Security Event Logs


  • Security Event Logs

    Hi All

    I'm wondering if anyone can help me solve the issues I'm having. Let me explain my environment.

    We were recently taken over by a multinational, and our single-forest, single-domain AD environment was one-way trusted with the mothership. They have now migrated AD objects, i.e. users and computer accounts, to the mothership domain, and we have joined all workstations to the mothership domain, so all users now log in to the mothership domain, not the legacy "our" domain. Users still access email and SharePoint from the legacy domain via the trust, but it's not that smooth, as there are numerous account lockouts and speed issues since the changeover.

    The latest issue I have been asked by the admins at the mothership to investigate is why so many "Failure Audits" are occurring on the DCs of the mothership's servers, originating from "MY-Exchange" on the legacy domain. I presume it's because it's a one-way trust and the requests are being somehow blocked by the trust. Would I be correct? Anyone got any ideas? Below is what I see in my Exchange event logs:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 12/05/2011
    Time: 16:00:24
    User: NT AUTHORITY\SYSTEM
    Computer: MY-EXCHANGE
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: jdoe
    Source Workstation: WKST000113
    Error Code: 0xC0000064

    Below is what the mothership gets in their event logs; they say they have had 850 of these events in the last week alone.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/11/2011
    Time: 11:09:42 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MOTHERSHIPDC001
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Administrator
    Source Workstation: MY-EXCHANGE
    Error Code: 0xC000006A

    Any help would be greatly appreciated.
    Oak
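
As an added example (not part of the thread or any poster's code): a small Python parser for Event ID 680 records in the text form pasted above, which decodes the NTSTATUS error code and counts failures per logging computer, source workstation and account. 0xC0000064 is STATUS_NO_SUCH_USER and 0xC000006A is STATUS_WRONG_PASSWORD; the function names and the trimmed sample input are assumptions made for the example.

```python
import re
from collections import Counter

# NTSTATUS codes seen in Event ID 680 failures (values from ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",        # account name not found
    0xC000006A: "STATUS_WRONG_PASSWORD",      # account found, bad password
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Constructed sample: the two records from the post, trimmed to the fields used.
SAMPLE = """\
Event ID: 680
Computer: MY-EXCHANGE
Logon account: jdoe
Source Workstation: WKST000113
Error Code: 0xC0000064

Event ID: 680
Computer: MOTHERSHIPDC001
Logon account: Administrator
Source Workstation: MY-EXCHANGE
Error Code: 0xC000006A
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split a text export on blank lines; return one dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line) for line in block.splitlines())
        events.append({m.group(1).lower(): m.group(2) for m in pairs if m})
    return events

def summarize(events):
    """Count 680 failures per (logging computer, source, account, status)."""
    counts = Counter()
    for e in events:
        if e.get("event id") != "680" or "error code" not in e:
            continue
        code = int(e["error code"], 16)
        status = NTSTATUS.get(code, "unknown 0x%08X" % code)
        key = (e.get("computer"), e.get("source workstation"),
               e.get("logon account"), status)
        counts[key] += 1
    return counts.most_common()
```

Run over a week of exported records, the top rows of `summarize()` show which account and source workstation pair produces most of the failures and whether they are unknown-name or bad-password failures.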

  • #2
    Re: Security Event Logs

    Is any of this any help?
    http://www.eventid.net/display.asp?e...curity&phase=1


    Is there any difference between the OS and functional levels on the two sides of the organisation?

    It's very possible there are some cached or stored passwords on the old computers somewhere.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



    • #3
      Re: Security Event Logs

      Hi camel,

      I have looked at eventid.net already, but it doesn't really pinpoint anything?

      In regards to the functional level of the forest/domain, I'm sure it's 2003 on both sides.



      • #4
        Re: Security Event Logs

        Well, that link I provided, admittedly, probably doesn't "pinpoint" a specific answer.

        But it definitely gives you some things you can look at - I just only chose to mention one of the possibilities in the outcomes on that link.


        • #5
          Re: Security Event Logs

          As far as I can tell there are no cached credentials?


          • #6
            Re: Security Event Logs

            Any other ideas on what it might be?


            • #7
              Re: Security Event Logs

              Is there any way I can track logon attempts/requests from MY-EXCHANGE to the Mothership DC to find the source?


              • #8
                Re: Security Event Logs

                Originally posted by Oak:
                Is there any way I can track logon attempts/requests from MY-EXCHANGE to the Mothership DC to find the source?
                Yep, use Audit Logon Events


                • #9
                  Re: Security Event Logs

                  All,
                  This is a professional board, so let's display more professional attitudes here.
                  I have deleted several posts as not at all relevant to the discussion, and if they re-appear in any similar form, I will issue sanctions.
                  If anyone has any problems with this, please PM me.
                  Last edited by Ossian; 13th May 2011, 09:42.
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **
