r. wales
A few days ago I started getting strange entries in the security log on my
Primary Domain Controller. The entries are Event ID 674, which is Service
Ticket Renewal. That in itself is not strange; what is strange is that they
are recurring every 9hrs 50mins, for every machine and any User account in my
Active Directory that has authenticated with this server. Another strange
aspect is the fact that in the event description, while the user name is the
particular Machine or User, the client address is 127.0.0.1, not the actual IP
address of that machine or whatever machine the user would be logged into.
I restarted the server and they went away, until machines and users logged
on again the next morning, then they started showing up again 9hrs 50mins
later.
I understand the concept of the service ticket renewal, but why the proper
username but 127.0.0.1 client address?
Is this a sign of my server being compromised?!
Additional info:
server is 2k3 sp2, fully patched
workstations are logged off and shut down at the close of business.
Thanks in advance for any help you can give!!