• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 357
  • Last Modified:

Possible problem with AD2003 replication

I hate when while solving one problem, you run into another but I was having an issue with a user being constantly being locked out. I employed a Microsoft tool called LockOutStatus which helped me solve that problem but may have uncovered another...

I have 3 Windows 2003 AD controllers and the LockOutStatus tool shows the bad password count on all three. For this particular user, the were all different. AD1 showed 7 bad passwords while AD2 showed 4 and AD3 showed 0. This lack of consistency bothers me with respect to replication.

The "Additional Account Info" tab in UAC shows 4 so it's reading from AD2 but is this normal or show all of these match?

How can I tell if I actually do have a replication problem?

Thanks
0
Mark Lewis
Asked:
Mark Lewis
2 Solutions
 
Seth SimmonsSr. Systems AdministratorCommented:
You should look at your event logs, specifically directory service for any replication issues.

The fact that different domain controllers show different results for this is normal.  The client will authenticate with the first domain controller it can contact.  It just so happens that AD1 was contacted 7 times and AD2 4 times.
0
 
Mike KlineCommented:
That is fine, that attribute badPwdCount is not replicated, more info here (see the remarks section)

http://msdn.microsoft.com/en-us/library/ms675244(VS.85).aspx

Use repadmin  with the /showreps and /showrepl switches to get a quick overview of your replication.

Thanks

Mike
0
 
Kini pradeepIT Technology Senior ConsultantCommented:
For replication inconsistency check the Repadmin / showreps and it should show the last sucessful replication. as far as account lock out is concerned. Enable netlogon logging on the PDC and the other domain controllers. the logs should show the machine that is throwing the bad password count.

http://support.microsoft.com/kb/109626

0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now