Event 4625 logs continuously in PDC

MasTer 0 Reputation points
2025-03-03T09:16:15.56+00:00

Hello Team,

One of our 2 domain controllers has this security event logged continuously.

The forest and domain functional level is 2016.

Microsoft Windows security auditing. Event id 4625

Audit Failure

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: StatesDC01$

Account Domain: Statesmen.com

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xC000006D

Sub Status: 0x0

Process Information:

Caller Process ID: 0x0

Caller Process Name: -

Network Information:

Workstation Name: StatesDC01

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process:

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

  • System
  • Provider

[ Name] Microsoft-Windows-Security-Auditing

[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

EventID 4625

Version 0

Level 0

Task 12544

Opcode 0

Keywords 0x8010000000000000

  • TimeCreated

[ SystemTime] 2025-02-12T12:36:07.8544759Z

EventRecordID 235207029996

  • Correlation

[ ActivityID] {af0850f5-7d33-0003-3351-08af337ddb01}

  • Execution

[ ProcessID] 672

[ ThreadID] 876

Channel Security

Computer StatesDC01.Statesmen.com

Security

  • EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-0-0

TargetUserName StatesDC01$

TargetDomainName Statesmen

Status 0xc000006d

FailureReason %%2304

SubStatus 0x0

LogonType 3

LogonProcessName

AuthenticationPackageName NTLM

WorkstationName StatesDC01

TransmittedServices -

LmPackageName -

KeyLength 0

ProcessId 0x0

ProcessName -

IpAddress -

IpPort -

The event is logged only on the FSMO role holder DC. The secure channel is broken when this DC authenticates to itself. If the roles are moved to the other available DC (StatesDC02), the secure channel is shown as broken there too, and the secure channel is fine on the previous DC (StatesDC01). Then the events start logging on the second DC, which holds the FSMO roles. Please let me know how to remediate this. No recent changes have been made in the environment.

Tried steps-

1- Time sync is fine

2- Replication is working fine

3- DNS is fine

4- SPNs are below. Please check.

setspn -L statedDC01

Registered ServicePrincipalNames for CN=statedDC01,OU=Domain Controllers,DC=States,DC=com:

GC/statedDC01.States.com

RPC/155eda5e-43dc-46cc-8ade-5608bf619bbf._msdcs.States.com

ldap/statedDC01/STATES

ldap/155eda5e-43dc-46cc-8ade-5608bf619bbf._msdcs.States.com

ldap/statedDC01.States.com/STATES

ldap/statedDC01

ldap/statedDC01.states.com

ldap/statedDC01.states.com/DomainDnsZones.states.com

ldap/statedDC01.states.com/ForestDnsZones.states.com

E3514235-4B06-11D1-AB04-00C04FC2DCD2/155eda5e-43dc-46cc-8ade-5608bf619bbf/states.com

DNS/statedDC01.states.com

HOST/statedDC01/STATES

HOST/statedDC01.states.com/STATES

exchangeAB/statedDC01

exchangeAB/statedDC01.states.com

HOST/statedDC01.states.com

WSMAN/statedDC01

WSMAN/statedDC01.states.com

Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/statedDC01.states.com

TERMSRV/statedDC01

TERMSRV/statedDC01.states.com

NtfSvc/155eda5e-43dc-46cc-8ade-5608bf619bbf

RestrictedKrbHost/statedDC01

RestrictedKrbHost/statedDC01.states.com

HOST/statedDC01.states.com

5- Tried resetting the domain computer password and repairing the secure channel, but the issue persists on the FSMO holder DC.

All the above details are related to PDC.

I am adding some more warning events to help understand it more deeply.

Event ID 6037 in PDC

The program svchost.exe, with the assigned process ID 3228, could not authenticate locally by using the target name HOST/.. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Try a different target name.

Event ID 36886 in PDC

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

The SSPI client process is %2 (PID: %1).

Event ID 3096 in PDC

The primary Domain Controller for this domain could not be located.

I am posting this in Windows Server, please move to any other appropriate session if needed.

I moved the PDC roles to another DC. Then the events started being logged on that server.

Please do check and let me know what could be the issue.
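
Added example, not part of the original post: one way to tally 4625 records so that failures where a DC's own machine account fails an NTLM network logon against itself (the pattern in the event above) are separated from ordinary failed logons. The function name `ConvertFrom-LogonFailureXml`, the `SelfMachineNtlm` flag and the second sample record are assumptions made for illustration.

```powershell
# Added example. Both records are constructed: the first from field values
# quoted in the question, the second an ordinary failed user logon for contrast.
$ntStatus = @{ '0xc000006d' = 'STATUS_LOGON_FAILURE'; '0xc0000064' = 'STATUS_NO_SUCH_USER'; '0x0' = 'none' }

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$Xml)
    $evt = ([xml]$Xml).Event
    $f = @{}
    foreach ($d in $evt.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    $shortName = ($evt.System.Computer -split '\.')[0]
    [pscustomobject]@{
        Computer  = $evt.System.Computer
        Target    = $f['TargetUserName']
        Package   = $f['AuthenticationPackageName']
        Status    = $ntStatus[$f['Status'].ToLower()]
        SubStatus = $ntStatus[$f['SubStatus'].ToLower()]
        Source    = $f['IpAddress']
        # Machine account failing an NTLM network logon (type 3) on its own host
        SelfMachineNtlm = ($f['TargetUserName'] -ieq ($shortName + '$')) -and
                          ($f['AuthenticationPackageName'] -eq 'NTLM') -and
                          ($f['LogonType'] -eq '3')
    }
}

$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Computer>StatesDC01.Statesmen.com</Computer></System>
 <EventData>
  <Data Name="TargetUserName">StatesDC01$</Data><Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0x0</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">-</Data>
 </EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Computer>StatesDC01.Statesmen.com</Computer></System>
 <EventData>
  <Data Name="TargetUserName">constructed.user</Data><Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">192.0.2.10</Data>
 </EventData></Event>
'@)

$samples | ForEach-Object { ConvertFrom-LogonFailureXml $_ } |
    Group-Object Target, Source, SubStatus, SelfMachineNtlm |
    Sort-Object Count -Descending | Select-Object Count, Name

# On a DC (elevated), replace $samples with live events:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() }
```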


2 answers

  1. Daisy Zhou 30,971 Reputation points Microsoft External Staff
    2025-03-04T06:38:46.2766667+00:00

    Hello MasTer,

    Thank you for posting in Q&A forum.

    For Event ID 6037 in PDC, you can check SPN like **HOST/...** on machine properties (below).

    User's image

    Troubleshooting steps you can try:

    1. Verify DNS and Computer Name Configuration

    Check that the computer’s DNS names are correctly configured.

    Ensure that any aliases or CNAME records in DNS correspond properly to the actual computer name.

    2. Check Service Configuration

    Identify which service running under svchost.exe is causing the event. (Tools like Process Explorer or reviewing the services hosted by a particular svchost.exe instance might help.)

    Ensure that its configuration (especially if it uses a specific account) has the correct SPNs registered.

    3. SPN (Service Principal Name) Issues

    If your environment uses Kerberos authentication, SPNs come into play. An invalid or misconfigured SPN can cause such failures. Use the command “setspn -L <account>” or “setspn -L <computername>” to verify the SPNs.

    For Event ID 36886 in PDC,

    Did you use any certificate for SSL connection?
    Or did you make any changes recently on this DC? For example, change the name of Domain Controller.
    If you do not have CA (Certification Authority) role installed and do not use any certificate for SSL connection, you can ignore it.

    Here are similar threads for your reference.

    https://learn.microsoft.com/en-us/answers/questions/327711/windows-2019-server-id-36886

    https://learn.microsoft.com/en-us/archive/msdn-technet-forums/37b6d902-7ef8-4573-ab0b-f9ec0b69f3f1

    For Event ID 3096 in PDC, you can try to reset secure channel password/DC machine password to see if it helps.

    For example:

    On PDC, run netdom resetpwd /s:DCname /ud:mydomain\administrator /pd:*

    Steps:

    User's image

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-netdom-reset-domain-controller-password

    Please run Dcdiag /v on this DC to check its health again.

    And check AD replication again by running commands below on PDC (although you mentioned they are OK).

    repadmin /showrepl >C:\rep1.txt

    repadmin /replsum >C:\rep2.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    Note: Please have all the backup data before you make any changes.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
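
Added example, not from the answer's author: a PowerShell check over `setspn -L` text that reports repeated SPN lines and SPNs whose host part is neither one of the computer's names nor a GUID. `Test-SpnListing` is a hypothetical helper, and the sample lines are a subset of the listing in the question.

```powershell
# Added example: review `setspn -L` output for repeated entries and odd host parts.
function Test-SpnListing {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$DnsDomain
    )
    $local = @($HostName, "$HostName.$DnsDomain")          # names the host answers to
    $guid  = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'  # DC SPNs keyed on a GUID
    $Lines | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/:]+/\S+$' } |      # keep "class/host[/name]" lines only
        Group-Object { $_.ToLowerInvariant() } |           # SPN comparison is case-insensitive
        ForEach-Object {
            $hostPart = ($_.Name -split '/')[1]
            $kind = 'Other'
            if ($local -contains $hostPart) { $kind = 'LocalName' }
            if ($hostPart -match $guid)     { $kind = 'Guid' }
            [pscustomobject]@{ Spn = $_.Name; Count = $_.Count; HostPart = $hostPart; Kind = $kind }
        } |
        Where-Object { $_.Count -gt 1 -or $_.Kind -eq 'Other' }
}

# Subset of the listing posted in the question (header line is skipped by the filter)
$sample = @'
Registered ServicePrincipalNames for CN=statedDC01,OU=Domain Controllers,DC=States,DC=com:
GC/statedDC01.States.com
RPC/155eda5e-43dc-46cc-8ade-5608bf619bbf._msdcs.States.com
ldap/statedDC01/STATES
HOST/statedDC01.states.com
TERMSRV/statedDC01
RestrictedKrbHost/statedDC01.states.com
HOST/statedDC01.states.com
'@ -split "`r?`n"

Test-SpnListing -Lines $sample -HostName 'statedDC01' -DnsDomain 'states.com'

# Live use: Test-SpnListing -Lines (setspn -L $env:COMPUTERNAME) -HostName ... -DnsDomain ...
```

A single account listing cannot show an SPN registered on two different accounts; `setspn -X` searches the domain for those duplicates.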


  2. MasTer 0 Reputation points
    2025-03-07T08:42:59.5633333+00:00

    This was already checked in the beginning. Please see the screenshot below.


    Please let me know if this is related to the event 4625
