Numerous Event ID: 680

  • Question

  • Hi All

    I'm wondering if anyone can help me solve the issues I'm having. Let me explain my environment.

    We were recently taken over by a multinational, and our single-forest, single-domain AD environment was one-way trusted with the mothership. They have now migrated AD objects, i.e. user and computer accounts, to the mothership domain, and we have joined all workstations to the mothership domain, so all users now log into the mothership domain, not the legacy "our" domain. Users still access email and SharePoint from the legacy domain via the trust, but it's not that smooth, as there are numerous account lockouts and speed issues since the changeover.

    The latest issue I have been asked by the admins at the mothership to investigate is why so many "Failure Audits" are occurring on the DCs of the mothership's servers, originating from "MY-Exchange" on the legacy domain. I presume it's because it's a one-way trust and the requests are somehow being blocked by the trust. Would I be correct? Has anyone got any ideas? Below is what I see in my Exchange event logs:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 12/05/2011
    Time: 16:00:24
    User: NT AUTHORITY\SYSTEM
    Computer: MY-EXCHANGE
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: jdoe
    Source Workstation: WKST000113
    Error Code: 0xC0000064

    Below is what the mothership get in their event logs; they say they have got 850 of these events in the last week alone:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/11/2011
    Time: 11:09:42 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MOTHERSHIPDC001
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Administrator
    Source Workstation: MY-EXCHANGE
    Error Code: 0xC000006A

    Any help would be greatly appreciated.
    Spudney
    Friday, May 13, 2011 8:56 AM

All replies

  • Below event from Mothership DC

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/12/2011
    Time: 4:46:07 PM
    User: NT AUTHORITY\SYSTEM
    Computer: Mothership-DC01 (In Trusting DOMAIN)
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Administrator
    Source Workstation: MY-EXCHANGE (My trusted DOMAIN)
    Error Code: 0xC000006A

     

    Is there a way I can figure out why the logon attempt was made in the first place?


    Spudney
    Friday, May 13, 2011 9:22 AM
  • Hello,

    First, make sure that no firewall is blocking the required ports:

    http://support.microsoft.com/kb/179442/

    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    As you talk about migration to the other forest, was it done with ADMT, which requires a 2 way trust for the migration?

    Do you use Sidhistory on the migrated accounts?


    Best regards

    Meinolf Weber

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, May 15, 2011 11:11 AM
  • Hi Meinolf

    You can use a one way trust for ADMT which is what was used?

    The SID history was also migrated and the firewall ports are functioning correctly?

    What else might it be?

    Spud


    Spudney
    Tuesday, May 17, 2011 9:19 AM
    Take a look at the article below, if it's applicable to your environment. Otherwise, use Netmon/Wireshark/Ethereal to capture the traffic for analyzing the possibilities of failure.

    http://support.microsoft.com/kb/936182

     

    Regards


    Awinish Vishwakarma

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, May 17, 2011 10:31 AM
    Moderator
    Thanks Awinish

    But how can I audit logon attempts specifically to the parent domain from the legacy domain from the Administrator account?

     


    Spudney
    Wednesday, May 18, 2011 8:13 AM
    The tool mentioned in my earlier post will give you real-time data if 680 is occurring frequently. You can't rule out the presence of a worm or spyware, which might be the issue too.

    Take a look at the hotfix, if it's applicable, but I would use the above tool, which can be the best way to get to the issue.

    http://support.microsoft.com/kb/947861/en-us

    http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

     

    Regards


    Awinish Vishwakarma

    Wednesday, May 18, 2011 8:26 AM
    Moderator
    Should I be using Netmon/Wireshark/Ethereal on the mothership domain or on the legacy domain? I presume the mothership?

    The Event ID 680s are showing up in the mothership's security event logs, not the legacy domain's, but only a one-way trust exists. If all workstations log into the mothership domain and Exchange is still on the legacy domain, should a two-way trust not exist for authentication to function correctly, so that mothership users can successfully access Exchange services on the legacy domain? It looks like the Administrator account in the legacy domain is causing a lot of these 680s, originating from the Exchange box.

     

    Any help much appreciated.


    Spudney
    Thursday, May 26, 2011 9:13 AM
    Use it on the domain where you are seeing the events, i.e. in your mothership domain.

     

    Regards


    Awinish Vishwakarma

    Thursday, May 26, 2011 9:30 AM
    Moderator
  • What can this tell us? I have no access to the mothership domain, so I have to tell them what to do. Can you explain what I need to ask them, or what to look for, in a bit more detail?
    Spudney
    Thursday, May 26, 2011 9:43 AM
  • Monitor the flow of traffic and why this account is trying to authenticate in the other domain.

     

    Regards


    Awinish Vishwakarma

    Thursday, May 26, 2011 10:10 AM
    Moderator
  • Thanks Awinish, I will ask them that and report back.
    Spudney
    Thursday, May 26, 2011 10:12 AM
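
Added example (not part of the original thread or any poster's reply): a Python sketch that parses Event ID 680 records exported as text in the layout quoted in the question and counts failures per source workstation, account and error code, so the busiest source stands out before anyone starts a capture. The sample log and the function names are constructed for illustration; 0xC0000064 and 0xC000006A are the NTSTATUS values for "no such user" and "wrong password".

```python
import re
from collections import Counter

NTSTATUS = {  # codes that appear in the "Error Code" field of Event ID 680
    0xC0000064: "STATUS_NO_SUCH_USER: account name does not exist",
    0xC000006A: "STATUS_WRONG_PASSWORD: account exists, password is wrong",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT: account is locked out",
}
FIELD = re.compile(r"^\s*(Event ID|Logon account|Source Workstation|Error Code):\s*(\S+)")

# Constructed sample in the text layout shown in the thread (not real log data).
SAMPLE = """\
Event ID: 680
Logon account: Administrator
Source Workstation: MY-EXCHANGE
Error Code: 0xC000006A
Event ID: 680
Logon account: Administrator
Source Workstation: MY-EXCHANGE
Error Code: 0xC000006A
Event ID: 680
Logon account: jdoe
Source Workstation: WKST000113
Error Code: 0xC0000064
"""

def parse_events(text):
    """Return one dict per Event ID 680 record found in a text export."""
    events, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Event ID" and cur:  # a new record starts here
            events.append(cur)
            cur = {}
        cur[m.group(1)] = m.group(2)
    if cur:
        events.append(cur)
    return [e for e in events if e.get("Event ID") == "680"]

def summarize(events):
    """Count failures per (source workstation, account, status), busiest first."""
    counts = Counter((e.get("Source Workstation", "?"), e.get("Logon account", "?"),
                      int(e.get("Error Code", "0"), 16)) for e in events)
    return [(src, acct, f"0x{code:08X}", NTSTATUS.get(code, "unknown"), n)
            for (src, acct, code), n in counts.most_common()]

for row in summarize(parse_events(SAMPLE)):
    print(*row, sep=" | ")
```

A row dominated by 0xC000006A for one account from one server means something on that server keeps presenting a wrong password for an account that exists; 0xC0000064 means the account name was not found by the machine that logged the event.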