Announcement

Collapse
No announcement yet.

Account Lockout state inconsistent across domain controllers

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Account Lockout state inconsistent across domain controllers

    Hello everyone,

    Looking for a bit of help with a strange problem.

    I have four domain controllers. When an account is locked out (due to multiple invalid logons), two of the DCs correctly report it as locked (the checkbox next to "Account is locked out" is checked). I can then unlock the account by unchecking the checkbox.

    The other two DCs, for some reason, do NOT report the account as locked (the checkbox is grayed out). I used repladmin.exe to see if replication is working, and it is (there are no failures). I am a touch new at this, and searches haven't revealed much. Any ideas as to what could be causing this problem?

  • #2
    Re: Account Lockout state inconsistent across domain controllers

    Well I am the one that is going to go over the simple things, because that is what I do. One of the other guru's will have to help you if it gets complicated

    My first inclination would be to say that the replication is working but it hasn't replicated those changes YET. Sometimes it can take 15+ minutes to replicate certain things and just because one DC knows does not necessarily mean that others know.

    There is no reason that it should be not replicating one attribute. I would create a test account on one of the DC's that you know is not having this issue, lock it out and see what happens when it actually shows up on the other DCs.

    Hope this helps! It probably won't but hey...

    Also which OS are you using?
    Two things:
    1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
    2) I have a tendency to write things that are misconstrued as being agressive or not so pleasant. That is not my intent.

    Comment


    • #3
      Re: Account Lockout state inconsistent across domain controllers

      Lockouts fall under urgent replication, but only to the sites where the PDC and originating DC are located. Other sites receive the update during normal replication.

      You can change this by enabling change-notification between sites.
      Last edited by Garen; 8th June 2010, 23:53.

      Comment


      • #4
        Re: Account Lockout state inconsistent across domain controllers

        Right on, that was exactly the issue.

        Thanks much.

        Comment

        Working...
        X