Solved

Event ids 1030 & 1097 userenv on 2003 DC

Posted on 2006-11-01
Last Modified: 2007-12-19
I'm posting this here in the hope someone has had this issue or knows a fix, as I can't fathom out what is causing this and, more importantly, how to stop it.

We have a 2003 domain, XP clients etc., everything service packed right up.
All has been ticking over nicely until 11:47am this morning, when the 2003 EXCHANGE server started for some odd reason spitting out event ID errors every 5 mins:

1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

1097 Windows cannot find the machine account, The logon attempt failed.
******************************************************

Nothing whatsoever has changed today; no service packs were installed automatically, as I install them manually on the servers.

This Exchange server is also a domain controller (don't ask). It's not got any FSMO roles but it is a GC, all set up before I arrived. It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.

We have 3 other DCs all ticking over nicely, NONE of which have these event IDs in them, none of which have been rebooted for weeks.
The NETLOGON service is started on all the DCs.

The only thing I noticed recently was that on all 4 DCs we were getting event id:

5772 netlogon
The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.

None of the computers named exist anymore on the domain and have not existed for at least 6 months.
I renamed a couple of spare new clients to these phantom computers, joined them to the domain, left them overnight and removed them from the domain etc.
Apart from that nothing whatsoever has changed. Incidentally, all 4 DCs are still showing the 5772 event.

Later today I will reboot the Exchange server and see if that has any effect.

ANY IDEAS GREATLY APPRECIATED AS I'VE GOT TO HOLD MY HANDS UP AND ADMIT THIS ONE HAS GOT ME AT THE MOMENT.

Thanks for at least reading this one lads.
Question by:rpartington
12 Comments
 
LVL 9

Author Comment

by:rpartington
ID: 17850506
Sorry, just noticed a typo above
>>Its NOT a DHCP server or a DNS server it forwards its DNS from the main DNS server which has no errors.
<<<
Of course it's DNS, it's a DC.
It has the main DNS server's IP address, which forwards out to the ISP, as its preferred and its own static IP as its secondary.
It also has WINS set up as well.
All of which has been working perfectly for months.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 17850514
Might be related to SIDs.

I think the computer's SID does not match what AD has for the computer account object. Normally happens when using Ghost.

Reset the computer account, then rejoin the computer to the domain.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 17850525
above response
Event ID: 5772 related to workstations normally
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 17850545
are you running MOM by any chance to monitor AD..

0
 
LVL 9

Author Comment

by:rpartington
ID: 17851010
No, we're not running MOM, Sean.
The 5772 is for workstations.

Sorry Sean, again it's a typo, it should have been event 5722 not 5772

The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.
and also
5723
The session setup from computer 1computername1 failed because the security database does not contain a trust account 'computername$' referenced by the specified computer.  
***********************************************
The event is being generated on the DCs.
However the phantom workstations have not been on the domain for at least 6 months; they were built manually, not via Ghost.

However this may not have any bearing whatsoever on the main 2 events I'm more concerned with, i.e.
1030 & 1097 userenv
It's just that these 2 events were the last 2 changes I've made in the last few weeks that I can put my finger on and say this was changed yesterday.
Whether they have caused the 1030 & 1097 is open to debate.

Thanks for at least firing some suggestions over I appreciate it.

0

 
LVL 7

Expert Comment

by:CharliePete00
ID: 17851564
A few questions for you:

1.  Has there ever been another Exchange server on the domain?  Even with the same name?

2.  Is the Exchange server on the same subnet as the PDC emulator?

3.  Does the Exchange server point to itself or one of the other DCs for DNS servers?

4.  Are there any entries in the event log for services starting/stopping about the time this started?  Did any backup jobs start/finish about that time?  Any other scheduled jobs like A/V scans?

5.  Is the Exchange server running any A/V, host intrusion detection, or firewall software?
0
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17851767
Let's also give DNS a quick check.

Execute the following from the command-line from any workstation:

nslookup <name of PDC Emulator> <IP Address of Exchange Server>
nslookup <name of RID Master> <IP Address of Exchange Server>

We'll also give AD a quick check.

Execute the following from the command-line and report any errors:

1.  DCDIAG /s:<Exchange Server> /test:netlogons
2.  DCDIAG /s:<Exchange Server> /test:KnowsOfRoleHolders
3.  DCDIAG /s:<Exchange Server> /test:FSMOCheck
4.  DCDIAG /s:<Exchange Server> /test:RidManager
5.  DCDIAG /s:<Exchange Server> /test:MachineAccount

DCDIAG can be found in the Server 2003 Support Tools.  See the following link for installation instructions if necessary:
http://go.microsoft.com/fwlink/?LinkId=62270
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 17856214
0
 
LVL 9

Author Comment

by:rpartington
ID: 17856487
Thanks very much for the above lads, I really appreciate it. You know the score: when you're the one that everyone looks to to fix things and you're stumped, it's a bit disconcerting. It's not always the exact fix that you get on here, it's the ideas from suggestions that more often than not lead to you getting the problem solved.
Anyway, I reset and resynced the NTP time server on this DC/Exchange server, as I noticed that a couple (not all) of the events were showing a date of 20th Nov 2006, obviously not possible when yesterday it was only the 1st Nov 06, yet the clock etc. was showing the correct time and date.
http://geekswithblogs.net/jemimus/archive/2005/03/16/26502.aspx

Rebooted and, lo and behold, since from last night till this morning the event logs are perfect re the events 1030 & 1097.
I've got to admit I'm not convinced, so I will monitor this for the next week just on the off chance it kicks off again.

I did also find a link on M/S which gives our EXACT scenario and event ID and message.
http://support.microsoft.com/kb/913463
Which I'm posting here in case anyone else has these errors in the future, along with the suggestions above.

I WILL post back either way as I can't believe it was that easy after all.

Roy
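
The observation in the post above (events stamped 20th Nov when the real date was 1st Nov) can be checked for mechanically. The following is an added example, not part of the original thread: it assumes the event log has been exported to CSV with the column names shown, and the hostname, sample rows and 5-minute tolerance are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (assumed CSV layout, hypothetical host EXCH01).
SAMPLE_EXPORT = """\
TimeGenerated,Source,EventID,Computer
2006-11-01 11:47:02,Userenv,1097,EXCH01
2006-11-01 11:47:03,Userenv,1030,EXCH01
2006-11-20 11:52:04,Userenv,1097,EXCH01
2006-11-20 11:52:05,Userenv,1030,EXCH01
2006-11-01 11:57:06,Userenv,1097,EXCH01
2006-11-01 12:01:10,SampleApp,1000,EXCH01
"""

# The two Userenv events the thread is about.
WATCHED = {("Userenv", 1030), ("Userenv", 1097)}
FMT = "%Y-%m-%d %H:%M:%S"


def audit_export(text, reference_time, tolerance=timedelta(minutes=5)):
    """Scan an exported event log.

    reference_time is the time of the export taken from a clock you trust.
    Returns (future_dated, watched_counts):
      future_dated   - (timestamp, (source, id), offset) for every record
                       stamped later than reference_time + tolerance
      watched_counts - occurrences of each watched (source, id) pair
    """
    future_dated, watched_counts = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["TimeGenerated"], FMT)
        key = (row["Source"], int(row["EventID"]))
        if key in WATCHED:
            watched_counts[key] = watched_counts.get(key, 0) + 1
        # A record dated ahead of the trusted clock means the server's
        # clock was wrong when the event was written.
        if stamp > reference_time + tolerance:
            future_dated.append((stamp, key, stamp - reference_time))
    return future_dated, watched_counts


if __name__ == "__main__":
    ref = datetime(2006, 11, 1, 12, 5, 0)  # constructed "trusted now"
    future, counts = audit_export(SAMPLE_EXPORT, ref)
    for stamp, (source, event_id), offset in future:
        print(f"{stamp} {source} {event_id} is {offset} ahead of reference")
    print(counts)
```

Any rows reported as future-dated point to a clock jump on the server at the time they were logged, which is worth ruling out before chasing the machine account itself.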
0
 
LVL 9

Author Comment

by:rpartington
ID: 17896749
Over a week later and the event logs are free of the Event IDs 1030 & 1097.
It appears that either resyncing the Exchange/DC with the errors fixed the problem or the simple reboot of the server did; can't be 100% which, as I did them one after the other straight away.
The events 5722 - 5723 are still showing but that's another story.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 18367974
PAQed with points refunded (500)

DarthMod
Community Support Moderator
0
