> I haven't ever seen things just delete themselves out of the
> directory. I have had sites complain that computers were
> being mysteriously deleted on occasion though. In the cases I
> investigated, the number of people who had the rights to do
> the delete was excessive. I would indicate that they should
> clean up who had the access to do it and the problems would
> seemingly clear up.
>
> On your auditing comment.
>
> 1. Do you know for sure your auditing is configured tightly
> enough to catch a computer object deletion? I.e. if you
> delete one, do you see the audit event (probably in the
> account management category)?
> 2. Did you scan for the events on every DC and did you have
> all security events available on every DC for the period of
> time that you are SURE the computer account existed and it no
> longer existed?

When I checked the event logs, I couldn't find any evidence of a manual deletion by anyone. I have raised the security log size to make sure that those events were not overwritten. And I believe all audit things are correctly configured to catch account management events. Are you sure that the issue is not related to replication?

Thanks

>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> Sent: Friday, February 06, 2004 10:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] computer account issues
>
> Michael,
>
> Admittedly, WAN links are not extremely reliable and tend to
> drop out at times. However, I can't explain how this
> can be related to my problem.
> Would you like to further explain this point please?
> Can WAN links be related to my problem? Has it something to
> do with replication? This is what happens: the client, all of
> a sudden, cannot authenticate anymore. We check on the DCs and
> the computer account is gone... lost, as if someone deleted it
> (but auditing shows no sign of manual deletions by
> privileged users). We have at least 2 DCs at each site and we
> verified that each client will authenticate from a DC in its
> local site.
> Each site has its own DCs and I verified that each client
> will authenticate from the correct DC in its own site. From
> my point of view, it doesn't look like a WAN link issue.
>
> As for architectural changes: they can't be performed for a
> number of reasons. However I still wonder how this issue may
> be related to WAN traffic.
>
> Thanks for your time
> Alex.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael
> > Wassell
> > Sent: Friday, 6 February 2004 16:25
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] computer account issues
> >
> > From reading the detailed error messages it would seem that
> > the workstations are timing out for one reason or another when
> > synchronizing; you may want to research increasing timeout values for
> > network services (Browser service, Server service etc.). Also, have
> > you attempted to verify server communication via the WAN links to
> > verify that there are no timeout issues occurring? Try pinging with the
> > -l switch to increase the ICMP data being sent and the -t switch, and
> > watch for any timeouts or significant ping response time increases.
> >
> > Something you might want to consider is implementing independent child
> > domains for each of your sites. I believe it would significantly
> > decrease your network traffic across your WAN links to allow for more
> > prioritized processing of network traffic to take place. However,
> > that would likely be a large project so a more temporary solution
> > would be to determine the cause of the current issue.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> > Sent: Friday, February 06, 2004 10:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] computer account issues
> >
> > Thanks for the reply and sorry for being unclear.
> > The event ID 5723 as per my previous post is generated on the domain
> > controller.
> > These are the events generated on the client side (please note they
> > were translated from a non-English system, hopefully they're clear
> > enough):
> >
> > Source: LSASRV
> > Category: SPNEGO
> > EventID: 40961
> > Protection System could not establish a secured connection with server
> > cifs/dc.domain.local. No authentication protocol was available
> >
> > Source: NETLOGON
> > Category: None
> > EventID: 5721
> > Session installation on Windows NT or Windows 2000 domain controller
> > \\dc.domain.local was unsuccessful because domain controller has no
> > computer account for the computer "computername"
> >
> > Source: W32time
> > Category: none
> > EventID: 18
> > NtpClient time provider was unable to establish a trust relation from
> > this machine to domain domain.local in order to synchronize time in
> > protected mode. Trust relation between this workstation and the
> > primary domain was unsuccessful (0x800706FD).
> >
> > One of the DCs has a SQL server to support an SMS 2.0 installation but
> > I can't figure out any interaction with client authentication.
> > I am about to thoroughly read the Q article you suggested to me.
> > From a quick check, the only relevant policy I could find is
> > "microsoft network server: digitally sign communication if client
> > agrees" set to ENABLED on the default DC policy.
> > I have been working on this issue for a short time. People working
> > here for longer say this might have happened exclusively (or mainly)
> > on WinXP workstations, but take this as an unreliable piece of
> > information.
> > Please let me know if you need more detailed information. I appreciate
> > your support.
> > Thanks!!
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Michael
> > > Wassell
> > > Sent: Friday, 6 February 2004 15:09
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] computer account issues
> > >
> > > A little bit unclear, but I have browsed through the Microsoft KB
> > > regarding that event id and this article was a match.
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> > >
> > > Search in the page for "5723" (without quotes). It is under the
> > > digitally sign communication (always) category. That may be a first
> > > step to determining the cause?
> > >
> > > I also noticed that this error can be generated by SQL Server.
> > >
> > > Is this error being generated in the event log on the server?
> > > Or on the machine itself?
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> > > Sent: Friday, February 06, 2004 8:43 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] computer account issues
> > >
> > > Good morning list,
> > >
> > > I am getting a weird problem lately. Our AD architecture is made of 1
> > > forest, 1 domain, 4 sites spanned across WAN links. There are approx.
> > > 2500 nodes in the forest, there are 2 DCs at each site, a DC is
> > > configured as GC at each site.
> > >
> > > Randomly, with no apparent recurrent pattern, we get the event ID
> > > 5723 (netlogon) error from some machines (I would say some 4-5 a day).
> > >
> > > ------------------
> > >
> > > The session setup from the computer <computer name> failed because
> > > there is no trust account in the security database for this computer.
> > > The name of the account referenced in the security database is
> > > <computer name>$.
> > >
> > > The error code is 0xC000018B
> > >
> > > ------------------
> > >
> > > The client is not able to authenticate to the DC anymore. The only (to
> > > me) known resolution is to rejoin the machine to the domain.
> > >
> > > Would anyone suggest a resolution, or the correct steps for
> > > troubleshooting?
> > >
> > > I've already checked on eventid.net, and it looks like none of the
> > > suggestions is relevant to my architecture. We're running a native
> > > mode Windows 2000 domain.
> > >
> > > The error code states that the computer account has been deleted. How
> > > can this happen? How can I audit operation attempts on computer
> > > accounts?
> > >
> > > Thanks!!
> > >
> > > Alex
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
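Joe's two auditing questions in the thread above reduce to a check a defender can script: is an audited deletion of the missing computer account recorded on any DC, and does each DC's security log still reach back far enough to have caught one? The following is an added example in Python, not code from the thread or any of its participants; the one-line-per-record export format, the DC and workstation names, the sample records, and the event IDs 647 (Windows 2000/2003 Computer Account Deleted) and 4743 (its Windows Server 2008+ equivalent) are my assumptions, not from the page.

```python
from datetime import datetime

# Account Management event IDs that record a computer account deletion
# (assumed here: 647 on Windows 2000/2003, 4743 on Server 2008 and later).
DELETION_EVENT_IDS = {647, 4743}

# Constructed sample export, one Security log record per line in the form
# "DC,timestamp,EventID,target". DC3's log had wrapped: its oldest surviving
# record is from 16:00, so it cannot vouch for anything earlier that day.
SAMPLE_EXPORT = """\
DC1,2004-02-06T07:50:00,645,WS042$
DC1,2004-02-06T09:15:00,646,WS042$
DC2,2004-02-06T07:55:00,645,WS042$
DC2,2004-02-06T17:30:00,647,WS042$
DC2,2004-02-06T17:31:00,646,WS017$
DC3,2004-02-06T16:00:00,646,WS017$
"""

def parse_export(text):
    """Parse the export into (dc, datetime, event_id, target) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            dc, ts, eid, target = line.split(",", 3)
            events.append((dc, datetime.fromisoformat(ts), int(eid), target))
    return events

def find_deletions(events, account):
    """Question 1: an audited deletion of `account` on any DC. The event is
    written only by the DC that performed the delete; the other DCs just
    receive the tombstone via replication, which is why every DC is scanned."""
    return [(dc, ts.isoformat()) for dc, ts, eid, target in events
            if eid in DELETION_EVENT_IDS and target == account]

def coverage_gaps(events, dcs, window_start):
    """Question 2: can each DC's log still vouch for the whole period since the
    account was last known to exist? No records, or an oldest record newer
    than window_start, means the log wrapped and a deletion before it is lost."""
    start = datetime.fromisoformat(window_start)
    gaps = {}
    for dc in dcs:
        stamps = [ts for d, ts, _, _ in events if d == dc]
        if not stamps:
            gaps[dc] = "no records exported"
        elif min(stamps) > start:
            gaps[dc] = "oldest record is " + min(stamps).isoformat()
    return gaps

if __name__ == "__main__":
    ev = parse_export(SAMPLE_EXPORT)
    print(find_deletions(ev, "WS042$"))
    print(coverage_gaps(ev, ["DC1", "DC2", "DC3"], "2004-02-06T08:00:00"))
```

A DC reported in the gaps dictionary is exactly the case joe warns about: absence of a deletion event there proves nothing, and raising the log size only helps going forward.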
