Kerberos errors filling the DCs of a child domain
  • Kerberos errors filling the DCs of a child domain

    Hello

    I'm facing this issue and I would like to know if any of you already faced it before.
    I'm an Enterprise Admin for a single forest (1 root and 26 child domains, for a total of 12,000 users). We put the forest in place in 2004 and, apart from little issues, everything has always been perfect. No critical errors, no replication errors, except when the network is down. Every domain typically has 2 domain controllers (1 GC/1 DC), but the biggest domains have 4 GCs/2 DCs.
    There is no routing between child domains. Child domains can only communicate with the central hub site, which has the root domain. Also, KCC has been disabled for inter-site generation.

    Because of business policies, I have no domain admin rights in the child domains. I just connect from time to time to child domain controllers and check events to see if everything is OK. When I find some issues I report them to the local domain admins, who should fix them. Most of the time I find collaborative people, but sometimes (2 in the forest) I find people without skills or who are uncollaborative.

    In two domains in this forest (e.g. PT and BR), since Feb. 2008 there has been a strange issue. I have no other possibility of investigation besides the DCs; I can only try to investigate from that place.
    The issue: all DCs of both domains are logging a large amount of the events you will find below. The events are logged about every 5/10 minutes.
    What I find strange is that the IP addresses logged are always different. It seems that at least 80% of the workstations of the involved domain generate this error in the DC/GC.
    My first thought was a virus/malware, but many months have passed and TrendMicro, which has always been kept updated, is not reporting a virus on the network. Also, there is definitely no malfunction, and people say that the network services are working as expected.
    Another thing I thought was that there was some service installed on a workstation that runs as Administrator (awful! I know) and the problem started when some domain admin over there changed the password. But if this guess is right, I would also expect some service on the network which is not working.

    Is there anyone who has already faced this problem? Any suggestion? Thanks a lot.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 1/28/2009
    Time: 3:32:21 PM
    User: NT AUTHORITY\SYSTEM
    Computer: EUROPEPTGC01
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: WKS001
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: WKS001
    Source Network Address: 172.28.60.40
    Source Port: 0
    --------
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 537
    Date: 1/25/2009
    Time: 9:11:20 AM
    User: NT AUTHORITY\SYSTEM
    Computer: EUROPEPTGC01
    Description:
    Logon Failure:
    Reason: An error occurred during logon
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: -
    Status code: 0xC000006D
    Substatus code: 0xC0000133
    Source Network Address: 172.28.60.63
    Source Port: 0

    Both events have
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -

  • #2
    Re: Kerberos errors filling the DCs of a child domain

    This should give you a pretty good hint about what is going on:

    Status code: 0xC000006D <-- STATUS_LOGON_FAILURE
    Substatus code: 0xC0000133 <--
    STATUS_TIME_DIFFERENCE_AT_DC
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
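    The two events quoted in the opening post, together with the NTSTATUS decoding given in this reply, worked as an added example (this is not code from any participant in the thread): a small Python script that parses exported Security-log text in the "Key: Value" format shown above, names the two status codes the thread identifies, and tags each failed logon for triage, including the case where the Domain field equals the Workstation Name (a local account presented to the DC). The sample records are a constructed copy of the posted events, and the status-code table is limited to the two codes that appear on this page.

```python
import re
from collections import Counter

# Constructed sample: the two Security-log entries quoted in the opening post,
# in the same "Key: Value" text format (fields not used here are omitted).
SAMPLE_EVENTS = """\
Event Type: Failure Audit
Event ID: 529
Date: 1/28/2009
Time: 3:32:21 PM
User: NT AUTHORITY\\SYSTEM
Computer: EUROPEPTGC01
Reason: Unknown user name or bad password
User Name: Administrator
Domain: WKS001
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WKS001
Source Network Address: 172.28.60.40
--------
Event Type: Failure Audit
Event ID: 537
Date: 1/25/2009
Time: 9:11:20 AM
User: NT AUTHORITY\\SYSTEM
Computer: EUROPEPTGC01
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 172.28.60.63
"""

# NTSTATUS names for the two codes named in the thread (both are in Microsoft's
# published NTSTATUS list). Any other code is reported as unknown.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}

# Key up to the first colon, value after it; "Time: 3:32:21 PM" keeps its colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split exported log text (events separated by a dashed line) into dicts."""
    events = []
    for chunk in re.split(r"(?m)^-{3,}[ \t]*$", text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID"):
            events.append(fields)
    return events


def decode_status(value):
    """Map an NTSTATUS hex string such as '0xC0000133' to its symbolic name."""
    if not value:
        return None
    code = int(value, 16)
    return NTSTATUS_NAMES.get(code, "UNKNOWN_0x%08X" % code)


def classify(ev):
    """Return a short triage tag for one failed-logon event."""
    eid = ev.get("Event ID")
    user, domain = ev.get("User Name", ""), ev.get("Domain", "")
    wks = ev.get("Workstation Name", "")
    if eid == "529":
        # Domain equal to the workstation's own name means the credential sent to
        # the DC belongs to a local account on that machine, not a domain account.
        if user and domain and domain.upper() == wks.upper():
            return "NTLM: local account %s\\%s presented to DC" % (domain, user)
        return "NTLM: bad password / unknown user for %s\\%s" % (domain, user)
    if eid == "537":
        status = decode_status(ev.get("Status code"))
        sub = decode_status(ev.get("Substatus code"))
        return "Kerberos: %s / %s" % (status, sub)
    return "unclassified event %s" % eid


def summarize(events):
    """Aggregate failures by source address, event ID and triage tag."""
    by_source = Counter(ev.get("Source Network Address", "?") for ev in events)
    return {
        "events": len(events),
        "distinct_sources": len(by_source),
        "by_event_id": dict(Counter(ev.get("Event ID") for ev in events)),
        "by_tag": dict(Counter(classify(ev) for ev in events)),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev["Source Network Address"], "->", classify(ev))
    print(summarize(evs))
```

    Run against a full export rather than two records, the "distinct_sources" count and the per-tag breakdown show whether the failures really come from most of the client range and whether they are the local-Administrator NTLM pattern, the Kerberos time-difference substatus, or both, which is the question the later replies in this thread circle around.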

    • #3
      Re: Kerberos errors filling the DCs of a child domain

      Originally posted by guyt
      This should give you a pretty good hint about what is going on:

      Status code: 0xC000006D <-- STATUS_LOGON_FAILURE
      Substatus code: 0xC0000133 <--
      STATUS_TIME_DIFFERENCE_AT_DC
      Is this documented somewhere?
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"

      • #4
        Re: Kerberos errors filling the DCs of a child domain

        Originally posted by Dumber
        Is this documented somewhere?
        Here you can find a 'NTSTATUS values' list
        http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx


        \Rems

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts

        • #5
          Re: Kerberos errors filling the DCs of a child domain

          Originally posted by Dumber
          Is this documented somewhere?
          "Use the Error Code Lookup tool to determine error values from decimal and hexadecimal error codes in Microsoft Windows® operating systems"

          http://www.microsoft.com/downloads/d...displaylang=en

          Works not only for Exchange...
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          • #6
            Re: Kerberos errors filling the DCs of a child domain

            Guy, thanks for your answer, but I already found that explanation and:
            1) all DCs are time synchronized and their time is equal to the root DCs;
            2) I issued, some time ago, a "/stripchart" between the DCs with errors and the client IP addresses in the log, and their difference was less than 10 seconds.

            Also, let me add another point: if there were such a time difference (a difference that generates Kerberos errors), then services like File Server would have stopped working... everything is working fine!
            So there should be something else.

            • #7
              Re: Kerberos errors filling the DCs of a child domain

              Source Network Address: 172.28.60.63

              Is that a client or one of the DCs?
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

              • #8
                Re: Kerberos errors filling the DCs of a child domain

                There are thousands of events. In every event there is a different IP address. All IP addresses are from the network range of clients. No DC or member server is listed in these events.
                The most important thing: all events from client IP addresses report username Administrator (although it seems to be the local administrator rather than the domain administrator).

                I don't really know what the hell to look for

                • #9
                  Re: Kerberos errors filling the DCs of a child domain

                  Look at some of the desktop's Event Viewers.

                  • #10
                    Re: Kerberos errors filling the DCs of a child domain

                    Sorry, but I have no access to the security log of the clients.
                    As you can read in my opening post, I have no domain admin rights in the child domain.
