Event ID 5721, Net Logon issue for restored DC.

Posted on 2004-04-12
Last Modified: 2007-12-19
I spent part of my Easter rebuilding a file and print server that suffered from hardware problems that have now been resolved.

Incidentally this is the same box that I rebuilt two months ago....due to issues with the backup process.

After the hardware was fixed, the backup and restore processes work faultlessly. The only issue I had was resetting the machine account on the restored DC....KB288167. (this is fine now)

However after more log checking, I get a warning message on startup in the log, event id 5721, for which kb 257623 refers to...

- may have to apply the following as well...
[though it looks to be for NT not 2000??];en-us;257734

Then possibly redo the following KB's 281485,256000,305837.. for a following repetitive event id of 1265 for KCC - which is a warning -
My research indicated the event id is for security templates for the DC group, I went to apply the following KB's:

1). 281485 Name Collision - nope not this...

2). 256000 Error messages after importing Basicdc.inf...
-and then-
305837 DNS.."invalid credentials" error messages on Domain controller..
- interesting the error log for this process is giving me an error 13, but this is where I hit a brick wall...

So if I need to resolve the event id 5721 as it is first, and event id 1265 depends upon it??

Not overly concerned yet, they are warnings and users can use the server - just further research and a fix or two during my next maintenance window for this server.

 - well I know already how next weekend is panning out...

- Okay, has anyone done anything here with this type of problem before??

Any suggestions or comments would be most welcome please.


Question by:supag33k

Author Comment

ID: 10811140
More information...

When I run netdiag it fails for the trust relationship test....

Trust relationship test.......failed
[Fatal] Secure channel to domain 'ourdomain' is broken.

which after searching means I'll try this...;en-us;216393



Author Comment

ID: 10811490
Again more information.....

1). Tried the above with Netdom reset and got....
"The secure channel from <servername> to <ourdomain> was not reset.
The security database on the server does not have a computer account for this workstation trust relationship (appears twice)
The command failed to complete successfully."

Also went to... ...for more information.

2). When I ran DCDIAG I got...
" server GUID DNS name could not be resolved to an IP Address. Check the DNS server, DHCP, Server name etc.
Although the GUID DNS name (as per above) couldn't be resolved, the server name <> resolved to the IP Address...."

Then obviously the server does not respond to the DS requests as part of the DCDIAG command.

so I think the main point is what to do with the DNS issue for the .msdc zone in the forward lookup zone??

-maybe I should up the points tally??


LVL 20

Expert Comment

ID: 10812247
Hi there,

Have you ensured that the zone is active directory integrated and can accept dynamic updates? Sounds like the GUID for the server hasn't been updated in dns after the rebuild,

Deb :))
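The dcdiag result quoted earlier (host name resolves, GUID DNS name does not) and the dynamic-update question above both come down to comparing the records Netlogon tries to register with what the zone actually holds. The sketch below is an added example, not something posted in this thread: the domain, GUID and addresses are constructed, the `name TTL IN type data` layout is assumed to match the Netlogon.dns file a DC writes, and `zone_lookup` is a hypothetical stand-in for live DNS queries.

```python
# Added example with constructed data; all names, GUIDs and addresses are hypothetical.
NETLOGON_DNS = """\
example.test. 600 IN A 192.0.2.10
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc2.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc2.example.test.
_kerberos._tcp.example.test. 600 IN SRV 0 100 88 dc2.example.test.
0f3a9c1e-1111-2222-3333-444455556666._msdcs.example.test. 600 IN CNAME dc2.example.test.
"""

# Constructed zone contents after a restore: the host A record is present,
# but the GUID CNAME and one _msdcs SRV record were never re-registered.
ZONE = {
    ("dc2.example.test.", "A"): {"192.0.2.10"},
    ("example.test.", "A"): {"192.0.2.10"},
    ("_ldap._tcp.example.test.", "SRV"): {"0 100 389 dc2.example.test."},
    ("_kerberos._tcp.example.test.", "SRV"): {"0 100 88 dc2.example.test."},
}

def parse_records(text):
    """Parse 'name ttl IN type rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # skip blank lines and anything not in the expected layout
        rdata = " ".join(parts[4:]).lower()
        records.append((parts[0].lower(), parts[3].upper(), rdata))
    return records

def zone_lookup(name, rtype):
    """Stand-in for a live DNS query; reads the constructed ZONE above."""
    return ZONE.get((name, rtype), set())

def missing_registrations(expected_text, lookup=zone_lookup):
    """Return the expected records that the DNS view does not contain."""
    return [r for r in parse_records(expected_text)
            if r[2] not in lookup(r[0], r[1])]

def guid_cname_missing(expected_text, lookup=zone_lookup):
    """True when the <GUID>._msdcs CNAME is absent (the failure dcdiag reported)."""
    return any(rtype == "CNAME" and "._msdcs." in name
               for name, rtype, _ in missing_registrations(expected_text, lookup))

if __name__ == "__main__":
    for name, rtype, rdata in missing_registrations(NETLOGON_DNS):
        print(f"MISSING {rtype:5} {name} -> {rdata}")
```
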

Author Comment

ID: 10875158
Well got the AD/DS working ...

Deb, please see points 1. and 3. ..if I can work the specifics or if you could supply the KB or howto I'll award the points!

1). After 3rd attempt over the weekend - when I realised what was wrong with the sysvol...
- Sysvol was restored as \winnt\sysvol\sysvol not winnt\sysvol..
I moved folders and copied the 'domain' folder to ''  etc etc, rebooted and everything worked, as the other DC's were at a later revision number....

(at least Backup Exec 9.1 restores the full system state - even if to a wrong location for sysvol - BE 8.6 - IMHO, does not restore System States correctly from the standard product, issues with DCOM for starters....)

This issue was found via re-reading a KB or three, also dcdiag, netdiag and nltest helped here.

Some other issue with the sysvol share that I am looking into on the restored DC as 'net share' does not list the sysvol folder yet it is participating in the AD.
(interestingly the SOA and AD increments are higher than usual - will look at this in my next maintenance window)

2). Subsequently reset my machine accounts on all my DC's, it was KB 260575.

3). Still have a DNS issue with event id 5774 - but possibly due to the sysvol on the restored DC not being shared correctly as zone is AD integrated. (awaiting maintenance window)

4). NOTE: that in this type of situation all the dependent services - such as SQL, Exchange and Backup Exec etc etc have to have their account access re-verified otherwise you get errors for accessing stuff like selection lists and performing scheduled tasks (go to services, properties, log on, reset passwords for service.) - this was all done during the Easter break....phew

- only a few errors in the logs now, I will obviously get all this tightened down before updates (especially MS04-11) or further network changes.

Note that the event logs, white papers, this site (for the sysvol information) and the MS KB's all helped....and I got to avoid ADSIedit (yeechh)

cheers and thanks once again,


Author Comment

ID: 12460009
Well thanks for the comment I had resolved and forgotten this comment here.

The only 2 other points of interest were:

1. Had to reset the machine account for the server (Netdom....)
2. Ended up using ADSIedit at a later stage when the DC was removed and re-added to the domain
as the DC object for this server did not remove itself correctly.

....Note that I did not get enough in the single reply to warrant an accepted answer though I would give a value of 75 points to Deb for an assisted answer.


LVL 20

Expert Comment

ID: 12461375

This one got past me for some reason so sorry about that supag33k - I don't have any objections to refund,

Deb :))

Accepted Solution

modulo earned 0 total points
ID: 14154019
PAQed with points refunded (125)

Community Support Moderator
