Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Possible problem with AD2003 replication

Posted on 2010-09-15
3
Medium Priority
?
355 Views
Last Modified: 2012-06-21
I hate when while solving one problem, you run into another but I was having an issue with a user being constantly being locked out. I employed a Microsoft tool called LockOutStatus which helped me solve that problem but may have uncovered another...

I have 3 Windows 2003 AD controllers and the LockOutStatus tool shows the bad password count on all three. For this particular user, the were all different. AD1 showed 7 bad passwords while AD2 showed 4 and AD3 showed 0. This lack of consistency bothers me with respect to replication.

The "Additional Account Info" tab in UAC shows 4 so it's reading from AD2 but is this normal or show all of these match?

How can I tell if I actually do have a replication problem?

Thanks
0
Comment
Question by:Mark Lewis
3 Comments
 
LVL 36

Accepted Solution

by:
Seth Simmons earned 1000 total points
ID: 33688178
You should look at your event logs, specifically directory service for any replication issues.

The fact that different domain controllers show different results for this is normal.  The client will authenticate with the first domain controller it can contact.  It just so happens that AD1 was contacted 7 times and AD2 4 times.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 33688201
That is fine, that attribute badPwdCount is not replicated, more info here (see the remarks section)

http://msdn.microsoft.com/en-us/library/ms675244(VS.85).aspx

Use repadmin  with the /showreps and /showrepl switches to get a quick overview of your replication.

Thanks

Mike
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 33688991
For replication inconsistency check the Repadmin / showreps and it should show the last sucessful replication. as far as account lock out is concerned. Enable netlogon logging on the PDC and the other domain controllers. the logs should show the machine that is throwing the bad password count.

http://support.microsoft.com/kb/109626

0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question