Event ids 1030 & 1097 userenv on 2003 DC

Posted on 2006-11-01
Last Modified: 2007-12-19
I'm posting this here in the hope someone has had this issue or knows a fix, as I can't fathom out what is causing this and, more importantly, how to stop it.

We have a 2003 domain, XP clients etc., everything service packed right up.
All has been ticking over nicely until 11:47am this morning, when the 2003 EXCHANGE server started for some odd reason spitting out event ID errors every 5 mins:

1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

1097 Windows cannot find the machine account, The logon attempt failed.

Nothing whatsoever has changed today; no service packs were installed automatically, as I install them manually on the servers.

This Exchange server is also a domain controller (don't ask). It's not got any FSMO roles but it is a GC, all set up before I arrived. It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.

We have 3 other DCs all ticking over nicely, NONE of which have these event IDs in them, none of which have been rebooted for weeks.
NETLOGON service is started on all the DCs.

The only thing I noticed recently was that on all 4 DCs we were getting event id:

5772 netlogon
The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.

None of the computers named exist anymore on the domain, and they have not existed for at least 6 months.
I renamed a couple of spare new clients to these phantom computers, joined them to the domain, left them overnight, and removed them from the domain etc.
Apart from that nothing whatsoever has changed; incidentally, all 4 DCs are still showing the 5772 event.

Later today I will reboot the exchange and see if that has any effect.


Thanks for at least reading this one lads.
Question by:rpartington

Author Comment

ID: 17850506
Sorry, just noticed a typo above:
>>It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.
Of course it's DNS, it's a DC.
It has the main DNS server's IP address, which forwards out to the ISP, as its preferred and its own static IP as its secondary.
It also has WINS set up as well.
All of which has been working perfectly for months.

Expert Comment

ID: 17850514
Might be related to SIDs.

I think the computer's SID does not match what AD has for the computer account object. Normally happens when using Ghost.

Reset the computer account, then rejoin the computer to the domain.

Expert Comment

ID: 17850525
above response
Event ID: 5772 related to workstations normally

Expert Comment

ID: 17850545
Are you running MOM by any chance to monitor AD?


Author Comment

ID: 17851010
No, we're not running MOM, sean.
The 5772 is for workstations.

Sorry sean, again it's a typo; it should have been event 5722 not 5772

The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.
and also
The session setup from computer 1computername1 failed because the security database does not contain a trust account 'computername$' referenced by the specified computer.  
The event is being generated on the DCs.
However, the phantom workstations have not been on the domain for at least 6 months; they were built manually, not via Ghost.

However, this may not have any bearing whatsoever on the main 2 events I'm more concerned with, i.e.
1030 & 1097 userenv
It's just that these 2 events were the last 2 changes I've made in the last few weeks that I can put my finger on and say this was changed yesterday.
Whether they have caused the 1030 & 1097 is open to debate.

Thanks for at least firing some suggestions over, I appreciate it.



Expert Comment

ID: 17851564
A few questions for you:

1.  Has there ever been another Exchange server on the domain?  Even with the same name?

2.  Is the Exchange server on the same subnet as the PDC emulator?

3.  Does the Exchange server point to itself or one of the other DCs for DNS servers?

4.  Are there any entries in the event log for services starting/stopping about the time this started?  Did any backup jobs start/finish about that time?  Any other scheduled jobs like A/V scans?

5.  Is the Exchange server running any A/V, host intrusion detection, or firewall software?

Expert Comment

ID: 17851767
Let's also give DNS a quick check.

Execute the following from the command-line from any workstation:

nslookup <name of PDC Emulator> <IP Address of Exchange Server>
nslookup <name of RID Master> <IP Address of Exchange Server>

We'll also give AD a quick check.

Execute the following from the command-line and report any errors:

1.  DCDIAG /s:<Exchange Server> /test:netlogons
2.  DCDIAG /s:<Exchange Server> /test:KnowsOfRoleHolders
3.  DCDIAG /s:<Exchange Server> /test:FSMOCheck
4.  DCDIAG /s:<Exchange Server> /test:RidManager
5.  DCDIAG /s:<Exchange Server> /test:MachineAccount

DCDIAG can be found in the Server 2003 Support Tools.  See the following link for installation instructions if necessary:

Expert Comment

ID: 17856214

Author Comment

ID: 17856487
Thanks very much for the above lads, I really appreciate it. You know the score: when you're the one that everyone looks to to fix things and you're stumped, it's a bit disconcerting. It's not always the exact fix that you get on here; it's the ideas from suggestions that more often than not lead to you getting the problem solved.
Anyway, I reset and resynced the NTP time server on this DC/Exchange server, as I noticed that a couple (not all) of the events were showing a date of 20th Nov 2006, obviously not possible when yesterday it was only the 1st Nov 06, yet the clock etc. was showing the correct time and date.

Rebooted, and lo and behold, from last night till this morning the event logs are perfect re the events 1030 & 1097.
I've got to admit I'm not convinced, so I will monitor this for the next week just on the off chance it kicks off again.

I did also find a link on M/S which gives our EXACT scenario and event ID and message,
which I'm posting here in case anyone else has these errors in the future, along with the suggestions above.

I WILL post back either way, as I can't believe it was that easy after all.


Author Comment

ID: 17896749
Over a week later and the event logs are free of the Event IDs 1030 & 1097.
It appears that either resyncing the Exchange/DC with the errors fixed the problem or the simple reboot of the server; can't be 100% which, as I did them one after the other straight away.
The events 5722 - 5723 are still showing, but that's another story.
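
The symptom described in the thread (event records stamped weeks ahead of the real date on the one DC that logged Userenv 1030/1097) can be checked for across exported event logs. The following is an added example, not part of the original thread: the CSV layout, hostnames, timestamps and the 5-minute tolerance are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

GP_FAILURE_IDS = {1030, 1097}      # Userenv event IDs from the thread
TOLERANCE = timedelta(minutes=5)   # assumption: default Kerberos clock-skew allowance

# Constructed sample export: host, source, event id, timestamp as logged.
SAMPLE = """\
EXCH-DC,Userenv,1097,2006-11-01 11:47:02
EXCH-DC,Userenv,1030,2006-11-01 11:47:03
EXCH-DC,Userenv,1097,2006-11-20 03:12:44
EXCH-DC,Userenv,1030,2006-11-20 03:12:45
DC01,NETLOGON,5722,2006-11-01 09:15:10
"""

def parse_records(text):
    """Turn the CSV export into dicts with typed fields."""
    rows = csv.reader(StringIO(text))
    return [
        {"host": h, "source": s, "id": int(i),
         "time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S")}
        for h, s, i, t in rows
    ]

def triage(records, collected_at):
    """Per host: count GP failures and records logged ahead of collection time."""
    report = defaultdict(lambda: {"gp_failures": 0, "future": 0,
                                  "max_ahead": timedelta(0)})
    for r in records:
        entry = report[r["host"]]
        if r["source"] == "Userenv" and r["id"] in GP_FAILURE_IDS:
            entry["gp_failures"] += 1
        ahead = r["time"] - collected_at
        if ahead > TOLERANCE:          # record claims to come from the future
            entry["future"] += 1
            entry["max_ahead"] = max(entry["max_ahead"], ahead)
    return dict(report)

def hosts_to_resync(report):
    """Hosts showing both symptoms: GP failures and future-dated records."""
    return sorted(h for h, e in report.items()
                  if e["gp_failures"] and e["future"])

if __name__ == "__main__":
    collected = datetime(2006, 11, 1, 17, 0, 0)   # constructed collection time
    rep = triage(parse_records(SAMPLE), collected)
    for host in hosts_to_resync(rep):
        print(host, "has records up to", rep[host]["max_ahead"], "ahead of the clock")
```

A host flagged here is a candidate for a time-source check before deeper Group Policy or machine-account troubleshooting.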

Accepted Solution

DarthMod earned 0 total points
ID: 18367974
PAQed with points refunded (500)

Community Support Moderator
