Guest r. wales
Posted May 28, 2008

Every morning I review the logs on my DCs. On my PDC this morning I saw Security events logged through the night for our users and workstations. We shut down the workstations at the end of the day so no machines were actually on. The events I saw were event 674, Service Ticket Renewed. Samples provided below:

-- entry for workstation/server
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 5:05:54 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
    User Name: <workstationname>$@<domainname>
    User Domain: <domainname>
    Service Name: krbtgt
    Service ID: <domain>\krbtgt
    Ticket Options: 0x2
    Ticket Encryption Type: 0x17
    Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-- entry for user
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 4:59:56 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
    User Name: <username>@<domainname>
    User Domain: <domainname>
    Service Name: krbtgt
    Service ID: <domain>\krbtgt
    Ticket Options: 0x2
    Ticket Encryption Type: 0x17
    Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I occasionally see one or two of these entries through the night. However, last night it appears that every one of my users and machines turns up at least once. The client address for all of the log entries is the local 127.0.0.1.

Any suggestions as to why these are showing up now? Does this look like anything to be concerned about?

The only changes made were the installation of CA Antivirus on Monday and log changes for an hour or so on Tuesday afternoon. Logon auditing was changed from -Failure- to -Success and Failure- for testing and then back to -Failure- only. Could this have triggered it?

Server info: win2k3 standard sp2; fully patched

Thanks in advance!

Guest r. wales
Posted May 28, 2008

RE: log questions

UPDATE: All machine and *some* user account entries are repeating approximately every 9 hours and 50 minutes. These entries only seem to be occurring on one of three DCs. Why the local IP address? If a service is causing this, how can I find out which one? Used Process Explorer - nothing unusual; used TCP View - a lot of LDAP traffic, but other than that all looks normal.
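
An added example, not part of the original posts: one way to check the repeat interval and client address described above is to paste the exported Security log text into a small script that groups event 674 renewals by account. The field names come from the posted entries; the sample records, account names and the function names `parse_events` and `renewal_summary` are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the field layout of the posted entries; every name,
# time and address below is made up for the example.
TEMPLATE = ("Event Type: Success Audit\nEvent ID: 674\nDate: {0}\nTime: {1}\n"
            "Description: Service Ticket Renewed:\nUser Name: {2}\n"
            "Service Name: krbtgt\nClient Address: {3}\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("5/27/2008", "7:15:54 PM", "WS01$@EXAMPLE.LOCAL", "127.0.0.1"),
    ("5/28/2008", "5:05:54 AM", "WS01$@EXAMPLE.LOCAL", "127.0.0.1"),
    ("5/28/2008", "4:59:56 AM", "jdoe@EXAMPLE.LOCAL", "127.0.0.1"),
    ("5/28/2008", "6:10:00 AM", "SRV02$@EXAMPLE.LOCAL", "192.0.2.10"),
])

FIELDS = {"event_id": r"Event ID:\s*(\d+)", "date": r"Date:\s*(\d+/\d+/\d+)",
          "time": r"Time:\s*(\d+:\d+:\d+ [AP]M)", "account": r"User Name:\s*(\S+)",
          "service": r"Service Name:\s*(\S+)", "client": r"Client Address:\s*(\S+)"}

def parse_events(text):
    """Split pasted Event Viewer text into one dict per complete record."""
    events = []
    for chunk in re.split(r"(?=Event Type:)", text):
        rec = {k: m.group(1) for k, p in FIELDS.items() if (m := re.search(p, chunk))}
        if len(rec) == len(FIELDS):  # skip fragments with missing fields
            rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                            "%m/%d/%Y %I:%M:%S %p")
            events.append(rec)
    return events

def renewal_summary(events):
    """Per account: 674 count, minutes between renewals, client addresses seen."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "674" and ev["service"] == "krbtgt":
            by_account[ev["account"]].append(ev)
    summary = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() / 60 for a, b in zip(evs, evs[1:])]
        clients = sorted({e["client"] for e in evs})
        summary[account] = {"count": len(evs), "gaps_min": gaps, "clients": clients,
                            "loopback_only": clients == ["127.0.0.1"]}
    return summary

if __name__ == "__main__":
    for account, info in sorted(renewal_summary(parse_events(SAMPLE)).items()):
        print(account, info)
```

Running it against the log from each DC separately shows which accounts renew on a fixed interval and whether the renewals on a given DC carry only the loopback address.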