  • Status: Solved
  • Priority: Medium
  • Security: Public

Event ID 4625

Researching an error in our Security Event Log.  After reading server blogs, I am still unsure of how to interpret this.

It appears AppsServer.mydomain.com tried to connect to the VPNS-TS$ and failed. Is that correct?
My goal is to find what is causing this event, and make sure it is a legitimate request, and if so correct the login issue.

Any help on troubleshooting this is appreciated.

Here is the Error 4625.  
----------------------
- System

  + Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-23T11:58:47.795531900Z
 
   EventRecordID 51157616
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  5968
 
   Channel Security
 
   Computer AppsServer.mydomain.com
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName VPNS-TS$
  TargetDomainName MyDomain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName VPNS-TS
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.100.41
  IpPort 52607
Asked:
HCSHAW
it_saige (Developer) commented:
No, this means that the computer VPNS-TS could not connect to the domain.  This computer may or may not be joined to the domain.  Look in Active Directory Users and Computers and see if you can find an entry for VPNS-TS in your Computers OU.  If you cannot, then the computer needs to be rejoined to the domain (if it is supposed to be there).  If it is there, try resetting the account by right-clicking on the entry and choosing Reset Account.

More information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Specifically [0xC00000064] means - user name does not exist.

-saige-
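
The fields discussed above (TargetUserName, LogonType, Status, SubStatus) can be decoded with a short script. This is an added example, not code from the thread: the function name ConvertFrom-Event4625 is hypothetical, the lookup tables cover only common codes, and the sample XML is constructed from the values in the question.

```powershell
# Added example: decode the EventData fields of a Security event 4625.
$LogonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                 8 = 'NetworkCleartext'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
$NtStatus = @{
    '0xc000006d' = 'Logon failure (bad user name or authentication information)'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
}

function ConvertFrom-Event4625 {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> into a name -> value table.
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    $decode = { param($code)
        if ($NtStatus.ContainsKey([string]$code)) { $NtStatus[[string]$code] } else { 'not in table' } }
    [pscustomobject]@{
        Target           = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        IsMachineAccount = ([string]$d.TargetUserName).EndsWith('$')   # trailing $ = computer account
        LogonType        = '{0} ({1})' -f $d.LogonType, $LogonTypes[[int]$d.LogonType]
        Status           = '{0}: {1}' -f $d.Status, (& $decode $d.Status)
        SubStatus        = '{0}: {1}' -f $d.SubStatus, (& $decode $d.SubStatus)
        Package          = $d.AuthenticationPackageName
        Source           = '{0} ({1})' -f $d.WorkstationName, $d.IpAddress
    }
}

# Constructed sample built from the values posted in the question.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName">VPNS-TS$</Data>
    <Data Name="TargetDomainName">MyDomain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">VPNS-TS</Data>
    <Data Name="IpAddress">192.168.100.41</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4625 -EventXml $sample

# Live log, from an elevated prompt on the server that recorded the event:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 |
#     ForEach-Object { ConvertFrom-Event4625 -EventXml $_.ToXml() }
```

On the sample, Source shows VPNS-TS (192.168.100.41) as the origin of the request, and Computer in the System section is only the server that logged the failure.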
 
HCSHAW (Author) commented:
Hmmm.  That's good to know.   The server is in the Active Directory.   If I select RESET ACCOUNT, will that have any impact?   The one in question is a Terminal Server.   Don't want to screw up everybody's day.  : )
 
it_saige (Developer) commented:
Well, resetting the account will break the connection to the domain and the TS server will have to be rejoined to the domain anyway.  Since the TS server is already not connecting, this is a moot point.

As long as there are no additional problems (other than an Event entry), you can rejoin the TS server after hours.

-saige-
 
HCSHAW (Author) commented:
That sounds reasonable to me...   We will do it after hours today and monitor to confirm the event message has gone away.

What is the account name that is not found?  Is it the VPNS-TS$?   Why the $?   Is this a hidden system account since it has the $ on it?
 
it_saige (Developer) commented:
If you cannot find the account name (which should be VPNS-TS), then you would simply need to go to the TS server and see what its current Workgroup/Domain membership is.
If it is a member of a workgroup:
1. Join it to the domain.
2. Reboot.

If it is a member of the domain:
1.  Join it to a workgroup.
2.  Reboot.
3.  Rejoin it to the domain.
4.  Reboot.

The dollar, in this case, does not signify hidden but rather is an identifier.  Accounts that end in '$' are assumed to be machine accounts.

More can be read about Computer Accounts in the Domain here:

http://books.google.com/books?id=eIPA4v0u05EC&pg=PA215&lpg=PA215&dq=why+do+domain+computer+accounts+have+a+dollar&source=bl&ots=gwOUyk0Rcf&sig=8V7xp4pe36-LI_AdK67WUjcFClU&hl=en&sa=X&ei=5ZchVPKkDMW-ggS9gYGYDw&ved=0CDoQ6AEwAw#v=onepage&q=why%20do%20domain%20computer%20accounts%20have%20a%20dollar&f=false

-saige-
 
HCSHAW (Author) commented:
Thanks for the tips.
 
HCSHAW (Author) commented:
Follow-up note:    Following the steps of re-joining to the domain did fix the error.