
AD Accounts constantly being locked out

Status
Not open for further replies.

Tanmar

IS-IT--Management
Dec 5, 2007
4
CA
We have a 2000 server network, 1 PDC, 1 BDC. Last week we had numerous (15-20 possibly) accounts show as locked on us for no reason. The users were already logged into their systems. We reset them all, had a few troubles with a few where it took more than once to reset, but it worked...until this afternoon. Now we are having the same issue. Probably about 20 or so accounts (if not more) coming up as locked again. The audit logs are showing "Authentication Ticket Request Failed" and "Pre-authentication failed" entries all over the place.

Is this a known issue? Can't seem to find anything on it anywhere! :(

Thanks for any assistance!
 
Pulling this from a brain cell way in the back of my head, but if I remember correctly I thought this was a server time issue. Check the server times and make sure they are accurate. If the time looks accurate, run a dcdiag and netdiag and report back any errors.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: StJohns1\PALYHZ1
Starting test: Connectivity
......................... PALYHZ1 passed test Connectivity

Doing primary tests

Testing server: StJohns1\PALYHZ1
Starting test: Replications
......................... PALYHZ1 passed test Replications
Starting test: NCSecDesc
......................... PALYHZ1 passed test NCSecDesc
Starting test: NetLogons
......................... PALYHZ1 passed test NetLogons
Starting test: Advertising
......................... PALYHZ1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PALYHZ1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PALYHZ1 passed test RidManager
Starting test: MachineAccount
......................... PALYHZ1 passed test MachineAccount
Starting test: Services
......................... PALYHZ1 passed test Services
Starting test: ObjectsReplicated
......................... PALYHZ1 passed test ObjectsReplicated
Starting test: frssysvol
......................... PALYHZ1 passed test frssysvol
Starting test: kccevent
......................... PALYHZ1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002714
Time Generated: 12/05/2007 13:44:18
Event String: DCOM got error "%997" and was unable to logon
An Error Event occured. EventID: 0x0000041B
Time Generated: 12/05/2007 14:07:50
Event String: The DHCP/BINL service has determined that it is
An Error Event occured. EventID: 0x00000457
Time Generated: 12/05/2007 14:34:00
Event String: Driver EPSON Stylus Photo R800 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 12/05/2007 14:34:00
Event String: The printer could not be installed.
......................... PALYHZ1 failed test systemlog

Running enterprise tests on : provair.com
Starting test: Intersite
......................... provair.com passed test Intersite
Starting test: FsmoCheck
......................... provair.com passed test FsmoCheck
 
And now we have found this (see attached)
Code:
[img]http://i5.photobucket.com/albums/y172/tanmar/PAL/Server/4.jpg[/img]

[img]http://i5.photobucket.com/albums/y172/tanmar/PAL/Server/3.jpg[/img]

[img]http://i5.photobucket.com/albums/y172/tanmar/PAL/Server/2.jpg[/img]

[img]http://i5.photobucket.com/albums/y172/tanmar/PAL/Server/1.jpg[/img]
 
FWIW, there is no such thing as a PDC or BDC in Active Directory. The closest thing to it is the PDC Emulator FSMO role.
 
Tanmar,

Are your users having to change their passwords just before this happens?

I have encountered this problem when a user left themselves logged into one computer, then changed their domain password on another computer. That just kept locking out their account because the original machine kept trying to authenticate with the original password. Finding which machine they originally logged into (and left themselves logged in) can be a challenge!

I've also had this happen if they have some batch file that runs under their account. When the password changes, that batch file keeps trying to authenticate using the old password.

Good luck.

Kmills
 
This could also be caused by a virus/malware infection on machine(s) in your network, and it is also possible that you have an intrusion into your network and they are trying to hack some user accounts to gain access to your domain.

Good luck,
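Added example, not part of any post in this thread: a triage pass over the "Pre-authentication failed" (675) and "Authentication Ticket Request Failed" (676) audit entries that separates the three causes suggested so far: clock skew, one machine replaying an old password for one user, and one machine failing logons for many users. It assumes the event descriptions were exported one per line with their User Name, Failure Code and Client Address fields; the sample lines, user names and addresses are constructed.

```python
import re
from collections import defaultdict

PREAUTH_FAILED = 0x18  # Kerberos KDC_ERR_PREAUTH_FAILED: wrong password supplied
CLOCK_SKEW = 0x25      # Kerberos KRB_AP_ERR_SKEW: client clock too far from the DC's

FIELD = re.compile(r"(User Name|Failure Code|Client Address):\s*(\S+)")

# Constructed sample: event ID followed by the description flattened to one line.
SAMPLE = """\
675 Pre-authentication failed: User Name: asmith Failure Code: 0x18 Client Address: 10.0.0.21
675 Pre-authentication failed: User Name: asmith Failure Code: 0x18 Client Address: 10.0.0.21
676 Authentication Ticket Request Failed: User Name: asmith Failure Code: 0x12 Client Address: 10.0.0.21
675 Pre-authentication failed: User Name: bjones Failure Code: 0x18 Client Address: 10.0.0.77
675 Pre-authentication failed: User Name: cdoe Failure Code: 0x18 Client Address: 10.0.0.77
675 Pre-authentication failed: User Name: dlee Failure Code: 0x18 Client Address: 10.0.0.77
675 Pre-authentication failed: User Name: efox Failure Code: 0x25 Client Address: 10.0.0.40
"""

def parse(text):
    """Return (user, failure_code, client_address) for every line carrying all three fields."""
    events = []
    for line in text.splitlines():
        f = dict(FIELD.findall(line))
        if len(f) == 3:
            events.append((f["User Name"].lower(), int(f["Failure Code"], 16), f["Client Address"]))
    return events

def triage(events, many_users=3):
    """Group failures by source so each suspected cause points at specific machines."""
    users_by_host, hosts_by_user, skewed = defaultdict(set), defaultdict(set), set()
    for user, code, host in events:
        if code == CLOCK_SKEW:
            skewed.add(host)                      # fix the time source on these hosts
        elif code == PREAUTH_FAILED:
            users_by_host[host].add(user)
            hosts_by_user[user].add(host)
    # One address failing for many accounts: inspect that machine for malware or guessing.
    multi = {h: sorted(u) for h, u in users_by_host.items() if len(u) >= many_users}
    # One account failing from a single address: stale session, service or batch job there.
    single = {u: next(iter(h)) for u, h in hosts_by_user.items()
              if len(h) == 1 and next(iter(h)) not in multi}
    return {"clock_skew_hosts": sorted(skewed), "multi_user_hosts": multi,
            "single_host_users": single}

if __name__ == "__main__":
    for finding, detail in triage(parse(SAMPLE)).items():
        print(finding, detail)
```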
 
We have a DC as the time server, and all users get their time from this controller. We have several servers on the domain. These should be referencing the main server for the time as well, correct?

None of the users have tried to reset their passwords just before this happens. Have started scanning for virus and malware. Not sure what else it could be.
 
Take a close look at your event logs and look for issues with AD synchronization. Your issue sounds to me like you have a DC that has Kerberos issues and is likely not getting AD updates.

I had a similar issue and ended up writing an FAQ on the ordeal to resolve it: faq96-4733.

Do a quick check from EACH DC you have and execute NETDOM QUERY FSMO.

If all of your servers don't agree with who holds all the FSMO roles then you likely have the same issue as I had in my FAQ.

I hope you find this post helpful.

Regards,

Mark

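Added example, not part of the post above or of the FAQ it mentions: a comparison of the NETDOM QUERY FSMO output collected from each DC that reports every role on which the DCs disagree. The output layout (role label, two or more spaces, holder name) is an assumption, and the DC names and captured text are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: text saved from running NETDOM QUERY FSMO on each DC.
OUTPUTS = {
    "dc1": """\
Schema owner                dc1.example.local
Domain role owner           dc1.example.local
PDC role                    dc1.example.local
RID pool manager            dc1.example.local
Infrastructure owner        dc1.example.local
The command completed successfully.
""",
    "dc2": """\
Schema owner                dc1.example.local
Domain role owner           dc1.example.local
PDC role                    dc2.example.local
RID pool manager            dc2.example.local
Infrastructure owner        dc1.example.local
The command completed successfully.
""",
}

# Role label, a gap of two or more spaces, then a single token naming the holder.
ROW = re.compile(r"^(\S.*?)\s{2,}(\S+)\s*$")

def parse_fsmo(text):
    """Map each role label to the holder this DC reports (both lower-cased)."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # status lines have no wide gap, so they are skipped
            roles[m.group(1).lower()] = m.group(2).lower()
    return roles

def disagreements(outputs):
    """Return {role: {holder: [DCs reporting that holder]}} for roles with more than one answer."""
    views = defaultdict(lambda: defaultdict(list))
    for dc, text in outputs.items():
        for role, holder in parse_fsmo(text).items():
            views[role][holder].append(dc)
    return {role: {h: sorted(dcs) for h, dcs in holders.items()}
            for role, holders in views.items() if len(holders) > 1}

if __name__ == "__main__":
    for role, holders in disagreements(OUTPUTS).items():
        print(role, holders)
```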
 