<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Critical Error in Security Log</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/itanswers/critical-error-in-security-log/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/itanswers/critical-error-in-security-log/</link>
	<description></description>
	<pubDate>Fri, 25 May 2012 12:18:34 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: FlyNavy</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/critical-error-in-security-log/#comment-38901</link>
		<dc:creator>FlyNavy</dc:creator>
		<pubDate>Thu, 28 Dec 2006 17:51:35 +0000</pubDate>
		<guid isPermaLink="false">#comment-38901</guid>
		<description>dwiebesick, thanks.  During the SBS 2000 install, I used the wizards.  Then I upgraded to SBS 2003.  Then I completed a swing migration of hardware via the SBSMigrate procedure.  There could be a lot of things changed in those 3 processes.  From the numbers you quoted, I seem to have a relatively small number of reports.  My 10 machines are averaging about 200 total per month.  Thanks again for the help.</description>
		<content:encoded><![CDATA[<p>dwiebesick, thanks.  During the SBS 2000 install, I used the wizards.  Then I upgraded to SBS 2003.  Then I completed a swing migration of hardware via the SBSMigrate procedure.  There could be a lot of things changed in those 3 processes.  From the numbers you quoted, I seem to have a relatively small number of reports.  My 10 machines are averaging about 200 total per month.  Thanks again for the help.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dwiebesick</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/critical-error-in-security-log/#comment-38902</link>
		<dc:creator>dwiebesick</dc:creator>
		<pubDate>Thu, 28 Dec 2006 17:16:29 +0000</pubDate>
		<guid isPermaLink="false">#comment-38902</guid>
		<description>I would start by asking: Did you use the setup wizards when you configured your SBS or did you set your server up based on your experience with plain-jane servers? Did you use the connectcomputer wizard to join your workstations to the SBS?

If you feel confident that you set the SBS correctly by using the wizards, then I would follow Randy Franklin Smith's recommendations from his website http://www.ultimatewindowssecurity.com/ where he states "Kerberos tickets do expire, and servers cause most such events because they remain up for weeks and months at a time. To confirm that your numbers were normal, I compared them to the ticket expirations on a customer's network. That network is about a quarter the size of yours, and after quadrupling the number of ticket expirations logged on my customer's domain controllers (DCs) over roughly two months, I came up with 28,620. It's not practical to manually analyze the Windows Security log, and you don't have to treat each event in the log as an actionable item - there's lots of noise in the Security log that you must filter out. I think you can safely assume your failed event ID 673s are such noise."

Best regards
dmw

</description>
		<content:encoded><![CDATA[<p>I would start by asking: Did you use the setup wizards when you configured your SBS or did you set your server up based on your experience with plain-jane servers? Did you use the connectcomputer wizard to join your workstations to the SBS?</p>
<p>If you feel confident that you set the SBS correctly by using the wizards, then I would follow Randy Franklin Smith&#8217;s recommendations from his website <a href="http://www.ultimatewindowssecurity.com/" rel="nofollow">http://www.ultimatewindowssecurity.com/</a> where he states &#8220;Kerberos tickets do expire, and servers cause most such events because they remain up for weeks and months at a time. To confirm that your numbers were normal, I compared them to the ticket expirations on a customer&#8217;s network. That network is about a quarter the size of yours, and after quadrupling the number of ticket expirations logged on my customer&#8217;s domain controllers (DCs) over roughly two months, I came up with 28,620. It&#8217;s not practical to manually analyze the Windows Security log, and you don&#8217;t have to treat each event in the log as an actionable item - there&#8217;s lots of noise in the Security log that you must filter out. I think you can safely assume your failed event ID 673s are such noise.&#8221;</p>
<p>Best regards<br />
dmw</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: FlyNavy</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/critical-error-in-security-log/#comment-38903</link>
		<dc:creator>FlyNavy</dc:creator>
		<pubDate>Thu, 28 Dec 2006 09:54:51 +0000</pubDate>
		<guid isPermaLink="false">#comment-38903</guid>
		<description>shlomo58,
    Thanks for the response.  I found the same article at Microsoft.  I saw the time difference issue and made sure time was correct.  I have less than 30 seconds difference at any 1 machine and the server.  I have seen several articles that say just to ignore the error if the machine has access to the network resources it requires.
    I guess my bigger question is that since this is a domain policy, all machines should be set to the same ticket maximum life.  Why are 3 machines giving several errors a day and the other 6 only getting a couple of errors per month?  I am not at the network now, but I am assuming that this policy is set by default for the domain (not one of the ones that is disabled by default).</description>
		<content:encoded><![CDATA[<p>shlomo58,<br />
    Thanks for the response.  I found the same article at Microsoft.  I saw the time difference issue and made sure time was correct.  I have less than 30 seconds difference at any 1 machine and the server.  I have seen several articles that say just to ignore the error if the machine has access to the network resources it requires.<br />
    I guess my bigger question is that since this is a domain policy, all machines should be set to the same ticket maximum life.  Why are 3 machines giving several errors a day and the other 6 only getting a couple of errors per month?  I am not at the network now, but I am assuming that this policy is set by default for the domain (not one of the ones that is disabled by default).</p>
]]></content:encoded>
	</item>
</channel>
</rss>
