Security Log Event ID 537

Pat Rooney

Hi,

I recently upgraded from NT 4 to AD with a mixture of 2000 and 2003 domain
controllers. All went well except that the NT4 clients are unable to access
shares on the W2k DCs - access denied, Win2k clients can browse the shares
fine. Also, we are getting a lot of Event ID 537 login failure events in the
event log.

On the 2003 DC the event log gives more detail:
Event ID 537 Status Code 0xC000006D Subcode 0xC0000133

Any idea what could cause this?

Pat Rooney
SOTA Technology Ltd.
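Added example, not part of the original thread: a small Python parser for the Event 537 line quoted in the post above. It splits each NTSTATUS value into its bit fields and names the status/substatus pair; the name table is a short subset of Microsoft's ntstatus.h, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Subset of logon-related NTSTATUS values (names as in Microsoft's ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# Matches the line layout quoted in the post above.
EVENT_RE = re.compile(
    r"Event ID\s+(?P<id>\d+)\s+Status Code\s+(?P<status>0x[0-9A-Fa-f]{8})"
    r"\s+Sub[- ]?code\s+(?P<sub>0x[0-9A-Fa-f]{8})", re.IGNORECASE)

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its documented bit fields."""
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],  # bits 31-30
        "customer": bool((value >> 29) & 0x1),      # bit 29: clear = Microsoft-defined
        "facility": (value >> 16) & 0xFFF,          # bits 27-16
        "code": value & 0xFFFF,                     # bits 15-0
        "name": NTSTATUS_NAMES.get(value, "UNKNOWN"),
    }

def triage(lines):
    """Count (status, substatus) name pairs over Event 537 lines only."""
    pairs = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "537":
            continue
        status = decode_ntstatus(int(m.group("status"), 16))
        sub = decode_ntstatus(int(m.group("sub"), 16))
        pairs[(status["name"], sub["name"])] += 1
    return pairs

# Sample input: the first line is the one quoted in the post; the rest are constructed.
SAMPLE = [
    "Event ID 537 Status Code 0xC000006D Subcode 0xC0000133",
    "Event ID 537 Status Code 0xC000006D Subcode 0xC0000133",
    "Event ID 537 Status Code 0xC000006D Subcode 0xC0000064",
    "Event ID 999 Status Code 0xC000006D Subcode 0xC000006A",
]

if __name__ == "__main__":
    for (status, sub), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {status} / {sub}")
```

For the quoted event the pair is STATUS_LOGON_FAILURE / STATUS_TIME_DIFFERENCE_AT_DC; the substatus is the code Windows uses when the clocks of the machines involved differ by too large an amount.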
 
Steven L Umbach

My guess is that it is a security option or user right assignment. The NT4.0 clients
should have at least SP4. In security options for the domain check the security
options for LAN Manager authentication level and try setting it to send NTLMv2
responses only and also the four options for digitally sign client communications,
disable any settings for "require" - at least temporarily. There is also a security
option "let everyone permissions apply to anonymous users" which may be needed for
NT4.0 access on Windows 2003 domains. --- Steve
 
Pat Rooney

Steven,

OK, all the NT clients are SP6 so that should be fine. I also installed the
DS client software on one PC to see if that made any difference, which it
didn't. I went through your other suggestion - the "let everyone permissions
apply to anonymous users" had already been enabled, but still NT4 clients are
unable to browse W2k Domain Controllers.
I noticed however, that they can browse shares on the Win 2003 DC.

Weird.

Pat Rooney
 
Marina Roos

Got WINS installed on the server? NT4 needs it. Also options 044 and 046
(0x8) in DHCP-server, Scope options.

Marina
 
Pat Rooney

Yep, WINS and DNS are on two servers with all the options set and name
resolution via WINS or DNS is working fine.

Pat Rooney
 
Steven L Umbach

Interesting. I have not had much experience in domains with mixed domain
controllers such as yours, I have a small test network setup but with no
NT4.0 clients as of now and my suggestions are based on settings that I know
can "break" things based on past experience. I have yet to find a resource
that defines how to manage security policy in such a situation since W2K and
W2003 domain controllers have a somewhat different set of security options
and user rights, and how that is going to interact and propagate to domain
controllers and affected domain clients. From what you post I would suggest
looking at the Domain Security Policy on one of the Windows 2000 domain
controllers and the Local Security Policy for "effective" settings. For the
W2K domain controllers, I would check that the digitally sign options for
always are at least temporarily disabled. Then the additional restrictions
for anonymous connections option can cause problems in some situations if it
is set to "no access without explicit anonymous permissions". Also check
that the everyone group is in the "access this computer from the network"
user right assignment for the W2K domain controllers. Again I don't know what
the exact problem is but these are some things worth checking out. --- Steve
 
Pat Rooney

Steven,

Thanks for the tips. I think that having three different operating systems
on a network is probably asking for trouble! I'll check out the items you
mention & let you know how I get on.

Pat Rooney
 
