Win2k3 AD Problem? Not Logging events.

Status
Not open for further replies.

Hoomgar

MIS
Aug 30, 2004
15
US
We have a Windows Server 2003 server farm used for Terminal Services/Citrix. On the authentication side of things/AD we are having a new issue. We audit user logins and disable accounts after three unsuccessful logon attempts. The process works fine on all four of our application servers but only two of them will log it in the event logs. All four servers have their event log and audit settings set up identically. As a matter of fact, we use global policy to dish that out.

Our servers are 01, 02, 03 and 04 for example. If users enter a wrong password three times in succession it will lock their account out. This works on all four servers. But only servers 03 and 04 will log it. 01 and 02 do not log it. This is coupled then with some other issues.

We monitor the event logs for these event IDs so that administrative staff receive an email alert when an account lockout occurs. The problem is we only get alerts from users who happen to lock out on 03 and 04. Since 01 and 02 do not log it the monitor has no event ID to pull and report.

The other issue then that I am sure is related is that since there is no logging of the events on 01 and 02 it appears that AD or global policy is not notified then either. I say this because we have the policy set up to automatically re-enable the user's account after two hours. This works for users who locked out on 03 and 04 but users who locked out on 01 and 02 will remain locked indefinitely until they are unlocked administratively.

Any Server 2k3/AD gurus out there care to take a stab at this? We would really appreciate the help.

Mark


Mark
CCEA
 
I have more info on this I just noticed this morning. It appears all four app servers are sick. On 01 and 02 it logs all Success Audits and no failures. On 03 and 04 it logs all Failure Audits and no Success Audits.

Mark
CCEA
 
Any Win2k3 or AD gurus care to take a stab at this? Any information is greatly appreciated.

Mark
CCEA
 
Seems like no one wants to touch this with a 10 foot pole, me either really. I will ask though if you're sure that GPOs are getting applied. Maybe RSoP on all 4. What about any policies on the user end, any odd conflicts sort of thing.


FRCP
(my side business)
 
Thanks. Yes GPOs are applying, that is what is weird? The policy to lock the user out works just fine. It doesn't log in the event log though? And then it is like AD has no record of it because the part of the policy that is supposed to unlock it then does not work. I've never used RSoP and don't know how to go about doing that.

Mark
CCEA
 
Found it. Somehow, don't ask me how, the Domain Controller Policy became unlinked from the Domain Controllers object in the GPO. Fixed.

Mark
CCEA
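
Added example, not part of the original thread: the symptom described above (some servers logging only Success Audits, others only Failure Audits) leaves an alerting monitor blind without raising any error, so a coverage check over the collected Security log can flag it. The CSV layout, the host names APP01 to APP05 and the function name `audit_gaps` are assumptions made for this sketch, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: Security log rows exported as CSV from four hosts.
# 528/529/644 are the Server 2003 IDs for logon success, logon failure
# and account lockout; the check itself only looks at the audit type.
SAMPLE_EXPORT = """host,type,event_id
APP01,Success Audit,528
APP01,Success Audit,528
APP02,Success Audit,528
APP03,Failure Audit,529
APP03,Failure Audit,529
APP03,Failure Audit,644
APP04,Failure Audit,529
"""

# Both audit types should appear on every host over a long enough window.
EXPECTED_TYPES = {"Success Audit", "Failure Audit"}


def audit_gaps(export_text, expected_hosts):
    """Return {host: sorted list of missing audit types} for hosts with a gap.

    Hosts that sent no rows at all are reported as missing both types,
    which also catches a server that stopped logging entirely.
    """
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        seen[row["host"].strip().upper()].add(row["type"].strip())
    gaps = {}
    for host in expected_hosts:
        missing = EXPECTED_TYPES - seen.get(host.upper(), set())
        if missing:
            gaps[host.upper()] = sorted(missing)
    return gaps


if __name__ == "__main__":
    # APP05 is a hypothetical host that is expected but sent nothing.
    hosts = ["APP01", "APP02", "APP03", "APP04", "APP05"]
    for host, missing in sorted(audit_gaps(SAMPLE_EXPORT, hosts).items()):
        print(f"{host}: no {', '.join(missing)} events in window")
```

Run it over a window long enough that every server should have seen both successful and failed logons; a short window on a quiet host will report a gap that is not a policy problem.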
 