Event ids 1030 & 1097 userenv on 2003 DC

Posted on 2006-11-01
Medium Priority
Last Modified: 2007-12-19
I'm posting this here in the hope someone has had this issue or knows a fix, as I can't fathom out what is causing this and, more importantly, how to stop it.

We have a 2003 domain, XP clients etc., everything service packed right up.
All has been ticking over nicely until 11:47am this morning, when the 2003 EXCHANGE server started for some odd reason spitting out every 5 mins event ID errors:

1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

1097 Windows cannot find the machine account, The logon attempt failed.

Nothing whatsoever has changed today, no service packs were installed automatically as I install them manually on the servers.

This Exchange server is also a domain controller (don't ask). It's not got any FSMO roles but it is a GC, all set up before I arrived. It's NOT a DHCP server or a DNS server, it forwards its DNS from the main DNS server which has no errors.

We have 3 other DCs all ticking over nicely, NONE of which have these event IDs in them, none of which have been rebooted for weeks.
NETLOGON service is started on all the DCs.

The only thing I noticed recently was that on all 4 DCs we were getting event id:

5772 netlogon
The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.

None of the computers named exist anymore on the domain and have not existed for at least 6 months.
I renamed a couple of spare new clients to these phantom computers and joined them to the domain, left them overnight and removed them from the domain etc.
Apart from that nothing whatsoever has changed. Incidentally, all 4 DCs are still showing the 5772 event.

Later today I will reboot the exchange and see if that has any effect.


Thanks for at least reading this one lads.
Question by:rpartington
Author Comment

ID: 17850506
Sorry, just noticed a typo above
>>Its NOT a DHCP server or a DNS server it forwards its DNS from the main DNS server which has no errors.
Of course it's DNS, it's a DC,
it has the main DNS serverS IP address which forwards out to the ISP as its preferred and its own static IP as its secondary.
It also has WINS set up as well.
All of which has been working perfectly for months
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850514
might be related to SIDs..

I think the computer's SID does not match what AD has for the computer account object. Normally happens when using Ghost..

Reset the computer account, then rejoin the computer to the domain.
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850525
above response
Event ID: 5772 related to workstations normally
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850545
are you running MOM by any chance to monitor AD..


Author Comment

ID: 17851010
No, we're not running MOM, sean.
The 5772 is for workstations,

Sorry sean, again it's a typo, it should have been event 5722 not 5772

The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.
and also
The session setup from computer 1computername1 failed because the security database does not contain a trust account 'computername$' referenced by the specified computer.  
the event is being generated on the DCs.
However the phantom workstations have not been on the domain for at least 6 months, they were built manually, not via Ghost.

However this may not have any bearing whatsoever on the main 2 events I'm more concerned with, i.e.
1030 & 1097 userenv
It's just that these 2 events were the last 2 changes I've made in the last few weeks that I can put my finger on and say this was changed yesterday.
Whether they have caused the 1030 & 1097 is open to debate.

Thanks for at least firing some suggestions over I appreciate it.


Expert Comment

ID: 17851564
A few questions for you:

1.  Has there ever been another Exchange server on the domain?  Even with the same name?

2.  Is the Exchange server on the same subnet as the PDC emulator?

3.  Does the Exchange server point to itself or one of the other DCs for DNS servers?

4.  Are there any entries in the event log for services starting/stopping about the time this started?  Did any backup jobs start/finish about that time?  Any other scheduled jobs like A/V scans?

5.  Is the Exchange server running any A/V, host intrusion detection, or firewall software?

Expert Comment

ID: 17851767
Let's also give DNS a quick check.

Execute the following from the command-line from any workstation:

nslookup <name of PDC Emulator> <IP Address of Exchange Server>
nslookup <name of RID Master> <IP Address of Exchange Server>

We'll also give AD a quick check.

Execute the following from the command-line and report any errors:

1.  DCDIAG /s:<Exchange Server> /test:netlogons
2.  DCDIAG /s:<Exchange Server> /test:KnowsOfRoleHolders
3.  DCDIAG /s:<Exchange Server> /test:FSMOCheck
4.  DCDIAG /s:<Exchange Server> /test:RidManager
5.  DCDIAG /s:<Exchange Server> /test:MachineAccount

DCDIAG can be found in the Server 2003 Support tools.  See the following link for installation instructions if necessary:
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17856214

Author Comment

ID: 17856487
Thanks very much for the above lads, I really appreciate it. You know the score: when you're the one that everyone looks to to fix things and you're stumped it's a bit disconcerting. It's not always the exact fix that you get on here, it's the ideas from suggestions that more often than not lead to you getting the problem solved.
Anyway, I reset and resynced the NTP time server on this DC/Exchange server, as I noticed that a (couple, not all) of the events were showing a date of 20th Nov 2006, obviously not possible when yesterday it was only the 1st Nov 06, yet the clock etc. was showing correct time and date.

Rebooted and lo and behold, since from last night till this morning the event logs are perfect re the events 1030 & 1097,
I've got to admit I'm not convinced, so I will monitor this for the next week just on the off chance it kicks off again.

I did also find a link on M/S which gives our EXACT scenario and event id and message.
Which I'm posting here in case anyone else has these errors in the future along with the suggestions above.

I WILL post back either way as I can't believe it was that easy after all.
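
The symptom noted in the comment above, a few events stamped 20th Nov 2006 while the clock read 1st Nov, can be located in an exported log by comparing timestamps in record order. This is an added example, not part of the original posts; the CSV layout, the sample records and the one-hour tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the assumed layout "record number, logged time,
# source, event id". It is not taken from the poster's server.
SAMPLE_EXPORT = """\
4101,2006-11-01 11:42:10,Userenv,1030
4102,2006-11-01 11:42:10,Userenv,1097
4103,2006-11-20 11:47:12,Userenv,1030
4104,2006-11-20 11:47:12,Userenv,1097
4105,2006-11-01 11:52:14,Userenv,1030
4106,2006-11-01 11:52:14,Userenv,1097
4107,2006-11-01 11:57:15,NETLOGON,5722
"""

MAX_STEP = timedelta(hours=1)  # assumed tolerance between neighbouring records


def parse_export(text):
    """Return (record_no, timestamp, source, event_id) tuples in record order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec, stamp, source, event_id = [f.strip() for f in line.split(",")]
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        rows.append((int(rec), when, source, int(event_id)))
    return sorted(rows)


def find_clock_anomalies(rows, max_step=MAX_STEP):
    """Flag records whose time is more than max_step from the last trusted one.

    Record numbers only increase, so a timestamp far ahead of or behind the
    previous consistent record points at the clock moving, not at elapsed
    time. The first record is assumed to carry a correct time.
    """
    anomalies = []
    trusted = rows[0][1]
    for rec, stamp, source, event_id in rows[1:]:
        delta = stamp - trusted
        if abs(delta) > max_step:
            anomalies.append((rec, source, event_id, delta))
        else:
            trusted = stamp  # consistent record becomes the new reference
    return anomalies


if __name__ == "__main__":
    for rec, source, event_id, delta in find_clock_anomalies(parse_export(SAMPLE_EXPORT)):
        print(f"record {rec} ({source} {event_id}) is off by {delta}")
```

A server that is legitimately quiet for longer than the tolerance will also be flagged, so set `max_step` above the longest expected gap between records.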


Author Comment

ID: 17896749
Over a week later and the event logs are free of the Event IDs 1030 & 1097.
It appears that either resyncing the Exchange/DC with the errors fixed the problem or the simple reboot of the server, can't be 100% which as I did them one after the other straight away.
The events 5722 - 5723 are still showing but that's another story

Accepted Solution

DarthMod earned 0 total points
ID: 18367974
PAQed with points refunded (500)

Community Support Moderator
