Multiple event IDs 675, 676 and 681

The events show both machine and user accounts, and yes, I have been through
eventid.net, but I couldn't find anything helpful.
--
Madrilleno


"Meinolf Weber" wrote:

> Hello Madrilleno,
>
> Basically these are authentication errors, maybe through some service accounts
> where you changed passwords? So if you check the events, are they pointing
> to users or computers?
>
> Did you look here:
> 675
> http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Secur...&phase=
> 676
> http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Secu...y&phase
> 681
> http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&phase=1
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > I have a domain running in mixed mode which has two Server 2008 DCs
> > and a Server 2000 DC. The server 2000 DC holds the five FSMO roles.
> >
> > I am seeing a lot of Event ID 675,676 & 681 in the security logs
> > denoting authentication failures.
> >
> > I have trawled around on the Internet for hours, but have not found
> > any pointers to why these are happening.
> >
> > The DC is a virtual server which I am using to stage on my route to
> > running the domain as Server 2008 native. There are no corresponding
> > errors on the 2k8 DCs.
> >
>
>
>

Hi,

Thanks for posting here.

Form my understanding, you have promoted Windows server 2008 as an
additional DC of windows serve 2000.On the server of windows server 2000
holding all FSMO roles, you found some security error messages in Event
log. If I misunderstood, please advise me.

Event ID: 675
Event Type: Failure Audit
Event Source: Security
Computer:
Event Category: Account Logon
User: NT AUTHORITY\SYSTEM
Description:
Pre-authentication failed:
Service Name: krbtgt

The failure might be due to time skew > 5 minutes. Please check the time
and time zone between the client and server. Are they synchronized? If not,
please use net time command to force them to synchronize. You can refer to
the following articles:

Using the NET TIME Command to Synchronize Windows XP Workstations
http://support.microsoft.com/kb/314090

Net Time
http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
5c-326a562d42461033.mspx?mfr=true

NET TIME /Domain Will Not Sync Time with Domain Time Source Server
http://support.microsoft.com/kb/193825

In addition, Event ID 676 and 681 is related to Password authorization
failure. Windows server 2000 holds PDC role that is responsible for
password verification, so the corresponding verification error may occur
much on it. Please check if some users passwords have been expired or
locked.

Also, I suggest you transfer FSMO roles to the server with Windows server
2008 to test the result. You can refer to the following article to perform
to transfer FSMO roles.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

If anything is unclear or you need further assistance, please post back.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Thread-Topic: Multiple event IDs 675, 676 and 681
--->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
--->X-WBNR-Posting-Host: 207.46.192.207
--->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
--->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
<ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
--->Subject: Re: Multiple event IDs 675, 676 and 681
--->Date: Tue, 29 Jul 2008 02:05:02 -0700
--->Lines: 46
--->Message-ID: <54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->Newsgroups: microsoft.public.win2000.security
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1631
--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->X-Tomcat-NG: microsoft.public.win2000.security
--->
--->The events show both machine and user accounts, and yes, I have been
through
--->eventid.net, but I couldn't find anything helpful.
--->--
--->Madrilleno
--->
--->
--->"Meinolf Weber" wrote:
--->
--->> Hello Madrilleno,
--->>
--->> Basically these are authentication errors, maybe through some service
accounts
--->> where you changed passwords? So if you check the events, are they
pointing
--->> to users or computers?
--->>
--->> Did you look here:
--->> 675
--->>
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
ase=1
--->> 676
--->>
http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
hase=1
--->> 681
--->>
http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
se=1
--->>
--->> Best regards
--->>
--->> Meinolf Weber
--->> Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
--->> no rights.
--->> ** Please do NOT email, only reply to Newsgroups
--->> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
--->>
--->> > I have a domain running in mixed mode which has two Server 2008 DCs
--->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO roles.
--->> >
--->> > I am seeing a lot of Event ID 675,676 & 681 in the security logs
--->> > denoting authentication failures.
--->> >
--->> > I have trawled around on the Internet for hours, but have not found
--->> > any pointers to why these are happening.
--->> >
--->> > The DC is a virtual server which I am using to stage on my route to
--->> > running the domain as Server 2008 native. There are no corresponding
--->> > errors on the 2k8 DCs.
--->> >
--->>
--->>
--->>
--->

1. There is no time skew on any of my DCs.
2. There are no users with locked out accounts.

I will try moving the FSMOs to a 2k8 server.
--
Madrilleno


"Morgan che(MSFT)" wrote:

> Hi,
>
> Thanks for posting here.
>
> Form my understanding, you have promoted Windows server 2008 as an
> additional DC of windows serve 2000.On the server of windows server 2000
> holding all FSMO roles, you found some security error messages in Event
> log. If I misunderstood, please advise me.
>
> Event ID: 675
> Event Type: Failure Audit
> Event Source: Security
> Computer:
> Event Category: Account Logon
> User: NT AUTHORITY\SYSTEM
> Description:
> Pre-authentication failed:
> Service Name: krbtgt
>
> The failure might be due to time skew > 5 minutes. Please check the time
> and time zone between the client and server. Are they synchronized? If not,
> please use net time command to force them to synchronize. You can refer to
> the following articles:
>
> Using the NET TIME Command to Synchronize Windows XP Workstations
> http://support.microsoft.com/kb/314090
>
> Net Time
> http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
> 5c-326a562d42461033.mspx?mfr=true
>
> NET TIME /Domain Will Not Sync Time with Domain Time Source Server
> http://support.microsoft.com/kb/193825
>
> In addition, Event ID 676 and 681 is related to Password authorization
> failure. Windows server 2000 holds PDC role that is responsible for
> password verification, so the corresponding verification error may occur
> much on it. Please check if some users passwords have been expired or
> locked.
>
> Also, I suggest you transfer FSMO roles to the server with Windows server
> 2008 to test the result. You can refer to the following article to perform
> to transfer FSMO roles.
>
> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
> http://support.microsoft.com/kb/255504
>
> If anything is unclear or you need further assistance, please post back.
>
>
> Sincerely
> Morgan Che
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> --------------------
> --->Thread-Topic: Multiple event IDs 675, 676 and 681
> --->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
> --->X-WBNR-Posting-Host: 207.46.192.207
> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
> --->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
> <ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
> --->Subject: Re: Multiple event IDs 675, 676 and 681
> --->Date: Tue, 29 Jul 2008 02:05:02 -0700
> --->Lines: 46
> --->Message-ID: <54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
> --->MIME-Version: 1.0
> --->Content-Type: text/plain;
> ---> charset="Utf-8"
> --->Content-Transfer-Encoding: 7bit
> --->X-Newsreader: Microsoft CDO for Windows 2000
> --->Content-Class: urn:content-classes:message
> --->Importance: normal
> --->Priority: normal
> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
> --->Newsgroups: microsoft.public.win2000.security
> --->Path: TK2MSFTNGHUB02.phx.gbl
> --->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1631
> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
> --->X-Tomcat-NG: microsoft.public.win2000.security
> --->
> --->The events show both machine and user accounts, and yes, I have been
> through
> --->eventid.net, but I couldn't find anything helpful.
> --->--
> --->Madrilleno
> --->
> --->
> --->"Meinolf Weber" wrote:
> --->
> --->> Hello Madrilleno,
> --->>
> --->> Basically these are authentication errors, maybe through some service
> accounts
> --->> where you changed passwords? So if you check the events, are they
> pointing
> --->> to users or computers?
> --->>
> --->> Did you look here:
> --->> 675
> --->>
> http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
> ase=1
> --->> 676
> --->>
> http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
> hase=1
> --->> 681
> --->>
> http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
> se=1
> --->>
> --->> Best regards
> --->>
> --->> Meinolf Weber
> --->> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers
> --->> no rights.
> --->> ** Please do NOT email, only reply to Newsgroups
> --->> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> --->>
> --->> > I have a domain running in mixed mode which has two Server 2008 DCs
> --->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO roles.
> --->> >
> --->> > I am seeing a lot of Event ID 675,676 & 681 in the security logs
> --->> > denoting authentication failures.
> --->> >
> --->> > I have trawled around on the Internet for hours, but have not found
> --->> > any pointers to why these are happening.
> --->> >
> --->> > The DC is a virtual server which I am using to stage on my route to
> --->> > running the domain as Server 2008 native. There are no corresponding
> --->> > errors on the 2k8 DCs.
> --->> >
> --->>
> --->>
> --->>
> --->
>
>

Hi,

Ok, please transfer FSMOs to the WIndows server 2008 server to test the
result. if this issue still persists, please post here with the latest
symbols.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Thread-Topic: Multiple event IDs 675, 676 and 681
--->thread-index: AcjxYwnV06JJwYIxTw2fX/9sZcP5CA==
--->X-WBNR-Posting-Host: 65.55.21.8
--->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
--->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
<ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
<54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
<O#JNb$V8IHA.4832@TK2MSFTNGHUB02.phx.gbl>
--->Subject: Re: Multiple event IDs 675, 676 and 681
--->Date: Tue, 29 Jul 2008 03:08:24 -0700
--->Lines: 158
--->Message-ID: <E28728AC-1B99-451B-978B-AE8111B3E069.TakeThisOut@microsoft.com>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->Newsgroups: microsoft.public.win2000.security
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1633
--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->X-Tomcat-NG: microsoft.public.win2000.security
--->
--->1. There is no time skew on any of my DCs.
--->2. There are no users with locked out accounts.
--->
--->I will try moving the FSMOs to a 2k8 server.
--->--
--->Madrilleno
--->
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for posting here.
--->>
--->> Form my understanding, you have promoted Windows server 2008 as an
--->> additional DC of windows serve 2000.On the server of windows server
2000
--->> holding all FSMO roles, you found some security error messages in
Event
--->> log. If I misunderstood, please advise me.
--->>
--->> Event ID: 675
--->> Event Type: Failure Audit
--->> Event Source: Security
--->> Computer:
--->> Event Category: Account Logon
--->> User: NT AUTHORITY\SYSTEM
--->> Description:
--->> Pre-authentication failed:
--->> Service Name: krbtgt
--->>
--->> The failure might be due to time skew > 5 minutes. Please check the
time
--->> and time zone between the client and server. Are they synchronized?
If not,
--->> please use net time command to force them to synchronize. You can
refer to
--->> the following articles:
--->>
--->> Using the NET TIME Command to Synchronize Windows XP Workstations
--->> http://support.microsoft.com/kb/314090
--->>
--->> Net Time
--->>
http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
--->> 5c-326a562d42461033.mspx?mfr=true
--->>
--->> NET TIME /Domain Will Not Sync Time with Domain Time Source Server
--->> http://support.microsoft.com/kb/193825
--->>
--->> In addition, Event ID 676 and 681 is related to Password
authorization
--->> failure. Windows server 2000 holds PDC role that is responsible for
--->> password verification, so the corresponding verification error may
occur
--->> much on it. Please check if some users passwords have been expired or
--->> locked.
--->>
--->> Also, I suggest you transfer FSMO roles to the server with Windows
server
--->> 2008 to test the result. You can refer to the following article to
perform
--->> to transfer FSMO roles.
--->>
--->> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
controller
--->> http://support.microsoft.com/kb/255504
--->>
--->> If anything is unclear or you need further assistance, please post
back.
--->>
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->> Get Secure! - www.microsoft.com/security
--->> =====================================================
--->> When responding to posts, please "Reply to Group" via your newsreader
so
--->> that others may learn and benefit from your issue.
--->> =====================================================
--->> This posting is provided "AS IS" with no warranties, and confers no
rights.
--->>
--->>
--->> --------------------
--->> --->Thread-Topic: Multiple event IDs 675, 676 and 681
--->> --->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
--->> --->X-WBNR-Posting-Host: 207.46.192.207
--->> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
--->> --->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
--->> <ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
--->> --->Subject: Re: Multiple event IDs 675, 676 and 681
--->> --->Date: Tue, 29 Jul 2008 02:05:02 -0700
--->> --->Lines: 46
--->> --->Message-ID: <54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
--->> --->MIME-Version: 1.0
--->> --->Content-Type: text/plain;
--->> ---> charset="Utf-8"
--->> --->Content-Transfer-Encoding: 7bit
--->> --->X-Newsreader: Microsoft CDO for Windows 2000
--->> --->Content-Class: urn:content-classes:message
--->> --->Importance: normal
--->> --->Priority: normal
--->> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->> --->Newsgroups: microsoft.public.win2000.security
--->> --->Path: TK2MSFTNGHUB02.phx.gbl
--->> --->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.win2000.security:1631
--->> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->> --->X-Tomcat-NG: microsoft.public.win2000.security
--->> --->
--->> --->The events show both machine and user accounts, and yes, I have
been
--->> through
--->> --->eventid.net, but I couldn't find anything helpful.
--->> --->--
--->> --->Madrilleno
--->> --->
--->> --->
--->> --->"Meinolf Weber" wrote:
--->> --->
--->> --->> Hello Madrilleno,
--->> --->>
--->> --->> Basically these are authentication errors, maybe through some
service
--->> accounts
--->> --->> where you changed passwords? So if you check the events, are
they
--->> pointing
--->> --->> to users or computers?
--->> --->>
--->> --->> Did you look here:
--->> --->> 675
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
--->> ase=1
--->> --->> 676
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
--->> hase=1
--->> --->> 681
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
--->> se=1
--->> --->>
--->> --->> Best regards
--->> --->>
--->> --->> Meinolf Weber
--->> --->> Disclaimer: This posting is provided "AS IS" with no
warranties, and
--->> confers
--->> --->> no rights.
--->> --->> ** Please do NOT email, only reply to Newsgroups
--->> --->> ** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
--->> --->>
--->> --->> > I have a domain running in mixed mode which has two Server
2008 DCs
--->> --->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO
roles.
--->> --->> >
--->> --->> > I am seeing a lot of Event ID 675,676 & 681 in the security
logs
--->> --->> > denoting authentication failures.
--->> --->> >
--->> --->> > I have trawled around on the Internet for hours, but have not
found
--->> --->> > any pointers to why these are happening.
--->> --->> >
--->> --->> > The DC is a virtual server which I am using to stage on my
route to
--->> --->> > running the domain as Server 2008 native. There are no
corresponding
--->> --->> > errors on the 2k8 DCs.
--->> --->> >
--->> --->>
--->> --->>
--->> --->>
--->> --->
--->>
--->>
--->

Hi,

I am wirting to see how evertything is going?

Have this issue been sovled or you need further assistance? please feel
free to let me know.
Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Thread-Topic: Multiple event IDs 675, 676 and 681
--->thread-index: AcjxYwnV06JJwYIxTw2fX/9sZcP5CA==
--->X-WBNR-Posting-Host: 65.55.21.8
--->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno DeleteThis @newsgroup.nospam>
--->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08 DeleteThis @microsoft.com>
<ff16fb66a4e608cabf6df483b24b DeleteThis @msnews.microsoft.com>
<54E27A70-00FD-4B9E-AF91-DD743AEC53F7 DeleteThis @microsoft.com>
<O#JNb$V8IHA.4832@TK2MSFTNGHUB02.phx.gbl>
--->Subject: Re: Multiple event IDs 675, 676 and 681
--->Date: Tue, 29 Jul 2008 03:08:24 -0700
--->Lines: 158
--->Message-ID: <E28728AC-1B99-451B-978B-AE8111B3E069 DeleteThis @microsoft.com>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->Newsgroups: microsoft.public.win2000.security
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1633
--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->X-Tomcat-NG: microsoft.public.win2000.security
--->
--->1. There is no time skew on any of my DCs.
--->2. There are no users with locked out accounts.
--->
--->I will try moving the FSMOs to a 2k8 server.
--->--
--->Madrilleno
--->
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for posting here.
--->>
--->> Form my understanding, you have promoted Windows server 2008 as an
--->> additional DC of windows serve 2000.On the server of windows server
2000
--->> holding all FSMO roles, you found some security error messages in
Event
--->> log. If I misunderstood, please advise me.
--->>
--->> Event ID: 675
--->> Event Type: Failure Audit
--->> Event Source: Security
--->> Computer:
--->> Event Category: Account Logon
--->> User: NT AUTHORITY\SYSTEM
--->> Description:
--->> Pre-authentication failed:
--->> Service Name: krbtgt
--->>
--->> The failure might be due to time skew > 5 minutes. Please check the
time
--->> and time zone between the client and server. Are they synchronized?
If not,
--->> please use net time command to force them to synchronize. You can
refer to
--->> the following articles:
--->>
--->> Using the NET TIME Command to Synchronize Windows XP Workstations
--->> http://support.microsoft.com/kb/314090
--->>
--->> Net Time
--->>
http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
--->> 5c-326a562d42461033.mspx?mfr=true
--->>
--->> NET TIME /Domain Will Not Sync Time with Domain Time Source Server
--->> http://support.microsoft.com/kb/193825
--->>
--->> In addition, Event ID 676 and 681 is related to Password
authorization
--->> failure. Windows server 2000 holds PDC role that is responsible for
--->> password verification, so the corresponding verification error may
occur
--->> much on it. Please check if some users passwords have been expired or
--->> locked.
--->>
--->> Also, I suggest you transfer FSMO roles to the server with Windows
server
--->> 2008 to test the result. You can refer to the following article to
perform
--->> to transfer FSMO roles.
--->>
--->> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
controller
--->> http://support.microsoft.com/kb/255504
--->>
--->> If anything is unclear or you need further assistance, please post
back.
--->>
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->> Get Secure! - www.microsoft.com/security
--->> =====================================================
--->> When responding to posts, please "Reply to Group" via your newsreader
so
--->> that others may learn and benefit from your issue.
--->> =====================================================
--->> This posting is provided "AS IS" with no warranties, and confers no
rights.
--->>
--->>
--->> --------------------
--->> --->Thread-Topic: Multiple event IDs 675, 676 and 681
--->> --->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
--->> --->X-WBNR-Posting-Host: 207.46.192.207
--->> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno DeleteThis @newsgroup.nospam>
--->> --->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08 DeleteThis @microsoft.com>
--->> <ff16fb66a4e608cabf6df483b24b DeleteThis @msnews.microsoft.com>
--->> --->Subject: Re: Multiple event IDs 675, 676 and 681
--->> --->Date: Tue, 29 Jul 2008 02:05:02 -0700
--->> --->Lines: 46
--->> --->Message-ID: <54E27A70-00FD-4B9E-AF91-DD743AEC53F7 DeleteThis @microsoft.com>
--->> --->MIME-Version: 1.0
--->> --->Content-Type: text/plain;
--->> ---> charset="Utf-8"
--->> --->Content-Transfer-Encoding: 7bit
--->> --->X-Newsreader: Microsoft CDO for Windows 2000
--->> --->Content-Class: urn:content-classes:message
--->> --->Importance: normal
--->> --->Priority: normal
--->> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
--->> --->Newsgroups: microsoft.public.win2000.security
--->> --->Path: TK2MSFTNGHUB02.phx.gbl
--->> --->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.win2000.security:1631
--->> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->> --->X-Tomcat-NG: microsoft.public.win2000.security
--->> --->
--->> --->The events show both machine and user accounts, and yes, I have
been
--->> through
--->> --->eventid.net, but I couldn't find anything helpful.
--->> --->--
--->> --->Madrilleno
--->> --->
--->> --->
--->> --->"Meinolf Weber" wrote:
--->> --->
--->> --->> Hello Madrilleno,
--->> --->>
--->> --->> Basically these are authentication errors, maybe through some
service
--->> accounts
--->> --->> where you changed passwords? So if you check the events, are
they
--->> pointing
--->> --->> to users or computers?
--->> --->>
--->> --->> Did you look here:
--->> --->> 675
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
--->> ase=1
--->> --->> 676
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
--->> hase=1
--->> --->> 681
--->> --->>
--->>
http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
--->> se=1
--->> --->>
--->> --->> Best regards
--->> --->>
--->> --->> Meinolf Weber
--->> --->> Disclaimer: This posting is provided "AS IS" with no
warranties, and
--->> confers
--->> --->> no rights.
--->> --->> ** Please do NOT email, only reply to Newsgroups
--->> --->> ** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
--->> --->>
--->> --->> > I have a domain running in mixed mode which has two Server
2008 DCs
--->> --->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO
roles.
--->> --->> >
--->> --->> > I am seeing a lot of Event ID 675,676 & 681 in the security
logs
--->> --->> > denoting authentication failures.
--->> --->> >
--->> --->> > I have trawled around on the Internet for hours, but have not
found
--->> --->> > any pointers to why these are happening.
--->> --->> >
--->> --->> > The DC is a virtual server which I am using to stage on my
route to
--->> --->> > running the domain as Server 2008 native. There are no
corresponding
--->> --->> > errors on the 2k8 DCs.
--->> --->> >
--->> --->>
--->> --->>
--->> --->>
--->> --->
--->>
--->>
--->

This is a live installation, so I have to explore other avenues before I
transfer the FSMOs. At the moment, I have a suspicion that the problem lies
somewhere between DNS and machine account passwords being out of sync. I have
just unjoined a suspect client from the domain, deleted its account in AD,
then joined it again. I had already tried resetting its password using netdom
to no avail. I am now monitoring to see if this has had any effect.
--
Madrilleno


"Morgan che(MSFT)" wrote:

> Hi,
>
> I am wirting to see how evertything is going?
>
> Have this issue been sovled or you need further assistance? please feel
> free to let me know.
> Sincerely
> Morgan Che
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> --------------------
> --->Thread-Topic: Multiple event IDs 675, 676 and 681
> --->thread-index: AcjxYwnV06JJwYIxTw2fX/9sZcP5CA==
> --->X-WBNR-Posting-Host: 65.55.21.8
> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
> --->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
> <ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
> <54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
> <O#JNb$V8IHA.4832@TK2MSFTNGHUB02.phx.gbl>
> --->Subject: Re: Multiple event IDs 675, 676 and 681
> --->Date: Tue, 29 Jul 2008 03:08:24 -0700
> --->Lines: 158
> --->Message-ID: <E28728AC-1B99-451B-978B-AE8111B3E069.TakeThisOut@microsoft.com>
> --->MIME-Version: 1.0
> --->Content-Type: text/plain;
> ---> charset="Utf-8"
> --->Content-Transfer-Encoding: 7bit
> --->X-Newsreader: Microsoft CDO for Windows 2000
> --->Content-Class: urn:content-classes:message
> --->Importance: normal
> --->Priority: normal
> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
> --->Newsgroups: microsoft.public.win2000.security
> --->Path: TK2MSFTNGHUB02.phx.gbl
> --->Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.win2000.security:1633
> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
> --->X-Tomcat-NG: microsoft.public.win2000.security
> --->
> --->1. There is no time skew on any of my DCs.
> --->2. There are no users with locked out accounts.
> --->
> --->I will try moving the FSMOs to a 2k8 server.
> --->--
> --->Madrilleno
> --->
> --->
> --->"Morgan che(MSFT)" wrote:
> --->
> --->> Hi,
> --->>
> --->> Thanks for posting here.
> --->>
> --->> Form my understanding, you have promoted Windows server 2008 as an
> --->> additional DC of windows serve 2000.On the server of windows server
> 2000
> --->> holding all FSMO roles, you found some security error messages in
> Event
> --->> log. If I misunderstood, please advise me.
> --->>
> --->> Event ID: 675
> --->> Event Type: Failure Audit
> --->> Event Source: Security
> --->> Computer:
> --->> Event Category: Account Logon
> --->> User: NT AUTHORITY\SYSTEM
> --->> Description:
> --->> Pre-authentication failed:
> --->> Service Name: krbtgt
> --->>
> --->> The failure might be due to time skew > 5 minutes. Please check the
> time
> --->> and time zone between the client and server. Are they synchronized?
> If not,
> --->> please use net time command to force them to synchronize. You can
> refer to
> --->> the following articles:
> --->>
> --->> Using the NET TIME Command to Synchronize Windows XP Workstations
> --->> http://support.microsoft.com/kb/314090
> --->>
> --->> Net Time
> --->>
> http://technet2.microsoft.com/windowsserver/en/library/396e2cab-b011-459a-ac
> --->> 5c-326a562d42461033.mspx?mfr=true
> --->>
> --->> NET TIME /Domain Will Not Sync Time with Domain Time Source Server
> --->> http://support.microsoft.com/kb/193825
> --->>
> --->> In addition, Event ID 676 and 681 is related to Password
> authorization
> --->> failure. Windows server 2000 holds PDC role that is responsible for
> --->> password verification, so the corresponding verification error may
> occur
> --->> much on it. Please check if some users passwords have been expired or
> --->> locked.
> --->>
> --->> Also, I suggest you transfer FSMO roles to the server with Windows
> server
> --->> 2008 to test the result. You can refer to the following article to
> perform
> --->> to transfer FSMO roles.
> --->>
> --->> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
> controller
> --->> http://support.microsoft.com/kb/255504
> --->>
> --->> If anything is unclear or you need further assistance, please post
> back.
> --->>
> --->>
> --->> Sincerely
> --->> Morgan Che
> --->> Microsoft Online Support
> --->> Microsoft Global Technical Support Center
> --->>
> --->> Get Secure! - www.microsoft.com/security
> --->> =====================================================
> --->> When responding to posts, please "Reply to Group" via your newsreader
> so
> --->> that others may learn and benefit from your issue.
> --->> =====================================================
> --->> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --->>
> --->>
> --->> --------------------
> --->> --->Thread-Topic: Multiple event IDs 675, 676 and 681
> --->> --->thread-index: AcjxWi+jLO3Tg+KLRAC5uWq1/+eNRg==
> --->> --->X-WBNR-Posting-Host: 207.46.192.207
> --->> --->From: =?Utf-8?B?TWFkcmlsbGVubw==?= <madrilleno.TakeThisOut@newsgroup.nospam>
> --->> --->References: <D405A4C5-34B9-4C42-AAC6-74AD0E505E08.TakeThisOut@microsoft.com>
> --->> <ff16fb66a4e608cabf6df483b24b.TakeThisOut@msnews.microsoft.com>
> --->> --->Subject: Re: Multiple event IDs 675, 676 and 681
> --->> --->Date: Tue, 29 Jul 2008 02:05:02 -0700
> --->> --->Lines: 46
> --->> --->Message-ID: <54E27A70-00FD-4B9E-AF91-DD743AEC53F7.TakeThisOut@microsoft.com>
> --->> --->MIME-Version: 1.0
> --->> --->Content-Type: text/plain;
> --->> ---> charset="Utf-8"
> --->> --->Content-Transfer-Encoding: 7bit
> --->> --->X-Newsreader: Microsoft CDO for Windows 2000
> --->> --->Content-Class: urn:content-classes:message
> --->> --->Importance: normal
> --->> --->Priority: normal
> --->> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
> --->> --->Newsgroups: microsoft.public.win2000.security
> --->> --->Path: TK2MSFTNGHUB02.phx.gbl
> --->> --->Xref: TK2MSFTNGHUB02.phx.gbl
> microsoft.public.win2000.security:1631
> --->> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
> --->> --->X-Tomcat-NG: microsoft.public.win2000.security
> --->> --->
> --->> --->The events show both machine and user accounts, and yes, I have
> been
> --->> through
> --->> --->eventid.net, but I couldn't find anything helpful.
> --->> --->--
> --->> --->Madrilleno
> --->> --->
> --->> --->
> --->> --->"Meinolf Weber" wrote:
> --->> --->
> --->> --->> Hello Madrilleno,
> --->> --->>
> --->> --->> Basically these are authentication errors, maybe through some
> service
> --->> accounts
> --->> --->> where you changed passwords? So if you check the events, are
> they
> --->> pointing
> --->> --->> to users or computers?
> --->> --->>
> --->> --->> Did you look here:
> --->> --->> 675
> --->> --->>
> --->>
> http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&ph
> --->> ase=1
> --->> --->> 676
> --->> --->>
> --->>
> http://www.eventid.net/display.asp?eventid=676&eventno=668&source=Security&p
> --->> hase=1
> --->> --->> 681
> --->> --->>
> --->>
> http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&pha
> --->> se=1
> --->> --->>
> --->> --->> Best regards
> --->> --->>
> --->> --->> Meinolf Weber
> --->> --->> Disclaimer: This posting is provided "AS IS" with no
> warranties, and
> --->> confers
> --->> --->> no rights.
> --->> --->> ** Please do NOT email, only reply to Newsgroups
> --->> --->> ** HELP us help YOU!!!
> http://www.blakjak.demon.co.uk/mul_crss.htm
> --->> --->>
> --->> --->> > I have a domain running in mixed mode which has two Server
> 2008 DCs
> --->> --->> > and a Server 2000 DC. The server 2000 DC holds the five FSMO
> roles.
> --->> --->> >
> --->> --->> > I am seeing a lot of Event ID 675,676 & 681 in the security
> logs
> --->> --->> > denoting authentication failures.
> --->> --->> >
> --->> --->> > I have trawled around on the Internet for hours, but have not
> found
> --->> --->> > any pointers to why these are happening.
> --->> --->> >
> --->> --->> > The DC is a virtual server which I am using to stage on my
> route to
> --->> --->> > running the domain as Server 2008 native. There are no
> corresponding
> --->> --->> > errors on the 2k8 DCs.
> --->> --->> >
> --->> --->>
> --->> --->>
> --->> --->>
> --->> --->
> --->>
> --->>
> --->
>
>