johnbraun-3667 asked johnbraun-3667 commented

Computer accounts disappearing in Active Directory

Hi, today I've had more phone calls from users saying that they can't sign in to computers. After entering a password, a notification is displayed:

The Security Database on the Server does not have a Computer Account for this Workstation Trust Relationship

The problem can be solved by rejoining the computer to the domain. It is clear to me that it will probably not be possible to return all PCs to the domain without a rejoin, but I would be interested in at least the reason why it happened, or whether it can happen on other PCs as well. I checked on a DC in ADUC for the name of a computer with this notification and did not find it. It has disappeared. It is not even in deleted objects. The problem is that this does not concern 5-10 PCs but hundreds.

On the DCs, in the event logs, I see problem IDs 5805 and 5723 (NETLOGON):

The session setup from the computer KE03059 failed to authenticate. The following error occurred: Access is denied.

or

The session setup from computer 'XXXXX' failed because the security database does not contain a trust account 'XXXXX$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'XXXXX' is a legitimate machine account for the computer 'XXXX' then 'XXXXX' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem: If 'XXXXX$' is a legitimate machine account for the computer 'XXXXX', then 'XXXXX' should be rejoined to the domain. If 'XXXXX$' is a legitimate interdomain trust account, then the trust should be recreated. Otherwise, assuming that 'XXXXX$' is not a legitimate account, the following action should be taken on 'XXXXX': If 'XXXXXX' is a Domain Controller, then the trust associated with 'XXXXX$' should be deleted. If 'XXXXXX' is not a Domain Controller, it should be disjoined from the domain.

It is interesting that all these computers are from one locality (region). It has sometimes happened that a PC lost its trust relationship but remained in AD. Can you please advise how to approach finding a possible reason why this happened? Thanks

windows-active-directory

Hi,

Before going further, I would recommend you check if the DCs work well with these commands:
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps * 

Best Regards,


Hi,

Thanks for the reply. DCdiag is without errors, except for NETLOGON errors (computers that have disappeared), and Repadmin /showrepl - all was successful, but Repadmin /showreps * gives me an error: LDAP error 81 (Server Down) Win32 Err 58.


Hi,
You can run the command to get more details:
repadmin /showrepl * /csv (replication situation for all the DCs)
It is not suggested to upload it here for security reasons.
Best Regards,
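
An added example, not part of any post in this thread: one way to triage the output of `repadmin /showrepl * /csv` locally, listing replication links with failures and counting them per destination site. The sample rows, DC names, site names and times are constructed; treating any row not marked `showrepl_INFO` as a DC that could not be queried is an assumption of this sketch.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (names, sites and times are made up).
# On a real DC, replace the here-string with:  $raw = repadmin /showrepl * /csv
$raw = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=com",BRANCH,DC03,RPC,0,0,2024-01-10 08:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=example,DC=com",BRANCH,DC03,RPC,0,0,2024-01-10 08:15:02,0
showrepl_INFO,BRANCH,DC03,"DC=example,DC=com",HQ,DC01,RPC,14,2024-01-10 08:20:41,2024-01-08 23:05:17,1722
showrepl_INFO,BRANCH,DC03,"CN=Configuration,DC=example,DC=com",HQ,DC01,RPC,14,2024-01-10 08:20:41,2024-01-08 23:05:17,1722
'@

function Get-ReplicationProblem {
    param([Parameter(Mandatory)] [string[]] $CsvText)

    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Assumption: a non-INFO row means the DC could not be queried at all.
            # Its columns may not line up with the header, so keep the raw values.
            [pscustomobject]@{
                Problem         = 'NotQueried'
                DestinationSite = $null
                Destination     = $null
                Source          = $null
                NamingContext   = $null
                Detail          = ($row.PSObject.Properties.Value -join ',')
            }
            continue
        }
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0 -or $row.'Last Failure Status' -ne '0') {
            [pscustomobject]@{
                Problem         = 'ReplicationFailing'
                DestinationSite = $row.'Destination DSA Site'
                Destination     = $row.'Destination DSA'
                Source          = $row.'Source DSA'
                NamingContext   = $row.'Naming Context'
                Detail          = "failures=$failures status=$($row.'Last Failure Status') lastSuccess=$($row.'Last Success Time')"
            }
        }
    }
}

$problems = Get-ReplicationProblem -CsvText $raw
$problems | Format-Table Problem, Destination, Source, NamingContext, Detail -AutoSize
# Failing links per destination site, to see whether they cluster in one location.
$problems | Group-Object DestinationSite | Select-Object Name, Count
```

Because the filtering happens on the DC or an admin workstation, only the short list of failing links needs to be reviewed or shared, not the full topology dump.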


0 Answers