Channel: Directory Services forum

Windows security log - flooded with Error Code: 0xC0000371


Hi Everyone,

My Cisco Ironport e-mail gateway is connected to Windows AD servers. Every time a new e-mail comes in, Cisco Ironport tries to establish a connection to one of our AD servers and checks whether the recipient e-mail address exists in AD. If not, the e-mail is rejected. More or less, this is how my system is integrated with AD. A few days ago the Windows team told me that my system is trying to open too many connections to AD and, as a result, the Windows Security log is flooded (>6mln) with this kind of error:

#################

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=GLS0020.torp.mir TaskCategory=Credential Validation OpCode=Info RecordNumber=1363466953 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: TEC-LDAP-I-IRON1 Source Workstation: GLS0020 Error Code: 0xC0000371

#################

As I see in the AD client logs (Ironport LDAP logs), Ironport is trying to establish 1 connection to the AD server, but AD is rejecting it. After several tries the connection is established. Sometimes the connection is established after 2-10 tries and sometimes after more than 1000.

########### Ironport ldap log

Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) to server InternLDAP (10.201.134.182,10.201.134.183:636)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connected to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) lookup success, (10.201.134.183:636) returned 0 results
Mon Nov 26 15:36:16 2018 Info: LDAP: Bounce query InternLDAP.ldapaccept MID 136648 RID 0 address sdfsdf@testdomain.de
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connected to server

########### Ironport ldap log

Is it normal that the AD server is rejecting so many connections?

I have asked the Windows team to enable debug mode for the AD server, just to check what the reason is that AD is rejecting 90% of connections. They told me that this is not possible. Is it true? Is it really not possible to check in Windows Servers why the system is rejecting connections?

What exactly does this error mean:

Error Code: 0xC0000371

Every time AD rejects a connection this error appears. What does it mean?

Thanks in advance for any support.

Cheers

Konrad
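
A triage sketch for a flood like the one described above, added here as an example and not part of the original post: it groups flattened 4776 failure records by account, source workstation and error code, and marks groups where the source workstation is the logging server itself (as in the quoted event, GLS0020 on GLS0020.torp.mir). The function names and the two records labelled constructed are assumptions made for illustration.

```python
import re
from collections import Counter

# Field patterns for a 4776 record flattened to one line, as quoted in the post.
FIELDS = {
    "event": re.compile(r"EventCode=(\d+)"),
    "computer": re.compile(r"ComputerName=(\S+)"),
    "keywords": re.compile(r"Keywords=(Audit \w+)"),
    "account": re.compile(r"Logon Account:\s*(.*?)\s*Source Workstation:"),
    "workstation": re.compile(r"Source Workstation:\s*(.*?)\s*Error Code:"),
    "code": re.compile(r"Error Code:\s*(0x[0-9A-Fa-f]+)"),
}

def parse_record(line):
    """Return the fields of one record; a field that is absent becomes ''."""
    rec = {}
    for name, rx in FIELDS.items():
        m = rx.search(line)
        rec[name] = m.group(1) if m else ""
    return rec

def summarize_failures(lines):
    """Count 4776 audit failures per (account, workstation, code, is_local).

    is_local is True when Source Workstation equals the host part of
    ComputerName, i.e. the event names the logging server as its own source.
    """
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["event"] != "4776" or rec["keywords"] != "Audit Failure":
            continue  # skip other event IDs and successful validations
        host = rec["computer"].split(".")[0].lower()
        ws = rec["workstation"]
        is_local = bool(ws) and ws.lower() == host
        counts[(rec["account"], ws, rec["code"].lower(), is_local)] += 1
    return counts.most_common()  # busiest combination first

# Record taken from the post (fields not used by the parser omitted).
PAGE_RECORD = ("LogName=Security EventCode=4776 ComputerName=GLS0020.torp.mir "
               "Keywords=Audit Failure Logon Account: TEC-LDAP-I-IRON1 "
               "Source Workstation: GLS0020 Error Code: 0xC0000371")
# Constructed records (not from the post): one success, one unrelated failure.
CONSTRUCTED = [
    "EventCode=4776 ComputerName=GLS0020.torp.mir Keywords=Audit Success "
    "Logon Account: example-user Source Workstation: WKS-EXAMPLE Error Code: 0x0",
    "EventCode=4776 ComputerName=GLS0020.torp.mir Keywords=Audit Failure "
    "Logon Account: example-user Source Workstation: WKS-EXAMPLE Error Code: 0xC000006A",
]

if __name__ == "__main__":
    for key, n in summarize_failures([PAGE_RECORD, PAGE_RECORD] + CONSTRUCTED):
        print(n, key)
```

Run over an export of the Security log, the first row of the result shows which account, source and error code combination accounts for most of the volume.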

