event ID 529

[Rusch]

I'm getting 529 failure audits in my security log from
users who are not part of the domain, nor should they
be. I recently activated DHCP on my Windows 2000 domain
controller running active directory, but the XP and 2000
stations that are grabbing DHCP addresses DO NOT login to
this domain, and they don't need to (workstation only).
They only use the server for DNS resolution and obtaining
IP addresses. Ever since I've activated a DHCP scope for
these workstations, they all show up in the security log
as login failures (their workstation user ID shows up).
Is there something that tries to auto login to a Windows
2000 server if it provides an address? It's flooding my
security log with unnecessary failure audit messages.

 

[Steven L Umbach]

There is an issue with XP but it should only happen on domain member
machines, see the KB link below for details. Another possibility is that
users on these machines are trying to access domain resources that they see
in Network Places, though you seem to indicate this mostly happened after
enabling dhcp scope. Another possibility [just a hunch - I have not seen
this myself] is that it may be caused by these machines if they are trying
to register/update dns records in the dns zone based on info they are
assigned by the dhcp scope. If you have secure only dynamic updates enabled,
you may want to try disabling that and/or on the non domain machines prevent
them form trying to register their dns connection in their tcp/ip properties
advanced/dns - unselect register this connection. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;811082