Default Domain Policy vs Default Domain Controller Policy

 
 
Tyler Cobb
      09-29-2005
I'm reading along in the 70-290 book and there's an exercise that tells me
to enable the Audit Accounts Logon Events and the Audit Logon Events
policies in the Default Domain Controller Policy area. After that, they
wanted me to try to log in with the wrong password on an account and then to
come back on as Administrator and check out the Security Log in Event
Viewer. I did all this but I noticed that it does not record any invalid
logon attempts. It did, however, show the successful ones. I have verified
that the policies are configured to audit both successes and failures.

Out of curiosity, I went into the Default Domain Policy and enabled the
same audit policies in there. When I viewed the Security Logs, I could see
invalid logon attempts. Could the book be wrong or is there something I'm
not understanding in a real scenario? I just have one computer set up with
Windows Server 2003 for lab exercises. I was trying to generate invalid
logins from the console. It's not networked to anything at the moment. Would
it have worked if it were not a PDC on a one-computer network? Would it have
been different if I tried to log on from a workstation?

That brings me to another question if anyone has the time. I noticed that
there seems to be an excessive pause when making some choices in Active
Directory. I'm assuming the computer is trying to talk to something on the
network that isn't there and timing out. Any idea what would be causing
this?

Thanks!


 
lowdes
      09-29-2005

"Tyler Cobb" wrote in message:
> I'm reading along in the 70-290 book and there's an exercise that tells me
> to enable the Audit Accounts Logon Events and the Audit Logon Events
> policies in the Default Domain Controller Policy area. After that, they
> wanted me to try to log in with the wrong password on an account and then
> to come back on as Administrator and check out the Security Log in Event
> Viewer. I did all this but I noticed that it does not record any invalid
> logon attempts. It did, however, show the successful ones. I have verified
> that the policies are configured to audit both successes and failures.


If this is showing the successful ones, are you sure you just didn't check
success and not check the failure box?



Kurt
      09-30-2005
Or, if there's more than one DC, did you set auditing and check the viewer on
the others?

.....kurt

Tyler Cobb
      10-01-2005
"lowdes" wrote in message:
> If this is showing the successful ones, are you sure you just didn't check
> success and not check the failure box?


Yes, as previously mentioned in the original post, I double-checked myself.
It's showing domain successes but not workstation success/failures. Thanks,
though.


 
Tyler Cobb
      10-01-2005

"Kurt" wrote in message:
> Or, if there's more than one DC, did you set auditing and check the viewer
> on the others?
>
> ....kurt


As I noted in the original post, the lab is simply one PDC. No other
computers are involved or even available. But, thank you for your time.


 
Steven L Umbach
      10-01-2005
You need to make sure that auditing of "account logon" events is enabled for
both success and failure in Domain Controller Security Policy. It sounds
like it was set to undefined for at least failure if enabling it in Domain
Security Policy got it to work. You will find the Resultant Set of Policy
MMC snap-in on the domain controller in logging mode helpful to find out what
Group Policy settings are applied to the computer, and it should show the GPO
that is applying a particular setting. It would make no difference if you
were logging on from a domain workstation, as all domain user accounts are
authenticated by a domain controller and a logon failure to the domain
should generate a failed "account logon" event in the security log of the
domain controller used for authentication.

Since you seem to be experiencing problems and time lags, I would verify
that DNS is correct, in that your only domain controller points ONLY to
itself as its preferred DNS server by its static IP address, as shown via
ipconfig /all. Then check the system, application, etc., logs for anything
that may be related and run the support tools netdiag, dcdiag, and gpotool
on your domain controller to see if a problem is found. The support tools
are on the install disk in the support/tools folder, where you need to run
the setup program there.

--- Steve

Tyler Cobb
      10-19-2005
In article <ecKO#>, n9rou@nospam-comcast.net says...
> You need to make sure that auditing of "account logon" events is enabled for
> both success and failure in Domain Controller Security Policy. It sounds
> like it was set to undefined for at least failure if enabling it in Domain
> Security Policy got it to work. You will find the Resultant Set of Policy
> MMC snap-in on the domain controller in logging mode helpful to find out what
> Group Policy settings are applied to the computer, and it should show the GPO
> that is applying a particular setting. It would make no difference if you
> were logging on from a domain workstation, as all domain user accounts are
> authenticated by a domain controller and a logon failure to the domain
> should generate a failed "account logon" event in the security log of the
> domain controller used for authentication. Since you seem to be experiencing
> problems and time lags, I would verify that DNS is correct, in that your only
> domain controller points ONLY to itself as its preferred DNS server by its
> static IP address, as shown via ipconfig /all. Then check the system,
> application, etc., logs for anything that may be related and run the support
> tools netdiag, dcdiag, and gpotool on your domain controller to see if a
> problem is found. The support tools are on the install disk in the
> support/tools folder, where you need to run the setup program there. ---
> Steve


Yeah, I had verified that it was not undefined or obviously
misconfigured prior to writing my original post. Very strange, I know.
I'm still at a loss for that one. However, the DNS issue was something
that I needed to look at. Windows Server 2003 had installed DNS services
by default and I had just never got around to configuring them. Not that
there is really anything to configure DNS for as I am just on a single
PDC that isn't on a network, nor has there been a chapter about how to
configure DNS during my studies so far. I glanced over the DNS
configuration and, luckily for me, it turned out to be pretty
self-explanatory. Once I set up DNS the annoying pauses between Active
Directory operations vanished. Thanks for the suggestion! You were right
on!
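
Added example, not part of any post in this thread: one way to check which audit settings a domain controller actually holds, as suggested earlier in the thread, is to read the `[Event Audit]` section of a security template exported with `secedit /export` and flag logon categories that do not record failures. The sample INF text is constructed, and the function names are this example's own.

```python
# Audit values in the [Event Audit] section of a secedit export:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
import configparser

AUDIT_BITS = {1: "success", 2: "failure"}
# The two categories discussed in the thread.
LOGON_KEYS = ("AuditAccountLogon", "AuditLogonEvents")

# Constructed sample, not taken from a real server. Assumption: a real
# export file has already been decoded to text before being passed in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_event_audit(inf_text):
    """Return {setting: set of audited outcomes} from the [Event Audit] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the INF key casing
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    result = {}
    for key, raw in parser.items("Event Audit"):
        value = int(raw)
        result[key] = {name for bit, name in AUDIT_BITS.items() if value & bit}
    return result

def missing_failure_audit(inf_text, keys=LOGON_KEYS):
    """List logon categories that would not record failed attempts.
    A key absent from the export is treated as not audited."""
    audit = parse_event_audit(inf_text)
    return [k for k in keys if "failure" not in audit.get(k, set())]

if __name__ == "__main__":
    for key, outcomes in parse_event_audit(SAMPLE_INF).items():
        print(f"{key:22} {', '.join(sorted(outcomes)) or 'no auditing'}")
    print("No failure auditing for:", missing_failure_audit(SAMPLE_INF))
```
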
 