I've seen this many times and it does seem to relate to the PDC emulator
not knowing about the machine... I don't know the exact process behind it
but it does seem that the DC's in the site that you are adding the computer
object and the PDC emulator must know about the new object.
I never used to allow the admins on remote sites to create accounts via the
'join domain' option on the wks. I used to see your error all the time on a
reboot. I eventually gave them the right to 'add wks to the domain' and all
was ok.
I'd be interested to see your findings/others experiences as I am looking
to restrict the right to create new computer accounts back to the central
HQ.
BR
Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362
"Rick Kingslan"
<[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>
Sent by: cc:
[EMAIL PROTECTED] Subject: RE: [ActiveDir] Computer
Account in its Primary Domain is Missing
tivedir.org
11/10/2003 21:43
Please respond to
ActiveDir
I've run into this exact error message in one case (well, two - you've
confirmed that the object does exist, so I'll discount that).
If I image a PC and apply the image to another PC and fail to run, say
SIDWalker to create a random object SID for the computer object - I see
this
error.
So, if you're using any type of imaging software to duplicate setups, look
to a SID changing tool (free one available from WinTernals called NewSID -
http://www.sysinternals.com/ntw2k/source/newsid.shtml) to mod the SID and
avoid the problem.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
Sent: Saturday, October 11, 2003 9:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Account in its Primary Domain is Missing
At least once a week, an admin in our company will successfully join a
computer (NT 4.0, Win2K, WinXP) to our AD domain, and upon reboot receives
"the computer account in its primary domain is missing" error message. We
assume this happens because we have two DC's in every site, the five minute
intrasite replication hasn't happened, and the newly added computer is
simply authenticating with the other DC.
But even when we wait fifteen minutes and then reboot again, we still get
the error message. Our techs have been using the take to workgroup, re-add
to domain method until it's successful.
One time I actually verified the existence of the computer account on both
local DC's at a particular site, and yet the computer could still not login
to the domain. Using replmon, I forced a sync of the domain partition from
one of the local DC's out to every other DC in our environment.
Immediately
the workstation could login.
What gives? Does every DC or a particular DC (PDC
Emulator?) need to know about newly added computer accounts before they can
be used? Do I need to train our techs to pre-populate computer accounts
with ADUC and sync the domain before using them? A similar complaint is
that sometimes the computer account simply disappears, but I haven't seen
that yet personally.
Any advice would be much appreciated. Thanks.
-Rick Dayton
__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
**********************************************************************
This E-mail and any files transmitted with it are in
commercial confidence and intended solely for the use of
the individual or entity to whom they are addressed.
If you have received this E-mail in error please notify the
Administrator by E-mail ([EMAIL PROTECTED]).
Any views or opinions expressed are solely those of the
author and do not necessarily represent those of
DEK International., or its affiliates.
**********************************************************************
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.dek.com
**********************************************************************
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
