Server 2008 Active Directory Write Conflict

  • Question

  • I have a few errors like this one on a DC in my Active Directory 2008 environment. A few users have contacted me and said their accounts are also being locked out on a regular basis. Our department has combed through our environment and these users don't have any processes running with an old password. I've done some extensive searching online but the solutions only seem to apply to Server 2000 and 2003. I've run the normal battery of diagnostics and I don't get any errors outside what I found in the event viewer.


    Active Directory Domain Services encountered a write conflict when applying replicated changes to the following object.

    Object:
    "object name removed but it will list the object, OU, etc."

    Time in seconds:
    0

    Event log entries preceding this entry will indicate whether or not the update was accepted.

    A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.

    User Action
    Use smaller groups for this operation or raise the functional level to Windows Server 2003.


    My domain functional level is 2008. Any help would be greatly appreciated.

    Thanks!

    Monday, March 15, 2010 3:11 PM

All replies

  • Howdie!

    On 15.03.2010 16:11, scabby_al wrote:
    > Object:
    >
    > "object name removed but it will list the object, OU, etc."
    >
    > Time in seconds:
    >
    > 0

    So I'd be interested in the object. What kind of object is that? Is that
    a user object? A group? Is that a large group? Some random object in AD
    you don't know what it's there for?

    Cheers,
    Florian

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Monday, March 15, 2010 6:48 PM
  • Hello,

    please run dcdiag /v on the DCs to check for errors, also run repadmin /showrepl. If errors are shown please post the complete output here.

    Also check the following article about Conficker, which can cause account lockouts and some more:
    http://support.microsoft.com/kb/962007

    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Bruce-Liu Monday, March 22, 2010 8:26 AM
    Tuesday, March 16, 2010 6:39 AM
  • Hi,

    As Meinolf mentioned above, this issue may happen if you have replication issues or lingering objects in one DC causing this conflict. The other possibility is a kind of dictionary attack causing the accounts to be locked out. You can enable debug logging to monitor the Net Logon service on one of your DCs; that will help you to determine the source of that attack.

    Please see the link below; it will help you in case you have this attack:

    http://blogs.technet.com/isablog/archive/2009/06/12/troubleshooting-authentication-issues-in-isa-server-using-net-logon-logging.aspx

    http://technet.microsoft.com/en-us/library/bb727057.aspx  (for replication issues)

    • Marked as answer by Bruce-Liu Monday, March 22, 2010 8:26 AM
    Tuesday, March 16, 2010 8:03 AM
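
The Net Logon debug logging suggested in the last reply, worked through as an added example that is not part of any reply in this thread: a Python sketch that tallies failed logons per account by source machine, so the host generating the lockouts stands out. The log line layout, the sample lines, and the names `CONTOSO`, `WKS-0142` and `ISA01` are assumptions constructed for illustration; real `netlogon.log` lines vary by Windows version.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values that matter when triaging lockouts
FAILURES = {
    0xC000006A: "wrong password",
    0xC0000064: "no such user",
    0xC0000234: "account locked out",
}

# Assumed line shape; the exact layout differs between Windows versions.
LINE_RE = re.compile(
    r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[LOGON\] .*?logon of (?P<account>\S+)"
    r" from (?P<source>\S*)(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = r"""
03/16 08:01:10 [LOGON] SamLogon: Network logon of CONTOSO\alice from WKS-0142 Entered
03/16 08:01:10 [LOGON] SamLogon: Network logon of CONTOSO\alice from WKS-0142 Returns 0xC000006A
03/16 08:01:12 [LOGON] SamLogon: Network logon of CONTOSO\alice from WKS-0142 Returns 0xC000006A
03/16 08:01:13 [LOGON] SamLogon: Transitive Network logon of CONTOSO\alice from  (via ISA01) Returns 0xC000006A
03/16 08:01:15 [LOGON] SamLogon: Network logon of CONTOSO\alice from WKS-0142 Returns 0xC0000234
03/16 08:02:00 [LOGON] SamLogon: Network logon of CONTOSO\bob from WKS-0007 Returns 0x0
"""

def failures_by_source(lines):
    """Return {account: Counter({(source, reason): count})} for failed logons."""
    report = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and unrelated debug output
        reason = FAILURES.get(int(m["status"], 16))
        if reason is None:
            continue  # success (0x0) or a status outside this triage
        # A blank source is common for relayed logons; keep the relay name.
        source = m["source"] or "(blank)"
        if m["via"]:
            source += f" via {m['via']}"
        report[m["account"]][(source, reason)] += 1
    return report

if __name__ == "__main__":
    for account, counts in failures_by_source(SAMPLE_LOG.splitlines()).items():
        for (source, reason), n in counts.most_common():
            print(f"{account:16} {source:22} {reason:20} {n}")
```

A single workstation or relay dominating the failures for one account usually points to a stale credential or a compromised host on that machine rather than to replication.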