Solved

Account gets locked when trying to UNC path to a server

Posted on 2011-10-18
Last Modified: 2012-05-12
We are seeing a strange issue on our network. When we try to UNC path to a server, our account gets locked out.

We have a domain with one Server 2008 DC and one 2003 DC.

[Screenshot: UNC error]
Question by:education-dynamics
LVL 30

Expert Comment

by:Rich Weissler
ID: 36989079
Do you log into the workstation using your domain account, or an identically named local account on the workstation?

Are there any replication problems occurring between the DCs?

Is this occurring for one user, or for everyone?  (If a single user: did that user recently change their password?)

On a single UNC path, or any UNC?  (And if one UNC: is it one on the DC or a member server?)

Are the client machine(s) which is trying to access the UNC - Windows 7, Vista?  (I assume not XP from the border of the window...)

Anything relevant in the system or security event logs on the server(s) or client?
0
 

Author Comment

by:education-dynamics
ID: 36989211
My comments in italics


Do you log into the workstation using your domain account, or an identically named local account on the workstation?
We are logging in with our own individual domain admin accounts

Are there any replication problems occurring between the DCs?
none that we are aware of

Is this occurring for one user, or for everyone?  (If a single user: did that user recently change their password?)
this is happening to all of us

On a single UNC path, or any UNC?  (And if one UNC: is it one on the DC or a member server?)
only when we UNC path to the domain controllers. other servers work fine without locking our account

Are the client machine(s) which is trying to access the UNC - Windows 7, Vista?  (I assume not XP from the border of the window...)
correct. all are windows7

Anything relevant in the system or security event logs on the server(s) or client?
Event ID:      56
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRVDC1
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.79.7.3.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 36992238
Is there any consistent behaviour on accessing the UNC using servername or FQDN or IP?  (E.g. IP address sometimes works, servername and FQDN never works?)

The error message looks like it's another part of the symptom of the root problem.  I suspect the root problem may be an intermittent network problem.  If you can, lock down the network speed and duplex settings on each network card _and_ the switch ports.   (You shouldn't have one locked in, and the other using autonegotiate for example.  If you can avoid it... I'd advise against autonegotiated as well.)  If you can, check the server interfaces and switch ports for errors.

Once the network issues are resolved, one possible resulting problem on the servers would be that too many server password exchanges have been lost.  Microsoft has a knowledge base article for resetting those as well.
0
 

Author Comment

by:education-dynamics
ID: 37006706
Razmus - your 1st question made me realize another wrinkle....

We are in domain A. The domain controllers that we are experiencing this issue with are in Domain B. Both A and B domains are on the same LAN, so we use IP address to communicate between the two as these domains are not trusted.

This became an issue (as far as we can tell) when we upgraded domain A's DC to Server 2008. Domain A's other DC is still Server 2003. We have the same issue when UNC pathing to either DC in this domain.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 1500 total points
ID: 37008153
I assume you have the same usernames in both domains?  Are the passwords sync'd between the domains, either by a process or manually?
And I assume it's the accounts in Domain B which are locking out.
I suspect what is happening is that the domain information isn't being specified when you attempt to connect via UNC...  it's presenting credentials for the Domain A user account to the Domain B DC... without any domain information.  Because the DC doesn't have local accounts, and assumes Domain B domain user accounts, it quickly locks out.  (A non-DC in Domain B wouldn't see a lockout because that computer would assume '<localcomputer>/<username>' credentials, which probably wouldn't find a match.)

If the local computer already has usable cached credentials into Domain B (via mapped drive, for example), you probably wouldn't see the lockout.  (Which is why I suspect it doesn't lock out 100% of the time.)

If you have auditing turned on for the DCs in Domain B - login failures, I suspect you'll see the behaviour in the security logs on the Domain B DCs.
0
 

Author Comment

by:education-dynamics
ID: 37019758
No, we do not have the same credentials on both domains, and no they are not sync'd.

Correct, the accounts from domain B are the ones getting locked out.

I am going to try the netdom.exe solution and see if that works. I will post my results.
0
 

Author Comment

by:education-dynamics
ID: 37026304
NETDOM didn't do anything really. I think because we haven't had any password changes.

If I UNC path from a computer in Domain B to the domain controller in Domain A, it should prompt me for credentials since it does not recognize my credentials from Domain B. However, it doesn't. Instead it will lock out my Domain A credentials even though it doesn't even give me a chance to tell it what they are because it doesn't prompt for them.

Confused
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 37096602
Do you have any security logging turned on for Domain B?  I believe by default, nothing will show up in your security logs... you may want to make certain you have audit policies turned on... at least 'audit logon events' - failure, and 'audit account logon events' - failure.  Then in the DC you're hitting in Domain B, the security log may hold the answer to what is going wrong.
0
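Added example, not part of the thread and not code from any poster: with the failure audits from the comment above enabled, this PowerShell sketch reads failed-logon events (ID 4625 on Server 2008 and later) and shows which domain the client actually supplied, which is the behaviour the accepted answer suspects. The function name, DOMAINA, DOMAINB, jsmith, WS01 and 192.0.2.10 are constructed placeholders, and it assumes the DC being checked runs Server 2008 or later.

```powershell
# Added example. Enable the two failure audits named in the comment above
# (elevated prompt on the DC; a domain GPO that defines audit policy wins):
#   auditpol /set /category:"Logon/Logoff"  /failure:enable
#   auditpol /set /category:"Account Logon" /failure:enable

function Get-LogonFailureSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,
        [Parameter(Mandatory = $true)][string]$ExpectedDomain
    )
    foreach ($raw in $EventXml) {
        $e = ([xml]$raw).Event
        if ([int]$e.System.EventID -ne 4625) { continue }   # failed logons only
        # Flatten <Data Name='x'>value</Data> pairs into a lookup table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            User           = $d['TargetUserName']
            SuppliedDomain = $d['TargetDomainName']
            Workstation    = $d['WorkstationName']
            IpAddress      = $d['IpAddress']
            Status         = $d['Status']
            # False means the client did not present credentials for the
            # DC's own domain.
            DomainMatches  = ($d['TargetDomainName'] -eq $ExpectedDomain)
        }
    }
}

# Constructed sample event (trimmed to the fields used above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">DOMAINA</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>
'@
Get-LogonFailureSummary -EventXml $sample -ExpectedDomain 'DOMAINB' | Format-List

# Live use on the DC (elevated):
# $xml = Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4625]]' `
#            -MaxEvents 200 | ForEach-Object { $_.ToXml() }
# Get-LogonFailureSummary -EventXml $xml -ExpectedDomain 'DOMAINB' |
#     Group-Object User, SuppliedDomain, IpAddress | Sort-Object Count -Descending
```

Rows where DomainMatches is False, repeated from the same workstation, point at a client sending credentials for the wrong domain rather than at a mistyped password.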
 

Author Comment

by:education-dynamics
ID: 37096761
Thanks, Razmus. I will look into that.
0

Question has a verified solution.