Forum Discussion
Domains administrator locked out
Dear all,
Today, out of the blue, I started to receive hundreds of alerts about our domains' Administrator failed logons and account lockouts.
We have 5 domains in the same forest and each DOMAIN\administrator account started to misbehave.
In the event viewer, under Security, I have plenty of event ID 4776 events with the error 0xC000006A; looking on Microsoft KB, it means "Account logon with misspelled or bad password."
The problem is that these accounts are not used by anyone, nor by services or scheduled tasks.
I activated Netlogon logging on one of the domain controllers, and I see several messages like this one:
05/08 13:54:01 [MISC] [7284] NetpDcAllocateCacheEntry: new entry 0x0000014E0630DBC0 -> DC:HostnameDC1 DnsDomName:mydomain.local Flags:0x3f3fd
05/08 13:54:01 [MISC] [7284] NetpDcDerefCacheEntry: destroying entry 0x0000014E0630DBC0
05/08 13:54:01 [MISC] [7284] DsGetDcName: results as follows: DCName:\\HostnameDC1.mydomain.local DCAddress:\\DC_IP_Address DCAddrType:0x1 DomainName:mydomain.local DnsForestName:mydomain.local Flags:0xe003f3fd DcSiteName:MyDomainSITE ClientSiteName:MyDomainSITE
05/08 13:54:01 [MISC] [7284] MyDomain: DsGetDcName function returns 0 (client PID=3096): Dom:MyDomain Acct:(null) Flags: NETBIOS RET_DNS
05/08 13:54:02 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\Administrator from HostnameDC2 (via HostnameDC2) Entered
05/08 13:54:02 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\Administrator from HostnameDC2 (via HostnameDC2) Returns 0xC000006A
05/08 13:54:02 [MISC] [5396] MyDomain: DsGetDcName function called: client PID=3096, Dom:MyDomain Acct:(null) Flags: NETBIOS RET_DNS
05/08 13:54:02 [MISC] [5396] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
05/08 13:54:02 [MAILSLOT] [5396] Received ping from HostnameDC1(HostnameDC1.mydomain.local) mydomain.local. (null) on <Local>
05/08 13:54:02 [MAILSLOT] [5396] MyDomain: Ping response 'Sam Logon Response Ex' (null) to \\HostnameDC1 Site: MyDomainSITE on <Local>
05/08 13:54:02 [MISC] [5396] NetpDcAllocateCacheEntry: new entry 0x0000014E05056CC0 -> DC:HostnameDC1 DnsDomName:mydomain.local Flags:0x3f3fd
05/08 13:54:02 [MISC] [5396] NetpDcDerefCacheEntry: destroying entry 0x0000014E05056CC0
For me it's really hard to understand why this is happening and why it started.
Unfortunately Netlogon is not helping me: is there any other tool that I can use to figure out the issue?
Regards,
Cristian
This is just an update to explain what the issue was.
We realized that the issue was due to brute force attacks on all our firewalls.
These attempts also used the account "administrator" and this led to account lockouts due to too many attempts.
So we configured a limit on consecutive attempts and a lockout time before retrying... it's not a full fix, but it limited the issue a lot.
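As an added example (not part of the thread above), the following Python script parses Netlogon.log lines of the kind quoted in the post and tallies the failed SamLogon attempts per account, originating host and forwarding DC, which is the quickest way to see where the bad-password storm is coming from. The sample log lines are constructed; FW-EDGE01, FileServer1 and svc_backup are invented names, and the real log is usually at C:\Windows\debug\netlogon.log.

```python
import re
from collections import Counter

# Constructed sample in the format of the Netlogon.log lines quoted in the post.
SAMPLE_NETLOGON = """\
05/08 13:54:01 [MISC] [7284] NetpDcDerefCacheEntry: destroying entry 0x0000014E0630DBC0
05/08 13:54:02 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\\Administrator from HostnameDC2 (via HostnameDC2) Entered
05/08 13:54:02 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\\Administrator from HostnameDC2 (via HostnameDC2) Returns 0xC000006A
05/08 13:54:03 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\\Administrator from HostnameDC2 (via HostnameDC2) Returns 0xC000006A
05/08 13:54:05 [LOGON] [5396] MyDomain: SamLogon: Network logon of MyDomain\\svc_backup from FileServer1 (via FileServer1) Returns 0x0
05/08 13:54:07 [LOGON] [7284] MyDomain: SamLogon: Transitive Network logon of MyDomain\\Administrator from FW-EDGE01 (via HostnameDC2) Returns 0xC000006A
"""

# A completed SamLogon line ("Returns <status>"); "Entered" lines carry no result.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<dom>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<acct>\S+) from (?P<src>\S+) \(via (?P<via>\S+)\) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)
BAD_PASSWORD = 0xC000006A  # STATUS_WRONG_PASSWORD, as seen in the post
LOCKED_OUT = 0xC0000234    # STATUS_ACCOUNT_LOCKED_OUT, what follows once the threshold is hit

def parse_logons(text):
    """Yield one record per SamLogon 'Returns' line, with the status as an int."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"], 16)
            yield rec

def failed_logon_summary(text):
    """Count bad-password and lockout results per (account, source host, forwarding DC).

    'from X (via Y)' tells you which machine presented the credentials (X) and which
    DC forwarded the request (Y); when X is itself a DC, the trail continues in that DC's log.
    """
    counts = Counter()
    for rec in parse_logons(text):
        if rec["status"] in (BAD_PASSWORD, LOCKED_OUT):
            counts[(rec["acct"].lower(), rec["src"], rec["via"])] += 1
    return counts

if __name__ == "__main__":
    for (acct, src, via), n in failed_logon_summary(SAMPLE_NETLOGON).most_common():
        print(f"{n:4d}  {acct}  from {src}  via {via}")
```

Run it against the real file with `failed_logon_summary(open(path, errors="replace").read())`; the top entries are the hosts to trace next.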