Guest r. wales
Posted May 30, 2008

A few days ago I started getting strange entries in the security log on my Primary Domain Controller. The entries are Event ID 674, which is Service Ticket Renewal. That in itself is not strange; what is strange is that they are recurring every 9hrs 50mins, for every machine and any User account in my Active Directory that has authenticated with this server.

Another strange aspect is the fact that in the event description, while the user name is the particular Machine or User, the client address is 127.0.0.1, not the actual IP address of that machine or whatever machine the user would be logged into.

I restarted the server and they went away, until machines and users logged on again the next morning, then they started showing up again 9hrs 50mins later.

I understand the concept of the service ticket renewal, but why the proper username but 127.0.0.1 client address? Is this a sign of my server being compromised?!

Additional info: server is 2k3 sp2, fully patched workstations are logged off and shut down at the close of business.

Thanks in advance for any help you can give!!