Event ID 566 - Directory Service Access
in [Windows Servers]
|
From: Lee on 22 Mar 2010 13:31 We have been seen Audit failures for some time on both of our DC's. We are running Windows Server 2003 R2 SP2 on both DC. 2003 native domain and DNS integrated running on both DC's. Event Type: Failure Audit Event Source: Security Event Category: Directory Service Access Event ID: 566 Date: 22/03/2010 Time: 17:18:50 User: SUPPORT\<machine Account> Computer: <DC 1> Description: Object Operation: Object Server: DS Operation Type: Object Access Object Type: dnsNode Object Name: DC=28,DC=21.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=***,DC=co,DC=uk Handle ID: - Primary User Name: SERVER12$ Primary Domain: ***** Primary Logon ID: (0x0,0x3E7) Client User Name: **** Client Domain: SUPPORT Client Logon ID: (0x0,0x1F1CDD08) Accesses: Write Self Properties: --- Default property set dnsRecord dNSTombstoned dnsNode Additional Info: Additional Info2: Access Mask: 0x8 We are also seeing the following audit failures: Event Type: Failure Audit Event Source: Security Event Category: Directory Service Access Event ID: 566 Date: 22/03/2010 Time: 15:08:00 User: ***\VPCSCVMM2K8R2$ Computer: SERVER12 Description: Object Operation: Object Server: DS Operation Type: Object Access Object Type: computer Object Name: CN=VPCSCVMM2K8R2,OU=WSUS Computers,OU=Computers,OU=****,DC=****,DC=co,DC=uk Handle ID: - Primary User Name: SERVER12$ Primary Domain: **** Primary Logon ID: (0x0,0x3E7) Client User Name: VPCSCVMM2K8R2$ Client Domain: **** Client Logon ID: (0x0,0x1F0FF974) Accesses: Write Property Properties: --- Public Information servicePrincipalName computer Additional Info: Additional Info2: Access Mask: 0x20 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Hopefully someone can point us in the right direction.
From: Dusko Savatovic on 23 Mar 2010 04:27 The first one definitely comes from a server trying to write a DNS record. Check your DNS server that it has dynamic updates enabled. Also run scavenging that will remove stale, tombstoned records. The second one may also come from DNS. Is that server in a workgroup? If it is, it may not have permission to update its DNS record. "Lee" <Lee(a)discussions.microsoft.com> wrote in message news:4157F467-B07C-4200-8D34-ED10C381EEC1(a)microsoft.com... > We have been seen Audit failures for some time on both of our DC's. We are > running Windows Server 2003 R2 SP2 on both DC. 2003 native domain and DNS > integrated running on both DC's. > > Event Type: Failure Audit > Event Source: Security > Event Category: Directory Service Access > Event ID: 566 > Date: 22/03/2010 > Time: 17:18:50 > User: SUPPORT\<machine Account> > Computer: <DC 1> > Description: > Object Operation: > Object Server: DS > Operation Type: Object Access > Object Type: dnsNode > Object > Name: > DC=28,DC=21.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=***,DC=co,DC=uk > Handle ID: - > Primary User Name: SERVER12$ > Primary Domain: ***** > Primary Logon ID: (0x0,0x3E7) > Client User Name: **** > Client Domain: SUPPORT > Client Logon ID: (0x0,0x1F1CDD08) > Accesses: Write Self > > Properties: > --- > Default property set > dnsRecord > dNSTombstoned > dnsNode > > Additional Info: > Additional Info2: > Access Mask: 0x8 > > > We are also seeing the following audit failures: > > Event Type: Failure Audit > Event Source: Security > Event Category: Directory Service Access > Event ID: 566 > Date: 22/03/2010 > Time: 15:08:00 > User: ***\VPCSCVMM2K8R2$ > Computer: SERVER12 > Description: > Object Operation: > Object Server: DS > Operation Type: Object Access > Object Type: computer > Object Name: CN=VPCSCVMM2K8R2,OU=WSUS > Computers,OU=Computers,OU=****,DC=****,DC=co,DC=uk > Handle ID: - > Primary User Name: SERVER12$ > Primary Domain: **** > Primary Logon ID: (0x0,0x3E7) > Client User Name: VPCSCVMM2K8R2$ > Client Domain: **** > Client Logon ID: (0x0,0x1F0FF974) > Accesses: Write Property > > Properties: > --- > Public Information > servicePrincipalName > computer > > Additional Info: > Additional Info2: > Access Mask: 0x20 > > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > > Hopefully someone can point us in the right direction. > > >
From: Ace Fekay [MVP-DS, MCT] on 24 Mar 2010 10:16 "Dusko Savatovic" <savatovic(a)nospam.gmail.com> wrote in message news:F29B5117-4EFD-4286-83C1-F384AB912E4E(a)microsoft.com... > The first one definitely comes from a server trying to write a DNS record. > Check your DNS server that it has dynamic updates enabled. Also run > scavenging that will remove stale, tombstoned records. > > The second one may also come from DNS. Is that server in a workgroup? If it > is, it may not have permission to update its DNS record. > It could also be something simple such as using an ISP, the router, or some other external DNS server (not the internal DC/DNS) set in the machine's IP properties. If the poster can provide us an unedited ipconfig /all, we can evaluate and point out any possible mis-configurations. -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer Microsoft MVP - Directory Services If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
|
Pages: 1 Prev: Mandatory Profiles Next: Memory Usage on Windows Server 2003 r2 |