Event ID 2513

  • Question

  • Dears,

    I'm facing the following issue with my server 2k8 R2:

    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          10/23/2012 4:14:52 PM
    Event ID:      2513
    Task Category: DS RPC Client
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      MAIL.Tower-ieg.com.jo
    Description:
    Attempting to set the desired authentication protocol for a connection to the following DSA failed.
    DSA:
    a01f45bb-1e5d-46c5-bef0-94f674bd1037._msdcs.Tower-ieg.com.jo

    Additional Data:
    Error:
    1747 The authentication service is unknown.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="49152">2513</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>22</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-23T14:14:52.978163700Z" />
        <EventRecordID>6185</EventRecordID>
        <Correlation />
        <Execution ProcessID="644" ThreadID="808" />
        <Channel>Directory Service</Channel>
        <Computer>MAIL.Tower-ieg.com.jo</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>a01f45bb-1e5d-46c5-bef0-94f674bd1037._msdcs.Tower-ieg.com.jo</Data>
        <Data>The authentication service is unknown.</Data>
        <Data>1747</Data>
      </EventData>
    </Event>

    Please, I need your help urgently.

    Thanks in Advance

    Ibrahim

    Thursday, November 8, 2012 6:44 AM

Answers

  • It appears there is unknown traffic trying to authenticate itself from the AD & it's been rejected due to failure in proving its identity. I would suggest checking the connectivity & your firewall for the source of this anonymous traffic, maybe using Netmon or Wireshark.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, November 8, 2012 8:21 AM
    Moderator
  • SID: S-1-5-7 represents Anonymous logon - originating from MAIL.Tower-ieg.com.jo

    You do have information about the date/time of this event - so the next step would be to identify processes running on the source computer around that time. If this behavior still continues, Process Monitor from Sysinternals or, as Awinish has suggested, network capture might help you find the answer.

    hth
    Marcin

    Thursday, November 8, 2012 11:45 AM
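
One way to carry out the time-based correlation suggested above, as an added example that is not part of the original thread: it lists recent Event ID 2513 errors on the affected server, resolves the DSA alias to a host name, and shows the warnings and errors logged around each one. The 5-minute window, the 20-event limit and the choice of logs are assumptions.

```powershell
# Added example: list Event ID 2513 errors and show what else the same
# server logged around each one. Window size and log selection are assumptions.
$WindowMinutes = 5
$Logs = 'System', 'Application', 'Directory Service'

# Most recent 2513 errors from the Directory Service log (run elevated on the DC).
$query = @{ LogName = 'Directory Service'; Id = 2513 }
$hits  = @(Get-WinEvent -FilterHashtable $query -MaxEvents 20 -ErrorAction SilentlyContinue)

foreach ($e in $hits) {
    # EventData order as shown in the event XML: DSA, error text, error code.
    $dsa = [string]$e.Properties[0].Value

    # The DSA name is the GUID-based DNS alias of a domain controller; resolve it
    # to see which DC the failed connection was aimed at.
    try   { $target = [System.Net.Dns]::GetHostEntry($dsa).HostName }
    catch { $target = "unresolved: $($_.Exception.Message)" }

    $e | Select-Object TimeCreated,
        @{ n = 'UserSid';    e = { $_.UserId } },
        @{ n = 'DSA';        e = { $dsa } },
        @{ n = 'ResolvesTo'; e = { $target } },
        @{ n = 'ErrorCode';  e = { $_.Properties[2].Value } },
        @{ n = 'ErrorText';  e = { $_.Properties[1].Value } } |
        Format-List | Out-String

    # Warnings and errors logged within the window on either side of the event.
    $filter = @{
        LogName   = $Logs
        Level     = 1, 2, 3          # Critical, Error, Warning
        StartTime = $e.TimeCreated.AddMinutes(-$WindowMinutes)
        EndTime   = $e.TimeCreated.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, LogName, ProviderName, Id, LevelDisplayName -AutoSize |
        Out-String
}
```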

All replies

  • I have issued the command netsh winsock reset... but the issue still persists. As you are saying to monitor the network traffic, which traffic should I look for, like port no., source, etc.?
    Wednesday, April 29, 2015 7:11 PM