computer accounts are being deleted! 1

[penguinroundup]

so far this morning, I have had at least 5 Windows XP and 1 Windows 2000 computer completely LOSE their computer accounts in my domain for apparently no reason at all. This is what I get in my DC event logs for each machine:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 9/26/2006
Time: 9:23:36 AM
User: N/A
Computer: DOMAINCONTROLLER
Description:
The session setup from computer 'COMPUTERNAME' failed because the security database does not contain a trust account 'COMPUTERNAME$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:

If 'COMPUTERNAME$' is a legitimate machine account for the computer 'COMPUTERNAME', then 'COMPUTERNAME' should be rejoined to the domain.

If 'COMPUTERNAME$' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'COMPUTERNAME$' is not a legitimate account, the following action should be taken on 'COMPUTERNAME':

If 'COMPUTERNAME' is a Domain Controller, then the trust associated with 'COMPUTERNAME$' should be deleted.

If 'COMPUTERNAME' is not a Domain Controller, it should be disjoined from the domain.

For more information, see Help and Support Center at

Http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 8b 01 00 c0 (0000: c000018b) ?..À

AND:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 9/26/2006
Time: 9:26:23 AM
User: N/A
Computer: DOMAINCONTROLLER
Description:
The session setup from the computer COMPUTERNAME failed to authenticate. The following error occurred:
Access is denied.

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 22 00 00 c0 (0000: c0000022) "..À

Once I disjoin the computer from the domain and rejoin it all is fine (so far). The bizarre thing is that all these machines are in the same part of our office building, and we've had no reports of anybody else having this issue. Has anybody else ever had this happen?

 

[markdmac]

How many DCs do you have? I would look for replication errors in the event logs. I ran into this problem once and it can get ugly. I wrote an FAQ around the solution. faq96-4733

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[backbeat21]

We're having this same problem. I looked at your document and it seems to only indicate how to remove a bad DC. We did have one and have since removed it yet we're still having the problem. Is there anything else that you recommend?

 

[backbeat21]

Also, I should add that when we remove the PC from the domain and add it back it seems fine for a few reboots but then is unable to login again.

 

[Roadki11]

This probably doesnt apply but i will put it out there. I had an issue with user accounts automagically deleting themselves. This was on a Win2k3 standard server pre sp1, i installed sp1 and it resolved the problem. guess my question is what server you running and is it up2date?

RoadKi11

 

[backbeat21]

All the DCs are 2003 with the latest updates.

Another thing I should say is that we can look on one DC and the account is gone. If we look on another it's there.

 

[Roadki11]

Read this kb, it contains a lot of good info. wondering if you can undelete the computer object. also wondering if you have some sort of replication timing issue. kb says its for users but it you read down it applies to computer objects also.

http://support.microsoft.com/kb/840001/en-us

RoadKi11

 

[markdmac]

Another thing I should say is that we can look on one DC and the account is gone. If we look on another it's there.

This is exactly the issue that I was battling which prompted me to write that FAQ. You need to focus on the problem and not the symptom. The inability to login at the workstation due to the missing computer account is a symptom of the real problem which is the inability for your DCs to synchronize/replicate.

Take a look first at your DNS configuration. If that is messed up you will never resolve your issues.

DNS Settings:

Configure the server NIC to only list itself or other DCs, no ISP DNS gets configured on the NIC TCP/IP properties.

In DHCP, set the DNS scope option to only provide the IP of your local DNS server

For any statically configured IPs, make sure the DNS only lists local DNS servers and not ISP DNS.

In the DNS snap-in on the forwarders tab enter your ISP DNS.

Also take a look at the event logs on both DCs and compare them.

Run DCDIAG and NETDIAG on each server and correct any errors reported.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[jimthecanadian]

By any chance do you use ghost to image your pc's and if so do you make sure they all have unique SID's? I have seen people use ghost to setup a bunch of PC's and have some sililar results.

 

[backbeat21]

jimthecanadian: We do use Ghost and Altiris but we always run a SID changer to avoid this type of issue.

markdmac: I ended up finding the "bad" DC listed several places in DNS. I deleted all listings of it. Now I just have to wait and see if that resolves my problems. Thaks for your input.

 

[markdmac]

If you removed a DC make sure you run the script from my FAQ to ensure it is not stuck in AD anywhere too.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript