Hundreds of audit events 4624, 4634, and 4672 every second on Server 2008 SP2 Domain Controller.
I have a Windows Server 2008 SP2 Domain Controller that is logging about 400 to 500 audit events per second in the security log.
I get repeated entries of:
4624 Logon
4634 Logoff
4672 Special Logon
I clear the security event log, and after 10 seconds I have about 5,000 entries.
Lsass.exe is constantly running at about 5% to 15% CPU.
4624 Logon:
An account was successfully logged on.

Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Type:                 3

New Logon:
    Security ID:            SYSTEM
    Account Name:           HSERVER$
    Account Domain:         HOPKINS
    Logon ID:               0x5689610
    Logon GUID:             {21ab2e6f-e096-18fd-7904-caa887330f25}

Process Information:
    Process ID:             0x0
    Process Name:           -

Network Information:
    Workstation Name:
    Source Network Address: fe80::84a0:133d:9782:3644   (This is my actual SERVER address)
    Source Port:            56303

Detailed Authentication Information:
    Logon Process:              Kerberos
    Authentication Package:     Kerberos
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

4634 Logoff
An account was logged off.

Subject:
    Security ID:            SYSTEM
    Account Name:           HSERVER$
    Account Domain:         HOPKINS
    Logon ID:               0x568967a

Logon Type:                 3
I don’t think this is caused by any of my workstations.
The output from a NETSTAT -AN has about 5000 entries as shown below...

  Proto  Local Address        Foreign Address      State
  UDP    0.0.0.0:55428        *:*
  UDP    0.0.0.0:55429        *:*
  UDP    0.0.0.0:55430        *:*
  UDP    0.0.0.0:55431        *:*
  UDP    0.0.0.0:55432        *:*
  UDP    0.0.0.0:55433        *:*
  UDP    0.0.0.0:55434        *:*
  …
  UDP    [::]:55481           *:*
  UDP    [::]:55482           *:*
  UDP    [::]:55483           *:*
  UDP    [::]:55484           *:*
  UDP    [::]:55485           *:*
  UDP    [::]:55486           *:*
  UDP    [::]:55487           *:*
  UDP    [::]:55488           *:*
  UDP    [::]:55489           *:*
  UDP    [::]:55490           *:*
  UDP    [::]:55491           *:*
I don't know what to do about this other than starting to shut down services and keep checking until it stops.
Thanks for any help or insight
October 4th, 2011 2:23pm
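The question above is really "who is generating these logons?", and that can be read out of the Security log itself rather than found by shutting services and workstations down one at a time. The script below is an added example, not code from the original thread or from anyone posting in it. It pulls the recent 4624 and 4634 events, groups the logons by logon type, account, source address and logon process, flags those whose source address is one of the DC's own addresses (as in the event posted above, where the Source Network Address is the server's link-local IPv6 address), and pairs each 4624 with its 4634 by Logon ID to show how long the sessions live. It assumes PowerShell 2.0 or later for `Get-WinEvent` (available as an add-on for Server 2008 SP2), an elevated session on the DC, and illustrative values for the time window and event cap; the list of what counts as a "local" address is built from WMI plus the loopback addresses and is an assumption about what Windows records in `IpAddress`.

```powershell
# Added example, not from the original thread. Summarises the 4624/4634 flood
# so its source can be identified. Assumes PowerShell 2.0+ (Get-WinEvent) in
# an elevated session on the DC. $Minutes and $MaxEvents are illustrative.
param(
    [int]$Minutes   = 5,
    [int]$MaxEvents = 20000
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Flatten one Security event's <EventData> into a name -> value hashtable.
function Get-EventFields($event) {
    $xml    = [xml]$event.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

function Get-SecurityEvents([int]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Addresses that mean "the DC talking to itself". Assumption: WMI's IPAddress
# list (which includes link-local IPv6 on Server 2008) plus loopback covers
# what the 4624 IpAddress field can contain for a local source.
$localAddrs = @('127.0.0.1', '::1') + @(
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = true' |
        ForEach-Object { $_.IPAddress } | Where-Object { $_ }
)

$logons = @(Get-SecurityEvents 4624 | ForEach-Object {
    $f = Get-EventFields $_
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        LogonType = $f['LogonType']
        Account   = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        LogonId   = $f['TargetLogonId']
        Source    = $f['IpAddress']
        LogonProc = $f['LogonProcessName']
        AuthPkg   = $f['AuthenticationPackageName']
        Process   = $f['ProcessName']
        FromSelf  = ($localAddrs -contains $f['IpAddress'])
    }
})

"4624 events in the last $Minutes min: $($logons.Count)"

# Which logon type / account / source / logon process carries the volume?
"--- 4624 grouped by type, account, source, logon process, self-sourced ---"
$logons | Group-Object LogonType, Account, Source, LogonProc, FromSelf |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Pair each 4624 with its 4634 by Logon ID to measure session lifetime;
# sub-second lifetimes from the DC's own address point at a local service
# authenticating to the DC in a tight loop rather than at user activity.
$logoffAt = @{}
Get-SecurityEvents 4634 | ForEach-Object {
    $f = Get-EventFields $_
    $logoffAt[$f['TargetLogonId']] = $_.TimeCreated
}
$lifetimes = @($logons | Where-Object { $logoffAt.ContainsKey($_.LogonId) } |
    ForEach-Object { ($logoffAt[$_.LogonId] - $_.Time).TotalMilliseconds })
if ($lifetimes.Count -gt 0) {
    $s = $lifetimes | Measure-Object -Minimum -Average -Maximum
    "Matched {0} logon/logoff pairs; lifetime ms min={1:N0} avg={2:N0} max={3:N0}" -f `
        $s.Count, $s.Minimum, $s.Average, $s.Maximum
}
```

Run it as `.\Summarize-Logons.ps1 -Minutes 2` (file name is illustrative) while the flood is happening. The top row of the grouped table names the account and source responsible; a `FromSelf` of `True` with `LogonProc` of `Kerberos` and a blank `Process` means the logons originate on the DC, so the next step is `netstat -ano` to map the short-lived UDP ports to a PID and `tasklist /svc /fi "PID eq <pid>"` to name the service, not disconnecting workstations.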
If you have a ton of users this may be expected behavior; you can tone it down by adjusting your local policy settings to only log events relevant to what you want.
I would suggest logging failures, and not all successful ones (unless you want to go all super security audit and maintain tons of large log files) :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
October 4th, 2011 4:29pm
Thanks Jason,
Actually, I am supposed to be the paid professional...
First time posting to the technet forums though.
As far as users, we have maybe 10 users on the server.
It is a domain controller, running file and print, along with antivirus and Backup Exec.
I can easily log only failures, but that would only hide the problem that we are having.
I may try to shutdown as many services as I can and see if it makes a difference.
October 4th, 2011 6:42pm
Hi,
Logon Type 3 means Network logon. This is common if you have shared files/printers. Other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS.
Currently, please check the firewall and security updates:
1.
Make sure you have enabled a firewall on this DC.
2.
Update the system with the latest security updates.
3.
Does this DC have IIS installed?
Meanwhile, please understand that it is not recommended to run file and printer services or Exchange Server on a Domain Controller.
If the issue is urgent or you prefer a paid professional, please contact Microsoft Customer Support Service (CSS).
To obtain the phone numbers for specific technology request, please refer to the website listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US, please refer to http://support.microsoft.com for regional support phone numbers.
Regards,
Bruce
October 5th, 2011 2:05am
Thanks Bruce,
If the Source Network Address is the ipv6 address of my server, would that rule out File and Print access from a workstation client? Maybe that is where I am getting confused. It would be great if it was caused by a workstation on the network.
If there is a chance that a workstation on the local network is causing this via shared file or printer access, I will one by one disconnect my workstations from the network. That might give me an indication as to where the problem lies. As soon as the problem stops, I will see it right away.
I understand how we should not have file and print or exchange for that matter on a DC. This is a small site, and we could not afford to install 2 servers.
If I cannot resolve it via trial and error, then I will place a support call with Microsoft.
October 5th, 2011 7:01am
Jake,
I am having this same issue. I am set up much like you are. Small number of users and connected workstations, one printer. DC is hosting file and print and Symantec AV server. It is like the DC is just lonely and wants to talk to itself. I have another network that is similarly, almost identically, set up and it does not have this problem. On the "broken" network I get 300+ events in a single minute vs. 53 in a ten minute window on the other network. Did you find a solution?
April 11th, 2012 8:06pm
Shortly after posting this problem, we had moved 3 desktop computers to another location on another network. One or two of them were not running Professional, but the Home version of XP or Vista. I believe that it may have been caused by one of these workstations, because I have not seen the problem since moving the 3 workstations off the network and to another location. I wish I could remember more, but October of last year seems like such a long time ago...
If you were to shut down all your workstations at night, do the events stop as well? I see you are getting 300+ per minute, which is still much less than the 5000 I was getting every 10 seconds.
Perhaps by trial and error, shutting down workstations may give some indication to where the problem lies.
Sorry I don't have anything more that can help you with this.
April 11th, 2012 8:27pm