Event ID 12294 - SAM database was unable to lockout account

  • Question

  • Dear All,

    In our organization, we prepared a DC and added it to the existing single domain as a secondary DC. When I run dcdiag, it gives me the two failures below.

    Starting test: DFSREvent

    There are warning or error events within the last 24 hours after the

    SYSVOL has been shared. Failing SYSVOL replication problems may cause

    Group Policy problems.

    ......................... DC02 failed test DFSREvent

    I understand this one because we did a failover test last night, which is within 24 hours; DC02 was offline for some time and was then brought up. I believe this should clear up within 24 hours.

    Second item:

    Starting test: SystemLog

    An error event occurred. EventID: 0x00003006

    Time Generated: 01/06/2016 10:23:38

    Event String:

    The SAM database was unable to lockout the account of <user account> due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

    ......................... DC02 failed test SystemLog

    The link between DC01 (PDC) and DC02 (SDC) is perfect. Is there any AD setting causing this issue?

    How do I troubleshoot further?

    Appreciate your replies. Thank you.

    Wednesday, January 6, 2016 1:51 AM

Answers

All replies

  • Hi

    Error ID 12294 means there are numerous failed authentication events in the Security log due to incorrect credentials, or it could be a virus issue.

    Event ID: 12294 Woes
    http://blogs.technet.com/b/mempson/archive/2012/01/13/event-id-12294-woes.aspx

    Malicious Software Removal Tool, to remove the Win32/Conficker malware family.
    http://support.microsoft.com/kb/962007

    Account Lockout Tools

    https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Amy Wang_ Tuesday, February 2, 2016 7:18 AM
    • Marked as answer by Mahdi Tehrani Monday, February 8, 2016 2:25 AM
    Wednesday, January 6, 2016 8:15 AM
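As an added example (not part of any reply in this thread), the check the answer above points at, done from PowerShell rather than the GUI lockout tools: pull the 12294 events from the System log, then summarise the failed authentications for the named account from the Security log by event ID and source, and finally read the per-DC bad-password counters. It assumes an elevated Windows PowerShell session on a DC with the ActiveDirectory module installed and an audit policy that logs logon and credential-validation failures; `$Account` and the `jdoe` default are placeholders.

```powershell
# Added example, not from any reply in this thread.
# Summarise the failed authentications behind a SAM 12294 event on a DC.
# Assumptions: elevated Windows PowerShell on the DC (or pass -ComputerName),
# ActiveDirectory module present, audit policy logs logon/credential failures.
# $Account is a placeholder for the account named in the 12294 event.
param(
    [string]$Account      = 'jdoe',                 # placeholder, replace
    [int]   $Hours        = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)

# 1. The 12294 events themselves are in the System log (source Directory-Services-SAM).
#    The event data carries the NT status of the failed write, so keep the full message.
$sam = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'System'; Id = 12294; StartTime = $since
        } -ErrorAction SilentlyContinue)
"{0} SAM 12294 event(s) on {1} in the last {2}h" -f $sam.Count, $ComputerName, $Hours
$sam | Select-Object TimeCreated, Message | Format-List

# 2. The failures that drove the lockout attempt. On a DC three IDs matter:
#    4625 failed logon, 4771 Kerberos pre-authentication failed,
#    4776 NTLM credential validation failed. 4771/4776 are the usual ones for a
#    domain account; 4625 only appears for logons made to the DC itself.
$pattern = "(?im)^\s*(Account Name|Logon Account):\s+$([regex]::Escape($Account))\s*$"
$failed = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $pattern })

# 3. Group by where the attempts came from. Each ID names the client differently:
#    4625 "Source Network Address", 4771 "Client Address", 4776 "Source Workstation".
$failed | ForEach-Object {
    $m = [regex]::Match($_.Message,
         '(?im)^\s*(Source Network Address|Client Address|Source Workstation):\s+(\S+)')
    [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Source = $m.Groups[2].Value }
} | Group-Object EventId, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. badPwdCount is not replicated: each DC keeps its own counter and the PDC
#    emulator receives chained attempts from the others, so query every DC.
Import-Module ActiveDirectory
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $p = @{
        Identity   = $Account
        Server     = $dc
        Properties = 'LockedOut', 'badPwdCount', 'LastBadPasswordAttempt', 'AccountLockoutTime'
    }
    Get-ADUser @p |
        Select-Object @{ n = 'DC'; e = { $dc } }, LockedOut, badPwdCount,
                      LastBadPasswordAttempt, AccountLockoutTime
}
```

What to look for in the output: a single source address producing a burst of 4771 or 4776 failures against one account is the flood of bad credentials the answer describes, and the source tells you whether it is a workstation, a server running something with a stale password, or an address you do not recognise. Step 4 matters because the 12294 came from one DC; the other DCs may have already locked the account.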
  • Hi Arif,

    For event ID 12294: if the domain controller receives numerous failed authentication requests for the account at the same time (the common reason is a worm virus or third-party software), the domain controller is busy updating the account lockout threshold and does not have enough disk resources to set the account as locked out, so it generates the SAM 12294 event. When the domain controller has enough resources, the account will be locked out if an Account Lockout policy is configured.

    I understand this one because we did a failover test last night, which is within 24 hours; DC02 was offline for some time and was then brought up. I believe this should clear up within 24 hours.

    >>> First of all, I suggest you check the status of the SYSVOL and Netlogon shares by following the steps below.

    1. On the Start menu, point to Administrative Tools, and then click Services.
    2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart.
    3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
    4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:

    net share

    5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.

    6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:

    dcdiag /test:netlogons

    For detailed information, you could refer to the article below.

    Check the Status of the SYSVOL and Netlogon Shares

    https://technet.microsoft.com/en-us/library/cc816833%28v=ws.10%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    • Edited by Jay Gu Wednesday, January 6, 2016 10:12 AM
    Wednesday, January 6, 2016 10:09 AM
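The same six steps as a script, added here as an example and not taken from the reply above: it checks both services, verifies the SYSVOL and NETLOGON share paths against the expected locations, runs `dcdiag /test:netlogons`, and lists the DFS Replication events from the last 24 hours that the dcdiag DFSREvent test is reacting to. It assumes an elevated Windows PowerShell session on the DC and that SYSVOL is replicated by DFSR (service name `DFSR`); on a domain still using FRS the service would be `NtFrs` and the DFS Replication log would not apply.

```powershell
# Added example, not from any reply in this thread.
# Automates the SYSVOL / NETLOGON share check. Assumptions: elevated Windows
# PowerShell on the DC being tested; SYSVOL replicated by DFSR (service 'DFSR').
$ok = $true

# Steps 1-2: both services must be running; restart one that is not.
foreach ($svc in 'DFSR', 'Netlogon') {
    $s = Get-Service -Name $svc -ErrorAction Stop
    if ($s.Status -ne 'Running') {
        Write-Warning "$svc is $($s.Status); restarting"
        Restart-Service -Name $svc
        $ok = $false
    } else {
        "$svc: Running"
    }
}

# Steps 3-5: both shares must exist and point into %SystemRoot%\SYSVOL\sysvol.
$domain   = (Get-WmiObject Win32_ComputerSystem).Domain
$expected = @{
    'SYSVOL'   = Join-Path $env:SystemRoot 'SYSVOL\sysvol'
    'NETLOGON' = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\SCRIPTS"
}
$shares = Get-WmiObject Win32_Share          # same data 'net share' prints
foreach ($name in $expected.Keys) {
    $share = $shares | Where-Object { $_.Name -eq $name }
    if (-not $share) {
        Write-Warning "$name share is missing"
        $ok = $false
    } elseif ($share.Path.TrimEnd('\') -ne $expected[$name].TrimEnd('\')) {
        Write-Warning "$name share path is '$($share.Path)', expected '$($expected[$name])'"
        $ok = $false
    } else {
        "$name -> $($share.Path)"
    }
}

# Step 6: dcdiag confirms the share is advertised with the right permissions.
$dcdiag = dcdiag /test:netlogons 2>&1
if ($dcdiag -match 'passed test NetLogons') {
    'NetLogons: passed'
} else {
    Write-Warning 'NetLogons test failed'
    $dcdiag
    $ok = $false
}

# The dcdiag DFSREvent test only looks at the last 24 hours of this log, so the
# same window is listed here (levels 1-3 = Critical, Error, Warning).
$dfsr = @(Get-WinEvent -FilterHashtable @{
            LogName = 'DFS Replication'; Level = 1, 2, 3
            StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue)
"{0} DFS Replication warning/error event(s) in the last 24h" -f $dfsr.Count
$dfsr | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

exit ([int](-not $ok))
```

The script exits non-zero if any service or share check fails, so it can be run after the failover test is finished and again once the 24-hour window has passed to confirm the DFSREvent failure has aged out rather than recurred.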
  • Thanks for your replies.

    Today, when I ran dcdiag /test:netlogons, I found the following:

    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = DC02
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\DC02
          Starting test: Connectivity
             ......................... DC02 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DC02
          Starting test: NetLogons
             ......................... DC02 passed test NetLogons
       Running partition tests on : DomainDnsZones
       Running partition tests on : ForestDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : <domain name>
       Running enterprise tests on : <domain.com>

    So the previous error related to SYSVOL is now clear, but there is still the error related to account lockout. So I will check for malicious programs/viruses etc., but it is very unlikely the DC has any such issues, because we have FortiClient Anti-Virus with the latest definitions. Maybe I can look into the individual accounts that are being triggered; it is not all user accounts, but a few.

    Thursday, January 7, 2016 12:03 AM
  • Hello,
    Could you solve the problem? I have the same issue: a SYSVOL replication problem and an account lockout issue.
    Monday, October 31, 2016 5:16 PM