AD locks out all accounts
  • AD locks out all accounts

    Really hope someone can help with this. Since last Wednesday my domain has started to lock out all my user accounts at random intervals. It happened after I rebooted one of my DCs and 12294 SAM errors started appearing in my system log. It appears to happen at random, though it seems to happen more during work hours. It lasted for 24 hours on Saturday/Sunday before locking all the accounts again on Monday.

    Can't think what is causing the lockouts, I have ruled out a virus as Microsoft mention in the knowledge base articles and nothing has changed on the domain apart from the reboot. Any help would be very much appreciated.

  • #2
    Can you post some event logs?
    The only thing that has changed since then was the reboot?
    What kind of Directory are we talking about? w2k? w2k3?
    Thanks
    MCSE w2k
    MCSA w2k - MCSA w2k MESSAGING
    MCDBA SQL2k

    • #3
      I'm not able to post any logs right now. Basically the system log is full of:

      EventID 12294:
      The SAM database was unable to lockout the account of ? due to a resource
      error, such as a hard disk write failure (the specific error code is in the
      error data) . Accounts are locked after a certain number of bad passwords
      are provided so please consider resetting the password of the account
      mentioned above.

      The domain is not in the best of shape. It was originally an NT domain upgraded to Windows 2000 but is still in mixed mode. There are 3 DCs plus 1 NT4 BDC that is still connected. Two of the DCs co-own a cluster.

      Using an account lockout status tool provided by Microsoft it shows that the domain admin account has entered 284 bad passwords. Other accounts show a bad password count of 10.

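The "account lockout status tool" check from the post above, written out as an added example (not code from the thread): badPwdCount, badPasswordTime and lockoutTime are not replicated between DCs, so each DC has to be asked directly, and the DC with the highest count and the most recent bad-password time is the one receiving the failed logons. It assumes the ActiveDirectory PowerShell module on a current domain (the thread's Windows 2000 domain predates it); `administrator` is a placeholder account name.

```powershell
# Added example: ask every DC for its own, non-replicated bad-password
# counters for one account. The DC reporting the highest badPwdCount and
# the newest badPasswordTime is the one the failed logons are hitting,
# which narrows the search for the source (a service, a cluster account,
# a scheduled task, a stale session on a member server).
# Assumes the ActiveDirectory module (RSAT) and read access to each DC.
param(
    [string]$SamAccountName = 'administrator'   # placeholder account to check
)
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            # Both timestamps are Windows FILETIME values; 0 means "never"/"not locked".
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOutSince  = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
        }
    } catch {
        # A DC that cannot be reached (for example one shut down while isolating
        # the problem, as suggested later in the thread) is reported, not skipped,
        # so the gap in the picture is visible.
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $null
            LastBadPassword = "unreachable: $($_.Exception.Message)"
            LockedOutSince  = $null
        }
    }
}

# Highest counter first: that DC is where the bad passwords are arriving.
$results | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Run it against the account with the 284 bad passwords and compare the per-DC timestamps with the lockout times in the event log to see whether the failures line up with the rebooted DC.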
      • #4
        Take a peek at this post:

        Description of NTDS Replication Warning IDs 1083 and 1061, and SAM Error ID 12294 Because of an Active Directory Collision
        http://support.microsoft.com/default...b;en-us;306091

        I'll take a look around Event 12294 on a few sites...
        1 + 1 = 11 ... honest!

        • #5
          See if this link can help:

          http://www.eventid.net/display.asp?e...AM&phase=1
          MCSE w2k
          MCSA w2k - MCSA w2k MESSAGING
          MCDBA SQL2k

          • #6
            Certainly looks like some kind of attack...
            1 + 1 = 11 ... honest!

            • #7
              Have you recently changed the administrator's password or something like that... this error can occur if a service is trying to start but the logon for it is wrong...

              Cheers
              1 + 1 = 11 ... honest!

              • #8
                Thanks for the links, I have been working on the problem for a while now so I have pretty much ruled out everything on the links. If it is an attack I can't think where it is coming from, I have locked down the firewall and disabled Webmail; the bad passwords seem to be coming internally.

                I did find that the cluster service on the 2 DCs that run the cluster had an incorrect administrator password on reboot but I have made sure this isn't happening now and people are still getting locked out.

                No security changes have been made to the domain and I have already ruled out a virus.

                The Active Directory collision is a more likely problem. There was another domain in my forest and this has now been removed, but I still see it showing up in DNS and the Active Directory Users and Computers snap-in (I can see it but cannot connect to it).

                • #9
                  Was the domain from the forest removal clean or did it fail along the way? If so, did you clean up the meta-data in NTDS?
                  1 + 1 = 11 ... honest!

                  • #10
                    No the domain did not remove cleanly. I did a /forceremoval on the domain and then cleaned up the meta-data as well. It still shows up in DNS after a cleanup though.

                    • #11
                      You can manually remove DNS entries in the DNS MSC section...

                      ...I don't think, though, that the DNS still having a record will cause this problem. It's more likely meta-data (which you've done)/the Site still exists in AD somewhere... or some kind of attack...

                      Sorry I'm not helping much...
                      1 + 1 = 11 ... honest!

                      • #12
                        Forgot to mention the events described in http://support.microsoft.com/default...b;en-us;306091 (Description of NTDS Replication Warning IDs 1083 and 1061, and SAM Error ID 12294 Because of an Active Directory Collision) do show up in the event log. I don't understand the solution however.

                        The more I think about all this the more I think it is linked to an Active Directory collision. The DC server reboot was the first reboot since the other domain had been installed.

                        • #13
                          Yes, that TechNet post only gives the symptoms, and not a resolution...

                          There is a page linked from that to this:

                          Error Message: The Replication System Encountered an Internal Error
                          http://support.microsoft.com/kb/285858/EN-US/

                          But this only gives info on turning on logging for the error when using DCPROMO... so probably isn't helpful...

                          I'll keep looking... need to go eat though...I'm ravenous!!!
                          1 + 1 = 11 ... honest!

                          • #14
                            Yeah, I know the feeling! Probably going to head home for some sleep but I'll check this thread later. Thanks for the help.

                            • #15
                              Does the lockout storm stop if you shut down the DC that has been rebooted?

                              I would also try to disable the replication on the DCs one by one to try to isolate the source.
                              Guy Teverovsky
                              "Smith & Wesson - the original point and click interface"
