For the past two years now I have been plagued with multiple and excessive
amounts of Failure Audits being reported on my SBS 2003 server. These events
occur every day, sometimes every minute of every day. So you can imagine there
are quite a lot.

I logged questions at various sites (on here too) and I've searched the
internet for answers to these events. But I continue to find NOTHING. Surely
someone must know how to stop or even just troubleshoot these errors? I've
looked at Kerberos related info and got lost along the way, I've downloaded
the Kerbtray tool but have no idea what I'm looking at.

Can anyone help?? The details of the errors are as follows:
-------------------------------------------------------------------
Pre-authentication failed:
User Name: Administrator
User ID: PLASMAN\Administrator
Service Name: krbtgt/PLASMAN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
--------------------------------------------------------------------

RE: Multiple Security Events (675) by v-gzwang

v-gzwang
Fri May 09 00:32:06 PDT 2008

Hello,

Thank you for your post.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:

You got lots of event id 675 on SBS server and you want to know how to
resolve them.

If I have misunderstood your concerns please feel free to let me know.

Suggestion :
==============
Based on my search, this issue is most likely due to some
process or service on the application server sending an invalid credential.
And I would like to suggest that you check the following:

1. Let's perform a Clean Boot at first. A Clean Boot will allow us to
isolate any programs that are loading at startup that may be causing a
conflict with other device drivers or programs that are installed in your
SBS server.

1) Run MSCONFIG.EXE. (MSCONFIG is a built-in tool for Windows XP\2003
systems.)
2) In the Services tab, click "Hide All Microsoft Services" and click
"Disable All". Please note that the Exchange services could be marked as
non-Microsoft. Please do not disable those services.
3) In the Startup tab, click "Disable All". Click OK. (This will
temporarily prevent third-party programs from running automatically during
start-up.)
4) Restart the computer. Does the problem still persist?

If the problem does not occur, it indicates that the problem is related to
one application or service we have disabled. You can use the MSCONFIG tool
again to re-enable the disabled item one by one to find out the culprit.

2. Check your DHCP credential settings as below:

1) Open DHCPMGMT.MSC server, right click the DHCP server's name then
choose Properties.
2) Navigate to Advanced tab, then click "Credentials".
3) Make sure it is configured to use the correct password of
Administrator.

3. If you are using Exchange 2003 Server which was migrated from Exchange
5.5, the issue could happen because a remnant 5.5 service account was not
cleaned up properly after the migration from 5.5 to 2003 and has now become
invalid. In this case, you can try to clean the following in ADSIEDIT.msc:

.\Configuration\Services\Microsoft Exchange\Organization Name\Administrative Groups\AG Name
- msExchLegacyAccount
- msExchLegacyDomain
- msExchEncryptedPassword

Adsiedit Overview
http://technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

Information Need
==============
1. When did the problem start to happen? Did you change any settings before
the problem happens?

2. Please save the event logs on SBS to *.evt files and send to me.

3. Please download network monitor utility from Microsoft web site and run
it on SBS. Now, wait till the time you get another failure event. The
moment you get that event, please stop the trace and note the time also. If
you do not get any event in every 1-2 hrs, please delete the trace and
start it again. You can download network monitor from the link given below:

http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en

4. Please enable netlogon logging on SBS using the article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;109626

and send me the netlogon log after you get the events again.

5. Use the Windows Logon Monitor utility on SBS by following the steps
given below:

1) Download Windows Logon Monitor Utility at
<https://sftasia.one.microsoft.com/choosetransfer.aspx?key=e02b46f5-ac9b-4f04-adbf-a724ae65e914>.
Please click receive files from Microsoft.
The password is: *xQST30wiHHCBk^@

2) Install Windows Logon Monitor, follow these steps:

a. At the command prompt, change to the folder where you have saved the
Windows Logon Monitor setup files.
b. Type wlmsetup /setup , and then press ENTER.
c. Restart your computer to complete the Windows Logon Monitor setup
process.

3) Configuring Windows Logon Monitor

Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

To configure Windows Logon Monitor, configure the registry entries that are
available under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Wlmssp

The following registry entries are available under the Wlmssp registry
subkey:

UserFilter
Type: REG_MULTI_SZ
Default value: [blank]

The value of this entry specifies the users who will be logged. To add a
list of users who will be logged, right-click UserFilter, click Modify, and
then add the list of users in the Value data box.

DebugFlags
Type: REG_DWORD
Default value: 0x00000000

If this entry is set to 0x00000004, debug information will be appended to
the Wlmdbg.log file. If the Wlmdbg.log file does not exist, it will be
created. The Wlmdbg.log file is located in the %windir%\System32 folder.

Note: After you configure these registry entries, you must restart your
computer.

4) Please send the wlmdbg.log to me.

My E-mail address is v-gzwang@microsoft.com

I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)

Thank you for your time and cooperation!

Best regards,

Gary Wang(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Multiple Security Events (675)
| From: Ripley <Ripley@discussions.microsoft.com>
| Subject: Multiple Security Events (675)
| Date: Thu, 8 May 2008 02:58:04 -0700
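
The event quoted in this thread carries failure code 0x18 with client address 127.0.0.1. As an added example (not part of the original posts and not a Microsoft tool), the Python below parses event 675 text saved in that layout, decodes the failure code with the RFC 4120 error names, and groups failures by account and client address so that a loopback source points at something running on the server itself. The sample records, the `jsmith` account and the 192.168.16.25 address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Kerberos error codes (RFC 4120) that appear as "Failure Code" in event 675.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    0x12: "KDC_ERR_CLIENT_REVOKED: client's credentials have been revoked",
    0x17: "KDC_ERR_KEY_EXPIRED: password has expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication information was invalid",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}
FIELD = re.compile(r"^[ \t]*([^:\n]+?):[ \t]+(\S.*?)[ \t]*$", re.M)

# Constructed sample in the layout of the event text quoted in the thread;
# the jsmith record (user, address, code) is invented for illustration.
RECORD = ("Pre-authentication failed:\nUser Name: {u}\nUser ID: PLASMAN\\{u}\n"
          "Service Name: krbtgt/PLASMAN\nPre-Authentication Type: 0x2\n"
          "Failure Code: {code}\nClient Address: {addr}\n" + "-" * 40 + "\n")
SAMPLE = (RECORD.format(u="Administrator", code="0x18", addr="127.0.0.1") * 2
          + RECORD.format(u="jsmith", code="0x17", addr="192.168.16.25"))

def parse_events(text):
    """Split saved event text on dashed separator lines; one field dict per record."""
    blocks = re.split(r"^-{5,}\s*$", text, flags=re.M)
    events = [dict(FIELD.findall(b)) for b in blocks]
    return [e for e in events if "Failure Code" in e]

def summarize(events):
    """Count failures per (account, client address, code), most frequent first."""
    counts = Counter((e.get("User ID", "?"), e.get("Client Address", ""),
                      int(e["Failure Code"], 16)) for e in events)
    report = []
    for (user, addr, code), n in counts.most_common():
        try:
            local = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # missing or malformed address field
            local = False
        where = ("a service, task or stored credential on the server itself"
                 if local else f"the host at {addr}")
        report.append({"user": user, "client": addr, "count": n, "look_at": where,
                       "reason": KRB_ERRORS.get(code, f"unlisted code {code:#x}")})
    return report

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```
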