Hello!
We have two Connection Broker servers using DNS round robin. Yesterday I saw that our RD host servers have a lot of Audit Failure events (4625) in the Security log.
It looks like our CB servers are trying to log on with their computer accounts to the RD Host. This happens multiple times per day, and when it does it looks like it's spamming login attempts, up to 10 times per second. Please take a look at the following log example:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2019-04-26 10:25:40
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CB01.domain.net
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: CB01
Account Domain: DOMAINNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: CB01
Source Network Address: 172.21.XX.XX
Source Port: 52891
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Any suggestions?
Kind Regards,
Anthon
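
Added example, not part of the original post: a small Python triage script that parses the rendered text of 4625 events like the one above, decodes the Sub Status code, and reports which source and target account exceed a per-second failure rate. The function names, the threshold and the sample events (including the 192.0.2.10 address) are constructed for illustration.

```python
from collections import Counter

# NTSTATUS codes Microsoft documents for event 4625 (subset).
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}

def parse_event(text):
    """Turn the rendered text of one 4625 event into {'Section/Field': value}."""
    fields, section = {}, ""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue                      # free text such as "An account failed to log on."
        if not value:
            section = key                 # header line: "Subject:", "Network Information:", ...
        else:
            # "Account Name" occurs in two sections, so keys carry the section name.
            fields[f"{section}/{key}" if section else key] = value
    return fields

def find_bursts(events, per_second=5):
    """Group failures by (second, source, target account, sub status); keep busy groups."""
    counts = Counter()
    for text in events:
        f = parse_event(text)
        sub = int(f["Failure Information/Sub Status"], 16)
        counts[(f["Date"],                # Date has one-second resolution
                f["Network Information/Source Network Address"],
                f["Account For Which Logon Failed/Account Name"],
                NTSTATUS.get(sub, hex(sub)))] += 1
    return [(key, n) for key, n in counts.items() if n >= per_second]

# Constructed sample: ten failures in one second, two in another.
TEMPLATE = """Date: {date}
An account failed to log on.
Subject:
Account Name: -
Account For Which Logon Failed:
Account Name: CB01
Failure Information:
Status: 0xC000006D
Sub Status: 0xC0000064
Network Information:
Source Network Address: 192.0.2.10
"""
SAMPLE = ([TEMPLATE.format(date="2019-04-26 10:25:40")] * 10 +
          [TEMPLATE.format(date="2019-04-26 10:31:02")] * 2)
```

Calling find_bursts(SAMPLE) returns one group: ten failures at 10:25:40 from the constructed source for account CB01 with sub status STATUS_NO_SUCH_USER.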