Symptoms
User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains.
This issue can also occur when new user accounts are created and the user changes their password on initial logon. If the default account policy is configured for User Must Change Password at Next Logon, this can also occur. If the user connects to NT 4.0 or Windows 2000 servers immediately on login, the account can be locked out within seconds depending on the number of bad passwords allowed within Account Lockout threshold.
Cause
When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.
If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.
This problem may only be seen in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords between domain controllers may be out of synchronization for longer period of time. Also, the bad password count field is not replicated between the domain controllers.
The fix described in this article should be applied to all Windows 2000-based domain controllers to eliminate the issue described above.
Resolution
To resolve this problem, obtain the latest service pack for Windows 2000.
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-----------------------------------------------------------------
7/17/2001 04:52p 5.0.2195.3870 501,520 Samsrv.dll (56-bit)
7/18/2001 05:55p 5.0.2195.3858 355,088 Advapi32.dll
7/18/2001 05:55p 5.0.2195.3649 135,440 Dnsapi.dll
7/18/2001 05:55p 5.0.2195.3649 94,992 Dnsrslvr.dll
7/18/2001 05:51p 5.0.2195.3870 519,440 Instlsa5.dll
7/18/2001 05:56p 5.0.2195.3817 142,608 Kdcsvc.dll
7/17/2001 05:08p 5.0.2195.3872 197,392 Kerberos.dll
6/26/2001 08:16p 5.0.2195.3781 69,456 Ksecdd.sys
7/17/2001 04:52p 5.0.2195.3870 501,520 Lsasrv.dll
7/17/2001 04:52p 5.0.2195.3870 33,552 Lsass.exe
7/18/2001 05:56p 5.0.2195.3776 306,448 Netapi32.dll
7/18/2001 05:56p 5.0.2195.3776 357,648 Netlogon.dll
7/18/2001 05:56p 5.0.2195.3868 909,072 Ntdsa.dll
7/18/2001 05:56p 5.0.2195.3848 382,224 Samsrv.dll
7/18/2001 05:56p 5.0.2195.3781 128,784 Scecli.dll
7/18/2001 05:55p 5.0.2195.3649 299,792 Scesrv.dll
7/18/2001 05:55p 5.0.2195.3649 48,400 W32time.dll
5/29/2001 09:26a 5.0.2195.3649 56,080 W32tm.exe
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
More Information
For additional information on how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
