Main Domain Controller has locked me out

I tried to log into my main Domain Controller today. It has locked  me out . I know that the Domain Admin User name and Password has not changed.  I can log into two other DC's with the same password.

Background:  Recently we lost our ONLY domain controller. We brought an OLD Server 2003 up and dcpromo'ed it to a NEW domain_name.local. We had to recreate new user profiles and transfer all of our data. Once this was accomplished, user could limp along. We purchased a new server (Windows Server 2016). We elevated our Forest and Domain to 2003, then joined the new server to the domain. FISMO roles were moved to the new Server 2016. It was also running Internet Security, DHCP, DNS and Network backup software. We wiped/formatted the  server that crashed and reinstalled the Server 2008 software. Then DCPROMO'ed this server. Our intent was to demote the 2003 server, remove it from the network completely and then use the 2008 server as a secondary DC. The 2008 server proved to be intermittently unreliable (rebooting without cause) so I have not removed the 2003 server yet. Until we can get an additional NEW server, I have moved the FISMO roles BACK to the 2003 server. I will install DNS and DHCP on the old server and redirect the clients. Our  small network is getting far too complex to do this process again. I am going to reboot the 2016 server (hoping that it was an update that caused the problem).... Any other suggestions on how to try accessing this system?

I have tried using THREE Domain Admin accounts and NONE of them will allow me into the 2016 machine... BUT I have access to the 2003 & 2008 machines....
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dean ChafeeIT/InfoSec ManagerCommented:
Sucks for you  ;P
usually an account lockout has a time limit of 15 mins by default, so wait it out and try again. If there is something hitting the account (by brute force or legit attempts with wrong creds) then you wont get in until the attempts are located and stopped.

In this situation, I would isolate the server (unplug any network connections).

That will ensure that nothing is trying to get in from elsewhere using your credentials.

Naveen SharmaCommented:
Check that you don't have any locked remote desktop sessions using the admin account and the old password.

Do you have a backup device maybe using your old credentials?

Tablets/phones/laptops/etc maybe trying to connect to email, VPN, etc?

You might want to try this tool from Microsoft.

Account Lockout and Management Tools:

Few more informative articles may help you to troubleshoot this issue:

Just for testing, try to shut down one of the domain controllers and test if the lockout will happen again probably one DC locks account on another..
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Shaun VermaakTechnical SpecialistCommented:
Did your record the DS Recovery password? Start with F8 and login to DS Recovery mode then check the logs
Dubbi47Author Commented:
From physical location was able to access DC. Issue was replication errors and a bad switch port.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sara TeasdaleCommented:
You can use LockoutStatus.exe tool which is part of Account Lockout and Management tools to identify domain controller that are involved in lock-out user account.

You can refer to following links for information related to troubleshooting account lockout issue:
This 'solution' was posted after the author had already posted that they had solved the issue, and noted what they had done.

Closing the question and awarding yourself all the points seems completely out of order.

If anything, the question should be closed with the only answer being Dubbi47's as I don't think anyone else mentioned checking the switch (I came closest by suggesting physical isolation, and I am not claiming to have solved this).


I see no reason to delete this question - it was a valid question, with a valid solution, and should form part of the collective knowledge-base of EE and the internet.

It should be closed with Dubbi47's answer as the solution:

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.