>From reading the detailed error messages it would seem that the workstations are 
>timing out for one reason or another when synchronizing, you may want to research 
>increasing timeout values for network services (Browser service, Server service 
>etc.).  Also, have you attempted to verify server communication via the WAN links to 
>verify that there are no timeout issues occurring?  Try pinging with an -l switch to 
>increase the ICMP data being sent with the -t switch and watch for any timeouts or 
>significant ping response time increases.

Something you might want to consider is implementing independent child domains for 
each of your sites.  I believe it would significantly decrease your network traffic 
across your WAN links to allow for more prioritized processing of network traffic to 
take place.  However, that would likely be a large project so a more temporary 
solution would be to determine the cause of the current issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 06, 2004 10:00 AM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] computer account issues

Thanks for the reply and sorry for being unclear.
The eventID 5723 as per my previous post is generated on the domain controller.
These are the events generated on the client side (please note they were translated 
from a non-English system; hopefully they're clear enough):

Source: LSASRV
Category: SPNEGO
EventID: 40961
Protection System could not establish a secured connection with server 
cifs/dc.domain.local. No authentication protocol was available

Source: NETLOGON
Category: None
EventID: 5721
Session installation on Windows NT or Windows 2000 domain controller \\dc.domain.local 
was unsuccessful because domain controller has no computer account for the computer 
"computername"

Source: W32time
Category: none
EventID: 18
NtpClient time provider was unable to establish a trust relation from this machine to 
domain domain.local in order to synchronize time in protected mode. Trust relation 
between this workstation and the primary domain was unsuccessful (0x800706FD).

One of the DCs has a SQL server to support an SMS 2.0 installation but I can't figure 
out any interactions with a client authentication.
I am about to thoroughly read the Q article you suggested to me. From a quick check, the 
only relevant policy I could find is "microsoft network server:
digitally sign up communication if client agrees" set ENABLED on the default DC policy.
I have been working on this issue for a short time. People working here for longer 
say this might have happened exclusively (or mainly) on winXP workstations, but take 
this as an unreliable piece of information.
Please let me know if you need more detailed information. I appreciate your support.
Thanks!!





> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
> Wassell
> Sent: Friday, February 6, 2004 15:09
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] computer account issues
> 
> A little bit unclear, but I have browsed through the Microsoft KB 
> regarding that event id and this article was a match.
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> 
> Search in the page for "5723" (without quotes).  It is under the 
> digitally sign communication (always) category.  That may be a first 
> step to determining the cause?
> 
> I also noticed that this error can be generated by SQL Server.
> 
> Is this error being generated in the event log on the server? 
>  Or on the machine itself? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> Sent: Friday, February 06, 2004 8:43 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] computer account issues
> 
> Good morning list,
> 
> I am getting a weird problem lately. Our AD architecture is made of 1 
> forest, 1 domain, 4 sites spanned through WAN links. There are approx.
> 2500 nodes in the forest, there are 2 DCs at each site, a DC is 
> configured as GC at each site.
> 
> Randomly, with no apparent recurrent pattern, we get the eventID
> 5723 (netlogon) error from some machines (I would say some 4-5 a day). 
> 
> ------------------
> 
> The session setup from the computer <computer name> failed because 
> there is no trust account in the security database for this computer. 
> The name of the account referenced in the security database is 
> <computer name>$.
> 
> The error code is 0xC000018B
> 
> ------------------
> 
> The client is not able to authenticate to the DC anymore. The only (to
> me) known resolution is to rejoin the machine to the domain.
> 
> Would anyone suggest a resolution, or correct steps for 
> troubleshooting?
> 
> I've already checked on eventid.net, and it looks like none of the 
> suggestions is relevant to my architecture. We're running a native 
> mode Windows 2000 domain.
> 
> The error code states that the computer account has been deleted. How 
> can this happen? How can I audit operation attempts on computer 
> accounts?
> 
> Thanks!!
> 
> Alex
> 
>  
> 
>  
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
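
An added example, not part of the original thread: it splits the two error codes quoted in the messages above (0xC000018B on the DC, 0x800706FD on the client) into their NTSTATUS and HRESULT bit fields, and pairs the DC-side event 5723 with the client-side event 5721 per computer. The symbolic names are the standard Windows definitions for those codes; the sample records, host names and the 15-minute window are constructed assumptions.

```python
from collections import defaultdict

# Standard Windows names for the two codes quoted in the thread.
NTSTATUS_NAMES = {0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT"}
WIN32_NAMES = {1789: "ERROR_TRUSTED_RELATIONSHIP_FAILURE"}
FACILITY_WIN32 = 7
SEVERITY = ("success", "informational", "warning", "error")

def decode_ntstatus(code):
    """NTSTATUS layout: bits 31-30 severity, 27-16 facility, 15-0 code."""
    return {"severity": SEVERITY[(code >> 30) & 0x3],
            "facility": (code >> 16) & 0xFFF,
            "code": code & 0xFFFF,
            "name": NTSTATUS_NAMES.get(code, "unknown")}

def decode_hresult(code):
    """HRESULT layout: bit 31 failure, bits 26-16 facility, 15-0 code."""
    facility, low = (code >> 16) & 0x7FF, code & 0xFFFF
    name = "unknown"
    if facility == FACILITY_WIN32:  # low word is a plain Win32 error number
        name = WIN32_NAMES.get(low, f"Win32 error {low}")
    return {"failure": bool(code >> 31), "facility": facility,
            "code": low, "name": name}

# Constructed sample records: (logged on, source, event ID, computer, minute).
EVENTS = [
    ("dc", "NETLOGON", 5723, "WS-0417", 600),
    ("client", "LSASRV", 40961, "WS-0417", 601),
    ("client", "NETLOGON", 5721, "WS-0417", 601),
    ("client", "W32Time", 18, "WS-0417", 603),
    ("client", "W32Time", 18, "WS-0922", 610),  # time error alone: not flagged
    ("dc", "NETLOGON", 5723, "WS-1100", 620),
    ("client", "NETLOGON", 5721, "WS-1100", 900),  # too far apart to pair
]

def missing_account_hosts(events, window=15):
    """Computers with DC-side 5723 and client-side 5721 within `window` minutes."""
    seen = defaultdict(lambda: {"dc": [], "client": []})
    for side, source, event_id, host, minute in events:
        if source == "NETLOGON" and (side, event_id) in (("dc", 5723), ("client", 5721)):
            seen[host][side].append(minute)
    return sorted(host for host, t in seen.items()
                  if any(abs(d - c) <= window for d in t["dc"] for c in t["client"]))

if __name__ == "__main__":
    print(decode_ntstatus(0xC000018B))
    print(decode_hresult(0x800706FD))
    print(missing_account_hosts(EVENTS))
```

The low word of 0x800706FD is Win32 error 1789, the workstation trust failure, which matches the DC's view that the `<computer name>$` account is missing.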