Administrator Account got locked out frequently

Dear;

we have 2 DC on our network both od them is W2k3 with SP2. I noticed the
following warning on the Directory service log:

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 1/30/2008
Time: 4:54:05 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ourDCName
Description:
Active Directory could not update the following object with changes received
from the domain controller at the following network address because Active
Directory was busy processing information.

Object:
CN=Administrator,CN=Users,DC=ourdomain
Network address:
3ce169e8-767c-4cff-b7f6-99f785f77fe3._msdcs.ourdomain

This operation will be tried again later.

also this event is logged in the same log:

Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1955
Date: 1/30/2008
Time: 4:54:05 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ourDCname
Description:
Active Directory encountered a write conflict when applying replicated
changes to the following object.

Object:
CN=Administrator,CN=Users,DC=ourdomain
Time in seconds:
0

Event log entries preceding this entry will indicate whether or not the
update was accepted.

A write conflict can be caused by simultaneous changes to the same object or
simultaneous changes to other objects that have attributes referencing this
object. This commonly occurs when the object represents a large group with
many members, and the functional level of the forest is set to Windows 2000.
This conflict triggered additional retries of the update. If the system
appears slow, it could be because replication of these changes is occurring.

User Action
Use smaller groups for this operation or raise the functional level to
Windows Server 2003.

the domain administrator account got locked out every day at random time.

I checked a lot of articles but couldn't solve this issue?

please help me...

Hello Fahad,

Have a look here:
http://www.eventid.net/display.asp?e...cation&phase=1

http://www.eventid.net/display.asp?e...cation&phase=1

Is the password changed from the account and maybe some services running
with the account, where the password is not changed?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Dear;
>
> we have 2 DC on our network both od them is W2k3 with SP2. I noticed
> the following warning on the Directory service log:
>
> Event Type: Warning
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1083
> Date: 1/30/2008
> Time: 4:54:05 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: ourDCName
> Description:
> Active Directory could not update the following object with changes
> received
> from the domain controller at the following network address because
> Active
> Directory was busy processing information.
> Object:
> CN=Administrator,CN=Users,DC=ourdomain
> Network address:
> 3ce169e8-767c-4cff-b7f6-99f785f77fe3._msdcs.ourdomain
> This operation will be tried again later.
>
> also this event is logged in the same log:
>
> Event Type: Information
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1955
> Date: 1/30/2008
> Time: 4:54:05 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: ourDCname
> Description:
> Active Directory encountered a write conflict when applying replicated
> changes to the following object.
> Object:
> CN=Administrator,CN=Users,DC=ourdomain
> Time in seconds:
> 0
> Event log entries preceding this entry will indicate whether or not
> the update was accepted.
>
> A write conflict can be caused by simultaneous changes to the same
> object or simultaneous changes to other objects that have attributes
> referencing this object. This commonly occurs when the object
> represents a large group with many members, and the functional level
> of the forest is set to Windows 2000. This conflict triggered
> additional retries of the update. If the system appears slow, it could
> be because replication of these changes is occurring.
>
> User Action Use smaller groups for this operation or raise the
> functional level to Windows Server 2003.
>
> the domain administrator account got locked out every day at random
> time.
>
> I checked a lot of articles but couldn't solve this issue?
>
> please help me...
>

thanks Meinolf

I tried all that procedure but no luck. I checked most of our servers to
make sure the admin account is not used as a service account but nothing
found.

in the security log of the DC, I found an event taking about the computer
causing the lockout for this account. I connected to this computer and
checked the services but I didn't found any service running under this
account. the event ID is 644 and the category is Account Management.

any idea to solve this issue...



"Meinolf Weber" wrote:

> Hello Fahad,
>
> Have a look here:
> http://www.eventid.net/display.asp?e...cation&phase=1
>
> http://www.eventid.net/display.asp?e...cation&phase=1
>
> Is the password changed from the account and maybe some services running
> with the account, where the password is not changed?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Dear;
> >
> > we have 2 DC on our network both od them is W2k3 with SP2. I noticed
> > the following warning on the Directory service log:
> >
> > Event Type: Warning
> > Event Source: NTDS Replication
> > Event Category: Replication
> > Event ID: 1083
> > Date: 1/30/2008
> > Time: 4:54:05 PM
> > User: NT AUTHORITY\ANONYMOUS LOGON
> > Computer: ourDCName
> > Description:
> > Active Directory could not update the following object with changes
> > received
> > from the domain controller at the following network address because
> > Active
> > Directory was busy processing information.
> > Object:
> > CN=Administrator,CN=Users,DC=ourdomain
> > Network address:
> > 3ce169e8-767c-4cff-b7f6-99f785f77fe3._msdcs.ourdomain
> > This operation will be tried again later.
> >
> > also this event is logged in the same log:
> >
> > Event Type: Information
> > Event Source: NTDS Replication
> > Event Category: Replication
> > Event ID: 1955
> > Date: 1/30/2008
> > Time: 4:54:05 PM
> > User: NT AUTHORITY\ANONYMOUS LOGON
> > Computer: ourDCname
> > Description:
> > Active Directory encountered a write conflict when applying replicated
> > changes to the following object.
> > Object:
> > CN=Administrator,CN=Users,DC=ourdomain
> > Time in seconds:
> > 0
> > Event log entries preceding this entry will indicate whether or not
> > the update was accepted.
> >
> > A write conflict can be caused by simultaneous changes to the same
> > object or simultaneous changes to other objects that have attributes
> > referencing this object. This commonly occurs when the object
> > represents a large group with many members, and the functional level
> > of the forest is set to Windows 2000. This conflict triggered
> > additional retries of the update. If the system appears slow, it could
> > be because replication of these changes is occurring.
> >
> > User Action Use smaller groups for this operation or raise the
> > functional level to Windows Server 2003.
> >
> > the domain administrator account got locked out every day at random
> > time.
> >
> > I checked a lot of articles but couldn't solve this issue?
> >
> > please help me...
> >
>
>
>

On Feb 3, 1:38*am, Fahad <Fa...@discussions.microsoft.com> wrote:
> thanks Meinolf
>
> I tried all that procedure but no luck. I checked most of our servers to
> make sure the admin account is not used as a service account but nothing
> found.
>
> in the security log of the DC, I found an event taking about the computer
> causing the lockout for this account. I connected to this computer and
> checked the services but I didn't found any service running under this
> account. the event ID is 644 and the category is Account Management.
>
> any idea to solve this issue...
>
>
>
> "Meinolf Weber" wrote:
> > Hello Fahad,
>
> > Have a look here:
> >http://www.eventid.net/display.asp?e...=4301&source=N...
>
> >http://www.eventid.net/display.asp?e...=919&source=NT...
>
> > Is the password changed from the account and maybe some services running
> > with the account, where the password is not changed?
>
> > Best regards
>
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > > Dear;
>
> > > we have 2 DC on our network both od them is W2k3 with SP2. I noticed
> > > the following warning on the Directory service log:
>
> > > Event Type: * Warning
> > > Event Source: NTDS Replication
> > > Event Category: * * * Replication
> > > Event ID: * * 1083
> > > Date: * * * * 1/30/2008
> > > Time: * * * * 4:54:05 PM
> > > User: * * * * NT AUTHORITY\ANONYMOUS LOGON
> > > Computer: * * ourDCName
> > > Description:
> > > Active Directory could not update the following object with changes
> > > received
> > > from the domain controller at the following network address because
> > > Active
> > > Directory was busy processing information.
> > > Object:
> > > CN=Administrator,CN=Users,DC=ourdomain
> > > Network address:
> > > 3ce169e8-767c-4cff-b7f6-99f785f77fe3._msdcs.ourdomain
> > > This operation will be tried again later.
>
> > > also this event is logged in the same log:
>
> > > Event Type: * Information
> > > Event Source: NTDS Replication
> > > Event Category: * * * Replication
> > > Event ID: * * 1955
> > > Date: * * * * 1/30/2008
> > > Time: * * * * 4:54:05 PM
> > > User: * * * * NT AUTHORITY\ANONYMOUS LOGON
> > > Computer: * * ourDCname
> > > Description:
> > > Active Directory encountered a write conflict when applying replicated
> > > changes to the following object.
> > > Object:
> > > CN=Administrator,CN=Users,DC=ourdomain
> > > Time in seconds:
> > > 0
> > > Event log entries preceding this entry will indicate whether or not
> > > the update was accepted.
>
> > > A write conflict can be caused by simultaneous changes to the same
> > > object or simultaneous changes to other objects that have attributes
> > > referencing this object. This commonly occurs when the object
> > > represents a large group with many members, and the functional level
> > > of the forest is set to Windows 2000. This conflict triggered
> > > additional retries of the update. If the system appears slow, it could
> > > be because replication of these changes is occurring.
>
> > > User Action Use smaller groups for this operation or raise the
> > > functional level to Windows Server 2003.
>
> > > the domain administrator account got locked out every day at random
> > > time.
>
> > > I checked a lot of articles but couldn't solve this issue?
>
> > > please help me...- Hide quoted text -
>
> - Show quoted text -

Hi,

Below you will find some reasons how an account can be locked out:

Applications using cached credentials that are stale.
Stale service account passwords cached by the Service Control
Manager.
Stale logon credentials cached by Stored User Names and Passwords in
Control Panel.
Scheduled tasks and persistent drive mappings that have stale
credentials.
Disconnected Terminal Service sessions that use stale credentials.
Failure of Active Directory replication between domain controllers.
Users logging into two or more computers at once and changing their
password on one of them.
Any one of the above situations can trigger an account lockout
condition

Take a look at the following tools to help you find out why the
accounts are locking out.

Account Lockout and Management Tools
http://www.microsoft.com/downloads/d...displaylang=en

Account Lockout Tools
http://technet2.microsoft.com/Window....mspx?mfr=true

Good Luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com

use NETLOGON debug logging

Enabling debug logging for the Net Logon service
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
DBFlag = 0x2080FFFF (in: %windir%\debug\netlogon.log)


google for NETLOGON debug logging and you will find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Fahad" <Fahad@discussions.microsoft.com> wrote in message
news:8FEDADC0-8564-492F-B7AB-7382EEF7BD27@microsoft.com...
> Dear;
>
> we have 2 DC on our network both od them is W2k3 with SP2. I noticed the
> following warning on the Directory service log:
>
> Event Type: Warning
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1083
> Date: 1/30/2008
> Time: 4:54:05 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: ourDCName
> Description:
> Active Directory could not update the following object with changes
> received
> from the domain controller at the following network address because Active
> Directory was busy processing information.
>
> Object:
> CN=Administrator,CN=Users,DC=ourdomain
> Network address:
> 3ce169e8-767c-4cff-b7f6-99f785f77fe3._msdcs.ourdomain
>
> This operation will be tried again later.
>
> also this event is logged in the same log:
>
> Event Type: Information
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1955
> Date: 1/30/2008
> Time: 4:54:05 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: ourDCname
> Description:
> Active Directory encountered a write conflict when applying replicated
> changes to the following object.
>
> Object:
> CN=Administrator,CN=Users,DC=ourdomain
> Time in seconds:
> 0
>
> Event log entries preceding this entry will indicate whether or not the
> update was accepted.
>
> A write conflict can be caused by simultaneous changes to the same object
> or
> simultaneous changes to other objects that have attributes referencing
> this
> object. This commonly occurs when the object represents a large group with
> many members, and the functional level of the forest is set to Windows
> 2000.
> This conflict triggered additional retries of the update. If the system
> appears slow, it could be because replication of these changes is
> occurring.
>
> User Action
> Use smaller groups for this operation or raise the functional level to
> Windows Server 2003.
>
> the domain administrator account got locked out every day at random time.
>
> I checked a lot of articles but couldn't solve this issue?
>
> please help me...
>
>