
dns crash causes admin privilege accts to lock

June 22, 2004 12:48:21 PM

Archived from groups: microsoft.public.win2000.dns

Please help.
My primary DNS server had to be shut down ungracefully this
morning. After bringing the server up, I tried to log in
and found my account was locked. This has also happened
in the past.

I had to unlock all accounts belonging to the Domain
Admins group.

Any ideas???
Anonymous
June 23, 2004 3:10:55 AM

In news:1fcf201c45870$5857d870$a101280a@phx.gbl,
quigley <anonymous@discussions.microsoft.com> posted a question
Then Kevin replied below:
> Please help.
> My primary DNS server had to be shut down ungracefully this
> morning. After bringing the server up, I tried to log in
> and found my account was locked. This has also happened
> in the past.
>
> I had to unlock all accounts belonging to the Domain
> Admins group.
>
> Any ideas???

Hacker?

Only the built in Administrator account cannot be locked out. That is why
you should rename the account.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Anonymous
June 23, 2004 2:08:07 PM

Nope not a hacker.
A UNIX admin turned into a Windows admin by force.
The Administrator account did not get locked out.
Only other accounts belonging to the Admin Groups were
locked, but why??? Is the PDC dependent on DNS?
Anonymous
June 23, 2004 6:28:13 PM

In news:20c2501c45944$a7340930$a001280a@phx.gbl,
anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
posted a question
Then Kevin replied below:
> Nope not a hacker.
> A UNIX admin turned into a Windows admin by force.
> The Administrator account did not get locked out.
> Only other accounts belonging to the Admin Groups were
> locked, but why??? Is the PDC dependent on DNS?

Yes, Active Directory depends on DNS, all members and DCs must use the AD
DNS.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Anonymous
June 24, 2004 3:32:23 AM

In news:20c2501c45944$a7340930$a001280a@phx.gbl,
anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
posted their thoughts, then I offered mine
> Nope not a hacker.
> A UNIX admin turned into a Windows admin by force.
> The Administrator account did not get locked out.
> Only other accounts belonging to the Admin Groups were
> locked, but why??? Is the PDC dependent on DNS?

Just to point out, there is no such thing as a PDC in AD.

As Kevin said, AD absolutely requires DNS. DNS stores all its service and
resource locations in the form of those SRV records. That's how AD "finds"
itself and how the clients 'find' domain resources, such as a domain
controller to authenticate logons, for instance (among other things). If the
machine is misconfigured to use the ISP's DNS or some other DNS, possibly
for some other reason, like Internet access, then that will cause *numerous*
issues as well. You must only use the DNS server that is hosting the AD zone
by all machines (DCs and clients). Configure a forwarder for efficient
Internet resolution.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
June 24, 2004 6:33:24 PM

Ok. Thanks for the clarification.
More info on my end. I'm still using Windows NT, hence
the reason for PDC. When the Primary DNS Server, which is
on W2K goes down, ALL user accounts in the Admin Groups
get locked out ... why? Are the domain controllers
dependent on this Primary DNS Server? Is there a way to
change this?
Anonymous
June 24, 2004 10:44:03 PM

In news:2133d01c45a32$e1433800$a401280a@phx.gbl,
quigley <anonymous@discussions.microsoft.com> posted their thoughts, then I
offered mine
> Ok. Thanks for the clarification.
> More info on my end. I'm still using Windows NT, hence
> the reason for PDC. When the Primary DNS Server, which is
> on W2K goes down, ALL user accounts in the Admin Groups
> get locked out ... why? Are the domain controllers
> dependent on this Primary DNS Server? Is there a way to
> change this?

I guess we were all assuming you had AD. Since you don't and you are still on
NT4 and do not have AD deployed as of yet, then DNS has nothing to do with
NT4's directory services.

Are there any event log errors?
Are there any policies in place, such as password policies and account lockout
policies?
Are there any other administrators or persons that use the default
administrator account?
Do you have auditing configured? With this you can correlate lockout times
with whatever is happening at that moment in time.
Do you have a firewall in place?
Intrusion detection?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
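
Added example, not part of the original thread: one way to do the correlation suggested in the last reply, matching each lockout against the logon failures and unexpected shutdowns logged just before it. The CSV layout, host names and account names are constructed for illustration; event IDs 529 (logon failure), 644 (account locked out) and 6008 (unexpected shutdown) are the Windows NT/2000-era IDs and are an assumption about what auditing records, not something stated in the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export: time, event id, account, reporting/source host.
SAMPLE = """\
2004-06-22 08:01:10,6008,,DNS1
2004-06-22 08:05:02,529,jsmith,APPSRV2
2004-06-22 08:05:03,529,jsmith,APPSRV2
2004-06-22 08:05:04,529,jsmith,APPSRV2
2004-06-22 08:05:04,644,jsmith,PDC1
2004-06-22 08:05:30,529,mlee,APPSRV2
2004-06-22 08:05:31,529,mlee,WKS14
2004-06-22 08:05:32,529,mlee,APPSRV2
2004-06-22 08:05:32,644,mlee,PDC1
2004-06-22 11:40:00,529,jsmith,WKS07
"""

LOGON_FAILURE, LOCKED_OUT, DIRTY_SHUTDOWN = 529, 644, 6008

def parse(text):
    """Turn the CSV export into time-ordered (time, id, account, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, host = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((when, int(eid), account.lower(), host))
    return sorted(events)

def correlate(events, window=timedelta(minutes=30)):
    """For each lockout, list the hosts whose failed logons preceded it and
    any unexpected shutdown logged inside the same look-back window."""
    report = []
    for when, eid, account, _ in events:
        if eid != LOCKED_OUT:
            continue
        recent = [e for e in events if when - window <= e[0] <= when]
        sources = Counter(h for _, i, a, h in recent
                          if i == LOGON_FAILURE and a == account)
        crashed = [h for _, i, _, h in recent if i == DIRTY_SHUTDOWN]
        report.append({"account": account, "locked_at": when,
                       "failure_sources": sources.most_common(),
                       "shutdown_before": crashed})
    return report

if __name__ == "__main__":
    for row in correlate(parse(SAMPLE)):
        print(row)
```

A single host dominating `failure_sources` for several admin accounts right after a restart points at a service, scheduled task or mapped drive on that host retrying stale credentials rather than at a person typing passwords.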