2003 VPN server in NT4 domain


Jason

Brief Network Topology:
4 subnets - 192.168.100, 101, 102, 103
DC in each subnet with PDC in 100 subnet
2003 VPN member server is in 100 subnet
The GPO is set to lock accounts after 5 incorrect tries. The trouble I
am having is that the first user who tries to VPN in gets locked after
one attempt, even if the logon info is correct. Once the first person
tries to log on via VPN, everyone else gets in with no problems. The
System log on the VPN server has, literally, hundreds of 21089 events
followed by one 20049 event for every attempted VPN logon that fails.
The first five 21089 events state that the domain\username couldn't
logon because the username or password is incorrect. However, the user
never even gets a second chance to try logging on so why does the
server have 5 entries for incorrect username/password? The next
hundred 21089 events state the domain\username couldn't be
authenticated because the account is locked. The 20049 event states
that the user (just says user not the actual user's account) connected
to port xxxx but was disconnected because authentication did not
complete in required time.
For the latest instance of this problem I noticed that a DC that is not
in same subnet as VPN server has exact same events in System log at
same time as in VPN server's log.
Is this a known issue between 2003 member server and NT4 DCs? Is it
possible that the error is occurring because the VPN server is trying
to authenticate users to a DC not on its subnet?
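The pattern described above (five "incorrect username or password" 21089 events fired within seconds of one dial-in, then a run of "account is locked" 21089 events, then a 20049 timeout) is easy to confirm from the log itself. The script below is an added example, not code from the thread or from Microsoft: it parses a handful of constructed System-log lines, groups the 21089/20049 events per account, and reports whether the failures that triggered the lockout arrived faster than a person could have typed them. The log line format, message wording, account names and timestamps are all assumptions made for the example; only the event ids come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a VPN server's System log, exported as
# "<timestamp> <event id> <message>". The wording of the messages is an
# assumption for this example; 21089 and 20049 are the ids from the post.
SAMPLE_LOG = r"""
2003-05-12 08:00:01 21089 The user CORP\jsmith connected to port VPN3-0 could not log on because the username or password is incorrect.
2003-05-12 08:00:01 21089 The user CORP\jsmith connected to port VPN3-0 could not log on because the username or password is incorrect.
2003-05-12 08:00:02 21089 The user CORP\jsmith connected to port VPN3-0 could not log on because the username or password is incorrect.
2003-05-12 08:00:02 21089 The user CORP\jsmith connected to port VPN3-0 could not log on because the username or password is incorrect.
2003-05-12 08:00:02 21089 The user CORP\jsmith connected to port VPN3-0 could not log on because the username or password is incorrect.
2003-05-12 08:00:05 21089 The user CORP\jsmith could not be authenticated because the account is locked.
2003-05-12 08:00:06 21089 The user CORP\jsmith could not be authenticated because the account is locked.
2003-05-12 08:00:07 21089 The user CORP\jsmith could not be authenticated because the account is locked.
2003-05-12 08:00:31 20049 The user connected to port VPN3-0 has been disconnected because authentication did not complete in the required time.
2003-05-12 08:15:00 21089 The user CORP\alee connected to port VPN3-1 could not log on because the username or password is incorrect.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(.*)$")
# Pull a DOMAIN\user token out of the message; 20049 carries no account.
ACCOUNT_RE = re.compile(r"user\s+(\S+\\\S+)", re.IGNORECASE)


def parse_events(text):
    """Turn exported log lines into dicts with time, id, account and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        msg = m.group(3)
        acct = ACCOUNT_RE.search(msg)
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "id": int(m.group(2)),
            "account": acct.group(1) if acct else None,
            "msg": msg,
        })
    return events


def classify(event):
    """Map an event to the three outcomes the post describes."""
    msg = event["msg"].lower()
    if event["id"] == 20049:
        return "auth_timeout"
    if event["id"] == 21089:
        if "locked" in msg:
            return "account_locked"
        if "incorrect" in msg:
            return "bad_password"
    return "other"


def analyze(events, lockout_threshold=5, burst_window=timedelta(seconds=5)):
    """Per account: how many password failures preceded the first lock,
    and whether they all landed inside burst_window (i.e. not typed by a
    person). Returns (report, number_of_20049_timeouts)."""
    buckets = defaultdict(lambda: {"bad_password": [], "account_locked": []})
    timeouts = 0
    for ev in events:
        kind = classify(ev)
        if kind == "auth_timeout":
            timeouts += 1
        elif kind != "other" and ev["account"]:
            buckets[ev["account"]][kind].append(ev["time"])

    report = {}
    for acct, b in buckets.items():
        bad = sorted(b["bad_password"])
        locked = sorted(b["account_locked"])
        # Only failures logged before the first lock can have caused it.
        before_lock = [t for t in bad if not locked or t <= locked[0]]
        hit = len(before_lock) >= lockout_threshold
        burst = hit and (before_lock[lockout_threshold - 1] - before_lock[0]) <= burst_window
        report[acct] = {
            "bad_password": len(bad),
            "account_locked": len(locked),
            "lockout_threshold_hit": hit,
            "failures_in_burst": burst,
        }
    return report, timeouts


if __name__ == "__main__":
    rep, n_timeouts = analyze(parse_events(SAMPLE_LOG))
    for acct, row in rep.items():
        print(acct, row)
    print("20049 timeouts:", n_timeouts)
```

Run against a real export, an account whose `failures_in_burst` is true is one whose lockout came from automated retries somewhere in the authentication path rather than from the user re-typing a password, which is exactly the situation the post describes. Comparing the same timestamps against the System log on each DC (as the poster did for the off-subnet DC) then shows which DC handled those retries.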
 

Robert L [MS-MVP]

We have seen some cases like this when you have 2003 on an NT domain or upgrade from NT. These two links may help:

Event ID 20049 Event ID 20049 - An invalid request was sent to the admin support thread for Remote ... Analysis: If you receive VPN Error 619, Event ID 20049 or 20073, ...
www.chicagotech.net/casestudy/Evenid20049.htm


Event ID 20049 and Error 768 Event ID 20049 - An invalid request was sent to the admin support thread for Remote Access Service, possibly from a down level admin tool. ...
www.chicagotech.net/Q&A/vpn42.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com