• Status: Solved

Main Domain Controller has locked me out

I tried to log into my main Domain Controller today. It has locked me out. I know that the Domain Admin user name and password have not changed. I can log into two other DCs with the same password.

Background: Recently we lost our ONLY domain controller. We brought an OLD Server 2003 up and dcpromo'ed it to a NEW domain_name.local. We had to recreate new user profiles and transfer all of our data. Once this was accomplished, users could limp along. We purchased a new server (Windows Server 2016). We elevated our Forest and Domain to 2003, then joined the new server to the domain. FSMO roles were moved to the new Server 2016. It was also running Internet Security, DHCP, DNS and Network backup software. We wiped/formatted the server that crashed and reinstalled the Server 2008 software. Then DCPROMO'ed this server. Our intent was to demote the 2003 server, remove it from the network completely and then use the 2008 server as a secondary DC. The 2008 server proved to be intermittently unreliable (rebooting without cause) so I have not removed the 2003 server yet. Until we can get an additional NEW server, I have moved the FSMO roles BACK to the 2003 server. I will install DNS and DHCP on the old server and redirect the clients. Our small network is getting far too complex to do this process again. I am going to reboot the 2016 server (hoping that it was an update that caused the problem)... Any other suggestions on how to try accessing this system?

I have tried using THREE Domain Admin accounts and NONE of them will allow me into the 2016 machine... BUT I have access to the 2003 & 2008 machines....
Asked by: Dubbi47
 
Dean Chafee (IT/InfoSec Manager) commented:
Sucks for you ;P
Usually an account lockout has a time limit of 15 mins by default, so wait it out and try again. If there is something hitting the account (by brute force or legit attempts with wrong creds) then you won't get in until the attempts are located and stopped.
 
Alan (Consultant) commented:
Hi,

In this situation, I would isolate the server (unplug any network connections).

That will ensure that nothing is trying to get in from elsewhere using your credentials.


Alan.
 
Naveen Sharma commented:
Check that you don't have any locked remote desktop sessions using the admin account and the old password.

Do you have a backup device maybe using your old credentials?

Tablets/phones/laptops/etc. may be trying to connect to email, VPN, etc.?

You might want to try this tool from Microsoft.

Account Lockout and Management Tools: https://www.microsoft.com/en-in/download/details.aspx?id=18465

A few more informative articles may help you to troubleshoot this issue:

https://www.lepide.com/how-to/track-and-troubleshoot-user-account-lockouts-with-lepideauditor.html

https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

Just for testing, try to shut down one of the domain controllers and test if the lockout will happen again; probably one DC locks the account on another.
 
Shaun Vermaak (Technical Specialist/Developer) commented:
Did you record the DS Recovery password? Start with F8 and log in to DS Recovery mode, then check the logs.
 
Dubbi47 (Author) commented:
From physical location was able to access DC. Issue was replication errors and a bad switch port.
 
Sara Teasdale commented:
You can use the LockoutStatus.exe tool, which is part of the Account Lockout and Management Tools, to identify the domain controllers that are involved in locking out the user account.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

You can refer to following links for information related to troubleshooting account lockout issue:

https://social.technet.microsoft.com/Forums/lync/en-US/4f72c4b1-343c-459a-b431-de24ea2d5136/windows-account-keeps-getting-locked-out?forum=winserverManagement

https://community.spiceworks.com/topic/488824-domain-admin-account-being-locked-out-by-secondary-domain-controller
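Added example, not part of the original thread or of any tool linked in it: the comments above suggest locating whatever keeps sending bad credentials and identifying which DCs are involved. One way to do that is to read lockout event 4740 from each DC's Security log, whose caller-computer field names the machine that submitted the failing attempts. It assumes DCs running Windows Server 2008 or later with remote event-log access; the function names, host names, account and sample event are constructed.

```powershell
# Added example: parse lockout events (ID 4740) to see which machine sent the bad attempts.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeUtc        = $EventXml.Event.System.TimeCreated.SystemTime
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']  # 4740 stores the caller computer here
        LoggedOnDC     = $EventXml.Event.System.Computer
    }
}

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string[]]$DomainController, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object { ConvertFrom-LockoutEvent ([xml]$_.ToXml()) } |
                Where-Object { $_.Account -eq $Account }
        } catch {
            # An unreachable DC or an empty result is itself worth knowing about.
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample event (host names, account and time are made up) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2018-03-05T14:02:11Z" />
    <Computer>DC03.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin1</Data>
    <Data Name="TargetDomainName">BACKUP01</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent ([xml]$sample)

# Live use (hypothetical DC names):
# Get-LockoutSource -Account admin1 -DomainController DC03,DC04 | Group-Object CallerComputer
```

Warnings for DCs that cannot be queried matter here as well, since the thread's author traced the problem to replication errors and a bad switch port.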
 
Alan (Consultant) commented:
This 'solution' was posted after the author had already posted that they had solved the issue, and noted what they had done.

Closing the question and awarding yourself all the points seems completely out of order.

If anything, the question should be closed with the only answer being Dubbi47's as I don't think anyone else mentioned checking the switch (I came closest by suggesting physical isolation, and I am not claiming to have solved this).

Alan.
 
Alan (Consultant) commented:
Hi,

I see no reason to delete this question - it was a valid question, with a valid solution, and should form part of the collective knowledge-base of EE and the internet.

It should be closed with Dubbi47's answer as the solution:

https://www.experts-exchange.com/questions/29087409/Main-Domain-Controller-has-locked-me-out.html#a42491342


Alan.
Question has a verified solution.
