We have a situation where a software application cannot be installed because the admin account used during installation gets locked out during prerequisite checks. After some investigation, we found the cause: The prerequisite check looks at remote registry settings of other servers by RPC call to the server’s IP address rather than its FQDN, and for some reason this causes authentication to fail and lock out the account.
We validated this by doing the following:
- When using regedit and attempting to connect to another AD server’s registry using the server’s FQDN, it connects without issue.
- When we attempt the same connection using the server’s IP address, it prompts for new credentials.
- All AD credentials will fail and eventually lockout the account being used, but using a Local Admin account has no problems.
We performed this test from other servers in the environment as well, but they had no issues with connecting and authenticating by IP. We compared NIC/DNS/WINS settings, but there was no notable difference. We’re at the point of cross-checking GPO settings, but we don’t expect to find anything.
We could obviously just use Local Admin accounts, but we want to understand why an RPC call using an IP address rather than the FQDN causes AD authentication to fail and lock out AD accounts. Any ideas?