Re: Account lockouts help

From: Jon LaBarge (jonlabarge_at_comcast.net)
Date: 09/14/05

    Date: Wed, 14 Sep 2005 11:50:00 -0700
    
    

    So this is what I got on the 2003 box:

    Kerberos Test failed:

    [FATAL] Kerberos does not have a ticket for host/%2003 server FQDN%

    Now what?

    Jon

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:OamZZUVuFHA.3660@tk2msftngp13.phx.gbl...
    > There should not be a problem with Kerberos between a Windows 2000 domain
    > computer and a Windows 2003 domain controller in a normal configuration
    > with time and DNS configured correctly. If the Windows firewall is enabled
    > on the Windows 2003 domain controller, or IPsec policies are implemented
    > that involve communications between domain computers and domain
    > controllers, authentication problems can occur. Since you are having
    > problems, I would suggest that you run the support tool netdiag on the
    > domain computers where the users who are having problems log on, and run
    > the support tools netdiag, dcdiag, and gpotool on your domain controllers,
    > or at least the pdc fsmo and your domain controller where you are seeing
    > all these events recorded. These tools check a lot of things, including
    > the all-important DNS, communications between domain controllers,
    > integrity of computer account/secure channel, and replication of Group
    > Policy objects. Support tools are on the operating system install disk in
    > the support/tools folder. Also check the link below to make sure your dns
    > is configured correctly for the domain. -- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
    >
    > "Jon LaBarge" <jonlabarge@comcast.net> wrote in message
    > news:O8KBCJVuFHA.3756@tk2msftngp13.phx.gbl...
    >> Steven,
    >> Also, I just noticed that the lockout is also causing an Event ID 677
    >> (Kerberos authentication) audit failure in the DC E/V (about 5 events per
    >> second). Is there a problem with kerberos communicating from a 2003
    >> server to a 2000 server like there was with NT?
    >>
    >> Jon
    >>
    >> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    >> news:%23aBsreLuFHA.3424@tk2msftngp13.phx.gbl...
    >>> Generally that means that they may still be logged onto another computer
    >>> with old credentials [ possibly via Terminal Server?] or that they are
    >>> using old credentials for a Scheduled Task, persistent mapped drive, or
    >>> have old "stored credentials" on a Windows XP Pro computer. If you have
    >>> enabled auditing of "account logon" events and account management in
    >>> Domain Controller Security Policy and have auditing of "logon events"
    >>> enabled for domain computers you can usually track down what computer is
    >>> causing the lockout and proceed from there. The free Event Comb utility
    >>> from MS makes it easy to search domain controllers and domain computers
    >>> for specific events and text strings such as user names. The link below
    >>> may help and the excellent white paper on account passwords and policies
    >>> has a lot of good info. FYI, Microsoft recommends no less than ten bad
    >>> attempts as a lockout threshold if you use account lockout, as a single
    >>> bad logon event can trigger multiple bad logon attempts on the domain
    >>> controllers. --- Steve
    >>>
    >>> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
    >>>
    >>>
    >>> "Jon LaBarge" <jonlabarge@comcast.net> wrote in message
    >>> news:%23wLQ%23iKuFHA.600@TK2MSFTNGP10.phx.gbl...
    >>>> We have a few users in our org that continually get locked out. Every 5
    >>>> minutes, their accounts go into the lockout state. They are locked down
    >>>> by a GPO but only for folder redirection. Any ideas???
    >>>>
    >>>> Thx.
    >>>>
    >>>> Jon
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >

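The lockout-tracing procedure Steve describes above (enable account logon auditing on the domain controllers, then search every DC for the user's lockout and failed Kerberos events to find the computer sending the stale credentials), as an added PowerShell example that is not part of the original thread. It assumes domain controllers on Windows Server 2008 or later, so the Windows 2000/2003 event IDs discussed in the posts (644 lockout, 675 pre-authentication failure, 677 service ticket failure) map to 4740, 4771 and 4769, and it assumes the RSAT ActiveDirectory module for enumerating DCs. The function names and field handling are mine, not from the posts.

```powershell
# Added example, not from the thread. Assumptions (the posts do not state them):
#  - DCs run Windows Server 2008 or later: legacy 644 -> 4740 (account locked
#    out), 675 -> 4771 (Kerberos pre-auth failed), 677 -> 4769 (service ticket).
#  - "Audit account logon events" (or the Kerberos Authentication Service and
#    User Account Management subcategories) is enabled on the DCs, and the
#    caller can read their Security logs remotely.
#  - The RSAT ActiveDirectory module is installed (Get-ADDomainController).

function Get-EventField {
    # Read one named EventData field by name rather than by positional index,
    # so the lookup survives schema differences between OS versions.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,
        [int]$Hours = 24,
        [string[]]$DomainController
    )
    $since = (Get-Date).AddHours(-$Hours)

    # The lockout decision is made on the PDC emulator, but the failed attempts
    # that caused it are logged on whichever DC the client talked to, so every
    # DC is queried (this is what Event Comb does for 2000/2003 logs).
    if (-not $DomainController) {
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }

    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = $since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ((Get-EventField $e 'TargetUserName') -ne $User) { continue }
            switch ($e.Id) {
                4740 {
                    # In 4740 the TargetDomainName field carries the "Caller
                    # Computer Name": the machine that presented the bad password.
                    [pscustomobject]@{
                        Time   = $e.TimeCreated; DC = $dc; Event = 'Locked out'
                        Source = Get-EventField $e 'TargetDomainName'
                        Status = ''
                    }
                }
                4771 {
                    # In 4771 IpAddress is the client. Status 0x18 is a wrong
                    # password (KDC_ERR_PREAUTH_FAILED); 0x12 means the account is
                    # already locked or disabled (KDC_ERR_CLIENT_REVOKED). A stale
                    # stored credential, mapped drive or scheduled task shows up
                    # as a steady stream of 0x18 from one address every few minutes.
                    [pscustomobject]@{
                        Time   = $e.TimeCreated; DC = $dc; Event = 'Kerberos pre-auth failed'
                        Source = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''
                        Status = Get-EventField $e 'Status'
                    }
                }
            }
        }
    }
}

# Usage: every lockout and failed Kerberos pre-auth for jdoe in the last 24
# hours, oldest first, so the attempts that precede each lockout stand out.
Find-LockoutSource -User 'jdoe' | Sort-Object Time | Format-Table -AutoSize
```

On domain controllers still running Windows 2000 or 2003, Get-WinEvent cannot read the log remotely; use Event Comb as Steve suggests, or Get-EventLog -LogName Security -ComputerName with the legacy IDs 644 and 675, and read the client name from the event message text. Once the source machine is known, the usual culprits are the ones listed in Steve's first reply: a stale Terminal Server session, a scheduled task, a persistent mapped drive, or stored credentials on an XP Pro client. The separate netdiag failure at the top of the thread (no Kerberos ticket for host/<FQDN>) is a secure channel question rather than a lockout one; on a current server the equivalent check is klist on the box and nltest /sc_verify:<domain> against its domain controller.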
