Here is something interesting; if anyone has any insight, it would be greatly appreciated:
1) Yesterday we began receiving the following in our System Event Logs on our DCs:
Source: SAM
EventID: 12294
User: INT\Administrator
Computer: MIADINT01 <- this is one of our DCs
The SAM database was unable to lockout the account of á due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
2) Within the same timeframe I started seeing these errors within the Directory Service Event Log:
Source: NTDS Replication
EventID: 1083
User: Everyone
Computer: MIADINT01
Replication warning: The directory is busy. It couldn't update object CN=Administrator,CN=Users,DC=int,DC=dci,DC=discovery,DC=com with changes made by directory 06d69760-9822-4b9b-a48b-c194eb5c1477._msdcs.dci.discovery.com. Will try again later.
Around the same time, the domain admin for the INT domain reported that all of his user accounts were being locked out. Also, there are serious replication issues between the site where the server MIADINT01 resides and the rest of the domain. During troubleshooting, I turned off Anonymous Access to SAM Accts and Shares on the domain level policy and kicked off manual replication.
This leads me to believe one of the following:
1) A hack attempt was being generated against the SAM database from an outside source. Interestingly enough, there is a group of computers that reside in the site where the DCs reside, and these systems cannot be patched and have AV installed. Once anonymous access was stopped, the SAM/12294 errors subsided.
or
2) NTDS replication was in bad enough shape that accounts were being locked out (seems unlikely). Within our Miami site, we deleted NTDS replication objects that pointed to sites that Miami had trouble replicating to.
So, if anyone has any advice and/or just wants to comment on these, I would be interested in hearing from you.
Thanks,
Justin L.
