I have worked on many complicated account lockout issues where the lockout event shows the wrong source machine: the Caller Computer Name is empty, or it names a workstation, a Cisco device, or even the domain controller itself; sometimes the workstation name in the lockout event does not exist in AD at all. In my earlier article (Account Lockout) I explained how to find the source of a lockout without any tools; in this post I will explain in detail how to find the exact offending system.
Because we use multiple applications with single sign-on (SSO) across different forests and domains, a simple lockout becomes complicated. No worries: almost the same solution applies to all of the issues above.
You will see symptoms like this when the system causing the lockout is not itself part of Active Directory: proxy servers, messaging applications such as Exchange Server, Java applications, and UNIX systems that are not directly joined to Active Directory.
Enable netlogon logging for account lockout on the source DC
First enable netlogon logging on the source DC (the DC that locked the account) and review the log around the lockout time; there you will find the lockout system/server details together with its IP address.
- Open a Command Prompt (CMD) with admin privileges
- Run the following command:
- Nltest /DBFlag:2080FFFF
- Then run the following commands to restart the Netlogon service:
- net stop netlogon
- net start netlogon
Wait for the next lockout, then open %windir%\debug\netlogon.log and review the entries logged at the lockout time.
Further analysis to trace the lockout system
Sometimes even the netlogon log points to a different DC or server; in that case you have to enable netlogon logging on that DC/server as well to find the source of the lockout.
From my experience, here is a sample account lockout trace:
- The child domain DC points to the root domain DC
- The root domain DC points to a trusted domain DC
- The trusted domain DC points to a different DC in the same domain
- That DC in turn points to the Exchange server
- The Exchange server points to a handheld device IP
All you have to do is follow the chain, enabling netlogon logging on each system the log points to, until you reach the actual lockout system.
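Reviewing netlogon.log by hand is tedious, so here is an added PowerShell example (my own, not code from the original post) that scans the log for one account's failed logons and reports the host each request came from and, where present, the server it was relayed "via", which is the next system on which to enable logging when following the chain described above. The line layout assumed by the regular expression, the NTSTATUS codes 0xC000006A (STATUS_WRONG_PASSWORD) and 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT), and the sample log lines are assumptions constructed for this example; compare the pattern with your own log before relying on it.

```powershell
# Added example, not from the original post: parse netlogon.log for one user's
# failed logons and show which host sent each one (and which server relayed it).
# The real file is %windir%\debug\netlogon.log on the DC where debug logging was
# enabled with Nltest /DBFlag:2080FFFF.

function Get-NetlogonFailedLogon {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $SamAccountName
    )

    # NTSTATUS values that indicate a failed logon attempt worth chasing.
    $failureCodes = @{
        '0xC000006A' = 'Wrong password'
        '0xC0000234' = 'Account locked out'
    }

    # Assumed line layout (constructed for this example), e.g.:
    # 03/03 09:15:27 [LOGON] [3584] CONTOSO: SamLogon: Transitive Network logon
    #   of CONTOSO\jdoe from 10.0.5.77 (via EXCH01) Returns 0xC000006A
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<code>0x[0-9A-Fa-f]{8})'

    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        if ($Matches.user -ine $SamAccountName) { continue }
        if (-not $failureCodes.ContainsKey($Matches.code)) { continue }

        $via  = if ($Matches.via) { $Matches.via } else { '' }
        # If a server relayed the request, that server is where to enable logging next;
        # otherwise the originating host itself is the place to look.
        $next = if ($via) { $via } else { $Matches.from }

        [pscustomobject]@{
            Time    = $Matches.ts
            User    = "$($Matches.dom)\$($Matches.user)"
            From    = $Matches.from
            Via     = $via
            Reason  = $failureCodes[$Matches.code]
            NextHop = $next
        }
    }
}

# Constructed sample reproducing the chain from the post: the DC logged the
# failures, but the requests arrived via an Exchange server from a handheld device.
$sample = @(
    '03/03 09:15:27 [LOGON] [3584] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from 10.0.5.77 (via EXCH01) Entered',
    '03/03 09:15:27 [LOGON] [3584] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from 10.0.5.77 (via EXCH01) Returns 0xC000006A',
    '03/03 09:15:31 [LOGON] [3584] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS22 Returns 0x0',
    '03/03 09:15:40 [LOGON] [3584] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from 10.0.5.77 (via EXCH01) Returns 0xC0000234'
)

Get-NetlogonFailedLogon -Lines $sample -SamAccountName 'jdoe' | Format-Table -AutoSize

# Against a real log on the DC:
# Get-NetlogonFailedLogon -Lines (Get-Content "$env:windir\debug\netlogon.log") -SamAccountName 'jdoe'
```

The "Entered" line and the successful logon (0x0) are ignored; only the two failures for jdoe are reported, both with NextHop = EXCH01, so the next step is to enable netlogon logging on that Exchange server and repeat the search there.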
In our case it was Network Policy Server.
lockoutstatus.exe identified the DC which had locked the account.
4740 events showed the Caller Computer Name to be blank.
Windows -> Security log on the NPS showed failed logon attempts with the same timestamp as the lockout.
Hi,
This worked for me. What is the default logging, though? How do I set nltest back to normal?
Nltest /DBFlag:2080FFFF
And run below commands to restart netlogon Service
net stop netlogon
net start netlogon
Thanks
Yes, you need to disable logging after resolving the issue to avoid server performance problems.
Disable logging by entering in CMD:
Nltest /DBFlag:0x0
Source: https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service
Hi,
I should’ve clarified Windows 2012 R2 SP1 environment.
Jeff