Monday, November 19, 2012

One thing that can cause an internal AD account lockout...

I consolidated a domain recently and moved the domain controller to use our primary domain instead of its own distinct domain (long story why it was set up this way to begin with). However, shortly after, my user account started getting locked out periodically. The problem was that something was trying to log in using olddomain\myaccount, but the olddomain domain didn't exist anymore. Since I have an account on newdomain named myaccount, it was locking that account out instead, seeing multiple invalid logins for that username.

I first figured it had to do with a service running using the old credentials, but ruled that out quickly. The Windows security logs were less than helpful, besides allowing me to see the times of the login attempts. I then turned to Wireshark but didn't find anything useful. Now that I had no evidence of it coming over the network, I determined it must be happening on this newly migrated DC itself. I enabled Netlogon logging, which confirmed that something on the newly migrated DC was using my credentials, but what?

Then I finally ran across this post. I had completely forgotten that dynamic DNS in DHCP requires you to set up login credentials. Sure enough, this was the cause of my problem. It's not best practice to set it up the way I had, but regardless, that's the way it was. I changed the dynamic registration credentials and lo and behold, no more lockouts.
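The triage described above (lockout events, then Netlogon logging, then the DHCP dynamic DNS credential) can be scripted. The following is an added example, not code from the original post: it assumes the locked-out account is `myaccount` and that the DC also hosts the DHCP role, both placeholders, and it needs the DhcpServer PowerShell module (Windows Server 2012 or later) run from an elevated session on the domain controller.

```powershell
# Added example, not from the original post. Assumptions: $Account is the
# locked-out sAMAccountName and $DhcpServer is the DC that also runs DHCP.
param(
    [string]$Account    = 'myaccount',        # assumed placeholder
    [string]$DhcpServer = $env:COMPUTERNAME   # assumed: DHCP runs on this DC
)

# 1. Lockout events (ID 4740) on the PDC emulator record the "caller computer",
#    the machine that presented the bad credentials. Parse the event XML by
#    field name instead of by positional index so the mapping is explicit.
function Get-LockoutSources {
    param([string]$User, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserName'] -eq $User) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']  # in 4740 this field holds the caller computer
            }
        }
    }
}

# 2. Netlogon debug logging shows the domain name the caller supplied, which
#    the Security log does not surface once that domain no longer exists.
#    0x2080ffff is the verbosity flag Microsoft documents for this purpose.
function Enable-NetlogonLogging {
    nltest /dbflag:0x2080ffff | Out-Null
    Restart-Service Netlogon   # older releases need the restart; harmless on newer ones
}
function Find-NetlogonAttempts {
    param([string]$User)
    # Matches "<anything>\myaccount" in %windir%\debug\netlogon.log
    Select-String -Path "$env:windir\debug\netlogon.log" -Pattern "\\$User\b" |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
}
function Disable-NetlogonLogging {
    nltest /dbflag:0x0 | Out-Null
    Restart-Service Netlogon
}

# 3. If the caller is the DC itself, check what runs there under stored
#    credentials. The DHCP dynamic DNS registration credential is one such place.
function Get-DhcpDnsUpdateIdentity {
    param([string]$Server)
    $cred = Get-DhcpServerDnsCredential -ComputerName $Server
    [pscustomobject]@{
        Server   = $Server
        Identity = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" }
                   else { '<none configured: DHCP uses its computer account>' }
    }
}

Get-LockoutSources -User $Account | Format-Table -AutoSize
Get-DhcpDnsUpdateIdentity -Server $DhcpServer
```

If the reported identity still names the old domain, replace it with `Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential)` using a dedicated low-privilege account rather than a personal one, which also removes the lockout as a side effect of any future password change on that personal account. Run `Disable-NetlogonLogging` once the investigation is done; the debug log grows quickly and is verbose enough to be a disclosure risk if left on.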