
AD loses computer accounts occasionally


  • AD loses computer accounts occasionally

    When a customer's workstations cannot log on to the domain XYZ because of the error message "Cannot logon because the domain XYZ is not available", I get called out to fix it. I can, however, log on to the domain from the workstation using a domain Administrator account. When I look at the list of computer accounts in ADUC, I see this workstation's name PC4 is not listed.

    So I disjoin PC4 from the domain and rejoin it, then all is well (apart from the expected user profile issues which I can sort out).

    In the SBS 2003's event log I see this:
    Event log error ID 5133 Source NETLOGON

    "The computer PC4 tried to connect to the server \\SERVER1 using the trust relationship established by the XYZ domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship."
    which puzzles me because the domain hasn't been reconfigured - this is a quiet office with only 6 PCs (XP Pro) trying to log on to a SBS2003 domain. No-one fiddles with the server, so I can blame No-one.

    I have googled the error message and the advice given is generally to disjoin and rejoin the domain. However, the problem reoccurs, perhaps on the same PC, perhaps on a different PC, at random several days later. If I try to simply add a computer account in ADUC, the workstation still cannot log on, so I need to fully disjoin and rejoin the domain. Unless I can use Netdom, which I have not tried, so do you think I can use Netdom.exe to simply add the computer name back into ADUC, then run netdom.exe and will this enable the PC to log on without the profile hassles that I have to do each time this happens?

    I also noticed when trying to do a System State backup using NTBackup that the backup report said that the System State could not be backed up because it could be corrupted or unavailable. Is there any advice on what to do about this? I think the two issues could be connected. The previous IT company didn't make any System State backups so I can't restore from an old one.

    Is there any wisdom on how to cure the problem of the computer account getting "forgotten" in ADUC? Thank you for any advice you can give me.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: AD loses computer accounts occasionally

    Hello.

    The first thing I come to think of is the time sync, since there is normally a 5-minute maximum time difference allowed for Kerberos to work.

    Nothing more in the logs?


    Patrik



    • #3
      Re: AD loses computer accounts occasionally

      Thanks for that - good tip, I'll check the times and see what gives. In the logs I also saw a whole stream of DNS errors, saying that an IP packet destined for somedomainorother.com was directed to this server 192.168.0.200.

      somedomainorother.com was in the logs as being any of many domain names such as microsoft.com or grisoft.com or whatever. The trouble now is that these guys have no remote facilities set up yet, and I won't be visiting them for another week or so (unless they have logon problems again!), so unfortunately I can't post the exact text of the DNS log error. But it was happening every 5 to 10 minutes, then stopped for a few hours, then started happening again for another burst of errors.

      I did check the DNS setup and the A records and the CNAME records seemed OK.

      So thanks for your input about the time, and I'll see if I can use that tip to help matters when I next visit them. (I'll set up remote access to their server too!)
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



      • #4
        Re: AD loses computer accounts occasionally

        Any chance the workstations are built from an image without regeneration of a new SID by running SYSPREP or newsid.exe?
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: AD loses computer accounts occasionally

          Hi Guyt,

          Thanks for your thought - these aren't built from an image, they're a mix of Windows 2000 Pro PCs and XP Pro PCs that they bought "as-is" several years ago. Then they were joined to the domain, 2 years ago, and recently have this problem. The last IT company hardly ever did anything, let alone going to the trouble of creating images.

          But you have made me think of another thing - I need to find out if this reoccurring problem of AD losing the computer account happens on only the Windows 2000 PCs - so far, that's true, the XP workstations seem to be OK, so that may narrow it down a bit.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
