Bob Berryman

SBS 2003 Failure Audit Help

I have an SBS 2003 box (yeah I know right?) that today I've been getting tons of Failure Audit events and a user keeps getting locked out.  Something seems to be triggering it from local host (see screenshots).
Alan Hardisty

It could be all manner of things!  What ports do you have open on your firewall?

Do you have port 3389 open direct to the server?

It could also be a local computer trying to hack the account so do you have a good AV product on all workstations and also have run a malware scan on all computers lately?

Alan
Bob Berryman

ASKER

Port 3389 was open but it was closed early yesterday and then I rebooted the server.  All my machines have McAfee SaaS.
Thanks.  What about other ports?  Anything else open to the server?
I don't believe so.  I came across this article but it seems odd to me that suddenly this would happen and I've been running Windows 7 workstations on my 2003 DC for years now.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity
No port 25 open for emails?
We use Office 365.
Okay - so at the moment there are no open ports through to the server at all?

If that is the case, then it could be a bit of malware and not knowing how good McAfee is, I'd recommend using something like MalwareBytes to scan the machines as well.

Does the specific user have any apps on the computer that might be causing the lockout?

Is this just a single user that gets the issues / lockouts, or is it random?

Has the user changed their password recently, just before the lockouts started?

How many DCs on the network?

Thanks

Alan
ASKER CERTIFIED SOLUTION
Bob Berryman
This solution is only available to members.
Is it configured to use the jballard account for DHCP?
It was.  He used to be a domain admin but hasn't been for a while.  So I entered my credentials and now the Failure Audits have stopped.  I'm not sure why that would just now be happening.
Oh well - sounds like you've found the root of the problem.  Glad it was nothing too sinister / malicious going on.

Alan
Thanks Alan.
You're welcome.  Hopefully you have plans to ditch SBS 2003 and put in a newer DC soon?
I've been trying to ditch this thing for years haha.  I thought I might be able to now that support officially ended but management won't budge.  I'm trying again for 2016 to get a new DC. Crossing my fingers.
I'll keep my fingers crossed for you.  If it's the only DC and it fails, it might be a bit painful!
Found resolution myself from Google Searching.