What specifically do you mean by an issue related to replication? If the object was properly created and that created object replicated around ok, replication shouldn't have anything to do with it unless someone deleted it and the delete properly replicated around.
If the create never replicated around then it would only be sitting on whatever boxes it was sitting on and chasing what boxes it isn't on should be pretty trivial and should have been caught out by whatever AD replication monitoring you have in place already. It isn't like if it can't replicate it to a couple of servers it will just say, ah what the heck, since I can't get it to those servers I will remove it from the rest that are replicating.

So in response to do I think the issue could be related to replication I would say, is your replication working ok? If it isn't, it could be involved but it wouldn't delete the object automatically. If your replication is working ok, I would say, no replication is not involved.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Monday, February 09, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] computer account issues

> I haven't ever seen things just delete themselves out of the
> directory. I have had sites complain that computers were being
> mysteriously deleted on occasion though. In the cases I investigated,
> the number of people who had the rights to do the delete were
> excessive. I would indicate that they should clean up who had the
> access to do it and the problems would seemingly clear up.
>
> On your auditing comment.
>
> 1. Do you know for sure your auditing is configured tight enough to
> catch a computer object deletion. I.E. If you delete one, do you see
> the audit event (probably be an account management category).
> 2. Did you scan for the events on every DC and did you have all
> security events available on every DC for the period of time that you
> are SURE the computer account existed and it no longer existed.

When I checked into event logs, I couldn't find any evidence of manual deletion from anyone. I have raised the security log size, to make sure that those events were not overwritten.
And, I believe all audit things are correctly configured to catch account management events. Are you sure that the issue is not to be related to replication?

Thanks

>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> Sent: Friday, February 06, 2004 10:43 AM
> To: [EMAIL PROTECTED]
> Subject: R: [ActiveDir] computer account issues
>
> Michael,
>
> Admittedly, WAN links are not extremely reliable and tend to be dropped
> out at times. However, I can't explain how this can be related to my
> problem.
> Would you like to further explain this point please?
> Can WAN links be related to my problem? Has it something to do with
> replication? This is what happens: the client, all of a sudden, cannot
> authenticate anymore. We check on the DCs and the computer account is
> gone...lost, as if someone deleted it (but auditings show no sign of
> manual deletions from privileged users). We have at least 2 DCs at
> each site and we verified that each client will authenticate from a DC
> in its local site.
> Each site has its own DCs and I verified that each client will
> authenticate from the correct DC in its own site. From my point of
> view, it doesn't look like a WAN links issue.
>
> As for architectural changes: they can't be performed for a number of
> reasons. However, I still wonder how this issue may be related to WAN
> traffic.
>
> Thanks for your time
> Alex.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael
> > Wassell
> > Sent: Friday, 6 February 2004 16:25
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] computer account issues
> >
> > From reading the detailed error messages it would seem that
> > the workstations are timing out for one reason or another when
> > synchronizing, you may want to research increasing timeout values for
> > network services (Browser service, Server service etc.).
> > Also, have you attempted to verify server communication via the WAN
> > links to verify that there are no timeout issues occurring? Try
> > pinging with an -l switch to increase the ICMP data being sent with
> > the -t switch and watch for any timeouts or significant ping response
> > time increases.
> >
> > Something you might want to consider is implementing independent child
> > domains for each of your sites. I believe it would significantly
> > decrease your network traffic across your WAN links to allow for more
> > prioritized processing of network traffic to take place. However,
> > that would likely be a large project so a more temporary solution
> > would be to determine the cause of the current issue.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> > Sent: Friday, February 06, 2004 10:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: R: [ActiveDir] computer account issues
> >
> > Thanks for the reply and sorry for being unclear.
> > The eventID 5723 as per my previous post is generated on the domain
> > controller.
> > These are the events generated on the client side (please note they
> > were translated from a non-English system, hopefully they're clear
> > enough):
> >
> > Source: LSASRV
> > Category: SPNEGO
> > EventID: 40961
> > Protection System could not establish a secured connection with server
> > cifs/dc.domain.local. No authentication protocol was available
> >
> > Source: NETLOGON
> > Category: None
> > EventID: 5721
> > Session installation on Windows NT or Windows 2000 domain controller
> > \\dc.domain.local was unsuccesful because domain controller has no
> > computer account for the computer "computername"
> >
> > Source: W32time
> > Category: none
> > EventID: 18
> > NtpClient time provider was unable to establish a trust relation from
> > this machine to domain domain.local in order to syncronize time in
> > protected mode.
> > Trust relation between this workstation and the
> > primary domain was unsuccesful (0x800706FD).
> >
> > One of the DCs has a SQL server to support a SMS 2.0 installation but
> > I can't figure any interactions with a client authentication.
> > I am about to thoroughly read the Q article you suggested to me.
> > From a quick check, the only relevant policy I could find is
> > "microsoft network server:
> > digitally sign up communication if client agrees" set ENABLED on the
> > default DC policy.
> > I have been working on this issue for a short time. People working
> > here for longer say this might have happened exclusively (or mainly)
> > on winXP workstations, but take this as an unreliable piece of
> > information.
> > Please let me know if you need more detailed information. I appreciate
> > your support.
> > Thanks!!
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Michael
> > > Wassell
> > > Sent: Friday, 6 February 2004 15:09
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] computer account issues
> > >
> > > A little bit unclear, but I have browsed through the Microsoft KB
> > > regarding that event id and this article was a match.
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> > >
> > > Search in the page for "5723" (without quotes). It is under the
> > > digitally sign communication (always) category. That may be a first
> > > step to determining the cause?
> > >
> > > I also noticed that this error can be generated by SQL Server.
> > >
> > > Is this error being generated in the event log on the server?
> > > Or on the machine itself?
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> > > Sent: Friday, February 06, 2004 8:43 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] computer account issues
> > >
> > > Good morning list,
> > >
> > > I am getting a weird problem lately. Our AD architecture is made of 1
> > > forest, 1 domain, 4 sites spanned through WAN links. There are approx.
> > > 2500 nodes in the forest, there are 2 DCs at each site, a DC is
> > > configured as GC at each site.
> > >
> > > Randomly, with no apparent recurrent pattern, we get the eventID
> > > 5723 (netlogon) error from some machines (I would say some 4-5 a day).
> > >
> > > ------------------
> > >
> > > The session setup from the computer <computer name> failed because
> > > there is no trust account in the security database for this computer.
> > > The name of the account referenced in the security database is
> > > <computer name>$.
> > >
> > > The error code is 0xC000018B
> > >
> > > ------------------
> > >
> > > The client is not able to authenticate to the DC anymore. The only (to
> > > me) known resolution is to rejoin the machine to the domain.
> > >
> > > Would anyone suggest me a resolution, or correct steps for
> > > troubleshooting?
> > >
> > > I've already checked on eventid.net, and it looks like none of the
> > > suggestions is relevant to my architecture. We're running a native
> > > mode Windows 2000 domain.
> > >
> > > The error code states that the computer account has been deleted. How
> > > can this happen? How can I audit operation attempts on computer
> > > accounts?
> > >
> > > Thanks!!
> > >
> > > Alex
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
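
joe's two auditing questions from the thread, worked as an added example (not part of the original messages): an empty search only shows that nobody deleted the account if a deliberate test deletion is audited and every DC's Security log still reaches back to when the account last existed. The event IDs (647 on Windows 2000/2003, 4743 on later versions), DC names, account names and timestamps are assumptions or constructed sample data; the thread names none of them.

```python
from datetime import datetime as dt

# Assumption: "computer account deleted" is Security event 647 on
# Windows 2000/2003 and 4743 on later versions; the thread names no ID.
DELETE_IDS = {647, 4743}

# Constructed sample: (dc, time, event_id, target account, caller).
# The 528 rows are filler marking how far back each DC's log still reaches.
EVENTS = [
    ("DC1", dt(2004, 2, 1, 8, 0), 528, "-", "-"),
    ("DC1", dt(2004, 2, 5, 9, 0), 647, "TESTPC$", "admin1"),  # canary delete
    ("DC2", dt(2004, 2, 4, 22, 0), 528, "-", "-"),            # log has wrapped
    ("DC3", dt(2004, 2, 1, 7, 30), 528, "-", "-"),
]

def oldest_retained(events, dc):
    """Earliest event still present in a DC's log, or None if it is empty."""
    times = [t for d, t, *_ in events if d == dc]
    return min(times) if times else None

def check_dc(events, dc, account, last_seen, found_missing):
    """Classify one DC for the window in which the account disappeared."""
    hits = [(t, who) for d, t, eid, tgt, who in events
            if d == dc and eid in DELETE_IDS and tgt == account
            and last_seen <= t <= found_missing]
    if hits:
        return ("deleted", hits)
    oldest = oldest_retained(events, dc)
    if oldest is None or oldest > last_seen:
        return ("inconclusive", [])  # log does not reach back far enough
    return ("clean", [])

def investigate(events, dcs, account, last_seen, found_missing):
    """Question 2: every DC is scanned and must cover the whole window."""
    per_dc = {dc: check_dc(events, dc, account, last_seen, found_missing)[0]
              for dc in dcs}
    if "deleted" in per_dc.values():
        verdict = "deletion audited"
    elif "inconclusive" in per_dc.values():
        verdict = "cannot rule out deletion"
    else:
        verdict = "no audited deletion"
    return verdict, per_dc

def auditing_works(events, canary):
    """Question 1: a deliberate test deletion must show up as an event."""
    return any(eid in DELETE_IDS and tgt == canary
               for _, _, eid, tgt, _ in events)
```

With the sample data, DC2's log starts after the account was last known to exist, so the search across all three DCs cannot rule out a manual deletion even though no deletion event was found.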
