Hi,
Ok, please transfer FSMOs to the WIndows server 2008 server to test the
result. if this issue still persists, please post here with the latest
symbols.
Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! -
www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
--->Thread-Topic: Multiple event IDs 675, 676 and 681
--->thread-index: AcjxYwnV06JJwYIxTw2fX/9sZcP5CA==
--->X-WBNR-Posting-Host: 65.55.21.8
--->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <
[email protected]>
--->References: <
[email protected]>
<
[email protected]>
<
[email protected]>
<O#
[email protected]>
--->Subject: Re: Multiple event IDs 675, 676 and 681
--->Date: Tue, 29 Jul 2008 03:08:24 -0700
--->Lines: 158
--->Message-ID: <
[email protected]>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->Newsgroups: microsoft.public.win2000.security
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1633
--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->X-Tomcat-NG: microsoft.public.win2000.security
--->
--->1. There is no time skew on any of my DCs.
--->2. There are no users with locked out accounts.
--->
--->I will try moving the FSMOs to a 2k8 server.
--->--
--->Madrilleno
--->
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for posting here.
--->>
--->> Form my understanding, you have promoted Windows server 2008 as an
--->> additional DC of windows serve 2000.On the server of windows server
2000
--->> holding all FSMO roles, you found some security error messages in
Event
--->> log. If I misunderstood, please advise me.
--->>
--->> Event ID: 675
--->> Event Type: Failure Audit
--->> Event Source: Security
--->> Computer:
--->> Event Category: Account Logon
--->> User: NT AUTHORITY\SYSTEM
--->> Description:
--->> Pre-authentication failed:
--->> Service Name: krbtgt
--->>
--->> The failure might be due to time skew > 5 minutes. Please check the
time
--->> and time zone between the client and server. Are they synchronized?
If not,
--->> please use net time command to force them to synchronize. You can
refer to
--->> the following articles:
--->>
--->> Using the NET TIME Command to Synchronize Windows XP Workstations
--->>
http://support.microsoft.com/kb/314090
--->>
--->> Net Time
--->>
http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
--->> 5c-326a562d42461033.mspx?mfr=true
--->>
--->> NET TIME /Domain Will Not Sync Time with Domain Time Source Server
--->>
http://support.microsoft.com/kb/193825
--->>
--->> In addition, Event ID 676 and 681 is related to Password
authorization
--->> failure. Windows server 2000 holds PDC role that is responsible for
--->> password verification, so the corresponding verification error may
occur
--->> much on it. Please check if some users passwords have been expired or
--->> locked.
--->>
--->> Also, I suggest you transfer FSMO roles to the server with Windows
server
--->> 2008 to test the result. You can refer to the following article to
perform
--->> to transfer FSMO roles.
--->>
--->> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
controller
--->>
http://support.microsoft.com/kb/255504
--->>
--->> If anything is unclear or you need further assistance, please post
back.
--->>
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->> Get Secure! -
www.microsoft.com/security
--->> =====================================================
--->> When responding to posts, please "Reply to Group" via your newsreader
so
--->> that others may learn and benefit from your issue.
--->> =====================================================
--->> This posting is provided "AS IS" with no warranties, and confers no
rights.
--->>
--->>
--->> --------------------
--->> --->Thread-Topic: Multiple event IDs 675, 676 and 681
--->> --->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
--->> --->X-WBNR-Posting-Host: 207.46.192.207
--->> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <
[email protected]>
--->> --->References: <
[email protected]>
--->> <
[email protected]>
--->> --->Subject: Re: Multiple event IDs 675, 676 and 681
--->> --->Date: Tue, 29 Jul 2008 02:05:02 -0700
--->> --->Lines: 46
--->> --->Message-ID: <
[email protected]>
--->> --->MIME-Version: 1.0
--->> --->Content-Type: text/plain;
--->> ---> charset="Utf-8"
--->> --->Content-Transfer-Encoding: 7bit
--->> --->X-Newsreader: Microsoft CDO for Windows 2000
--->> --->Content-Class: urn:content-classes:message
--->> --->Importance: normal
--->> --->Priority: normal
--->> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->> --->Newsgroups: microsoft.public.win2000.security
--->> --->Path: TK2MSFTNGHUB02.phx.gbl
--->> --->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.win2000.security:1631
--->> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->> --->X-Tomcat-NG: microsoft.public.win2000.security
--->> --->
--->> --->The events show both machine and user accounts, and yes, I have
been
--->> through
--->> --->eventid.net, but I couldn't find anything helpful.
--->> --->--
--->> --->Madrilleno
--->> --->
--->> --->
--->> --->"Meinolf Weber" wrote:
--->> --->
--->> --->> Hello Madrilleno,
--->> --->>
--->> --->> Basically these are authentication errors, maybe through some
service
--->> accounts
--->> --->> where you changed passwords? So if you check the events, are
they
--->> pointing
--->> --->> to users or computers?
--->> --->>
--->> --->> Did you look here:
--->> --->> 675
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
--->> ase=1
--->> --->> 676
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
--->> hase=1
--->> --->> 681
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
--->> se=1
--->> --->>
--->> --->> Best regards
--->> --->>
--->> --->> Meinolf Weber
--->> --->> Disclaimer: This posting is provided "AS IS" with no
warranties, and
--->> confers
--->> --->> no rights.
--->> --->> ** Please do NOT email, only reply to Newsgroups
--->> --->> ** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
--->> --->>
--->> --->> > I have a domain running in mixed mode which has two Server
2008 DCs
--->> --->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO
roles.
--->> --->> >
--->> --->> > I am seeing a lot of Event ID 675,676 & 681 in the security
logs
--->> --->> > denoting authentication failures.
--->> --->> >
--->> --->> > I have trawled around on the Internet for hours, but have not
found
--->> --->> > any pointers to why these are happening.
--->> --->> >
--->> --->> > The DC is a virtual server which I am using to stage on my
route to
--->> --->> > running the domain as Server 2008 native. There are no
corresponding
--->> --->> > errors on the 2k8 DCs.
--->> --->> >
--->> --->>
--->> --->>
--->> --->>
--->> --->
--->>
--->>
--->
