I am seeing some event ID 1083's in the event log which say the following.
I saw several events that pointed to my account but none to the other
account. I am thinking this is the issue.
SYMPTOMS
During Active Directory replication, you may receive the following warning
in the Directory Service event log on the domain controller:
Event ID : 1083
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Description:
Replication warning: The directory is busy. It couldn't update object CN=...
with changes made by directory GUID._msdcs.domain. Will try again later.
CAUSE
This issue may occur for the following reasons:
• A change occurred that
triggers an urgent replication. For additional information, click the
following article number to view the article in the Microsoft Knowledge Base:
232690 Urgent replication triggers in Windows 2000
Or, a change that is made on multiple domain controllers is replicated very
quickly, especially for intra-site cases.
For additional information about intra-site cases, click the following
article number to view the article in the Microsoft Knowledge Base:
214678 How to modify the default intra-site domain controller replication
interval
These scenarios may occur when you change your password. The change is
forwarded to the primary domain controller (PDC) Emulator, and if the change
is in the same site, and the domain controller is busy, the change may
replicate back in. While the local directory service is still in the process
of writing the change, and therefore locks the object, the change is
replicating in also, and an error occurs. To verify this, type repadmin
/showmeta object distinguished name. Check the time stamp on the event
against the change time stamp of relevant attributes like unicodePwd or
lockoutTime. Typically, the latter attribute may already be cleared or be
changed again when you look it up some time after the event occurred (this
may depend on your lock-out policy). If the time stamp matches, you can
ignore the event.
• A duplicate object is present in Active Directory for the replication
partner of the local domain controller. When the local domain controller
receives the replication updates that contain duplicate objects from the
domain controller's replication partner, the local domain controller cannot
perform the updates on those objects, and therefore it logs a warning in the
directory service event log.
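An added example (not part of the original post or of the quoted Knowledge Base article) of the time stamp check the article describes: it parses saved repadmin /showmeta output and reports whether unicodePwd or lockoutTime changed close to the time of the 1083 event. The sample output, the DC names, the column layout and the 60-second window are assumptions, and both time stamps are assumed to be in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the column layout of `repadmin /showmeta` output is assumed.
SAMPLE_SHOWMETA = r"""
Loc.USN  Originating DSA                Org.USN  Org.Time/Date        Ver Attribute
=======  ===============                =======  =============        === =========
  48211  Default-First-Site-Name\DC01     48211  2005-03-01 10:02:17    1 objectClass
  91870  Default-First-Site-Name\DC02     77412  2005-03-14 09:12:41    6 unicodePwd
  91870  Default-First-Site-Name\DC02     77412  2005-03-14 09:12:41    6 pwdLastSet
  91655  Default-First-Site-Name\DC01     91655  2005-03-14 08:50:02    9 lockoutTime
"""

ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def parse_showmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "attribute": m["attr"],
                "version": int(m["ver"]),
                "originating_dsa": m["dsa"],
                "changed": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            })
    return rows

def attributes_changed_near(event_time, rows,
                            attrs=("unicodePwd", "lockoutTime"),
                            window=timedelta(seconds=60)):
    """Names of watched attributes whose originating change is within `window` of the event."""
    wanted = {a.lower() for a in attrs}
    return [r["attribute"] for r in rows
            if r["attribute"].lower() in wanted
            and abs(r["changed"] - event_time) <= window]

if __name__ == "__main__":
    event_1083 = datetime(2005, 3, 14, 9, 12, 43)  # constructed event time stamp
    hits = attributes_changed_near(event_1083, parse_showmeta(SAMPLE_SHOWMETA))
    print("time stamp matches on:" if hits else "no matching change; check the other cause", hits)
```

An empty result means the event does not line up with a password or lockout change, which leaves the duplicate-object cause from the article to check.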
Herb Martin said:
I don't but am checking with the DBA to see if he does. I am also checking
each server we log into regularly via rdp and setting a disconnect after log
off policy.
I think that would be the other way around (but it
should NOT affect this issue-- either reconnecting
OR logging on anew both count as authentication
failure if you make a mistake.)
You can disconnect without logging off but not
log off without disconnecting.
I keep my (personal) RDP servers set to NEVER
logoff after disconnect -- practically never a problem.
This is UNSUITABLE for application mode Terminal
Server where each license needs to be released as soon
as practical.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
John McCoy said:
Thanks
Herb Martin said:
I have two accounts that get locked out fairly regularly, mine and the
DBA's.
We seem to notice it when we try to rdp into a server.
We are running a parent child domain here with Windows 2000 SP4 servers. We
just changed the password policy here and that's when it seemed to start
happening.
Anyone have any ideas?
Which RDP client? Do you have your (old) password encoded
into the RDP client or any other software that might be robotically
re-trying...?
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks