File Server(member server) is logging excessive 1624/1634 events

This file server was first a 2003 x32 bit file server and started having this problem.
I spawned a new VM with Server 2008 R2 x64 and started sharing my files from that server and gave that server the same name as the old.
The problem exists on the new server as well. UPDATE - I changed the name of the server to FS2 and rebooted but no change. The excessive 1624/1634 messages continue.

The server is sharing files but is not a printer server. No features are installed and only the FILE SERVER role is installed.
The server is running McAfee HBSS client software.
The server is logging 192MEG a day of 1624/1634 errors. The problem is that all these connections are coming from workstations and servers in other OUs. The other OUs are in other parts of the world. The OUs all have their own AD controller. The shares on my File Server are for only local users and users from other OUs would not be able to access them. The connects usually last less than 1 minute. When I look at MANAGE OPEN FILES I only see connections from my users. When I go to MANAGE OPEN SESSIONS I see dozens of connections - most are 5 minutes or less but some are 30-40 minutes. This started about 2 months ago and I have not been able to equate this to any GPO change, patch install or software install. This server does not use WINS.

Any ideas would be appreciated.

June 9th, 2012 3:03pm
Hello

Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.
TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tnmff@microsoft.com.

June 11th, 2012 1:10am
Hi,
Could you please post an example of the 1624 and 1634 event? Thanks.
Regards,
Denny Zhou
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

June 11th, 2012 8:07am
No problem.
Just want everyone to know that I have opened a ticket with Microsoft on this.
Per company policy I am very restricted on what information I can give out.
I know that will limit the assistance I receive but my hands are tied. :-(

June 12th, 2012 11:48am
I will try to get it to you shortly. I will have to sanitize it somewhat per my organization's policy... Sorry if that hampers your efforts to assist me.

June 12th, 2012 11:49am
Below are the items that are logging about 30 times a second. My Security log fills up in less than 24 hours - it is 192meg.

LOG ON EVENT

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: ABCD\WORKSTATIONWS163$
    Account Name: WORKSTATIONWS163$
    Account Domain: TCSC
    Logon ID: 0x4e8949b
    Logon GUID: {e9af44a5-1abc-2b5a-0f3c-bec1a4776229}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name:
    Source Network Address: XXX.XXX.XXX.163
    Source Port: 3147

Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested

LOGOUT EVENT

An account was logged off.

Subject:
    Security ID: ABCD\WORKSTATIONWS163$
    Account Name: WORKSTATIONWS163$
    Account Domain: TCSC
    Logon ID: 0x4eb1bed

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

June 12th, 2012 12:04pm
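
The event text quoted above is that of Windows Security events 4624 (an account was successfully logged on) and 4634 (an account was logged off). As an added example that is not part of the original thread, this Python script tallies type 3 logons by source address and account and pairs each logoff with its logon through the Logon ID, as the event description suggests. The sample events, addresses and the helper names (`field`, `summarize`, `logon`, `logoff`) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

def field(msg, label):
    """Last 'label: value' in an event message. In a 4624 the Subject block
    (Account Name '-', Logon ID 0x0) comes first, so the last hit is New Logon."""
    hits = re.findall(r"^\s*" + re.escape(label) + r":[ \t]*(\S*)", msg, re.M)
    return hits[-1] if hits else ""

def summarize(events):
    """events: iterable of (epoch_seconds, event_id, message_text). Returns
    (logons per (source address, account), session seconds per account)."""
    per_source = Counter()
    open_sessions = {}                      # Logon ID -> (account, logon time)
    durations = defaultdict(list)
    for ts, event_id, msg in sorted(events):
        logon_id, account = field(msg, "Logon ID"), field(msg, "Account Name")
        if event_id == 4624 and field(msg, "Logon Type") == "3":
            per_source[(field(msg, "Source Network Address"), account)] += 1
            open_sessions[logon_id] = (account, ts)
        elif event_id == 4634 and logon_id in open_sessions:
            start_account, start = open_sessions.pop(logon_id)
            durations[start_account].append(ts - start)
    return per_source, dict(durations)

# Constructed sample events, trimmed to the fields used; hosts, addresses and
# Logon IDs are made up (documentation address ranges).
def logon(account, addr, logon_id):
    return ("Subject:\n  Account Name: -\n  Logon ID: 0x0\nLogon Type: 3\n"
            f"New Logon:\n  Account Name: {account}\n  Logon ID: {logon_id}\n"
            f"Network Information:\n  Workstation Name:\n  Source Network Address: {addr}\n")

def logoff(account, logon_id):
    return (f"Subject:\n  Account Name: {account}\n  Logon ID: {logon_id}\n"
            "Logon Type: 3\n")

SAMPLE = [
    (100, 4624, logon("WS163$", "192.0.2.163", "0x4e0001")),
    (101, 4634, logoff("WS163$", "0x4e0001")),
    (102, 4624, logon("WS163$", "192.0.2.163", "0x4e0002")),
    (103, 4624, logon("SRV07$", "198.51.100.7", "0x4e0003")),
    (104, 4634, logoff("WS163$", "0x4eb1bed")),   # logon fell outside the window
    (140, 4634, logoff("WS163$", "0x4e0002")),
]

if __name__ == "__main__":
    per_source, durations = summarize(SAMPLE)
    for (addr, account), n in per_source.most_common():
        print(f"{n:4d} logons  {addr:15s} {account}  {durations.get(account)}")
```

A logoff whose Logon ID has no logon in the examined window is skipped rather than guessed at, which matters when the log wraps in under a day.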
ADDITIONAL INFORMATION

The only non-Microsoft software on the server is JAVA, Activeclient 6.2 (latest patches) and a program that pops up an acceptable use banner screen - this program is not network aware.

June 12th, 2012 12:10pm
Something very important I forgot to add - all the connections going to my server are going to my FS1 port 445

June 12th, 2012 12:39pm
Hi,
Since the server is a file server, it is possible that the remote users may be able to access your resources. Port 445 indicates it is SMB access, which is a protocol used to access network shares.
Regards,
Denny

June 13th, 2012 7:19am
This topic is archived. No further replies will be accepted.
