SBS 2003 Failure Audit Help

I have an SBS 2003 box (yeah I know right?) that today I've been getting tons of Failure Audit events and a user keeps getting locked out.  Something seems to be triggering it from local host (see screenshots).
Bob Berryman Asked:
Alan Hardisty (Co-Owner) Commented:
It could be all manner of things!  What ports do you have open on your firewall?

Do you have port 3389 open direct to the server?

It could also be a local computer trying to hack the account so do you have a good AV product on all workstations and also have run a malware scan on all computers lately?

Alan
0
Bob Berryman (Author) Commented:
Port 3389 was open but it was closed early yesterday and then I rebooted the server.  All my machines have McAfee SaaS.
0
Alan Hardisty (Co-Owner) Commented:
Thanks.  What about other ports?  Anything else open to the server?
0
Bob Berryman (Author) Commented:
I don't believe so.  I came across this article but it seems odd to me that suddenly this would happen and I've been running Windows 7 workstations on my 2003 DC for years now.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity
0
Alan Hardisty (Co-Owner) Commented:
No port 25 open for emails?
0
Bob Berryman (Author) Commented:
We use Office 365.
0
Alan Hardisty (Co-Owner) Commented:
Okay - so at the moment there are no open ports through to the server at all?

If that is the case, then it could be a bit of malware and not knowing how good McAfee is, I'd recommend using something like MalwareBytes to scan the machines as well.

Does the specific user have any apps on the computer that might be causing the lockout?

Is this just a single user that gets the issues / lockouts, or is it random?

Has the user changed their password recently, just before the lockouts started?

How many DCs on the network?

Thanks

Alan
0
Bob Berryman (Author) Commented:
Wow after more researching I think this is what was going on.  The DHCP Scope credentials were old.  Didn't even know that was a thing.

http://briandagan.com/fix-ad-account-keeps-getting-locked-out-speci
0

Alan Hardisty (Co-Owner) Commented:
Is it configured to use the jballard account for DHCP?
0
Bob Berryman (Author) Commented:
It was.  He used to be a domain admin but hasn't been for a while.  So I entered my credentials and now the Failure Audits have stopped.  I'm not sure why that would just now be happening.
0
Alan Hardisty (Co-Owner) Commented:
Oh well - sounds like you've found the root of the problem.  Glad it was nothing too sinister / malicious going on.

Alan
0
Bob Berryman (Author) Commented:
Thanks Alan.
0
Alan Hardisty (Co-Owner) Commented:
You're welcome.  Hopefully you have plans to ditch SBS 2003 and put in a newer DC soon?
0
Bob Berryman (Author) Commented:
I've been trying to ditch this thing for years haha.  I thought I might be able to now that support officially ended but management won't budge.  I'm trying again for 2016 to get a new DC. Crossing my fingers.
0
Alan Hardisty (Co-Owner) Commented:
I'll keep my fingers crossed for you.  If it's the only DC and it fails, it might be a bit painful!
0
Bob Berryman (Author) Commented:
Found resolution myself from Google Searching.
0
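
The triage this thread went through by hand (which account is failing, and from which address) can be scripted over exported Security log text. This is an added example, not part of the original thread; it assumes the Event ID 675 description layout (`User Name`, `Failure Code`, `Client Address` fields), and the sample events, the `asmith` account and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: each event description lists "Field:<tab>value" lines, as in
# Event ID 675 on Server 2003, with events separated by a blank line.
FIELD = re.compile(r"^[ \t]*(User Name|Failure Code|Client Address):[ \t]*(\S+)", re.M)
LOOPBACK = {"127.0.0.1", "::1"}
# Kerberos failure codes commonly seen in these events.
CODES = {"0x12": "account disabled, expired or locked out",
         "0x18": "pre-authentication failed (usually a bad password)",
         "0x19": "additional pre-authentication required"}

def _event(user, addr, code):
    """Build one constructed event description for the sample below."""
    return (f"Pre-authentication failed:\n\tUser Name:\t{user}\n"
            f"\tService Name:\tkrbtgt/EXAMPLE\n\tFailure Code:\t{code}\n"
            f"\tClient Address:\t{addr}\n")

# Constructed sample input, not taken from the thread's screenshots.
SAMPLE = "\n".join([_event("jballard", "127.0.0.1", "0x18")] * 4
                   + [_event("asmith", "192.168.1.23", "0x18")])

def tally(text):
    """Count failures per (user, client address, failure code)."""
    counts = Counter()
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(FIELD.findall(block))
        if "User Name" in f and "Client Address" in f:
            counts[(f["User Name"], f["Client Address"], f.get("Failure Code", "?"))] += 1
    return counts

def local_sources(counts, threshold=3):
    """Users with at least `threshold` failures originating on the server itself."""
    per_user = Counter()
    for (user, addr, _code), n in counts.items():
        if addr in LOOPBACK:
            per_user[user] += n
    return sorted(u for u, n in per_user.items() if n >= threshold)

if __name__ == "__main__":
    counts = tally(SAMPLE)
    for (user, addr, code), n in counts.most_common():
        print(f"{n:4d}  {user:10s} {addr:15s} {code} {CODES.get(code, '')}")
    for user in local_sources(counts):
        print(f"{user}: failures come from the server itself; "
              "check services, scheduled tasks and stored credentials on it")
```

Repeated failures from a loopback address point at something on the server holding old credentials, which is what the DHCP credentials turned out to be here.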
Question has a verified solution.