal is to find what is causing this event, and make sure it is a legitimate request, and if so correct the login issue.

Any help on trouble shooting this is apprecated.

Here is the Error 4625.  
----------------------
- System

  + Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-23T11:58:47.795531900Z
 
   EventRecordID 51157616
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  5968
 
   Channel Security
 
   Computer AppsServer.mydomain.com
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName VPNS-TS$
  TargetDomainName MyDomain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName VPNS-TS
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.100.41
  IpPort 52607
0
Comment
Question by:HCSHAW
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 34

Expert Comment

by:it_saige
ID: 40339459
No, this means that the computer VPNS-TS could not connect to the domain.  This computer may or may not be joined to the domain.  Look in Active Directory Users and Computer and see if you can find an entry for VPNS-TS in your Computers OU.  If you cannot, then the computer needs to be rejoined to the domain (if it is supposed to be there).  If it is there, try resetting the account by right-clicking on the entry and choose, Reset Account.

More information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Specifically [0xC00000064] means - user name does not exist.

-saige-
0
 

Author Comment

by:HCSHAW
ID: 40339487
Hmmm.  Thats good to know.   The Serve is in the Active Directory.   If I select RESET ACCOUNT will that have any impact.  The one is question is a Terminal Server.   Don't want to screw up everybodys day.  : )
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40339523
Well resetting the account will break the connection to the domain and the TS server will have to be rejoined to the domain anyway.  Since the TS server is already not connecting, this is a moot point.

As long as there are no additional problems (other than an Event entry).  You can rejoin the TS server after hours.

-saige-
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 

Author Comment

by:HCSHAW
ID: 40339539
That sounds reasonable to me...   We will do it after hours today and monitor to confirm the event message has gone away.

What is the account name that is not found?  is it the VPNS-TS$?   Why the $?   Is this a hidden system account since it has the $ on it ?
0
 
LVL 34

Accepted Solution

by:
it_saige earned 500 total points
ID: 40339593
If you cannot find the account name (which should be VPNS-TS), then you would simply need to go to the TS server and see what it's current Workgroup/Domain membership is.  
If it is a member of a workgroup:
1. Join it to the domain.
2. Reboot.

If it is a member of the domain:
1.  Join it to a workgroup.
2.  Reboot.
3.  Rejoin it to the domain.
4.  Reboot.

The dollar, in this case, does not signify hidden but rather is an identifier.  Accounts that end in '$' are assumed to be machine accounts.

More can be read about Computer Accounts in the Domain here:

http://books.google.com/books?id=eIPA4v0u05EC&pg=PA215&lpg=PA215&dq=why+do+domain+computer+accounts+have+a+dollar&source=bl&ots=gwOUyk0Rcf&sig=8V7xp4pe36-LI_AdK67WUjcFClU&hl=en&sa=X&ei=5ZchVPKkDMW-ggS9gYGYDw&ved=0CDoQ6AEwAw#v=onepage&q=why%20do%20domain%20computer%20accounts%20have%20a%20dollar&f=false

-saige-
0
 

Author Closing Comment

by:HCSHAW
ID: 40339611
Thanks for the tips.
0
 

Author Comment

by:HCSHAW
ID: 40352193
Followup Note:    Following the steps of re-joining to the domain did fix the error.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question