Domain controller Event ID 566 caused by SCE server
I am using System Center Essentials 2007 to do software deployments and patch management. We are forced to use the agent-managed setup and manually discover clients. I manage an OU in a larger domain. Recently our domain administrators have come to us asking why our SCE server is generating a massive amount of Failure audits on the domain controller. Here is an example of the error:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 10/20/2009
Time: 3:10:23 PM
User: SSV\DVAFLOLYIS2$
Computer: SSVGCOLY09
Description: Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: computer
Object Name: CN=DVAWKRETZ064264,OU=Computers,OU=Retsil,OU=Locations,OU=DVA - Department of Veteran's Affairs,DC=ssv,DC=wa,DC=lcl
Handle ID: -
Primary User Name: SSVGCOLY09$
Primary Domain: SSV
Primary Logon ID: (0x0,0x3E7)
Client User Name: DVAFLOLYIS2$
Client Domain: SSV
Client Logon ID: (0x0,0x59C78ED9)
Accesses: Control Access
Properties:
---
computer
Private Information
msPKIRoamingTimeStamp
msPKIDPAPIMasterKeys
msPKIAccountCredentials
msPKI-CredentialRoamingTokens
Default property set
msTPM-OwnerInformation
unixUserPassword
Additional Info:
Additional Info2:
Access Mask: 0x100
October 21st, 2009 8:26pm
Hi James,

Based on research and experience, this Error 556 is actually not an SCE problem but a Windows Server issue. I think you will get a better answer in the Windows Server newsgroup, since this forum is for System Center Essentials (SCE).

We are seeing "Failure Audit" for the attribute UnixUserPassword; this attribute comes with Services for UNIX. In Windows 2003 R2 there is a slight change in this attribute compared to Windows 2003 SP1: the value of "searchflag" in Windows 2003 for this attribute is 0, and in 2003 R2 it is 128. Value 128 means it is a confidential attribute that can only be viewed by a Domain Administrator or any user who is a member of the Administrators group.

At the same time, I also found some related information regarding Error 556 for your reference:

Step 1: Change the value of "searchflag" from 128 to 0. (I still suggest we try this step again.)
On the Schema Master, open ADSIEdit:
a. Verify that the SearchFlags property in the UnixUserPassword setting is set to 0.
b. If it is not set to 0, then please do this.
c. Either force AD replication (specifically the Schema partition) or wait for normal replication to occur. But if you wait, do not continue until you see the changes on all domain controllers in the forest.

If Step 1 does not work, go on with Step 2.

Step 2: Set Directory Service Access auditing to no auditing to remove the audit entries from the security event log, so that Directory Services Access is not auditing for failures. For a detailed explanation and steps, see:
Audit directory service access
http://technet2.microsoft.com/WindowsServer/en/Library/20068d03-6473-4e00-84d4-fb1c7cce57d21033.mspx?mfr=true

However, if the issue persists after trying the above steps, please go to our Windows Server forum or newsgroup for further support.

You can find the Windows Server newsgroups at:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.general&cat=en_us_cd1f19d9-0b39-44ba-b33a-65f512405f85&lang=en&cr=us
and
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.security&cat=en_us_731c1022-725d-486f-a72f-768946312aeb&lang=en&cr=us

Hope this helps.
October 23rd, 2009 12:59pm
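
A triage sketch for the audit entries discussed in this thread, as an added example that is not part of either post: it parses event 566 descriptions and counts, per client account, the Control Access failures that name an attribute whose searchFlags has the confidential bit (128) set. The sample event, the account and object names in it, and the contents of SCHEMA_SEARCH_FLAGS are constructed assumptions; only the unixUserPassword value of 128 and the 0x100 access mask come from the thread.

```python
import re
from collections import Counter

# searchFlags bit for a confidential attribute (the value 128 named in the answer).
CONFIDENTIAL = 0x80
# Access mask shown next to "Accesses: Control Access" in the posted event.
CONTROL_ACCESS = 0x100

# Assumption: attribute -> searchFlags as read from your own schema.
# Only the unixUserPassword value (128 on Windows 2003 R2) comes from the thread.
SCHEMA_SEARCH_FLAGS = {"unixUserPassword": 128}

# Constructed sample, in the flattened one-line form an exported event often has.
SAMPLE_EVENT = (
    "Event Type: Failure Audit Event Source: Security Event ID: 566 "
    "Object Type: computer Object Name: CN=PC01,OU=Computers,DC=example,DC=lcl "
    "Handle ID: - Client User Name: SCESRV01$ Client Domain: EXAMPLE "
    "Accesses: Control Access Properties: --- computer Default property set "
    "msTPM-OwnerInformation unixUserPassword Additional Info: Access Mask: 0x100"
)

def parse_566(text):
    """Extract the fields needed for triage from one event 566 description."""
    def field(name, stop):
        m = re.search(re.escape(name) + r":\s*(.*?)\s*" + re.escape(stop), text, re.S)
        return m.group(1) if m else None
    mask = re.search(r"Access Mask:\s*(0x[0-9A-Fa-f]+)", text)
    return {
        "client": field("Client User Name", "Client Domain:"),
        "object": field("Object Name", "Handle ID:"),
        "properties": (field("Properties", "Additional Info:") or "").split(),
        "mask": int(mask.group(1), 16) if mask else 0,
    }

def confidential_hits(event, schema=SCHEMA_SEARCH_FLAGS):
    """Properties in a Control Access failure whose searchFlags has bit 128 set."""
    if not event["mask"] & CONTROL_ACCESS:
        return []
    return [p for p in event["properties"] if schema.get(p, 0) & CONFIDENTIAL]

def summarize(events):
    """Count failures per (client account, confidential attribute)."""
    counts = Counter()
    for text in events:
        ev = parse_566(text)
        for attr in confidential_hits(ev):
            counts[(ev["client"], attr)] += 1
    return counts
```

Feeding `summarize` the exported descriptions from the domain controller's Security log shows which accounts account for the volume and which confidential attributes they are being denied.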