This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 55.00000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMF%3C/text%3E%3C/svg%3E)
Attempting to log on to the primary domain controller with my domain admin account, I get the error:
"The referenced account is currently locked out and may not be logged on to."
I can log on to the same server with another domain admin user. That same account has no problem logging on to other servers. When I check the account in active directory users and computers, it is NOT locked out. That same account has no problem logging on to other servers.
I am getting an event 4771 followed by a 4625.
That same account has no problem logging on to other servers. Other accounts have no problem on the PDC.
I am unable to determine the problem. As I stated, the account is NOT actually locked out.
PDC and SDC are Server 2019
Exchange 2013 is on Server 2012R2
All three servers are still being configured on a Windows 10 Pro host and will be migrated to a Hyper-V Server 2019 host after configuration and testing are completed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Console or remote logon? You could have a new one stood up very quickly which is what I'd suggest when unexplained issues happen on a domain controller. It really isn't worth spending time on.
--please don't forget to upvote and Accept as answer if the reply is helpful--
I am still connecting to the virtual machine server from the Hyper-V Manager. I call that local, but I must uncheck the enhanced session to bypass the RDS block, even though I no longer have RDS. Refer to https://learn.microsoft.com/en-us/answers/questions/806825/unable-to-log-onto-new-virtual-domain-server-deskt.html?childToView=808144#comment-808144,
"The phrase "have a new one stood up very quickly" makes no sense. Was that a typo?
The statement "It really isn't worth spending time on." baffles me. Are we system administrators identifying and fixing problems, or do we just rebuild the domain from scratch whenever a problem crops up? My philosophy is System Administration is not a voodoo art form. We identify problems, isolate the cause, propose a solution, test the solution, and look for unforeseen side effects, before moving on.
The statement "It really isn't worth spending time on." baffles me.
One offs like this are not worth the trouble given you can have a new one stood up in 40 mins or so. No, it was not a typo. Nothing is lost.
I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 46%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
If you found events 4771 and 4625 in security logs, it means that account is used on other machine in your network, that try to authorize trough this domain controller, that's why you are able to login to other servers on your network in the near same time. Try to find out the source of requests in security log, then check that machine with the following:
Stale credentials for Windows Service accounts.
Stale credentials used to run Scheduled tasks.
Multiple Citrix XenApp or Remote Desktop Services sessions open when a user initiates a password change.
Users logged into multiple computers when initiating a password change.
Disconnected Citrix XenApp or Remote Desktop Services sessions that are not configured to timeout.
Administrative Remote Desktop Connections to Windows servers left disconnected.
Applications with their own credential stores that authenticate against Active Directory with stale credentials.
Please click the below link to understand more about logon Failure which leads to Account lockout: