Intermittent problem logging into W2k8
Greetings
I'm trying to track down a problem logging into a Windows Server 2008 Standard 32 bit SP2. The problem is that from time to time, which *appears* to be at certain times of the day, we cannot connect with remote desktop. The server functions fine during these periods - it is a public facing webserver - we can connect remotely using SQL Server Management Studio Express, but not with remote desktop. When trying to connect, I can see "securing remote connection" then "configuring remote connection" but then it just comes back after a minute or so with "this computer cannot connect to the remote computer".
In the server logs, I can see the following in the security logs, though *not* at the times when we are trying to connect:
An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: xxxx$
    Account Domain: WORKGROUP
    Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: administrator
    Account Domain: xxxx

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x1bc
    Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name: xxxx
    Source Network Address: 0.0.0.0
    Source Port: 0
And others similar, but with the following network info:

Network Information:
    Workstation Name: xxxx
    Source Network Address: 58.221.254.239
    Source Port: 4336
Note: xxxx above is the server computer name.
However, please further note that our Administrator account was renamed. From the IP address, the second one above seems to be some kind of hack attempt, perhaps? But why is the Workstation Name the server computer name?
Also, around the times that we try to connect, there are these audit failures:
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: abcd
    Account Domain: xxxx

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: efgh
    Source Network Address: -
    Source Port: -
Now, this last failure seems to be generated when one of the failed connections with remote desktop occurs, since the Workstation Name is the computer name of the laptop I am trying to connect from - but the account name is wrong - abcd is the name that the Administrator account was renamed to a few weeks ago, but no longer, which is very odd, because when we attempt to connect with remote desktop we definitely specify the correct (current) account name. Moreover, these events are not generated for each connection attempt *and* we don't *ever* change anything on the laptop - we just keep retrying after an hour or so and eventually we can connect. We think the problem only occurs during the same 6 (approx) hours of each day.
The laptop is running Windows 7 and running remote desktop 6.1.7600
Any comment or advice would be most welcome.
Thanks
RL
July 24th, 2011 7:51pm
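
The failures quoted in the post above differ in logon type (10 versus 3), source and target account. As an added example that is not part of the original post, this Python script parses exported "An account failed to log on" (event 4625) messages and counts failures by those fields. The sample events, host names, account names and addresses are constructed, and the script assumes the rendered layout with blank lines between sections.

```python
import re
from collections import Counter

# Logon types and NTSTATUS sub-status values that appear in event 4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
SUB_STATUS = {"0xc0000064": "user name does not exist",
              "0xc000006a": "wrong password",
              "0xc0000234": "account locked out"}
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_event(text):
    """Flatten one rendered 4625 message into {'Section.Field': value}."""
    section, fields = "", {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not line.strip():
            section = ""                    # blank line ends a section
        elif m and not m.group(2).strip():
            section = m.group(1).strip()    # header such as "Network Information:"
        elif m:
            key = m.group(1).strip()
            fields[f"{section}.{key}" if section else key] = m.group(2).strip()
    return fields

def summarise(events):
    """Count failures per (logon type, reason, target account, source)."""
    counts = Counter()
    for e in map(parse_event, events):
        lt = int(e["Logon Type"])
        src = e.get("Network Information.Source Network Address", "-")
        if src in ("-", "0.0.0.0"):         # no remote address recorded
            src = "host:" + e.get("Network Information.Workstation Name", "-")
        sub = e["Failure Information.Sub Status"].lower()
        counts[(LOGON_TYPES.get(lt, str(lt)), SUB_STATUS.get(sub, sub),
                e["Account For Which Logon Failed.Account Name"].lower(), src)] += 1
    return counts

# Constructed, abbreviated sample events (names and addresses are made up).
TEMPLATE = ("An account failed to log on.\n\nLogon Type:\t\t\t{lt}\n\n"
            "Account For Which Logon Failed:\n\tAccount Name:\t\t{acct}\n\n"
            "Failure Information:\n\tSub Status:\t\t{sub}\n\n"
            "Network Information:\n\tWorkstation Name:\t{ws}\n"
            "\tSource Network Address:\t{ip}\n")
SAMPLE = [TEMPLATE.format(lt=10, acct="administrator", sub="0xc0000064", ws="WEB01", ip="203.0.113.7"),
          TEMPLATE.format(lt=10, acct="Administrator", sub="0xC0000064", ws="WEB01", ip="203.0.113.7"),
          TEMPLATE.format(lt=3, acct="oldadmin", sub="0xc0000064", ws="LAPTOP01", ip="-")]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key, sep=" | ")
```

Grouping this way separates remote-address RDP failures against a name that does not exist from network logons originating on a known workstation, which is the distinction the post is trying to draw by eye.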
Any help or advice would be appreciated.
July 30th, 2011 8:55pm