Account Lockouts and 5711 Events on the PDC
ID: Q191828
The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server, Enterprise Edition version 4.0
- Microsoft Windows NT Server version 4.0, Terminal Server Edition
- Microsoft BackOffice Server version 4.0
- Microsoft Systems Management Server version 1.2
SYMPTOMS
The following events may fill up the System Log on the primary domain
controller (PDC):
Event ID 5711 - Source: NETLOGON
Description: The partial synchronization request from the server <BDC>
completed successfully. X changes(s) has (have) been returned to the
caller.
-or-
User accounts may be getting locked out sporadically.
-or-
The Lsass.exe process on the primary domain controller may show high
CPU utilization.
CAUSE
A component of Systems Management Server called Climonnt.exe is trying to
log on to the SMS shares on your network using an incorrect or expired
password.
Normally, the CLIMONNT process will wake up one time every 24 hours and
try to connect to the SMS shares on the network using the credentials of
the currently logged-on user. The problem occurs when a user's password
has been changed or has expired, but the user has not logged off. The
problem can also occur if a user's password is changed on one computer but
the user is logged on with the old password on at least one other
computer.
In either scenario, the CLIMONNT process will awaken and try to connect to
an SMS share using an old password. Since the password is incorrect,
Windows NT will deny the connection. CLIMONNT then attempts to connect to
other SMS shares that may be configured. It fails again. When all SMS
shares have been tried unsuccessfully, CLIMONNT will pause for 60 seconds,
and then start the entire process again, using the first SMS share. If an
account lockout policy is in effect on the domain, the user's account will
be locked out.
This problem can also cause CPU use by the LSASS process on the Windows NT
primary domain controller to spike.
For additional information, please see the following article in the
Microsoft Knowledge Base:
ARTICLE-ID: Q184858
TITLE : SMS: CLIMON Consumes PDC LSASS Resources When Password Expired
Problem Detection
There are three ways to detect this problem.
User Manager for Domains
You can use User Manager for Domains to unlock a user account that has
been locked. When the account is unlocked, wait 60 seconds, then reopen
User Manager. If the user account is locked again, you may be experiencing
the problem.
NOTE: This method will not detect expired password problems, only bad
password attempts that then lock out the user account.
Checked Version of NETLOGON.DLL
Install the checked version of Netlogon.dll on your PDC according to the
following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q189541
TITLE : Using the Checked Netlogon.dll to Track Account Lockouts
When a Netlogon.log file has been produced, examine the file for the
following lines:
08/01 08:12:26 [LOGON] SamLogon: Network logon of <DOMAIN>\<USERNAME>
from \\<MACHINENAME> (via <DOMAIN CONTROLLER NAME>) Returns 0xC0000234
08/01 08:14:42 [LOGON] SamLogon: Network logon of <DOMAIN>\<USERNAME>
from \\<MACHINENAME> (via <DOMAIN CONTROLLER NAME>) Returns 0xC000006A
08/01 08:12:26 [LOGON] SamLogon: Network logon of <DOMAIN>\<USERNAME>
from \\<MACHINENAME> (via <DOMAIN CONTROLLER NAME>) Returns 0xC0000071
If any of the three lines above appears every 60 to 61 seconds for a given
user, you may be experiencing the CLIMONNT problem.
Status 0xC0000234 means STATUS_ACCOUNT_LOCKED_OUT.
Status 0xC0000071 means STATUS_PASSWORD_EXPIRED.
Status 0xC000006A means STATUS_WRONG_PASSWORD.
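The 60-to-61-second check described above can be scripted over a
Netlogon.log file. The following Python is an added example, not part of
the original article or of any Microsoft tool; the function name, the
sample account, computer and PDC names, and the one-entry-per-line log
layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Status codes the article associates with the CLIMONNT retry loop.
STATUSES = {0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
            0xC0000071: "STATUS_PASSWORD_EXPIRED",
            0xC000006A: "STATUS_WRONG_PASSWORD"}
LINE_RE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: Network logon of "
    r"(\S+) from (\S+) \(via (\S+)\) Returns (0x[0-9A-Fa-f]+)")

# Constructed sample (names are made up); one log entry per line is assumed.
SAMPLE = r"""
08/01 08:12:26 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC000006A
08/01 08:12:26 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC000006A
08/01 08:13:26 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC000006A
08/01 08:13:27 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC000006A
08/01 08:14:27 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC0000234
08/01 08:15:28 [LOGON] SamLogon: Network logon of ACME\jdoe from \\WS042 (via PDC01) Returns 0xC0000234
08/01 09:00:00 [LOGON] SamLogon: Network logon of ACME\asmith from \\WS007 (via PDC01) Returns 0xC000006A
08/01 09:05:10 [LOGON] SamLogon: Network logon of ACME\asmith from \\WS007 (via PDC01) Returns 0xC000006A
""".splitlines()

def find_retry_loops(lines, min_gaps=3, lo=60, hi=61):
    """Map (account, machine) -> status names for sources whose failed
    logons recur every lo..hi seconds at least min_gaps times in a row."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(5), 16) not in STATUSES:
            continue
        # The log has no year; 2000 is assumed so that 02/29 parses.
        when = datetime.strptime("2000/" + m.group(1), "%Y/%m/%d %H:%M:%S")
        events[(m.group(2), m.group(3))].append((when, int(m.group(5), 16)))
    flagged = {}
    for key, seen in events.items():
        seen.sort()
        run = best = 0
        for (prev, _), (cur, _) in zip(seen, seen[1:]):
            gap = (cur - prev).total_seconds()
            if gap <= 1:
                continue  # burst: several SMS shares tried back to back
            run = run + 1 if lo <= gap <= hi else 0
            best = max(best, run)
        if best >= min_gaps:
            flagged[key] = sorted({STATUSES[c] for _, c in seen})
    return flagged
```

Grouping by account and source computer separates the fixed-interval
retry loop from a user who simply mistypes a password a few times.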
Network Monitor
If you know of a client computer that you suspect may have the CLIMONNT
problem, use Network Monitor to get a trace of all traffic going into and
out of the client computer. Open Task Manager, and verify that the
Climonnt.exe process is in memory. Look for the following two packets in
the Network Monitor trace:
32 55.577 00609708A9D8 AA000400060C SMB C session setup & X, Username =
<USERNAME>, and C tree connect & X, Share = \\SERVER\SMS_SHR <IP
ADDRESS>
33 55.605 AA000400060C 00609708A9D8 SMB R session setup & X - NT error,
System, Error, Code = (113) STATUS_PASSWORD_EXPIRED <IP ADDRESS1> <IP
ADDRESS2> IP
Several packets may occur within one second, followed by a pause of 60 to
61 seconds, after which the packets recur. When you recognize this
pattern, use Task Manager to kill the Climonnt.exe process, and the
pattern will stop.
RESOLUTION
To work around this problem, contact Microsoft Technical Support to obtain
the following fix, or wait for the next Systems Management Server service
pack. The hotfix should have the following timestamp:
04/22/98 08:18 PM 182KB Climonnt.exe (Alpha)
04/22/98 08:23 PM 80KB Climonnt.exe (INTEL)
This update must be installed on all computers running Windows NT.
NOTE: This hotfix will be included in SMS 1.2 Service Pack 5, but is not
included in SMS 1.2 Service Pack 4.
STATUS
Microsoft has confirmed this to be a problem in Systems Management Server
version 1.2.
A supported fix is now available, but has not been fully
regression-tested and should be applied only to systems experiencing this
specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.
Additional query words:
sms climon climonnt account lockouts lockout expired lsass
Keywords : kbnetwork kbbug4.00
Version : WINDOWS:4.0;WinNT:1.2,4.0
Platform : WINDOWS winnt
Issue type : kbbug