Solved

Possible problem with AD2003 replication

Posted on 2010-09-15
3
303 Views
Last Modified: 2012-06-21
I hate when while solving one problem, you run into another but I was having an issue with a user being constantly being locked out. I employed a Microsoft tool called LockOutStatus which helped me solve that problem but may have uncovered another...

I have 3 Windows 2003 AD controllers and the LockOutStatus tool shows the bad password count on all three. For this particular user, the were all different. AD1 showed 7 bad passwords while AD2 showed 4 and AD3 showed 0. This lack of consistency bothers me with respect to replication.

The "Additional Account Info" tab in UAC shows 4 so it's reading from AD2 but is this normal or show all of these match?

How can I tell if I actually do have a replication problem?

Thanks
0
Comment
Question by:gwbmcse
3 Comments
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 250 total points
Comment Utility
You should look at your event logs, specifically directory service for any replication issues.

The fact that different domain controllers show different results for this is normal.  The client will authenticate with the first domain controller it can contact.  It just so happens that AD1 was contacted 7 times and AD2 4 times.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
Comment Utility
That is fine, that attribute badPwdCount is not replicated, more info here (see the remarks section)

http://msdn.microsoft.com/en-us/library/ms675244(VS.85).aspx

Use repadmin  with the /showreps and /showrepl switches to get a quick overview of your replication.

Thanks

Mike
0
 
LVL 13

Expert Comment

by:Kini pradeep
Comment Utility
For replication inconsistency check the Repadmin / showreps and it should show the last sucessful replication. as far as account lock out is concerned. Enable netlogon logging on the PDC and the other domain controllers. the logs should show the machine that is throwing the bad password count.

http://support.microsoft.com/kb/109626

0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Learn about cloud computing and its benefits for small business owners.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now