Solved

Possible problem with AD2003 replication

Posted on 2010-09-15
3
322 Views
Last Modified: 2012-06-21
I hate when while solving one problem, you run into another but I was having an issue with a user being constantly being locked out. I employed a Microsoft tool called LockOutStatus which helped me solve that problem but may have uncovered another...

I have 3 Windows 2003 AD controllers and the LockOutStatus tool shows the bad password count on all three. For this particular user, the were all different. AD1 showed 7 bad passwords while AD2 showed 4 and AD3 showed 0. This lack of consistency bothers me with respect to replication.

The "Additional Account Info" tab in UAC shows 4 so it's reading from AD2 but is this normal or show all of these match?

How can I tell if I actually do have a replication problem?

Thanks
0
Comment
Question by:gwbmcse
3 Comments
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 250 total points
ID: 33688178
You should look at your event logs, specifically directory service for any replication issues.

The fact that different domain controllers show different results for this is normal.  The client will authenticate with the first domain controller it can contact.  It just so happens that AD1 was contacted 7 times and AD2 4 times.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 33688201
That is fine, that attribute badPwdCount is not replicated, more info here (see the remarks section)

http://msdn.microsoft.com/en-us/library/ms675244(VS.85).aspx

Use repadmin  with the /showreps and /showrepl switches to get a quick overview of your replication.

Thanks

Mike
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 33688991
For replication inconsistency check the Repadmin / showreps and it should show the last sucessful replication. as far as account lock out is concerned. Enable netlogon logging on the PDC and the other domain controllers. the logs should show the machine that is throwing the bad password count.

http://support.microsoft.com/kb/109626

0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question