Domain controller Event ID 566 caused by SCE server.
I am using System Center Essentials 2007 to do software deployments and patch management. We are forced to use the agent-managed setup and manually discover clients. I manage an OU in a larger domain. Recently our domain administrators have come to us asking why our SCE server is generating a massive amount of Failure audits on the domain controller. Here is an example of the error:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 10/20/2009
Time: 3:10:23 PM
User: SSV\DVAFLOLYIS2$
Computer: SSVGCOLY09
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: computer
Object Name: CN=DVAWKRETZ064264,OU=Computers,OU=Retsil,OU=Locations,OU=DVA - Department of Veteran's Affairs,DC=ssv,DC=wa,DC=lcl
Handle ID: -
Primary User Name: SSVGCOLY09$
Primary Domain: SSV
Primary Logon ID: (0x0,0x3E7)
Client User Name: DVAFLOLYIS2$
Client Domain: SSV
Client Logon ID: (0x0,0x59C78ED9)
Accesses: Control Access
Properties:
---
computer
Private Information
msPKIRoamingTimeStamp
msPKIDPAPIMasterKeys
msPKIAccountCredentials
msPKI-CredentialRoamingTokens
Default property set
msTPM-OwnerInformation
unixUserPassword
Additional Info:
Additional Info2:
Access Mask: 0x100
October 21st, 2009 8:26pm
Hi James,
Based on research and experience, this Error 556 is actually not an SCE problem but a Windows Server issue. I think you will get a better answer in the Windows Server news group since this forum is for System Center Essentials (SCE).
Since we are seeing "Failure Audit" for attribute UnixUserPassword, this attribute comes with Services for UNIX. In Windows 2003 R2, there is a slight change in this attribute compared to Windows 2003 SP1: the value of "searchflag" in Windows 2003 for this attribute is 0 and in 2003 R2 it is 128. Value 128 means it is a confidential attribute that can only be viewed by a Domain Administrator or any user who is a member of the Administrators group.
At the same time, here I also found some related information regarding Error 556 for your reference:
Step 1: Change the value of "searchflag" from 128 to 0. (I still suggest we try this step again.)
On the Schema Master, open ADSIEdit:
a. Verify that the SearchFlags property in the UnixUserPassword setting is set to 0.
b. If it is not set to 0, then please do this.
c. Either force AD Replication (specifically the Schema Partition) or wait for normal replication to occur. But if you wait, do not continue until you see the changes on all domain controllers in the forest.
If Step 1 does not work, go on with Step 2.
Step 2: Set Directory Service Access Auditing to no auditing to remove the audit entries from the security event log, so that Directory Services Access is not auditing for failures.
For detailed explanation and steps, see:
Audit directory service access
http://technet2.microsoft.com/WindowsServer/en/Library/20068d03-6473-4e00-84d4-fb1c7cce57d21033.mspx?mfr=true
However, if the issue persists after trying the above steps, please go to our Windows Server forum or Newsgroup for further support. You can find the Windows Server news group at:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.general&cat=en_us_cd1f19d9-0b39-44ba-b33a-65f512405f85&lang=en&cr=us
and
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.security&cat=en_us_731c1022-725d-486f-a72f-768946312aeb&lang=en&cr=us
Hope this helps.
October 23rd, 2009 12:59pm
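The following is an added example, not code from either poster or from any Microsoft tool: before changing searchFlags or switching off Directory Service Access auditing, it tallies which client accounts produce Event ID 566 failure audits that list a given attribute such as unixUserPassword. It assumes the events were exported as text in the layout quoted in the question; the function names and the sample data are constructed.

```python
import re
from collections import Counter

# Constructed sample in the question's event layout; OTHERHOST$ is a made-up account.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 566
Client User Name: DVAFLOLYIS2$
Properties:
---
computer
Private Information
msPKIRoamingTimeStamp
Default property set
unixUserPassword
Additional Info:
Event Type: Failure Audit
Event ID: 566
Client User Name: OTHERHOST$
Properties:
---
computer
Default property set
description
Additional Info:
"""

def parse_events(text):
    """Split exported event text into field dicts, each with a 'Properties' list."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        ev, in_props = {"Properties": []}, False
        for line in filter(None, map(str.strip, block.splitlines())):
            key, sep, value = line.partition(":")
            if key in ("Properties", "Additional Info"):
                in_props = key == "Properties"   # list runs until "Additional Info:"
            elif in_props and line != "---":
                ev["Properties"].append(line)
            elif sep:
                ev[key] = value.strip()
        if len(ev) > 1:                          # skip the empty chunk before event 1
            events.append(ev)
    return events

def failures_by_client(events, attribute):
    """Count Failure Audit 566 events per client account that list `attribute`."""
    return Counter(e.get("Client User Name") for e in events
                   if e.get("Event Type") == "Failure Audit"
                   and e.get("Event ID") == "566"
                   and attribute in e["Properties"])
```

Running `failures_by_client(parse_events(exported_text), "unixUserPassword")` over a real export shows whether the failures come from one account, such as the SCE server's computer account, or from many.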