Domain Accounts Locked Automatically

Hi,

I have three Windows Server 2012 R2 domain controllers on three different subnets and Windows 8.1 and Windows 7 clients.

Frequently, users' domain accounts lock automatically or their sessions with the domain controller are lost automatically (at random), due to which, when they open Internet Explorer for internet access (proxy server: TMG), they are asked to provide authentication. I checked Event Viewer and found the following logs.

Event ID : 4776

The computer attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    abcd.zyx
Source Workstation:    FNC-AHSAN
Error Code:    0xC0000071

Event ID : 4771

Kerberos pre-authentication failed.

Account Information:
    Security ID:        CSAPLHO\hasnain.abbas
    Account Name:        hasnain.abbas

Service Information:
    Service Name:        krbtgt/CSAPLHO.PK

Network Information:
    Client Address:        ::ffff:10.1.0.47
    Client Port:        2751

Additional Information:
    Ticket Options:        0x40810010
    Failure Code:        0x12
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:     
    Certificate Thumbprint:        

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

I restarted all domain controllers but am still not able to find any solution. Please help and advise.

January 31st, 2015 9:43am

Hi Osama,

Did you check the replication status between the domain controllers? Run the commands "repadmin /showrepl" and "dcdiag /test:DNS" and post the results here.

Thanks,

Umesh.S.K

January 31st, 2015 12:09pm

I would recommend checking that your DCs are in a healthy state and that your AD replication is fine using dcdiag and repadmin commands. You can also refer to the recommendations I shared in this Wiki: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx

Also, you can refer to that to troubleshoot Account Lockouts: https://dirteam.com/paul/2012/04/23/user-account-lockout-troubleshooting/

EventCombMT can be used to collect the events: https://support.microsoft.com/kb/824209?wa=wsignin1.0

February 1st, 2015 12:00pm
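The events quoted in the original post, and the event collection suggested in the reply above (EventCombMT), as an added PowerShell example that is not part of the thread. It decodes the 4776 error code and the 4771 failure code, pulls both event types from every DC with Get-WinEvent, and reads event 4740 on the PDC emulator, which names the computer that caused each lockout. In the quoted events, 0xC0000071 is STATUS_PASSWORD_EXPIRED and 0x12 is KDC_ERR_CLIENT_REVOKED, which the KDC returns for locked-out, disabled and expired accounts alike, so a 4771 on its own does not say which applies. The script assumes the ActiveDirectory RSAT module, rights to read the Security log on the DCs, and a reachable PDC emulator; the account name is the one from the thread.

```powershell
# Added example, not code from the thread. Decodes the 4776/4771 failures quoted in the
# original post and collects lockout evidence the way EventCombMT would, but with
# Get-WinEvent. Assumes the ActiveDirectory RSAT module, rights to read the Security
# log on every DC, and that the PDC emulator is reachable.
#Requires -Modules ActiveDirectory

# NTSTATUS values reported in the "Error Code" field of event 4776 (NTLM).
$NtlmStatus = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER (user name does not exist)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE (bad user name or authentication info)'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Kerberos error codes reported in the "Failure Code" field of event 4771 (RFC 4120).
$KrbFailure = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (user not found)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function Resolve-AuthFailure {
    # Map an event id plus its raw code to a readable reason. Hashtable string keys are
    # case-insensitive in PowerShell, so '0xc0000071' as written in the event XML matches too.
    param([Parameter(Mandatory)][int]$EventId, [Parameter(Mandatory)][string]$Code)
    $table = if ($EventId -eq 4771) { $KrbFailure } else { $NtlmStatus }
    if ($table.ContainsKey($Code)) { $table[$Code] } else { "unknown code $Code" }
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> elements into a hashtable keyed by Name.
    param([Parameter(Mandatory)]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-AuthFailure {
    # 4771 (Kerberos pre-auth) and 4776 (NTLM) failures logged on one DC, with the source
    # the DC recorded: client IP for Kerberos, workstation name for NTLM.
    param([Parameter(Mandatory)][string]$DomainController, [string]$Account, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        $src = if ($_.Id -eq 4771) { $d['IpAddress'] -replace '^::ffff:', '' } else { $d['Workstation'] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $DomainController
            EventId = $_.Id
            Account = $d['TargetUserName']
            Source  = $src
            Code    = $d['Status']
            Reason  = Resolve-AuthFailure -EventId $_.Id -Code $d['Status']
        }
      } | Where-Object { -not $Account -or $_.Account -eq $Account }
}

function Get-LockoutOrigin {
    # Every lockout is forwarded to the PDC emulator, so its 4740 events name the computer
    # that sent the final bad password ("Caller Computer Name", which the event stores in
    # the TargetDomainName field).
    param([string]$Account, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; CallerComputer = $d['TargetDomainName']; PDC = $pdc }
      } | Where-Object { -not $Account -or $_.Account -eq $Account }
}

# --- usage ---------------------------------------------------------------------
# 1. The two events quoted in the original post, decoded without touching a DC:
Resolve-AuthFailure -EventId 4776 -Code '0xC0000071'   # STATUS_PASSWORD_EXPIRED
Resolve-AuthFailure -EventId 4771 -Code '0x12'         # KDC_ERR_CLIENT_REVOKED (...)

# 2. Where did the lockouts come from, and what is still failing from those hosts?
Get-LockoutOrigin -Account 'hasnain.abbas' | Format-Table -AutoSize

$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object { Get-AuthFailure -DomainController $_ -Account 'hasnain.abbas' } |
    Group-Object Source, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from a DC or a management host with RSAT. A single source that keeps failing with STATUS_WRONG_PASSWORD or KDC_ERR_PREAUTH_FAILED shortly before each 4740 is the host whose credential needs fixing. One caveat for this thread's setup: the Caller Computer Name is whatever host presented the credential to the DC, so when a proxy such as TMG authenticates users on their behalf it may be the proxy itself that appears, and the proxy's own web log is then needed to get back to the client.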

This error message doesn't tell us more than the account is locked out. So go through the basics of account lockout troubleshooting:

If you still cannot figure out what is going on after this, keep us posted.

February 1st, 2015 9:15pm

Replication seems to be working fine. Here are the results:

Repadmin: running command /showrepl against full DC localhost

CSAPLHO\HO-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 3823f54e-4f02-4df0-9531-041e5f930b88
DSA invocationID: 8e802778-b249-41af-91e2-651e2457194a

==== INBOUND NEIGHBORS ======================================

DC=csaplho,DC=pk
    CSAPLHO\HO-ADC via RPC
        DSA object GUID: 310f3e45-92f9-4494-bd93-dcf7ad28c0fb
        Last attempt @ 2015-02-02 15:01:26 was successful.
    COADC\ADC-CO-DOMAIN via RPC
        DSA object GUID: b1280194-b6b0-4be6-9543-6c71e4ffb46b
        Last attempt @ 2015-02-02 15:06:19 was successful.
    JRN\CSJRN-ADC via RPC
        DSA object GUID: 2e52c60b-496b-4a25-88ef-e66eb0650ce4
        Last attempt @ 2015-02-02 15:06:23 was successful.
    NRA\CSNRA-ADC via RPC
        DSA object GUID: cac7c492-4288-4610-a94d-dc738a68523c
        Last attempt @ 2015-02-02 15:06:23 was successful.

CN=Configuration,DC=csaplho,DC=pk
    CSAPLHO\HO-ADC via RPC
        DSA object GUID: 310f3e45-92f9-4494-bd93-dcf7ad28c0fb
        Last attempt @ 2015-02-02 14:51:19 was successful.
    COADC\ADC-CO-DOMAIN via RPC
        DSA object GUID: b1280194-b6b0-4be6-9543-6c71e4ffb46b
        Last attempt @ 2015-02-02 15:06:20 was successful.
    JRN\CSJRN-ADC via RPC
        DSA object GUID: 2e52c60b-496b-4a25-88ef-e66eb0650ce4
        Last attempt @ 2015-02-02 15:06:21 was successful.
    NRA\CSNRA-ADC via RPC
        DSA object GUID: cac7c492-4288-4610-a94d-dc738a68523c
        Last attempt @ 2015-02-02 15:06:22 was successful.

CN=Schema,CN=Configuration,DC=csaplho,DC=pk
    CSAPLHO\HO-ADC via RPC
        DSA object GUID: 310f3e45-92f9-4494-bd93-dcf7ad28c0fb
        Last attempt @ 2015-02-02 14:51:19 was successful.
    COADC\ADC-CO-DOMAIN via RPC
        DSA object GUID: b1280194-b6b0-4be6-9543-6c71e4ffb46b
        Last attempt @ 2015-02-02 15:06:22 was successful.
    JRN\CSJRN-ADC via RPC
        DSA object GUID: 2e52c60b-496b-4a25-88ef-e66eb0650ce4
        Last attempt @ 2015-02-02 15:06:22 was successful.
    NRA\CSNRA-ADC via RPC
        DSA object GUID: cac7c492-4288-4610-a94d-dc738a68523c
        Last attempt @ 2015-02-02 15:06:23 was successful.

DC=ForestDnsZones,DC=csaplho,DC=pk
    CSAPLHO\HO-ADC via RPC
        DSA object GUID: 310f3e45-92f9-4494-bd93-dcf7ad28c0fb
        Last attempt @ 2015-02-02 14:54:30 was successful.
    NRA\CSNRA-ADC via RPC
        DSA object GUID: cac7c492-4288-4610-a94d-dc738a68523c
        Last attempt @ 2015-02-02 15:06:23 was successful.
    COADC\ADC-CO-DOMAIN via RPC
        DSA object GUID: b1280194-b6b0-4be6-9543-6c71e4ffb46b
        Last attempt @ 2015-02-02 15:06:23 was successful.
    JRN\CSJRN-ADC via RPC
        DSA object GUID: 2e52c60b-496b-4a25-88ef-e66eb0650ce4
        Last attempt @ 2015-02-02 15:06:23 was successful.

DC=DomainDnsZones,DC=csaplho,DC=pk
    CSAPLHO\HO-ADC via RPC
        DSA object GUID: 310f3e45-92f9-4494-bd93-dcf7ad28c0fb
        Last attempt @ 2015-02-02 14:54:33 was successful.
    NRA\CSNRA-ADC via RPC
        DSA object GUID: cac7c492-4288-4610-a94d-dc738a68523c
        Last attempt @ 2015-02-02 15:06:23 was successful.
    COADC\ADC-CO-DOMAIN via RPC
        DSA object GUID: b1280194-b6b0-4be6-9543-6c71e4ffb46b
        Last attempt @ 2015-02-02 15:06:23 was successful.
    JRN\CSJRN-ADC via RPC
        DSA object GUID: 2e52c60b-496b-4a25-88ef-e66eb0650ce4
        Last attempt @ 2015-02-02 15:06:23 was successful.

February 2nd, 2015 5:16am

Here is the DNS diag:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HO-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: CSAPLHO\HO-DC
      Starting test: Connectivity
         ......................... HO-DC passed test Connectivity

Doing primary tests

   Testing server: CSAPLHO\HO-DC
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... HO-DC passed test DNS

   Running partition tests on : DomainDnsZones
   Running partition tests on : ForestDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : csaplho

   Running enterprise tests on : csaplho.pk
      Starting test: DNS
         Test results for domain controllers:

            DC: HO-DC.csaplho.pk
            Domain: csaplho.pk

               TEST: Delegations (Del)
                  Error: DNS server: csaples.csapl.pk. IP:<Unavailable>
                  [Missing glue A record]

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: csaplho.pk
               HO-DC                        PASS PASS PASS FAIL PASS PASS n/a

         ......................... csaplho.pk failed test DNS

February 2nd, 2015 5:17am

Hi Osama,

TEST: Delegations (Del)
   Error: DNS server: csaples.csapl.pk. IP:<Unavailable>

Can you fix this issue by adding a glue A record for the above DNS server? Then run the command below.

repadmin /syncall

Thanks,

Umesh.S.K

February 2nd, 2015 6:19am

Well, cleaning and optimizing are definitely something to do on a regular basis. But what would this delegation have to do with the account lockout? I am a bit lost in this post :/
February 2nd, 2015 1:59pm

Hi Umesh,

I also agree with Pierre Audonnet.

But I cleaned it up; below are the results:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HO-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: CSAPLHO\HO-DC
      Starting test: Connectivity
         ......................... HO-DC passed test Connectivity

Doing primary tests

   Testing server: CSAPLHO\HO-DC
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... HO-DC passed test DNS

   Running partition tests on : DomainDnsZones
   Running partition tests on : ForestDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : csaplho

   Running enterprise tests on : csaplho.pk
      Starting test: DNS
         ......................... csaplho.pk passed test DNS

February 3rd, 2015 3:32am

Hi Osama,

I was trying to ensure replication is not having any effect on the account lockout problem. That is the only reason I was stressing fixing any replication issues. So far, replication looks fine. We can find no issues with DNS either. Your dcdiag confirms the same. Now, regarding the account lockout issues:

I have three Windows Server 2012 R2 domain controllers on three different subnets and Windows 8.1 and Windows 7 clients.

Frequently, users' domain accounts lock automatically or their sessions with the domain controller are lost automatically (at random), due to which, when they open Internet Explorer for internet access (proxy server: TMG), they are asked to provide authentication.

Do users on all subnets have this issue, or does it occur at a specific site? When you say sessions are lost automatically, do you mean their RDP session gets disconnected, or what is the error users see? Do users get "your account is locked" when they log on to their machines?

Do they need to provide credentials only to access the internet? Can you check that your TMG server does not have a problem communicating with the nearest domain controller?

Please run the commands below from a few of the users' machines and post the results.

nltest /sc_query:<domainname>

nltest /dsgetsite

nltest /dclist:<domainname>

Thanks,

Umesh.S.K

February 3rd, 2015 3:56am
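The three nltest checks requested above, run across several machines in one go, as an added example that is not from the thread. It assumes PowerShell remoting (WinRM) is enabled on the targets; FNC-AHSAN is the workstation named in the 4776 event of the original post, and TMG-PROXY is a hypothetical name for the TMG server. Test-ComputerSecureChannel is added beside the nltest output because it answers the "communicating with the nearest domain controller" question directly.

```powershell
# Added example, not code from the thread. Runs the three nltest checks requested above
# on several machines at once and adds a secure-channel test beside them.
# Assumptions: WinRM remoting is enabled on the targets; FNC-AHSAN is the workstation
# from the 4776 event and TMG-PROXY is a hypothetical name for the TMG server.
$Domain  = 'csaplho.pk'
$Targets = 'FNC-AHSAN', 'TMG-PROXY'

$report = Invoke-Command -ComputerName $Targets -ArgumentList $Domain -ScriptBlock {
    param($Domain)

    # Which DC holds this machine's secure channel, and is the channel usable?
    # nltest prints "Trusted DC Name \\dc.fqdn" and "Trusted DC Connection Status ...".
    $sc        = nltest "/sc_query:$Domain" 2>&1
    $trustedDc = ($sc | Select-String 'Trusted DC Name' | ForEach-Object { ($_.Line -split '\\\\')[-1].Trim() })
    $scStatus  = ($sc | Select-String 'Connection Status' | ForEach-Object { $_.Line.Trim() })

    # Which AD site does the machine think it is in? (first output line of /dsgetsite)
    $site = (nltest /dsgetsite 2>&1 | Select-Object -First 1).Trim()

    # How many DCs can the machine enumerate? DC lines carry role/site tags in brackets.
    $dcLines = nltest "/dclist:$Domain" 2>&1 | Select-String '\[' | ForEach-Object { $_.Line.Trim() }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Site          = $site
        TrustedDC     = $trustedDc
        ChannelStatus = $scStatus
        # $true only if the machine account password still works against the DC.
        SecureChannel = Test-ComputerSecureChannel
        DcsSeen       = @($dcLines).Count
        Dcs           = ($dcLines -join '; ')
    }
}

$report | Sort-Object Computer | Format-List
```

A SecureChannel of $false, or a ChannelStatus other than NERR_Success, means the machine cannot authenticate to the DC it is bound to, which would produce credential prompts on its own. One related check cannot be done this way: saved credentials live in the per-user vault, so looking for a stored proxy password that predates a password change (a usual suspect when only the proxy prompts) with cmdkey /list has to be done in the affected user's own session, not over Invoke-Command, which would only show the administrator's vault.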

Hi Osama,

Any update on the issue?

Thanks,

Umesh.S.K

February 8th, 2015 12:13pm

Apologies for not replying.

No, we have three sites, all connected with layer-2 connectivity.

Users are just asked for authentication while browsing the internet through the TMG server.

March 18th, 2015 10:25am

Hi Osama,

Can you check this link?

https://support.microsoft.com/en-us/kb/886996?wa=wsignin1.0

Thanks,

Umesh.S.K

March 18th, 2015 2:12pm

Hi Osama,

It has been many days. Any update on the issue? Were you able to resolve the issue? Please let us know if you need further assistance.

Thanks,

Umesh.S.K

April 3rd, 2015 1:58am
