Multiple event IDs 675, 676 and 681

Madrilleno

I have a domain running in mixed mode which has two Server 2008 DCs and a
Server 2000 DC. The server 2000 DC holds the five FSMO roles.

I am seeing a lot of Event ID 675, 676 & 681 in the security logs denoting
authentication failures.

I have trawled around on the Internet for hours, but have not found any
pointers to why these are happening.

The DC is a virtual server which I am using to stage on my route to running
the domain as Server 2008 native. There are no corresponding errors on the
2k8 DCs.
 
Meinolf Weber

Hello Madrilleno,

Basically these are authentication errors, maybe through some service accounts
where you changed passwords? So if you check the events, are they pointing
to users or computers?

Did you look here:
675
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1
676
http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&phase=1
681
http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Madrilleno

The events show both machine and user accounts, and yes, I have been through
eventid.net, but I couldn't find anything helpful.
 
Morgan che

Hi,

Thanks for posting here.

From my understanding, you have promoted Windows Server 2008 as an
additional DC of Windows Server 2000. On the server of Windows Server 2000
holding all FSMO roles, you found some security error messages in the Event
log. If I misunderstood, please advise me.

Event ID: 675
Event Type: Failure Audit
Event Source: Security
Computer:
Event Category: Account Logon
User: NT AUTHORITY\SYSTEM
Description:
Pre-authentication failed:
Service Name: krbtgt

The failure might be due to time skew > 5 minutes. Please check the time
and time zone between the client and server. Are they synchronized? If not,
please use the net time command to force them to synchronize. You can refer to
the following articles:

Using the NET TIME Command to Synchronize Windows XP Workstations
http://support.microsoft.com/kb/314090

Net Time
http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac5c-326a562d42461033.mspx?mfr=true

NET TIME /Domain Will Not Sync Time with Domain Time Source Server
http://support.microsoft.com/kb/193825

In addition, Event IDs 676 and 681 are related to password authorization
failure. Windows Server 2000 holds the PDC role that is responsible for
password verification, so the corresponding verification error may occur
much on it. Please check if some users' passwords have expired or been
locked.

Also, I suggest you transfer the FSMO roles to the server with Windows Server
2008 to test the result. You can refer to the following article to
transfer FSMO roles.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

If anything is unclear or you need further assistance, please post back.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Date: Tue, 29 Jul 2008 02:05:02 -0700
--->Newsgroups: microsoft.public.win2000.security

Madrilleno

1. There is no time skew on any of my DCs.
2. There are no users with locked out accounts.

I will try moving the FSMOs to a 2k8 server.
 
Morgan che

Hi,

OK, please transfer the FSMOs to the Windows Server 2008 server to test the
result. If this issue still persists, please post here with the latest
symbols.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Date: Tue, 29 Jul 2008 03:08:24 -0700

Morgan che

Hi,

I am writing to see how everything is going.

Has this issue been solved, or do you need further assistance? Please feel
free to let me know.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



Madrilleno

This is a live installation, so I have to explore other avenues before I
transfer the FSMOs. At the moment, I have a suspicion that the problem lies
somewhere between DNS and machine account passwords being out of sync. I have
just unjoined a suspect client from the domain, deleted its account in AD,
then joined it again. I had already tried resetting its password using netdom
to no avail. I am now monitoring to see if this has had any effect.
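
Added example (not part of the original thread or written by any of its posters): a small Python triage script for the two questions raised above, namely whether the Event ID 675 failures point to users or computers, and whether the failure code indicates clock skew or a password/key mismatch. It assumes the event descriptions have been exported as text and carry "User Name", "Failure Code" and "Client Address" fields; the sample events, account names and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) that can appear as the 675 "Failure Code".
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account not found)",
    0x12: "KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password or stale key)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Assumed field labels in the exported event description text.
FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(\S+)", re.M)


def parse_675(description):
    """Return the fields needed for triage, or None if the text is not a 675 body."""
    fields = dict(FIELD.findall(description))
    if not {"User Name", "Failure Code"} <= fields.keys():
        return None
    name = fields["User Name"]
    code = int(fields["Failure Code"], 16)
    return {
        "account": name,
        # Machine accounts carry a trailing "$" in their account name.
        "kind": "computer" if name.endswith("$") else "user",
        "code": code,
        "reason": KRB_ERRORS.get(code, "unlisted code 0x%X" % code),
        "client": fields.get("Client Address", "unknown"),
    }


def summarize(descriptions):
    """Count failures per (kind, account, client address, failure code)."""
    counts = Counter()
    for text in descriptions:
        rec = parse_675(text)
        if rec:
            counts[(rec["kind"], rec["account"], rec["client"], rec["code"])] += 1
    return counts


def _event(name, code, addr):
    # Builds a constructed sample description; not real log data.
    return ("Pre-authentication failed:\n"
            "    User Name:      %s\n"
            "    Service Name:   krbtgt/EXAMPLE\n"
            "    Failure Code:   %s\n"
            "    Client Address: %s\n" % (name, code, addr))


SAMPLE = [
    _event("WKSTN07$", "0x18", "192.0.2.17"),
    _event("WKSTN07$", "0x18", "192.0.2.17"),
    _event("svc_backup", "0x18", "192.0.2.40"),
    _event("jdoe", "0x25", "192.0.2.52"),
    "Unrelated text without the expected fields",
]

if __name__ == "__main__":
    for (kind, account, client, code), n in summarize(SAMPLE).most_common():
        print("%3d  %-8s %-12s %-14s %s" % (n, kind, account, client,
                                             KRB_ERRORS.get(code, hex(code))))
```

Repeated 0x18 failures from one computer account and one client address fit the machine-password suspicion in the last post, while 0x25 entries would point back to the time-skew check.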
 
