3

I'm seeing a lot of ID 4624 Events (Logon Type 3) on a domain controller (Windows Server 2012) and I'm wondering what those events want to tell me.

I've read that 4624 Type 3 events on a domain controller say that there was a network logon on the AD domain but I don't understand what Source Network Address means. Is it where the logon came from or is it the target where the user wants to log in?


mr.proton
  • 133
  • 1
  • 3

2 Answers

0

The source network address would be the address the request originated from, but that could be local host or a means by which the source information isn't included.

You may have come across it already but the following includes plenty of detail along with some useful auditing approaches:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Hope that helps

MStarling
  • 16
  • 3
  • So the Source Network Address is always where the logon came from, no matter if I see this event on a client, server or on the domain controller? – mr.proton Dec 31 '19 at 16:20
  • @mr.proton yes in this case it represents the source of the network logon. – MStarling Dec 31 '19 at 18:24
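An added example, not code from the question or from either answer: it reads 4624 events as XML (live from the Security log on the DC, or from the constructed sample events at the bottom), keeps Logon Type 3 only, and groups them by Source Network Address (the EventData field `IpAddress`). It separates the blank (`-`) and loopback values mentioned in the answer above from real remote sources, and unwraps the `::ffff:a.b.c.d` form Windows sometimes writes for IPv4 clients. Function names and the sample events are my own; the EventData field names are the ones Windows writes into 4624.

```powershell
# Added example (not from the question or the answers). Summarises 4624 Logon Type 3
# events by Source Network Address. Function names and sample events are constructed.

function ConvertFrom-Logon4624Xml {
    # Turns one 4624 event (as XML text) into a flat object with a normalised source.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x    = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = [string]$d.InnerText
        }
        $ip = [string]$data['IpAddress']
        if ($ip -like '::ffff:*') { $ip = $ip.Substring(7) }   # IPv4-mapped IPv6 form
        $category = switch ($ip) {
            { [string]::IsNullOrEmpty($_) -or $_ -eq '-' } { 'NotRecorded'; break }
            { $_ -in @('127.0.0.1', '::1') }               { 'Loopback';    break }
            default                                        { 'Remote' }
        }
        if ($category -eq 'NotRecorded') { $ip = '-' }
        [pscustomobject]@{
            LogonType      = $data['LogonType']
            TargetUserName = $data['TargetUserName']
            Workstation    = $data['WorkstationName']
            Source         = $ip
            Category       = $category
        }
    }
}

function Group-Type3BySource {
    # Keeps Logon Type 3 (network) events and counts them per source address.
    param([Parameter(ValueFromPipeline)][psobject]$Logon)
    begin { $all = @() }
    process { if ($Logon.LogonType -eq '3') { $all += $Logon } }
    end {
        $all | Group-Object Source, Category | ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Group[0].Source
                Category = $_.Group[0].Category
                Count    = $_.Count
                Users    = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
    }
}

function New-Sample4624Xml {
    # Constructed sample event, not a real DC event: only the fields used above.
    param($LogonType, $User, $Workstation, $IpAddress)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$IpAddress</Data>
    <Data Name="IpPort">49832</Data>
  </EventData>
</Event>
"@
}

# Offline run over constructed sample events (addresses and names are made up).
$sample = @(
    (New-Sample4624Xml 3 'alice'      'WS01'  '192.168.10.25'),
    (New-Sample4624Xml 3 'alice'      'WS01'  '::ffff:192.168.10.25'),
    (New-Sample4624Xml 3 'DC01$'      'DC01'  '::1'),
    (New-Sample4624Xml 3 'svc-backup' 'SRV02' '-'),
    (New-Sample4624Xml 2 'bob'        'DC01'  '-')    # interactive logon, filtered out
)
$sample | ConvertFrom-Logon4624Xml | Group-Type3BySource | Format-Table -AutoSize

# Live on a DC (last 24 hours), same pipeline fed from the Security log:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-24)} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Logon4624Xml | Group-Type3BySource
```

On the sample input the two `alice` events collapse into one `Remote` row for `192.168.10.25`, the `::1` event lands in `Loopback`, and the `-` event in `NotRecorded`; the Type 2 event is dropped. The `Remote` rows are the ones worth reviewing on a DC, since a Type 3 logon from an address that is not a known client or member server is the case the question is really about.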
0

Validate PTR records and Bind the Site to a Subnet

If you would like to see a network address in the log events there are two things you can do to remediate.

1. In the DNS server, validate that you have a reverse lookup zone. If not, create one with the network address of your hosts' subnet.

2. Open Active Directory Sites and Services. Drill down through 'Sites > Subnets'. Validate a subnet is created with the network address CIDR for the subnet and that it is bound to the site that exists within that subnet (the one your DC is in).

3. On the DC, open an admin cmd prompt and type 'ipconfig /registerdns'

You should now see the PTR record for your DC in the new DNS Reverse Lookup Zone. If you have additional subnets with hosts in them, create reverse lookup zones for those hosts.

The 'ID 4624 Events (Logon Type 3)' information event should now show the subnet. The type 3 event is when the client accesses the netlogon and/or sysvol shares for logon scripts or group policy enumeration and application.

Citizen
  • 1,103
  • 1
  • 10
  • 19
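An added example, not part of the answer above: it scripts the answer's three steps (reverse lookup zone, AD Sites and Services subnet, DNS registration) with the DnsServer, ActiveDirectory and DnsClient modules that ship with Windows Server 2012 and later, and then verifies the DC's PTR record. The subnet, site name and DC address are placeholders to replace with your own values; the zone-name calculation assumes a /24 subnet.

```powershell
# Added example (not from the answer). Placeholders: replace $Subnet, $Site and $DcIp.
$Subnet = '192.168.10.0/24'          # placeholder: your hosts' subnet in CIDR form
$Site   = 'Default-First-Site-Name'  # placeholder: the AD site the DC belongs to
$DcIp   = '192.168.10.5'             # placeholder: the DC's address in that subnet

Import-Module DnsServer, ActiveDirectory, DnsClient

# 1. Reverse lookup zone for the subnet (AD-integrated, replicated domain-wide).
#    For a /24, Windows names the zone 'c.b.a.in-addr.arpa'; the name is computed
#    only to test whether the zone already exists (assumes a /24 subnet).
$octets   = ($Subnet -split '/')[0] -split '\.'
$zoneName = "$($octets[2]).$($octets[1]).$($octets[0]).in-addr.arpa"
if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope Domain
    Write-Host "Created reverse lookup zone $zoneName"
}

# 2. Subnet object under Sites > Subnets, bound to the DC's site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $Site
    Write-Host "Created subnet $Subnet bound to site $Site"
}

# 3. Re-register the DC's A and PTR records (equivalent to 'ipconfig /registerdns').
Register-DnsClient

# Verify: the PTR for the DC should now resolve to its FQDN.
Resolve-DnsName -Name $DcIp -Type PTR | Select-Object Name, NameHost
```

Run it in an elevated PowerShell on the DC. If the last line returns no PTR record, DNS replication has simply not caught up yet or the client registration was refused; re-run `Register-DnsClient` after a few minutes before changing anything else.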