Event Log Errors

[Guest]

As soon as I retired my previous PDC I started getting errors in my security
eventy log & I don't know why. Help!
I followed KB255690 for transferring FSMO roles, KB295419 for transferring
the Global Catalog. My other event logs are clean. It's just the security
log that gets all the errors.

Event ID: 537
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Logon/Logoff
Reason: An unexpected error occurred during logon
Username:
Domain:
Logon Type: 3
Logon Process: Kerbos
Authentication Package: Kerbos
Workstation Name: -

Event ID: 675
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Logon/Logoff
Reason: An unexpected error occurred during logon
Username:
Domain:
Logon Type: 3
Logon Process: Kerbos
Authentication Package: Kerbos
Workstation Name: -

Event ID: 675
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Account Logon
Description: Pre-authentication failed
Username: juser
User ID: DOMAIN\juser
Service Name: krbtgt/DOMAIN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client address: 10.0.0.127


Event ID: 681
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Account Logon
Description: The logon to account: supervisor by
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed. The
error code was: 3221225578

 

[Austin M. Horst]

http://www.eventid.net/display.asp?eventid=537&eventno=194&source=Security&phase=1
http://support.microsoft.com/kb/145828
http://support.microsoft.com/kb/174073
http://support.microsoft.com/kb/174074
http://support.microsoft.com/kb/230476
http://support.microsoft.com/kb/262177
http://support.microsoft.com/kb/289243
http://support.microsoft.com/kb/289246
http://support.microsoft.com/kb/318922
http://support.microsoft.com/kb/327889
http://support.microsoft.com/kb/817310

http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1
http://support.microsoft.com/kb/174074
http://support.microsoft.com/kb/217098
http://support.microsoft.com/kb/328570
http://support.microsoft.com/kb/329195
http://support.microsoft.com/kb/824209

http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&phase=1
http://support.microsoft.com/kb/174074
http://support.microsoft.com/kb/272594
http://support.microsoft.com/kb/273499
http://support.microsoft.com/kb/287626
http://support.microsoft.com/kb/297989
http://support.microsoft.com/kb/321448
http://support.microsoft.com/kb/326985
http://support.microsoft.com/kb/824209
http://support.microsoft.com/kb/837142


Austin M. Horst

 

[Guest]

I have looked into each of these and none appear to be applicable to my
situation. My time is in sync, username & passwords are correct because
users are able to access the domain, shares, printers & e-mail. Everything
looks fine using kerbtray, netdiag, & in DNS. Any other ideas? I need to
fix this.

 

[Austin M. Horst]

Did you look at "Description of Security Event 681"
http://support.microsoft.com/kb/273499
The "Error code" that you provided for Event ID: 681 (3221225578) is someone typing the correct username, but wrong password.
If 537 and 675 are occurring at the same time, it just that simple: a bad password.

You are obviously auditing users logon events, so have you determined which user(s) are causing 537 and 675?
Is it the same username, multiple users, every user?
Is it always internal users? If not, see "Windows 2000 Auditing and Intrusion Detection"
http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx


Austin M. Horst