
Why do our AD user accounts frequently become locked out?

Problem: Almost all AD user accounts become "locked out" about once a day (and sometimes more), simultaneously.

This seems to occur during high traffic times of the day such as in the morning, after lunch and at the end of the day, but also happens frequently over the weekend.

General Info:

- Our network has two sites (a "home" site and a "remote" site). For the most part, accounts in the remote site do not become locked out.

- We have 2 DCs in the home site and one at the remote site. We have 144 kbps IDSL Internet access out at the remote location. We run a VPN using SonicWall firewalls between the locations, with a single domain.

- The domain is in mixed mode; there are no NT BDCs, but some Windows 9X machines.

- In the Domain Security Policy and the Account Lockout Policy, all settings are set to "not defined."

- The network infrastructure is not in very good shape at either location. Workgroup hubs are daisy-chained off other hubs.

Info from the logs on the main AD server (PDC emulator; it also hosts all the other operations master roles, plus DNS and DHCP):

- Directory Service log has the following errors/warnings: Warning 1083 "The Directory is busy. Couldn't update object"

- DNS log has the following errors/warnings:

  - Warning 409: "The DNS server list of restricted interfaces contains IP addresses that are not configured for use at this server."

  - Warning 5504: The DNS server encountered an invalid domain name in packet from or Invalid domain name.

  - Error 4004: Unable to complete directory service enumeration

  - Error 6702: DNS server has updated its own A record. Tried to update peers through dynamic update. Error occurred updating replication partners. If DNS server does not have peers ignore.

- Replication log has the following errors/warnings:

  - Warning 13508: Having difficulty replicating. (Replication of Directory Services has trouble between the DC at the remote site and the DCs at the main site, probably due to the slow 144 kbps IDSL connection out at the remote site. Replication is set to run only during off hours. FRS has trouble replicating between the DCs at the home site as well.)

  - Warning 13509: Replication successful

  - Warning 1803: Replication warning. Directory is busy. It couldn't update object.

This looks like one of two things:

1) The most likely one is that replication is not occurring correctly. The systems' times may be off (anything more than a couple of minutes will disable much functionality). Use the Windows 2000/03 Resource Kit tool called ReplMon to help diagnose the issue.

2) Someone has built another domain with the same name as your domain on the network. This could have been someone building a test lab or erroneously answering questions while promoting a DC.
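As an added example (not part of the original answer), a PowerShell script that carries out the checks the answer points to: clock skew between each DC and the PDC emulator, replication health, which DC answers for the domain name, and the accounts currently locked out. It assumes the ActiveDirectory module and the w32tm, repadmin and nltest tools are available and that the caller can read the domain; the 300-second limit is the default Kerberos clock tolerance.

```powershell
# Added example, not the original answer's code. Assumes the ActiveDirectory module and the
# w32tm, repadmin and nltest tools are on the path; 300 s is the default Kerberos tolerance.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300
$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator
$offsets = @{}

# 1) Clock skew: w32tm /stripchart reports each DC's offset from this machine's clock,
#    so the skew between a DC and the PDC emulator is the difference of the two offsets.
foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $last = (w32tm /stripchart "/computer:$name" /samples:1 /dataonly 2>&1) | Select-Object -Last 1
    if ("$last" -match '([+-]\d+\.\d+)s') { $offsets[$name] = [double]$Matches[1] }
    else { Write-Warning "No time sample from $name : $last" }
}
if (-not $offsets.ContainsKey($pdc)) { throw "No time sample from the PDC emulator $pdc" }
foreach ($name in $offsets.Keys) {
    $skew = [math]::Abs($offsets[$name] - $offsets[$pdc])
    $flag = if ($skew -gt $MaxSkewSeconds) { 'SKEW' } else { 'ok' }
    '{0,-40} {1,8:N1}s vs PDC  {2}' -f $name, $skew, $flag
}

# 2) Replication health: failure counts and time since last success per partner.
repadmin /replsummary

# 3) Which DC answers for the domain name; a second domain with the same name would show
#    up here as an unexpected DC name or address.
nltest "/dsgetdc:$($domain.DNSRoot)" /force

# 4) Accounts currently locked out, to correlate with the skew and replication results.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
```

Run it from a DC or a management host in the home site; on Windows 2000/2003 era domains without the ActiveDirectory module, the w32tm, repadmin and nltest steps still apply on their own.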

