Daily Server Report (Critical Errors, Event ID: 537)
Barry McConomy
Daily Server Report
I have recently started to get a lot of "Critical Errors in Security Log"
(5,448), see below.
Can anybody advise/help?
Regards
Barry
Source: Security
Event ID: 537
Logon Failure:
Reason: An error occurred during logon
User Name: ***
Domain: ***
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port:
Brandy Nee [MSFT]
Thank you for posting to the SBS Newsgroup.
I understand that you find there are plenty of Event IDs 537 with a
substatus code of 0xC00002EE on your machine. If I have misunderstood your
concern, please let me know.
The status code 0xC00002EE translates to STATUS_FINISHED_CONTEST_DELETED.
It means that a security context was deleted before the context was
completed. Also, Logon type of 3 is a network logon, this is considered a
logon failure. I need to gather some detailed information, please see:
I) Does this issue happen on client workstation or server?
II) Does this issue happen on some specific computers or all of them?
III) Does your server and all clients' workstation work well now? Can you
access the Internet, receive/send emails, etc? Is there any performance
issue in your Network?
Based on my experience, there are various factors can cause this issue,
please see:
1. I suggest you that perform a scanning for virus and spyware/adware on
your computers. You can download spybot to scan for spyware/adware:
http://www.safer-networking.org/en/download/index.html
2. There are maybe some hackers from the internet trying to guess your
users' passwords. So I suggest you that configure your network more
securely. You can refer to the following document to secure your Network:
This document helps you to more securely configure your Microsoft Windows
Small Business Server 2003 network. Completing the tasks in this document
helps you protect the availability, integrity, and confidentiality of your
network.
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/technet/prodtechnol/sbs/2003/maintain/sbsecnet.mspx
3. Third party software. Some third party software installed on the client
workstations may try to log on or log off server by using incorrect account
because it does not support the Kerberos authentication. I suggest that you
perform a clean boot on the machine which gives our Event ID 537 to see
whether the issue occur:
a. Click Start->Run, type "MSCONFIG" (without the quotation marks) and
click OK.
b. In the System Configuration Utility (MSConfig) window, click the
"Startup" tab.
c. Click to clear all the check marks from the list box under "Startup".
d. Click the Services tab, check the "Hide all Microsoft Services" box and
then click the "Disable All" button to disable the non-Microsoft services.
e. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.
f. After restarting, please check whether this issue still exists.
For your reference:
817310 Cannot Log On to a Heavily Loaded Exchange Server 2003 Computer by
Using Outlook Mobile Access
http://support.microsoft.com/?id=817310
Audit logon events
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/e104c96f-e243-41c5-aaea-d046555a079d.mspx
Auditing User Authentication
http://support.microsoft.com/?id=174073
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx
Please take your time to read through my suggestions. If you have any
updates, please feel free to let me know. I am looking forward to hearing
from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Barry McConomy" <sm...@siscan.com>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Daily Server Report (Critical Errors, Event ID: 537)
>Date: Wed, 15 Feb 2006 08:16:07 -0500
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <11v6a9i...@corp.supernews.com>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Complaints-To: ab...@supernews.com
>Lines: 34
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!nntp.giganews.com!transit3.readnews.com!
news-out.readnews.com!sn-xt-sjc-02!sn-xt-sjc-06!sn-post-01!supernews.com!cor
p.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:244652
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Barry McConomy
I) It happens on a Workstation
II) A specific computer.
III) Tes, all working well to tye best of my knowledge.
I will carry our items 1 to 3 on Monday and report back.
Regards
Barry
""Brandy Nee [MSFT]"" <v-br...@online.microsoft.com> wrote in message
news:jbiOkNqM...@TK2MSFTNGXA01.phx.gbl...
Brandy Nee [MSFT]
Thank you for posting back!
Please take your time to perform my suggestions on the client workstation.
If you have any further updates, please feel free to let me know. I am
always standing by and looking forward to hearing from you!
Best regards,
Brandy Nee
>Subject: Re: Daily Server Report (Critical Errors, Event ID: 537)
>Date: Thu, 16 Feb 2006 07:26:58 -0500
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <11v8rm3...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Complaints-To: ab...@supernews.com
>Lines: 194
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!newshub.sdsu.edu!sn-xt-sjc-03!sn-xt-sjc-01!sn-post-01!supernews.com!co
rp.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:244963
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Barry McConomy
I) It happens on a Workstation
II) A specific computer.
III) Yes, all working well to the best of my knowledge.
I will carry our items 1 to 3 next Monday (February 27th) and report back.
Regards
Barry
""Brandy Nee [MSFT]"" <v-br...@online.microsoft.com> wrote in message
news:jbiOkNqM...@TK2MSFTNGXA01.phx.gbl...
Brandy Nee [MSFT]
Thank you for posting back and keeping us updated!
I am sorry to bother you. Please take your time to perform my suggestions.
Best regards,
Brandy Nee
>Subject: Re: Daily Server Report (Critical Errors, Event ID: 537)
>Date: Thu, 23 Feb 2006 08:07:02 -0500
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <11vrckr...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Complaints-To: ab...@supernews.com
>Lines: 195
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!newshub.sdsu.edu!router2.astraweb.com!mrouter.astraweb.com!news.astraw
eb.com!router1.astraweb.com!sn-xt-sjc-15!sn-xt-sjc-09!sn-post-01!supernews.c
om!corp.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:246837
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Brandy Nee [MSFT]
Thank you for posting back and keeping us updated!
I am sorry to bother you. Please take your time to perform my suggestions
and see how it foes. If you have any updates, please feel free to let me
Best regards,
Brandy Nee
>Subject: Re: Daily Server Report (Critical Errors, Event ID: 537)
>Date: Thu, 23 Feb 2006 08:07:02 -0500
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <11vrckr...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Complaints-To: ab...@supernews.com
>Lines: 195
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!newshub.sdsu.edu!router2.astraweb.com!mrouter.astraweb.com!news.astraw
eb.com!router1.astraweb.com!sn-xt-sjc-15!sn-xt-sjc-09!sn-post-01!supernews.c
om!corp.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:246837
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
Barry McConomy
At last I have manage to return to my Clients.
I) Yes, this happens on a client workstation
II) One specific computer
III) Yes, every thing works well.
1) Done all OK.
2) Noted.
3) I checked the specific computer Event Logs and noticed repeating errors:-
a) System Event ID: 10009, Source: DCOM
b) Application Event ID: 1091, Source: Userenv
I have screen shots it you want me to send direct to you.
Any help would be appreciated.
Regards
Barry
""Brandy Nee [MSFT]"" <v-br...@online.microsoft.com> wrote in message
news:jbiOkNqM...@TK2MSFTNGXA01.phx.gbl...
Brandy Nee [MSFT]
Thank you for posting back and keeping us updated!
I understand that the issue persists. Please help me to confirm following
information:
1> Is there any hp laserjet toolbox software running on that problematic
machine? This issue can be caused if there are applications from client
computers trying to logon by incorrect accounts and password. I suggest
that you schedule a down time to boot the problematic computer into Safe
Mode to see how it goes.
2> After each 537 event, is there a 538 event logged?
3> Please check if the Windows Time is synchronized. To do so:
1. Please go to the workstation which the 537 events complain and run the
following command:
net time
2. Check if the workstation is syncing time with the SBS 2003 server and if
not, run the following command:
net time /setsntp:<SBS_Server_Name>
NOTE: Replace <SBS_Server_Name> with the real server name of the SBS 2003
server.
3. Run the following command and check if the event does not occur
complaining this workstation:
w32tm /resync
4> If the issue persists, please help me to export the Application and
System Log to me. To do so:
On the problematic computer, run "eventvwr" (without quotation marks),
right click Application, select Save Log File As, please save as .evt file
and send it to me.
Please perform the same step for System and Security Log.
Thanks a lot for your time and I am looking forward to hearing from you!
Best regards,
Brandy Nee
>Subject: Re: Daily Server Report (Critical Errors, Event ID: 537)
>Date: Mon, 3 Apr 2006 17:13:29 -0400
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <12333mp...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Complaints-To: ab...@supernews.com
>Lines: 205
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed.c
w.net!cw.net!news-FFM2.ecrc.de!news.glorb.com!sn-xt-sjc-15!sn-xt-sjc-11!sn-x
t-sjc-07!sn-post-02!sn-post-01!supernews.com!corp.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:257829
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Barry McConomy
Yes, there is a HP Laserjet 3030.
I think this may be the issue, at this time I am not sure what to do.
Regards
Barry
""Brandy Nee [MSFT]"" <v-br...@online.microsoft.com> wrote in message
news:OFY4Fg7V...@TK2MSFTNGXA01.phx.gbl...
Brandy Nee [MSFT]
Thank you for posting back!
I suggest that you start the computer into the Safe Mode to see how it
goes. If the isuse persists, I suggest that you temporarily remove the
software and test the issue again.
Please take your time to perform the steps. If you have any further
updates, please feel free to let me know. I am looking forwar to hearing
from you!
Best regards,
Brandy Nee
>Date: Tue, 4 Apr 2006 17:26:21 -0400
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <1235oqj...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
<12333mp...@corp.supernews.com>
<OFY4Fg7V...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-Complaints-To: ab...@supernews.com
>Lines: 145
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed00
.sul.t-online.de!t-online.de!newsfeed.freenet.de!feeder2.ecngs.de!ecngs!feed
er.ecngs.de!216.196.110.149.MISMATCH!border2.nntp.ams.giganews.com!nntp.giga
news.com!sn-ams-06!sn-xt-ams-03!sn-post-ams-01!sn-post-01!supernews.com!corp
.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:258090
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Brandy Nee [MSFT]
Thank you for posting back and keeping us updated!
I am sorry to bother you! Please take your time to perform my suggestions.
If you have any updates, please feel free to let me know. By the way, since
you going to reply me in 10 days, can I temporary close the thread, please?
When you will be free, you just need to reply back to the Newsgroup and
your post will be automatically open.
Thanks a lot for your time and understanding!
Best regards,
Brandy Nee
>Date: Tue, 4 Apr 2006 17:26:21 -0400
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <1235oqj...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
<12333mp...@corp.supernews.com>
<OFY4Fg7V...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-Complaints-To: ab...@supernews.com
>Lines: 145
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed00
.sul.t-online.de!t-online.de!newsfeed.freenet.de!feeder2.ecngs.de!ecngs!feed
er.ecngs.de!216.196.110.149.MISMATCH!border2.nntp.ams.giganews.com!nntp.giga
news.com!sn-ams-06!sn-xt-ams-03!sn-post-ams-01!sn-post-01!supernews.com!corp
.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:258090
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
Brandy Nee [MSFT]
Thank you for posting back!
Thanks a lot for your kindly understanding! If you have any updates, please
feel free to let me know. I am always standing by and looking forward to
hearing from you!
Best regards,
Brandy Nee
>Date: Tue, 4 Apr 2006 17:26:21 -0400
>Organization: Posted via Supernews, http://www.supernews.com
>Message-ID: <1235oqj...@corp.supernews.com>
>References: <11v6a9i...@corp.supernews.com>
<jbiOkNqM...@TK2MSFTNGXA01.phx.gbl>
<12333mp...@corp.supernews.com>
<OFY4Fg7V...@TK2MSFTNGXA01.phx.gbl>
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>X-Complaints-To: ab...@supernews.com
>Lines: 145
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed00
.sul.t-online.de!t-online.de!newsfeed.freenet.de!feeder2.ecngs.de!ecngs!feed
er.ecngs.de!216.196.110.149.MISMATCH!border2.nntp.ams.giganews.com!nntp.giga
news.com!sn-ams-06!sn-xt-ams-03!sn-post-ams-01!sn-post-01!supernews.com!corp
.supernews.com!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:258090
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>