

Event ids 1030 & 1097 userenv on 2003 DC

Posted on 2006-11-01
Medium Priority
Last Modified: 2007-12-19
I'm posting this here in the hope someone has had this issue or knows a fix, as I can't fathom out what is causing this and, more importantly, how to stop it.

We have a 2003 domain, XP clients etc., everything service packed right up.
All has been ticking over nicely until 11:47am this morning, when the 2003 EXCHANGE server started, for some odd reason, spitting out event ID errors every 5 mins:

1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

1097 Windows cannot find the machine account, The logon attempt failed.

Nothing whatsoever has changed today; no service packs were installed automatically, as I install them manually on the servers.

This Exchange server is also a domain controller (don't ask). It's not got any FSMO roles but it is a GC, all set up before I arrived. It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.

We have 3 other DCs all ticking over nicely, NONE of which have these event IDs in them, and none of which have been rebooted for weeks.
NETLOGON service is started on all the DCs.

The only thing I noticed recently was that on all 4 DCs we were getting event id:

5772 netlogon
The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.

None of the computers named exist anymore on the domain, and they have not existed for at least 6 months.
I renamed a couple of spare new clients to these phantom computers, joined them to the domain, left them overnight and removed them from the domain etc.
Apart from that nothing whatsoever has changed. Incidentally, all 4 DCs are still showing the 5772 event.

Later today I will reboot the exchange and see if that has any effect.


Thanks for at least reading this one lads.
Question by:rpartington

Author Comment

ID: 17850506
Sorry, just noticed a typo above
>>It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.
Of course it's DNS, it's a DC.
It has the main DNS server's IP address, which forwards out to the ISP, as its preferred and its own static IP as its secondary.
It also has WINS set up as well.
All of which has been working perfectly for months.
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850514
might be related to SIDs..

I think the computer's SID does not match what AD has for the computer account object. Normally happens when using Ghost..

Reset the computer account, then rejoin the computer to the domain.
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850525
above response
Event ID: 5772 related to workstations normally
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17850545
are you running MOM by any chance to monitor AD..


Author Comment

ID: 17851010
No, we're not running MOM, Sean.
The 5772 is for workstations.

Sorry Sean, again it's a typo; it should have been event 5722, not 5772.

The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.
and also
The session setup from computer 1computername1 failed because the security database does not contain a trust account 'computername$' referenced by the specified computer.  
The event is being generated on the DCs.
However, the phantom workstations have not been on the domain for at least 6 months; they were built manually, not via Ghost.

However, this may not have any bearing whatsoever on the main 2 events I'm more concerned with, i.e.
1030 & 1097 userenv
It's just that these 2 events were the last 2 changes I've made in the last few weeks that I can put my finger on and say this was changed yesterday.
Whether they have caused the 1030 & 1097 is open to debate.

Thanks for at least firing some suggestions over I appreciate it.


Expert Comment

ID: 17851564
A few questions for you:

1.  Has there ever been another Exchange server on the domain?  Even with the same name?

2.  Is the Exchange server on the same subnet as the PDC emulator?

3.  Does the Exchange server point to itself or one of the other DCs for DNS servers?

4.  Are there any entries in the event log for services starting/stopping about the time this started?  Did any backup jobs start/finish about that time?  Any other scheduled jobs like A/V scans?

5.  Is the Exchange server running any A/V, host intrusion detection, or firewall software?

Expert Comment

ID: 17851767
Let's also give DNS a quick check.

Execute the following from the command-line from any workstation:

nslookup <name of PDC Emulator> <IP Address of Exchange Server>
nslookup <name of RID Master> <IP Address of Exchange Server>

We'll also give AD a quick check.

Execute the following from the command-line and report any errors:

1.  DCDIAG /s:<Exchange Server> /test:netlogons
2.  DCDIAG /s:<Exchange Server> /test:KnowsOfRoleHolders
3.  DCDIAG /s:<Exchange Server> /test:FSMOCheck
4.  DCDIAG /s:<Exchange Server> /test:RidManager
5.  DCDIAG /s:<Exchange Server> /test:MachineAccount

DCDIAG can be found in the Server 2003 Support tools.  See the following link for installation instructions if necessary:
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 17856214

Author Comment

ID: 17856487
Thanks very much for the above lads, I really appreciate it. You know the score: when you're the one that everyone looks to to fix things and you're stumped, it's a bit disconcerting. It's not always the exact fix that you get on here; it's the ideas from suggestions that more often than not lead to you getting the problem solved.
Anyway, I reset and resynced the NTP time server on this DC/Exchange server, as I noticed that a couple (not all) of the events were showing a date of 20th Nov 2006, obviously not possible when yesterday it was only the 1st Nov 06, yet the clock etc. was showing the correct time and date.

Rebooted, and lo and behold, since from last night till this morning the event logs are perfect re the events 1030 & 1097.
I've got to admit I'm not convinced, so I will monitor this for the next week just on the off chance it kicks off again.

I did also find a link on M/S which gives our EXACT scenario and event ID and message,
which I'm posting here in case anyone else has these errors in the future, along with the suggestions above.

I WILL post back either way, as I can't believe it was that easy after all.
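
An added example, not part of the original thread: one way to spot the symptom described in the comment above (events stamped with a date ahead of the real clock) alongside the Userenv 1030/1097 errors. The CSV layout, the host names `EXCH01` and `DC01`, the reference time and the five-minute tolerance are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not data from the thread): time, source, event ID, computer.
SAMPLE_EXPORT = """\
2006-11-01 11:47:02,Userenv,1097,EXCH01
2006-11-01 11:47:03,Userenv,1030,EXCH01
2006-11-20 11:52:02,Userenv,1097,EXCH01
2006-11-01 11:57:03,Userenv,1030,EXCH01
2006-11-01 12:01:10,NETLOGON,5722,DC01
2006-11-20 12:02:03,Userenv,1030,EXCH01
"""

WATCHED = {("Userenv", 1030), ("Userenv", 1097)}  # the two events from the question


def parse_export(text):
    """Parse the CSV export, skipping malformed rows instead of failing."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        stamp, source, event_id, computer = (field.strip() for field in row)
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            records.append((when, source, int(event_id), computer))
        except ValueError:
            continue
    return records


def summarize(records, now, tolerance=timedelta(minutes=5)):
    """Per computer: watched-event count, future-dated count, largest lead over `now`."""
    summary = {}
    for when, source, event_id, computer in records:
        entry = summary.setdefault(
            computer, {"watched": 0, "future": 0, "max_ahead": timedelta(0)})
        if (source, event_id) in WATCHED:
            entry["watched"] += 1
        ahead = when - now
        if ahead > tolerance:  # stamped later than the reference clock allows
            entry["future"] += 1
            entry["max_ahead"] = max(entry["max_ahead"], ahead)
    return summary


if __name__ == "__main__":
    reference = datetime(2006, 11, 1, 12, 5, 0)  # assumed trusted "now"
    for host, info in summarize(parse_export(SAMPLE_EXPORT), reference).items():
        print(host, info)
```

A host that shows both watched events and future-dated records is the one whose time source is worth checking first.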


Author Comment

ID: 17896749
Over a week later and the event logs are free of the event IDs 1030 & 1097.
It appears that either resyncing the Exchange/DC with the errors fixed the problem or the simple reboot of the server did; can't be 100% sure which, as I did them one after the other straight away.
The events 5722 - 5723 are still showing, but that's another story.

Accepted Solution

DarthMod earned 0 total points
ID: 18367974
PAQed with points refunded (500)

Community Support Moderator
