
Event ID 537 on all DCs 2

Status
Not open for further replies.

Dfig

MIS
Feb 5, 2005
104
US
We have 2 DCs running Win 2003 R2 SP2. The Security Logs in Event Viewer have been logging Event ID 537 for a while on both DCs. It occurs with different workstations on different subnets and non-DC member servers. Here are a couple of entries:


Date: XXXXXXXXXXX Source: Security
Time XXXXXXXXXXX Category: Logon/Logoff
Type: Failure Aud Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: DC1

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.31.61
Source Port: 1039


For more information, see Help and Support Center at
--------------------------------------------------------------------------------
Date: XXXXXXXXXXX Source: Security
Time XXXXXXXXXXX Category: Logon/Logoff
Type: Failure Aud Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: CITRIX

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: NYF-CITRIX
Status code: 0xC00000DC
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.8.10
Source Port: 0


For more information, see Help and Support Center at

I am trying to find out what effect, if any, these errors have on our network.

 
Well, the errors are just showing failed authentication - so something is trying to authenticate. Find out what. I don't think authentication takes up much bandwidth, to be honest.

Run ethereal/wireshark on the network (preferably span out a port from a switch) and check out what traffic is going where, etc. and see if you can find any obvious patterns.
 
Thanks allywilson. I'll try that. I did not know if this was cause for concern. If I remember correctly, this started happening after I promoted a server to a DC with DCPromo.
 
That would be true... until it's a DC, it can't log domain authentications. Once you made it a DC, failed authentications from any machine with a secure channel to it will now be logged, as long as those authentications are from a domain-based account (or foreign security principal, such as SYSTEM).

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
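
Added example (not part of the original thread): a small Python triage script that parses pasted Event 537 text like the entries in the first post, decodes the status and substatus codes, and counts failures per source address. The NTSTATUS names are Microsoft's published names for those codes; the function names are hypothetical and the sample is abbreviated from the two posted entries.

```python
import re
from collections import Counter

# NTSTATUS names for the codes in the thread's entries (Microsoft's published list).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",  # client clock too far from the DC's
    0xC00000DC: "STATUS_INVALID_SERVER_STATE",
    0x00000000: "NONE",
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

# Sample input: abbreviated from the two entries in the first post.
SAMPLE = """\
Logon Failure:
Authentication Package: Kerberos
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 172.16.31.61
Logon Failure:
Authentication Package: NTLM
Status code: 0xC00000DC
Substatus code: 0x0
Source Network Address: 172.16.8.10
"""

def decode(code):
    """Map a hex status string to its NTSTATUS name; tolerate '-' or a missing field."""
    try:
        value = int(code, 16)
    except (TypeError, ValueError):
        return "UNPARSED"
    return NTSTATUS.get(value, "UNKNOWN_0x%08X" % value)

def parse_events(text):
    """Return one field dict per 'Logon Failure:' block in pasted event text."""
    blocks = text.split("Logon Failure:")[1:]
    return [{m.group(1): m.group(2) for m in map(FIELD.match, b.splitlines()) if m} for b in blocks]

def summarize(text):
    """Count failures per (source address, auth package, status, substatus)."""
    return Counter((e.get("Source Network Address", "-"), e.get("Authentication Package", "-"),
                    decode(e.get("Status code")), decode(e.get("Substatus code")))
                   for e in parse_events(text))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

A substatus of STATUS_TIME_DIFFERENCE_AT_DC on the Kerberos entries points at clock skew between the source host and the DC, which is quick to check before capturing traffic.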

 