Security event 4776 - finding the source
Pasted in below is an error from the Security event logs on one of our servers. It shows event code 4776, which is a failed attempt to verify creds. The problem I am having is finding the source host generating the auth request. As you can see, the source host field has ptx in it, which means nothing to me as there is no ptx host in our domain. I do remember that ptx was a device name for pseudo terms for some flavor of Unix. The question is, how do I find the source of these events? How do I get the data to show the source IP of the host? If someone is going to reply "use Wireshark" or some such thing, we have a huge load on this box, many packets per second. I have looked at a few packets, but cannot find what I need. There must be some tool or something out there that will show the source IP of auth requests. I can't believe it's not there already. Any suggestions would be welcome. Thanks in advance...
Event Type: Failure Audit
Event Source: Microsoft-Windows-Security-Auditing
Event Category: (14336)
Event ID: 4776
Date: 12/21/2011
Time: 8:17:55 AM
User: N/A
Computer: DC6.jacksonnational.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: PolyComConferencing@JNL_NT
Source Workstation: ptx
Error Code: 0xc0000064
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
December 21st, 2011 8:50am
1. This error code C0000064 & 4776 means that the user name does not exist.
Start your analysis with the user/logon account.
2. More on this error:
http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx
3. Try it with a different account.
4. Test if the name in question is an orphaned one (ntdsutil is your friend for killing an orphaned DC and cleaning metadata).
5. To be sure, do the following:
a. ipconfig /flushdns and ipconfig /registerdns
b. Test the health of AD with dcdiag
c. Check if replication works properly
Regards
Milos
December 21st, 2011 10:08am
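An added example, not part of the original thread: one way to follow the advice to start with the logon account is to tally 4776 failures by workstation name, account and error code. It assumes the Security log has been exported as text in the layout pasted in the question; the function names and every sample record except the `ptx` one are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS codes seen in 4776 failures; 0xc0000064 is the one in the post.
STATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
}
FIELD = re.compile(
    r"^[ \t]*(Event ID|Logon Account|Source Workstation|Error Code):(.*)$", re.M)

def parse_events(text):
    """Split exported log text on 'Event Type:' and keep the 4776 records."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if fields.get("Event ID") == "4776":
            events.append(fields)
    return events

def summarize(events):
    """Count failed validations per (workstation, account, reason)."""
    counts = Counter()
    for e in events:
        code = e.get("Error Code", "").lower()
        if code in ("", "0x0"):  # 0x0 means the credentials validated
            continue
        counts[(e.get("Source Workstation", ""), e.get("Logon Account", ""),
                STATUS.get(code, code))] += 1
    return counts

# Constructed sample; only the first record's values come from the post.
_REC = ("Event Type: {t}\nEvent ID: {i}\nDescription:\nLogon Account: {a}\n"
        "Source Workstation: {w}\nError Code: {c}\n")
SAMPLE = "".join(_REC.format(t=t, i=i, a=a, w=w, c=c) for t, i, a, w, c in [
    ("Failure Audit", 4776, "PolyComConferencing@JNL_NT", "ptx", "0xc0000064"),
    ("Failure Audit", 4776, "PolyComConferencing@JNL_NT", "ptx", "0xc0000064"),
    ("Failure Audit", 4776, "alice@EXAMPLE", "", "0xC000006A"),
    ("Success Audit", 4776, "bob@EXAMPLE", "WS-EXAMPLE", "0x0"),
    ("Success Audit", 4624, "bob@EXAMPLE", "WS-EXAMPLE", "0x0"),
])

if __name__ == "__main__":
    for (ws, acct, why), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n:4d}  {ws or '(blank)':12}  {acct}  {why}")
```

The Source Workstation value is a name supplied by the client, so the tally narrows down which account and client name to chase; it does not yield an IP address.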