Hello All,
Hopefully there will be a little light shed on an issue a client is having. We are not an MS shop per se, but I figured I'd reach out to the community to see if anyone had any ideas on their issue.
From the information I've gathered from others they have a Primary DC that lives on a 2k8 host, and a secondary on a 2k12 host. (I believe this may be an issue alone with syncing pending where roles live?)
This is what they tell us they are experiencing:
In the past couple of weeks they have been getting AD lockouts on user accounts.
It seems to be the same accounts but in a random pattern. If the user is logged in already they only notice a problem when they try to access a network file while the account is locked. If it unlocks before they try then they never know about the problem. If they are locked and try to log in they get the normal account locked message.
From my understanding they have tried to shut down the secondary controller for an interim but the results were the same.
I haven't been able to get many logs to this point, so just looking for any light bulbs really to steer them. This is the only snip I've seen to this point as I've been part of drive by questions.
Log from last user lockout:
A Kerberos service ticket was requested.
Account Information:
    Account Name: user@domain.com
    Account Domain: domain.COM
    Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
    Service Name: ldap/Server1.domain.com
    Service ID: NULL SID
Network Information:
    Client Address: ::ffff:200.200.200.117
    Client Port: 54745
Additional Information:
    Ticket Options: 0x40810000
    Ticket Encryption Type: 0xffffffff
    Failure Code: 0x12
    Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Thanks!
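Added example, not part of the original post: a Python decoder for the fields of the event quoted above, using the RFC 4120 tables the event text points to. The function and variable names are hypothetical, and the sample assumes each field is on one "Label: value" line.

```python
import ipaddress
import re

# Constructed sample: fields from the event in the post, one "Label: value" per line.
SAMPLE_EVENT = """\
Account Name: user@domain.com
Service Name: ldap/Server1.domain.com
Client Address: ::ffff:200.200.200.117
Ticket Options: 0x40810000
Failure Code: 0x12
"""

# RFC 4120 error codes (subset useful when triaging lockouts).
KDC_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",  # credentials revoked: disabled, expired or locked
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
}

# RFC 4120 KDCOptions bit numbers (bit 0 is the most significant bit);
# bit 15 is canonicalize, reserved in RFC 4120 and defined by RFC 6806.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               8: "renewable", 15: "canonicalize", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

def parse_event(text):
    """Return {label: value} for each 'Label: value' line of the event text."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"^\s*([^:\n]+):[ \t]+(\S.*)$", text, re.M)}

def decode_options(value):
    """List the KDCOptions flags set in a hex 'Ticket Options' value."""
    bits = int(value, 16)
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if bits & (1 << (31 - bit))]

def triage(text):
    ev = parse_event(text)
    addr = ipaddress.ip_address(ev["Client Address"])
    # The event shows the client as an IPv4-mapped IPv6 address; unwrap it to IPv4.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    code = int(ev["Failure Code"], 16)
    return {"account": ev["Account Name"], "service": ev["Service Name"],
            "source": str(addr),
            "failure": KDC_ERRORS.get(code, f"unknown (0x{code:x})"),
            "options": decode_options(ev["Ticket Options"])}

print(triage(SAMPLE_EVENT))
```

Failure code 0x12 decodes to KDC_ERR_CLIENT_REVOKED, so this event records a ticket request made while the account was already disabled, expired or locked, and the unwrapped client address identifies the host that sent it.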