Hundreds of audit events 4624, 4634, and 4672 every second on Server 2008 SP2 Domain Controller

  • Question

  • I have a Windows Server 2008 SP2 Domain Controller that is logging about 400 to 500 audit events per second in the security log.

    I get repeated entries of:

    4624 Logon
    4634 Logoff
    4672 Special Logon

    I clear the security event log, and after 10 seconds I have about 5,000 entries.

    Lsass.exe is constantly running at about 5% to 15% CPU.

    4624 Logon:
    An account was successfully logged on.

    Subject:
        Security ID:              NULL SID
        Account Name:             -
        Account Domain:           -
        Logon ID:                 0x0

    Logon Type:                   3

    New Logon:
        Security ID:              SYSTEM
        Account Name:             HSERVER$
        Account Domain:           HOPKINS
        Logon ID:                 0x5689610
        Logon GUID:               {21ab2e6f-e096-18fd-7904-caa887330f25}

    Process Information:
        Process ID:               0x0
        Process Name:             -

    Network Information:
        Workstation Name:
        Source Network Address:   fe80::84a0:133d:9782:3644  (This is my actual SERVER address)
        Source Port:              56303

    Detailed Authentication Information:
        Logon Process:            Kerberos
        Authentication Package:   Kerberos
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0

    4634 Logoff
    An account was logged off.

    Subject:
        Security ID:              SYSTEM
        Account Name:             HSERVER$
        Account Domain:           HOPKINS
        Logon ID:                 0x568967a

    Logon Type:                   3

    I don't think this is caused by any of my workstations.

    The output from a NETSTAT -AN has about 5000 entries as shown below...

    Proto  Local Address          Foreign Address        State
      UDP    0.0.0.0:55428          *:*
      UDP    0.0.0.0:55429          *:*
      UDP    0.0.0.0:55430          *:*
      UDP    0.0.0.0:55431          *:*
      UDP    0.0.0.0:55432          *:*
      UDP    0.0.0.0:55433          *:*
      UDP    0.0.0.0:55434          *:*
      UDP    [::]:55481             *:*
      UDP    [::]:55482             *:*
      UDP    [::]:55483             *:*
      UDP    [::]:55484             *:*
      UDP    [::]:55485             *:*
      UDP    [::]:55486             *:*
      UDP    [::]:55487             *:*
      UDP    [::]:55488             *:*
      UDP    [::]:55489             *:*
      UDP    [::]:55490             *:*
      UDP    [::]:55491             *:*

    I don't know what to do about this other than starting to shut down services and keep checking till it stops.

    Thanks for any help or insight.

    Tuesday, October 4, 2011 6:23 PM
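Before turning success auditing down, a flood like this can be broken down by which account is logging on, with which logon type and logon process, and from which source address; one dominant group in that breakdown is the thing to chase. The script below is an added example, not code from this thread or from Microsoft; it assumes PowerShell 2.0 or later in an elevated session on the DC itself, and the $MaxEvents parameter is the example's own.

```powershell
# Added example, not from the thread: summarise the most recent 4624 events on the
# DC by account, logon type, logon process and source address, so a flood such as
# the one above can be traced to its origin rather than hidden by auditing less.
# Assumes PowerShell 2.0 or later (an optional install on Server 2008 SP2) run in
# an elevated session on the DC itself. $MaxEvents is this script's own parameter.
param([int]$MaxEvents = 5000)

# Newest events come first. Each 4624 carries subject, target, logon type, logon
# process and source address as named <Data> fields in the event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    New-Object PSObject -Property @{
        Time         = $e.TimeCreated
        Account      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType    = $d['LogonType']
        LogonProcess = $d['LogonProcessName']
        SourceIp     = $d['IpAddress']
        SourcePort   = $d['IpPort']
    }
}
$rows = @($rows)

# Rate over the sampled window. With the numbers in the question this comes out in
# the hundreds per second; a few per minute would be ordinary for a ten-user site.
$newest  = $rows[0].Time
$oldest  = $rows[$rows.Count - 1].Time
$seconds = ($newest - $oldest).TotalSeconds
if ($seconds -gt 0) {
    '{0} logon events in {1:N1} s = {2:N1} per second' -f $rows.Count, $seconds, ($rows.Count / $seconds)
}

# One group dominating this table is the source to investigate. A line such as
# "HOPKINS\HSERVER$, 3, Kerberos, fe80::..." is the pattern in the record quoted
# above (the DC's own machine account, network logon, Kerberos, from the DC's own
# address); a different account or source address would point at a workstation.
$rows | Group-Object Account, LogonType, LogonProcess, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The Logon ID from the top group can then be matched against 4634 (logoff) and 4672 (special privileges) events from the same window, since all three share it.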

Answers

  • Hi,

    Logon Type 3 means Network logon. This is common if you have shared files/printers. Other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS.

    Currently, please check the firewall and security updates:

    1.    Make sure you have enabled a firewall on this DC.
    2.    Update the system with the latest security updates.
    3.    Does this DC have IIS installed?

    Meanwhile, please understand that it is not recommended to run file and print services or Exchange Server on a Domain Controller.

    If the issue is urgent or you prefer a paid professional, please contact Microsoft Customer Support Service (CSS).

    To obtain the phone numbers for a specific technology request, please refer to the website listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    If you are outside the US, please refer to http://support.microsoft.com for regional support phone numbers.

    Regards,
    Bruce

    • Marked as answer by Bruce-Liu Monday, October 10, 2011 2:25 AM
    Wednesday, October 5, 2011 6:05 AM

All replies

  • If you have a ton of users this may be expected behavior; you can tone it down by adjusting your local policy settings to only log events relevant to what you want.

    I would suggest logging failures, and not all successes (unless you want to go all super security audit and maintain tons of large log files).

    :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    Tuesday, October 4, 2011 8:29 PM
  • Thanks Jason,

    Actually, I am supposed to be the paid professional...

    First time posting to the technet forums though.

    As far as users, we have maybe 10 users on the server.

    It is a domain controller, running file and print, along with antivirus and Backup Exec.

    I can easily log only failures, but that would only hide the problem that we are having.

    I may try to shut down as many services as I can and see if it makes a difference.

    Tuesday, October 4, 2011 10:42 PM
  • Thanks Bruce,

    If the Source Network Address is the ipv6 address of my server, would that rule out File and Print access from a workstation client?  Maybe that is where I am getting confused.  It would be great if it was caused by a workstation on the network.

    If there is a chance that a workstation on the local network is causing this via shared file or printer access, I will one by one disconnect my workstations from the network.  That might give me an indication as to where the problem lies. As soon as the problem stops, I will see it right away.

    I understand how we should not have file and print or exchange for that matter on a DC.  This is a small site, and we could not afford to install 2 servers.

    If I cannot resolve it via trial and error, then I will place a support call with Microsoft.

    Wednesday, October 5, 2011 11:01 AM
  • Jake,

    I am having this same issue. I am set up much like you are: a small number of users and connected workstations, one printer. The DC is hosting file and print and the Symantec AV server. It is like the DC is just lonely and wants to talk to itself. I have another network that is similarly, almost identically, set up and it does not have this problem. On the "broken" network I get 300+ events in a single minute vs. 53 in a ten-minute window on the other network. Did you find a solution?

    Thursday, April 12, 2012 12:06 AM
  • Shortly after posting this problem, we had moved 3 desktop computers to another location on another network.  One or two of them were not running Professional, but the home version of XP or Vista.  I believe that it may have been caused by one of these workstations, because I have not seen the problem since moving the 3 workstations off the network and to another location.  I wish I could remember more, but October of last year seems like such a long time ago...

    If you were to shut down all your workstations at night, do the events stop as well?  I see you are getting 300+ per minute, which is still much less than the 5000 I was getting every 10 seconds.

    Perhaps by trial and error, shutting down workstations may give some indication to where the problem lies.

    Sorry I don't have anything more that can help you with this.

    Thursday, April 12, 2012 12:27 AM
  • Bruce, please don't mark your own answer as THE answer when it does nothing to resolve the original question. It is still not resolved - and we have the same problem.
    Thursday, February 13, 2014 9:25 AM