Machine Account Lockout May Cause Problems on Primary Domain Controller

Article ID: 260930
This article was previously published under Q260930
This article has been archived. It is offered "as is" and will no longer be updated.

Symptoms

Machine account logon attempts may not work between Windows 2000-based domain controllers. This behavior can occur if the machine account password is changed by the domain controller and enough unsuccessful attempts are made to log on to that account with the wrong password.

The machine account is much like a regular user account, but it is used by domain controllers to facilitate communication between other domain controllers and computers on the network. This account is usually in the form of computername$ and is not editable by the administrator.

If enough unsuccessful logon attempts are made by the server with the machine account, the account becomes disabled. Even after the correct password is finally used to log on to that account, the attempt does not succeed.

After this account has been disabled, there is no way in the Windows 2000 user interface to enable the account. It may also be difficult to tell if the account is actually disabled.

In the worst-case scenario, domain controllers could be prevented from replicating.
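
Because the user interface makes it hard to tell whether a machine account is actually disabled, the directory attributes can be inspected instead. The following is an added example, not part of the Microsoft article: it assumes the computer objects have been exported as LDIF text (for example with ldifde) including sAMAccountName, userAccountControl and lockoutTime, and the sample entries and the example.com names are constructed.

```python
# Constructed sample: LDIF-style export of three computer objects.
# All names and values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC01$
userAccountControl: 532480
lockoutTime: 0

dn: CN=DC02,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC02$
userAccountControl: 532480
lockoutTime: 126000000000000000

dn: CN=WS07,CN=Computers,DC=example,DC=com
sAMAccountName: WS07$
userAccountControl: 4098
"""

ACCOUNTDISABLE = 0x0002     # userAccountControl bit: account disabled
WORKSTATION_TRUST = 0x1000  # userAccountControl bit: member computer account
SERVER_TRUST = 0x2000       # userAccountControl bit: domain controller account

def parse_ldif(text):
    # One dict per blank-line-separated entry; folded or base64 lines are not handled.
    for block in text.strip().split("\n\n"):
        yield dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)

def machine_account_state(entry):
    # Returns (name, role, state) for a machine account, or None for anything else.
    name = entry.get("sAMAccountName", "")
    uac = int(entry.get("userAccountControl", "0"))
    if not name.endswith("$") or not uac & (WORKSTATION_TRUST | SERVER_TRUST):
        return None
    role = "domain controller" if uac & SERVER_TRUST else "member"
    if uac & ACCOUNTDISABLE:
        state = "disabled"
    elif int(entry.get("lockoutTime", "0")) != 0:
        state = "lockout recorded"  # still in effect only within the lockout duration
    else:
        state = "ok"
    return name, role, state

def report(text):
    return [r for r in map(machine_account_state, parse_ldif(text)) if r]

if __name__ == "__main__":
    for name, role, state in report(SAMPLE_LDIF):
        print(f"{name:8} {role:18} {state}")
```

A non-zero lockoutTime only shows that a lockout was recorded; whether it still applies depends on the domain's lockout duration, which this check does not evaluate.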

Cause

In Microsoft Windows NT 4.0, machine accounts are used only for secure channel setups, which ignore the lockout advisory. In Windows 2000, computers use Kerberos logons for the machine accounts, which do use the lockout settings.

Resolution

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Status

Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.

Properties

Article ID: 260930 - Last Review: October 26, 2013 - Revision: 4.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server