Problem with ExSearch.exe - Event 4625 after fresh install of Exchange 2007SP1
Hi,

after a fresh standard install of Exchange 2007 SP1 on Windows Server 2008 64bit I get strange errors in the security event log. The entry occurs twice every minute. It must have something to do with the Exchange SearchIndexer ExSearch.exe, because this is the calling process which generates this error, and the error doesn't occur when this process is stopped. The process runs under the Local System account by default.

At this point I've done nothing with Exchange, added no mailboxes, nothing except installed the Update Rollup 2(?) via Windows Update. All prerequisites for Exchange 2007 were fulfilled before the installation. I have no idea how to solve this problem, no Google result could help.

Has anyone ANY idea how to solve this? Please help, I wanna get rid of this error message.

Here is the full message (sry, I only have it in German):

Fehler beim Anmelden eines Kontos.

Antragsteller:
    Sicherheits-ID: SYSTEM
    Kontoname: MARCUSE$
    Kontodomäne: CRANKTHEORY
    Anmelde-ID: 0x3e7

Anmeldetyp: 3

Konto, für das die Anmeldung fehlgeschlagen ist:
    Sicherheits-ID: NULL SID
    Kontoname: MARCUSE$
    Kontodomäne:

Fehlerinformationen:
    Fehlerursache: Unbekannter Benutzername oder ungültiges Kennwort.
    Status: 0xc000006d
    Unterstatus:: 0xc0000064

Prozessinformationen:
    Aufrufprozess-ID: 0x5c4
    Aufrufprozessname: C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.Search.ExSearch.exe

Netzwerkinformationen:
    Arbeitsstationsname: MARCUSE
    Quellnetzwerkadresse: -
    Quellport: -

Detaillierte Authentifizierungsinformationen:
    Anmeldeprozess: Advapi
    Authentifizierungspaket: Negotiate
    Übertragene Dienste: -
    Paketname (nur NTLM): -
    Schlüssellänge: 0

Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde.

Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe".

Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk).

Die Felder für die Prozessinformationen geben den Prozess und das Konto an, für die die Anmeldung angefordert wurde.

Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. Der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben.

Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung.
 - Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren.
 - Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an.
 - Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0.
June 7th, 2008 1:40pm
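An added example, not part of the original post: a small triage script that parses 4625 events in Event Log XML form and counts them per calling process, target account and sub-status, so that a recurring local machine-account failure like the one above can be told apart from other failed logons. The field names are the standard 4625 EventData names; the sample events are constructed (the first from the values in the post, the second entirely made up).

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of NTSTATUS codes seen in the Status/SubStatus fields of event 4625.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    return {d.get("Name"): d.text or ""
            for d in root.iterfind("e:EventData/e:Data", NS)}

def is_self_machine_logon(f):
    """Host requests a logon for its own machine account, locally, name not found."""
    return (f["TargetUserName"].endswith("$")
            and f["TargetUserName"].lower() == f["SubjectUserName"].lower()
            and f["IpAddress"] in ("", "-")
            and int(f["SubStatus"], 16) == 0xC0000064)

def summarize(events_xml):
    """Count failures per (calling process, target, sub-status, pattern match)."""
    counts = Counter()
    for text in events_xml:
        f = parse_4625(text)
        if f is None:
            continue
        sub = int(f["SubStatus"], 16)
        counts[(f["ProcessName"].rsplit("\\", 1)[-1], f["TargetUserName"],
                NTSTATUS.get(sub, hex(sub)), is_self_machine_logon(f))] += 1
    return counts

def make_event(**fields):  # builds constructed sample XML, not a real export
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>4625</EventID></System>'
            "<EventData>%s</EventData></Event>" % (NS["e"], data))

EXSEARCH = make_event(SubjectUserName="MARCUSE$", TargetUserName="MARCUSE$",
    Status="0xc000006d", SubStatus="0xc0000064", LogonType="3", IpAddress="-",
    ProcessName=r"C:\Program Files\Microsoft\Exchange Server\Bin"
                r"\Microsoft.Exchange.Search.ExSearch.exe")
OTHER = make_event(SubjectUserName="-", TargetUserName="alice", IpAddress="192.0.2.10",
    Status="0xc000006d", SubStatus="0xc000006a", LogonType="3", ProcessName="-")
SAMPLE = [EXSEARCH, EXSEARCH, OTHER]  # constructed input for the demo

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Real input can be taken from `wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:xml`, passing each `<Event>` element to `parse_4625` as a string.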

Hi,
1. First try to log on to the Exchange Server with another administrator.
2. Open a command prompt and run servermanagercmd -query to see whether any error is generated.
3. If so, the two files below should be contained in the folder c:\windows\system32\servermanager\cache:
CbsUpdateInfo.bin
CbsUpdateState.bin
Also, you can check the Server Manager log and CBS.log in c:\windows\logs. BTW, please check whether any related event is logged in the Application log. Hope it helps. Xiu
June 10th, 2008 11:22am

Sorry, no help from me :-( since I have exactly the same problem. Fresh install of Server 2008 and Exchange 2007 SP1, and when checking the logs I find a few strange messages. Before I go on configuring and installing additional stuff I want to either resolve or fully understand all warnings and errors in the event log. Search on the internet came up with no real clues so far. The reply you got from Xiu makes no sense to me, since the error is not related to the user logged on but to the service ExSearch. Why is this service using what I assume to be a machine account (since it ends with '$') in the first place? Nowhere during installation do you get an option to specify credentials for this (or any other) Exchange service. So why is it complaining, while other services are doing their thing in silence :-).
June 11th, 2008 9:25am

@Ron_M: Yeah, this doesn't make sense to me, too... I also tried to run the ExSearch service under the Administrator account, but this doesn't help... Does no one know how to solve this?
June 12th, 2008 12:58pm

Hi, I have set up a lab to test this issue.
machine1: Windows Server 2003 (32-bit) - Domain Controller
machine2: Windows Server 2008 (64-bit) - Exchange 2007 with SP1
Before I installed Update Rollup 2 for Exchange 2007 SP1, I checked Event Viewer; event 4625 was frequently logged in the security log. The event detail is the same as yours. But after I downloaded and installed Rollup 2 for Exchange 2007 SP1 and then checked Event Viewer, 4625 had disappeared. So now, please try to apply Rollup 2 for Exchange 2007 SP1.
Update Rollup 2 for Exchange Server 2007 Service Pack 1 (KB948016) http://www.microsoft.com/downloads/details.aspx?FamilyId=99DA32E0-D9E3-4156-AABF-8369BF96E3E7&displaylang=en
Hope it helps. Xiu
June 13th, 2008 12:04pm

Did this work for you guys? I have Rollup 2 installed. I am getting the same audit failures, 2 every 30 seconds.
June 16th, 2008 11:33pm

Installed Rollup 2 but the log messages still appear.
June 17th, 2008 11:19am

Did some further digging in event logs and found some related messages. There are a lot of entries with event id 4634 indicating logoff of this <machinename>$ account at some point (Audit success). After that the logon error 'disappears' for 3 minutes, only to come back every 30 seconds after that.
June 17th, 2008 2:33pm

I have noticed a similar trend.
June 17th, 2008 5:33pm

Hi, Based on my further research, it has been logged as a bug (bug id: 131983) for Exchange 2007 SP1. It will be solved in SP1 Rollup 4. If you prefer, you could contact Microsoft Customer Service and Support (CSS) directly to try to obtain the fix. For a complete list of Microsoft Customer Service and Support (CSS) phone numbers and information about support costs, visit the following Microsoft Web site: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE: Support calls for a hotfix are free. Please do not worry. Even so, in some cases, contacting phone support may be charged. However, if you are simply requesting that a hotfix be sent to you and no other support, then charges are usually refunded or waived. Hope it helps. Xiu
June 18th, 2008 4:27am

Hello, we have the same problem, but Microsoft CSS will not support us. They want a KB number and then we get the fix. So could you tell me the KB article number? I didn't find it. Best Regards, Sascha
June 19th, 2008 10:31am

Hi, As far as I know, the hotfix has not been published and the bug would be solved in Rollup 4. So if you cannot get the hotfix from CSS, then it may be under investigation. As this event will not affect the performance of Exchange, we can ignore it and wait for Rollup 4 to be released. Any further update I will post here. Thanks for your understanding. Best regards, Xiu
June 19th, 2008 12:24pm

Wow, nice to see that I'm not the only one who gets this error ... thanks for your research and let's hope the hotfix will be released soon. Regards, Florian
June 22nd, 2008 9:23pm

Hi all, maybe I found the solution. On the same config as in the first post, I've changed the Local Security Policies / Security Options / Network Security: LAN Man auth level item to Send LM & NTLM - use NTLMv2 session security if negotiated (instead of NTLM only, which had been set up by the SBS previously used in the domain), and since then this warning has disappeared from the logs. So no need to wait for Rollup 4 (anyway, I can't install even Rollup 1 because of corrupted WinInstaller error 1306). Regards, Honza
June 28th, 2008 11:40pm

Hi, I have tested it in my lab. The default setting for Network Security: LAN Manager authentication level is "Send NTLMv2 response only". If I change it to Send LM & NTLM - use NTLMv2 session security if negotiated, event 4625 is still logged there. After that, we can find event 4648 in the security log. It logged that the logon task for the process named ExSearch.exe has been successfully audited. So, Honza, please try to apply the latest update and then test it again. Thanks. Regards, Xiu
June 30th, 2008 6:28am

Brekeker's solution worked on my fresh install of Exchange 2007 SP1 (with rollup 2 applied) on a Windows 2008 x64. Thank you for sharing.
July 18th, 2008 3:36am

Hi Xiu, I have the same issue, but what I also see is that the connection to the Exchange server is lost every minute or so. In my case this is a live environment and some users see the message that the connection to the Exchange server has been restored. This issue did not come up after the initial installation, but now (1.5 months later) we are experiencing this problem. Environment is Windows 2008 (virtual) + Exchange 2007 SP1 with Rollup 3 installed. Can you tell me when this Rollup 4 for SP1 will be released? Thank you.
August 20th, 2008 11:10am

I'm experiencing the same issue with Windows 2008 + Exchange 2007 SP1 Rollup 3. Come on Microsoft please release a fix.
August 28th, 2008 4:49pm

Rollup 4 is now released, hopefully it resolves the issue. http://support.microsoft.com/?kbid=952580
October 29th, 2008 9:56pm

This topic is archived. No further replies will be accepted.