Troubleshooting Event ID 4625 on Windows 2008 R2 domain controller
I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 09/23/2010 11:16:06 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: mydomaincontroller.domain.com
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: JohnDoe
Account Domain: HLC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc00002ee
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the
issue. I've looked at services but the user is only on a couple of services and they're running fine.
September 23rd, 2010 2:16pm
Hi,
To better understand the issue, please help confirm the following:
· Is the Account Name in all 4625 events the same?
· Do you mean that JohnDoe is a service account? What services is this account used to start? If possible, please restart the services and check if 1) the event is generated; 2) there is any warning related to the service generated.
· How often is the event generated on the DC?
Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 23rd, 2010 11:35pm
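The three questions above (same account every time, which path it comes through, how often) can be answered from the Security log directly. The following script is an added example, not code from the thread; it assumes it runs on the DC (or against it via -ComputerName) with rights to read the Security log, and the $Hours window and the field names it extracts are the standard 4625 EventData names.

```powershell
# Summarise Event ID 4625 audit failures: account, logon type, status, logon process,
# event frequency, and whether a source host is recorded at all.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24   # look-back window (assumption: 24h is enough to see the pattern)
)

$start  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $start }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Read named EventData fields from the event XML; positional Properties[] indexes
# shift between OS versions, the Data/@Name attributes do not.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        Status      = $d.Status
        SubStatus   = $d.SubStatus
        LogonProc   = $d.LogonProcessName
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
    }
}

# 1) Is it always the same account, and through the same logon type / package?
$rows | Group-Object Account, LogonType, Status, LogonProc |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) How often? Average interval between consecutive events for each account.
foreach ($g in ($rows | Group-Object Account)) {
    $times = $g.Group.Time | Sort-Object
    if ($times.Count -gt 1) {
        $gap = ($times[-1] - $times[0]).TotalSeconds / ($times.Count - 1)
        '{0}: {1} events, one every {2:N0} s on average' -f $g.Name, $times.Count, $gap
    }
}

# 3) Events with a blank source address/workstation originate on the DC itself, as in
# the thread; any that do carry a source point at a remote host worth checking.
$rows | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
    Select-Object Time, Account, SourceIP, Workstation, SubStatus | Format-Table -AutoSize
```

Run it with -Hours 1 while the failures are occurring to confirm the "every couple of minutes" cadence before and after a service is stopped.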
Hi,
How's everything going? Is there any update on the issue?
If there is anything unclear, please do not hesitate to respond back.
September 29th, 2010 9:32pm
Sorry I haven't replied on this issue as I was out of the office last week.
The account name on all events is the same. It was happening every couple of minutes. We tried restarting the services (and even disabled them for a period) to see if the service was generating the messages. We found that with the service disabled the messages
still happened. We have this same user specified as a user on services on all of our servers and this one was the only one reporting the error.
After looking into this and trying everything we could think of we ended up rebooting the server. At this time the errors appear to have stopped.
Thanks.
October 4th, 2010 10:47am
Hi,
Thanks for your update.
If the issue disappears after you restarted the server, a possible cause could be invalid cached credentials. Please do not hesitate to post in our forum if you need further assistance in the future.
Have a nice day.
October 4th, 2010 9:29pm