Failed Security Audit

  • Thread starter Thread starter Scarebus
  • Start date Start date
S

Scarebus

The Domain Controller's (Win 2k) Security Event log is constantly giving the
following Failure warning for each Workstation that is in the network:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 06/10/2004
Time: 17:23:28
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Service Ticket Request Failed:
User Name: STATION1$
User Domain: FR.COM
Service Name: krbtgt/FR.COM
Ticket Options: 0x2
Failure Code: 0x20
Client Address: 192.168.2.8

I've tried removing each Workstation from the Domain and rejoining - it
initially works but after a short while the Failure messages start again.

Where do I start to look?

Gerry
 
If the computers generating these events are downlevel operating systems
such as NT4.0 these errors are normal as they can not use Kerberos. From
your description though I would first check your dns configuration for the
domain in that the domain controllers must be pointing to only themselves or
other W2K domain controllers for their preferred dns server and the domain
computers must be pointing ONLY [never an ISP dns server] to a domain
controller running AD dns for the domain as their preferred dns server. The
link below explains this more.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --
Active Directory dns FAQ.

Also look in Event Viewer on your domain controllers and on the domain
computer that caused this event to see if any pertinent errors are recorded.
If you have an ipsec policy in the domain, domain controllers must be exempt
by their IP addresses with a permit filter action. There are a couple
support tools that can help. Run netdiag on at least the pdc fsmo domain
controller and then dcdiag on it to see if any pertinent failed
tests/errors/warnings show up. Also run netdiag on the domain computer that
caused this failure audit. Many or most errors found are due to dns or
networking misconfiguration. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
and how to install support tools.
http://www.eventid.net/display.asp?eventid=677&eventno=4&source=Security&phase=1
-- results from EventId.net for Event ID 677
 
Back
Top