In our organisation (about 500 active users) we have 2 AD domain controllers, both running Windows Server 2012 R2. There is a file server on a Hyper-V VM running Windows Server 2022.
Yesterday we started receiving complaints that the file server became unusable due to the error "Additional connections to this remote computer are currently not possible because the number of connections has reached its limit." but the server's connection limit is set to about 16000.
After some time I noticed weird behavior on the main DC in Event Viewer, in the section "Windows Logs > Security". A few days ago it started littering with 4625 and 4634 events. Some of these are successful, some are not. In the field "TargetUserName" it sometimes shows various of our AD users, PC names followed by a "$" sign, and sometimes generic usernames such as "JOHN". LogonProcessName shows Kerberos and NtLmSsp. Here's a sample of a logon rejection 4625 event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2024-04-02T07:56:47.050749400Z" />
<EventRecordID>232578365</EventRecordID>
<Correlation />
<Execution ProcessID="664" ThreadID="3024" />
<Channel>Security</Channel>
<Computer>alpha.economy.lan</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">HERRAJESWEB</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName" />
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Here's an example of a successful 4634 event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2024-04-02T07:56:46.832004600Z" />
<EventRecordID>232578364</EventRecordID>
<Correlation />
<Execution ProcessID="664" ThreadID="3488" />
<Channel>Security</Channel>
<Computer>alpha.economy.lan</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-21-920013730-1599901524-189505704-2641</Data>
<Data Name="TargetUserName">PRIEMDIR$</Data>
<Data Name="TargetDomainName">ECONOMY</Data>
<Data Name="TargetLogonId">0x12620a7</Data>
<Data Name="LogonType">3</Data>
</EventData>
</Event>
We tried catching a PC that might be the cause, but failed. It seems to be within the server room. Is there any possible way to track it down? Thanks in advance for any kind of assistance in that regard.
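Two things in the posted 4625 sample matter for tracking the source. SubStatus 0xC0000064 is the standard NTSTATUS for "user name does not exist", which fits the made-up names like JOHN. And IpAddress "-" with an empty WorkstationName on a domain controller's 4625 normally means the NTLM authentication was forwarded to the DC by a member server over its secure channel, so the DC never saw the client's address; the matching 4625 on that member server (here the file server, which is also the box complaining about too many connections) carries the client IP. The same applies if the DC's NTLM audit log (Microsoft-Windows-NTLM/Operational, enabled via the "Restrict NTLM: Audit NTLM authentication in this domain" policy) is used, since those events name the server that passed the request through. The script below is an added example, not code from the original post: it parses 4625 events exported as XML, decodes the sub-status, and tallies failures per (workstation, IP) source, per target user and per reason, counting separately the pass-through events that have no source fields so you know which member server's log to read next. The sample events are constructed inline; the host names FS-CONSTRUCTED and the address 10.0.0.50 are invented, the user names and sub-status come from the post.

```python
"""Tally Windows Security 4625 (logon failure) events exported as XML to find
where a logon-failure storm originates. Added example; sample data constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NTSTATUS values that appear in the 4625 SubStatus field.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
}


def split_export(text):
    """wevtutil /f:xml writes <Event> elements back to back with no root element;
    split that stream into one XML document per event."""
    return [chunk + "</Event>" for chunk in text.split("</Event>") if chunk.strip()]


def parse_event(xml_text):
    """Pull the fields needed for source attribution out of one Security event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName") or "-",
        "workstation": data.get("WorkstationName") or "-",
        "ip": data.get("IpAddress") or "-",
        "logon_type": data.get("LogonType", "-"),
        "auth_pkg": data.get("AuthenticationPackageName", "-"),
        # 4634 and other events have no SubStatus; treat it as 0.
        "substatus": int(data.get("SubStatus") or "0x0", 16),
    }


def summarize(xml_events):
    """Aggregate only the 4625 events; pass-through = no workstation and no IP,
    i.e. the DC cannot say where the request came from (check the member server)."""
    failures = [e for e in map(parse_event, xml_events) if e["id"] == 4625]
    return {
        "failures": len(failures),
        "by_source": Counter((e["workstation"], e["ip"]) for e in failures),
        "by_user": Counter(e["user"] for e in failures),
        "by_reason": Counter(SUBSTATUS.get(e["substatus"], hex(e["substatus"]))
                             for e in failures),
        "passthrough": sum(1 for e in failures
                           if e["workstation"] == "-" and e["ip"] == "-"),
    }


def make_event(event_id, fields, time="2024-04-02T07:56:47.050749400Z"):
    """Build a minimal event in the XML shape Event Viewer / wevtutil export (constructed)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample: first event mirrors the post (no source info), the rest
# invent a member server FS-CONSTRUCTED at 10.0.0.50 as the forwarding host.
SAMPLE_EXPORT = "".join([
    make_event(4625, {"TargetUserName": "HERRAJESWEB", "Status": "0xc000006d",
                      "SubStatus": "0xc0000064", "LogonType": "3",
                      "AuthenticationPackageName": "NTLM",
                      "WorkstationName": "", "IpAddress": "-"}),
    make_event(4625, {"TargetUserName": "JOHN", "SubStatus": "0xc0000064",
                      "LogonType": "3", "AuthenticationPackageName": "NTLM",
                      "WorkstationName": "FS-CONSTRUCTED", "IpAddress": "10.0.0.50"}),
    make_event(4625, {"TargetUserName": "PRIEMDIR$", "SubStatus": "0xc000006a",
                      "LogonType": "3", "AuthenticationPackageName": "NTLM",
                      "WorkstationName": "FS-CONSTRUCTED", "IpAddress": "10.0.0.50"}),
    make_event(4634, {"TargetUserName": "PRIEMDIR$", "TargetDomainName": "ECONOMY",
                      "LogonType": "3"}),
])

if __name__ == "__main__":
    summary = summarize(split_export(SAMPLE_EXPORT))
    print("failed logons:", summary["failures"],
          "| pass-through (no source on DC):", summary["passthrough"])
    for (ws, ip), n in summary["by_source"].most_common():
        print(f"  {n:5d}  workstation={ws:<16} ip={ip}")
    for reason, n in summary["by_reason"].most_common():
        print(f"  {n:5d}  {reason}")
```

To run it against real data, export the events on the DC with `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml /c:5000 > dc-4625.xml`, feed the file's contents to `split_export`, and repeat on the file server; the source breakdown on the member server is where the client address shows up when the DC only reports pass-through entries.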