
Multiple consistent Security Event Logs

Discuss Windows Event Log events. What they mean, what they tell you about your machine's security ... and whatever questions else you have.

Moderator: alorbach


Postby .kg. » Mon May 22, 2006 11:38 am

Hello all,

I have 1 DC (Global Catalog, all 5 FSMO roles), 1 ADC (Global Catalog) and 20 XP clients.

I recently joined this organization, and before this the GPOs were not configured to capture audits on the network.

Considering the critical nature of our projects, I configured the GPO policy to capture audits (failure and success) for both the clients and the servers.

Plus, I enabled certain other policies relating to secure network communication.

For DCs:

Security Options---

-Microsoft network client: Send unencrypted password to third-party SMB servers==Disabled
-Network access: Allow anonymous SID/Name translation==Disabled
-Network access: Do not allow anonymous enumeration of SAM accounts and shares==Enabled
-Domain member: Digitally encrypt secure channel data (when possible)==Enabled
-Network access: Do not allow anonymous enumeration of SAM accounts==Enabled
-Domain member: Digitally encrypt or sign secure channel data (always)==Enabled
-LAN Manager authentication level==Send LM & NTLM - use NTLMv2 session security if negotiated

Audit Policy---

-Audit account logon events==Failure
-Audit account management==Failure
-Audit directory service access==Failure
-Audit logon events==Failure
-Audit object access==Not Configured
-Audit policy change==Failure
-Audit privilege use==Failure
-Audit process tracking==Not Configured
-Audit system events==Failure

Since then, the event logs of the servers (both the DC and the ADC) as well as certain clients have been showing multiple consistent Failure Audits for Object Access, Logon/Logoff, Account Logon and Privilege Use, with 'User' varying from Network Service, System, Domain Users and Domain Admins.

My concerns grew when I found external IP(s) communicating with my ADC at regular times. They were in no way related to us. I checked and found that 1-2 of them were from small websites, and others were from a block of IPs allocated by the InterNIC.

However, since then I have been closely monitoring changes and movements in the services.

The following are the errors that have been occurring now on the network:

a. Wireless connections (of 2 users) disconnect and reconnect automatically during the day. It is not periodic or regular, though. (This never happened before.)

b. The events always show regular failure attempts by different sources and users.

The following events are most common in the server logs:

Account Logon

Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address:

(Note: the ADC IP is logged as localhost here; I don't know why.)

Privilege Use

Privileged Service Called:
Server: Security
Service: -
Primary User Name: kg
Primary Domain: domain
Primary Logon ID: (0x0,0x8EB8B)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeRestorePrivilege

Object Access
Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,42740}
Process ID: 544
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: ADC$
Primary Domain: domain
Primary Logon ID: (0x0,0x3E7)
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Connect to service controller
Lock service database for exclusive access

Apart from this log, at times services.exe starts consuming too much CPU.


Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ADC
Caller User Name: ADC$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 500
Transited Services: -
Source Network Address:
Source Port: 0

Also, even though the ADC is a GC, the users' event log has this error (at times when the DC is not up):


No Domain Controller is available for domain ESINDIA due to the following:
There are currently no logon servers available to service the logon request.
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.


One more log event that I am concerned about is:


TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.


These failures are logged in multitudes and they don't follow any regularity. For example, Logon/Logoff / Account Logon events were logged even when the user logged on to the domain straight away in one attempt.

I have searched on different forums and on Microsoft's site, but found not much help other than turning the audits off.

Any suggestions are Welcome.

Thanks for your efforts.
Posts: 3
Joined: Mon May 22, 2006 11:16 am
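An added example, not code from the original post or from this forum: a small Python triage script for the Windows 2000/2003-style audit descriptions quoted above. It parses the "Field: value" blocks, decodes the numeric fields that are easy to misread (the Kerberos Failure Code 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a wrong password; Pre-Authentication Type 0x2 is PA-ENC-TIMESTAMP, the ordinary password logon; Logon Type 2 is an interactive logon; logon session ID (0x0,0x3E7) is SYSTEM and (0x0,0x3E4) is NETWORK SERVICE) and counts failures per account and reason. The sample blocks are constructed to mirror the post's events, with an assumed Client Address of 127.0.0.1; they are not real log data. Nothing here ties the audits to the external IPs or the wireless drops mentioned in the post; it only turns a pile of failure audits into a countable table.

```python
"""Triage of Windows 2000/2003-style Security log audit descriptions.
Parses the "Field: value" blocks the Security log writes (the shape of the
events quoted in the post), decodes the numeric fields and groups failures."""
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as they appear in the Failure Code field.
KRB_FAILURE_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}
# Pre-authentication type 2 is PA-ENC-TIMESTAMP, the ordinary password logon.
KRB_PREAUTH_TYPES = {"0x2": "PA-ENC-TIMESTAMP (password logon)"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "7": "Unlock", "10": "RemoteInteractive"}
# Fixed logon session IDs of the built-in service accounts.
WELL_KNOWN_LOGON_IDS = {"(0x0,0x3e7)": "SYSTEM", "(0x0,0x3e4)": "NETWORK SERVICE",
                        "(0x0,0x3e5)": "LOCAL SERVICE"}
FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")


def parse_event(text):
    """Split one description block into its kind, 'Field: value' pairs and free lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    ev = {"kind": lines[0].rstrip(":"), "fields": {}, "notes": []}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            ev["fields"][m.group(1).strip()] = m.group(2)
        else:  # e.g. the access list under an Object Open event
            ev["notes"].append(line)
    return ev


def account(event):
    """DOMAIN\\user the event concerns, whichever field names the event type uses."""
    f = event["fields"]
    domain = f.get("Domain") or f.get("Primary Domain") or f.get("User ID", "?").split("\\")[0]
    return "%s\\%s" % (domain, f.get("User Name") or f.get("Primary User Name") or "?")


def builtin_context(event):
    """Built-in account whose logon session the event ran under, or None."""
    ids = (event["fields"].get(k, "").lower() for k in ("Primary Logon ID", "Caller Logon ID"))
    return next((WELL_KNOWN_LOGON_IDS[i] for i in ids if i in WELL_KNOWN_LOGON_IDS), None)


def explain(event):
    """One-line decoded reason for the event."""
    f, kind = event["fields"], event["kind"]
    if kind == "Pre-authentication failed":
        code, patype = f.get("Failure Code", "").lower(), f.get("Pre-Authentication Type", "").lower()
        return "Kerberos %s via %s" % (KRB_FAILURE_CODES.get(code, "failure code " + code),
                                       KRB_PREAUTH_TYPES.get(patype, "pre-auth type " + patype))
    if kind == "Logon Failure":
        ltype = f.get("Logon Type", "")
        return "%s logon from %s failed: %s" % (
            LOGON_TYPES.get(ltype, "type " + ltype),
            f.get("Workstation Name") or f.get("Source Network Address") or "?",
            f.get("Reason", "?"))
    if kind == "Privileged Service Called":
        return "use of " + f.get("Privileges", "?")
    if kind == "Object Open":
        return "%s / %s: %s" % (f.get("Object Server", "?"), f.get("Object Name", "?"),
                                "; ".join(event["notes"]))
    return kind


def triage(blocks):
    """Count (account, reason) pairs over a list of description blocks."""
    return Counter((account(e), explain(e)) for e in map(parse_event, blocks))


# Constructed sample blocks modelled on the events quoted in the post (not real log data;
# the Client Address is an assumption, the post shows it as localhost).
PREAUTH_FAILED = r"""Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1"""
LOGON_FAILURE = """Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Domain: domain
Logon Type: 2
Workstation Name: ADC
Caller User Name: ADC$
Caller Logon ID: (0x0,0x3E7)"""
OBJECT_OPEN = """Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Image File Name: C:\\WINDOWS\\system32\\services.exe
Primary User Name: ADC$
Primary Domain: domain
Primary Logon ID: (0x0,0x3E7)
Connect to service controller
Lock service database for exclusive access"""
SAMPLE_EVENTS = [PREAUTH_FAILED, PREAUTH_FAILED, LOGON_FAILURE, OBJECT_OPEN]

if __name__ == "__main__":
    for (acct, reason), n in triage(SAMPLE_EVENTS).most_common():
        print("%3d  %-12s %s" % (n, acct, reason))
```

Run it on blocks exported from the Security log and the table shows, per account, whether the failures are wrong passwords (0x18), locked-out or disabled accounts (0x12) or clock skew (0x25), which are very different problems. The two quoted events that look alarming decode as: a Logon Type 2 failure whose Workstation Name is the ADC and whose caller runs in the SYSTEM session (0x3E7), i.e. a bad password typed at that server's own console, and an Object Open by ADC$ from services.exe under SYSTEM, i.e. the Service Control Manager itself touching its service database. Both carry the machine or built-in account rather than a user; builtin_context() flags that so they can be separated from failures attributable to a person before anyone looks for an intruder.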
