Event ID 1128 and 1139 logged bo worksation user

Mishaua 721 Reputation points
2023-07-13T23:17:52.8333333+00:00

I am decommission a DC and have set the "Specify DC Locator DNS records not registered by the DCs" mnemonics to "LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd" and increased the Ldap logging level. I am seeing some entries in the Directory Services logs that show the source ip 127.0.0.1 but the user is a computer object from the domain. The Internal event states "Function ldap_modify entered" and "Function ldap_modify exited". In the security log there are events 4624 and 4662 that correspond to the time with impersonation events. So it seems like the DC is doing something to the computer object in the DNS zone? What would trigger this?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,665 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,863 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Anonymous
    2023-07-13T23:45:16.7933333+00:00

    Not clear what you're wanting to do? If graceful demotion does not work then you can turn off the failed one, seize role (if necessary) to another healthy one.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-operation-master-roles-in-ad-ds

    then do clean up to remove the remnants from active directory.

    Clean up Active Directory Domain Controller server metadata

    Step-By-Step: Manually Removing A Domain Controller Server

    --please don't forget to upvote and Accept as answer if the reply is helpful--


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.