Solved

Event ID 5721, Net Logon issue for restored DC.

Posted on 2004-04-12
Last Modified: 2007-12-19
I spent part of my Easter rebuilding a file and print server that suffered from hardware problems that have now been resolved.

Incidentally this is the same box that I rebuilt two months ago....due to issues with the backup process.

After the hardware was fixed, the backup and restore processes work faultlessly. The only issue I had was resetting the machine account on the restored DC....KB288167. (this is fine now)

However after more log checking, I get a warning message on startup in the log, event id 5721, for which kb 257623 refers to...

http://support.microsoft.com/defaul...Product=win2000

- may have to apply the following as well...
[though it looks to be for NT not 2000??]

http://support.microsoft.com/defaul...kb;en-us;257734

Then possibly redo the following KB's 281485,256000,305837.. for a following repetitive event id of 1265 for KCC - which is a warning -
My research indicated the event id is for security templates for the DC group, I went to apply the following KB's:

1). 281485 Name Collision - nope not this...

2). 256000 Error messages after importing Basicdc.inf...
-and then-
305837 DNS.."invalid credentials" error messages on Domain controller..
- interesting the error log for this process is giving me an error 13, but this is where I hit a brick wall...

So if I need to resolve the event id 5721 as it is first, and event id 1265 depends upon it??

Not overly concerned yet, they are warnings and users can use the server - just further research and a fix or two during my next maintenance window for this server.

 - well I know already how next weekend is panning out...

- Okay, has anyone done anything here with this type of problem before??

Any suggestions or comments would be most welcome please.

cheers,

supag33k
Question by:supag33k

Author Comment

by:supag33k
ID: 10811140
More information...

When I run netdiag it fails for the trust relationship test....

Trust relationship test.......failed
[Fatal] Secure channel to domain 'ourdomain' is broken.
[Error_No_Trust_SAM_Account]

which after searching means I'll try this...

http://support.microsoft.com/default.aspx?scid=kb;en-us;216393

cheers,

supag33k
 

Author Comment

by:supag33k
ID: 10811490
Again more information.....

1). Tried the above with Netdom reset and got....
"The secure channel from <servername> to <ourdomain> was not reset.
The security database on the server does not have a computer account for this workstation trust relationship (appears twice)
The command failed to complete successfully."

Also went to...
http://www.tburke.net/info/suptools/topics/netdom_examples.htm ...for more information.

2). When I ran DCDIAG I got...
"2966a0c7-7126-474e-9ca1-f332bf9cdcf0.msdcs.ourdomain.com server GUID DNS name could not be resolved to an IP Address. Check the DNS server, DHCP, Server name etc.
Although the GUID DNS name (as per above) couldn't be resolved, the server name <servername.ourdomain.com> resolved to the IP address...."

Then obviously the server does not respond to the DS requests as part of the DCDIAG command.

so I think the main point is what to do with the DNS issue for the .msdc zone in the forward lookup zone??

-maybe I should up the points tally??

cheers,

supa

Expert Comment

by:Debsyl99
ID: 10812247
Hi there,

Have you ensured that the zone is active directory integrated and can accept dynamic updates? Sounds like the GUID for the server hasn't been updated in dns after the rebuild,

Deb :))

Author Comment

by:supag33k
ID: 10875158
Well got the AD/DS working ...

Deb, please see points 1. and 3. ..if I can work the specifics or if you could supply the KB or howto I'll award the points!

1). After 3rd attempt over the weekend - when I realised what was wrong with the sysvol...
- Sysvol was restored as \winnt\sysvol\sysvol not winnt\sysvol..
I moved folders and copied the 'domain' folder to 'ourdomain.com' etc etc, rebooted and everything worked, as the other DC's were at a later revision number....

(at least Backup Exec 9.1 restores the full system state - even if to a wrong location for sysvol - BE 8.6 - IMHO, does not restore System States correctly from the standard product, issues with DCOM for starters....)

This issue was found via re-reading a KB or three, also dcdiag, netdiag and nltest helped here.

Some other issue with the sysvol share that I am looking into on the restored DC as 'net share' does not list the sysvol folder yet it is participating in the AD.
(interestingly the SOA and AD increments are higher than usual - will look at this in my next maintenance window)

2). Subsequently reset my machine accounts on all my DC's, it was KB 260575.

3). Still have a DNS issue with event id 5774 - but possibly due to the sysvol on the restored DC not being shared correctly as zone is AD integrated. (awaiting maintenance window)

4). NOTE: that in this type of situation all the dependent services - such as SQL, Exchange and Backup Exec etc etc have to have their account access re-verified otherwise you get errors for accessing stuff like selection lists and performing scheduled tasks (go to services, properties, log on, reset passwords for service.) - this was all done during the Easter break....phew

- only a few errors in the logs now, I will obviously get all this tightened down before updates (especially MS04-11) or further network changes.

Note that the event logs, white papers, this site (for the sysvol information) and the MS KB's all helped....and I got to avoid ADSIedit (yeechh)

cheers and thanks once again,

supa
 

Author Comment

by:supag33k
ID: 12460009
Well thanks for the comment I had resolved and forgotten this comment here.

The only 2 other points of interest were:

1. Had to reset the machine account for the server (Netdom....)
2. Ended up using ADSIedit at a later stage when the DC was removed and re-added to the domain
as the DC object for this server did not remove itself correctly.

....Note that I did not get enough in the single reply to warrant an accepted answer though I would give a value of 75 points to Deb for an assisted answer.

cheers,

supag33k

Expert Comment

by:Debsyl99
ID: 12461375
Hi

This one got past me for some reason so sorry about that supag33k - I don't have any objections to refund,

Deb :))
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14154019
PAQed with points refunded (125)

modulo
Community Support Moderator