I am seeing the following in the security logs of both cluster nodes:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 7/18/2007
Time: 8:17:54 AM
User: NT AUTHORITY\SYSTEM
Computer: NODE01
Description:
Logon Failure:
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: NODE01
Caller User Name: NODE01$
Caller Domain: CORP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1876
Transited Services: -
Source Network Address: -
Source Port: -
This is a Server 2003 cluster in A/P mode running Exchange 2003, and only NODE01 is being flagged. I am not seeing any related errors in the DC logs, application logs, etc. I checked the Cluster log and found the following at that timeframe:
00000e28.000015b0::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Entry for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
00000e28.000015b0::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Exit for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
00000e28.00001590::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Entry for group <f60e398c-c4c9-457d-8363-87b0798a2a7d>....
00000e28.00001590::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Exit for group <f60e398c-c4c9-457d-8363-87b0798a2a7d>....
00000e28.00000fac::2007/07/18-13:18:35.140 INFO [Qfs] GetDiskFreeSpaceEx Q:\MSCS\, status 0
00000e28.00001590::2007/07/18-13:18:41.265 INFO [FM] FmpEnumerateGroupResources: Entry for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
These all seem pretty standard to me. These security events began cropping up about three weeks ago.
Any ideas out there?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 7/18/2007
Time: 8:17:54 AM
User: NT AUTHORITY\SYSTEM
Computer: NODE01
Description:
Logon Failure:
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: NODE01
Caller User Name: NODE01$
Caller Domain: CORP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1876
Transited Services: -
Source Network Address: -
Source Port: -
This is a Server 2003 cluster in A/P mode running Exchange 2003, and only NODE01 is being flagged. I am not seeing any related errors in the DC logs, application logs, etc. I checked the Cluster log and found the following at that timeframe:
00000e28.000015b0::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Entry for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
00000e28.000015b0::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Exit for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
00000e28.00001590::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Entry for group <f60e398c-c4c9-457d-8363-87b0798a2a7d>....
00000e28.00001590::2007/07/18-13:17:41.046 INFO [FM] FmpEnumerateGroupResources: Exit for group <f60e398c-c4c9-457d-8363-87b0798a2a7d>....
00000e28.00000fac::2007/07/18-13:18:35.140 INFO [Qfs] GetDiskFreeSpaceEx Q:\MSCS\, status 0
00000e28.00001590::2007/07/18-13:18:41.265 INFO [FM] FmpEnumerateGroupResources: Entry for group <63eadc6a-1ef4-497c-88d8-9274d101fbe7>....
These all seem pretty standard to me. These security events began cropping up about three weeks ago.
Any ideas out there?
