rpartington (United Kingdom) asked:
Event ids 1030 & 1097 userenv on 2003 DC

I'm posting this here in the hope someone has had this issue or knows a fix, as I can't fathom out what is causing this and, more importantly, how to stop it.

We have a 2003 domain, XP clients etc., everything service packed right up.
All had been ticking over nicely until 11:47am this morning, when the 2003 EXCHANGE server for some odd reason started spitting out these event ID errors every 5 mins:

1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

1097 Windows cannot find the machine account, The logon attempt failed.
******************************************************

Nothing whatsoever has changed today; no service packs were installed automatically, as I install them manually on the servers.

This Exchange server is also a domain controller (don't ask). It's not got any FSMO roles but it is a GC, all set up before I arrived. It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.

We have 3 other DCs all ticking over nicely, NONE of which have these event IDs in them, none of which have been rebooted for weeks.
NETLOGON service is started on all the DCs.

The only thing I noticed recently was that on all 4 DCs we were getting event id:

5772 netlogon
The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.

None of the computers named exist anymore on the domain and have not existed for at least 6 months.
I renamed a couple of spare new clients to these phantom computer names, joined them to the domain, left them overnight and then removed them from the domain etc.
Apart from that nothing whatsoever has changed; incidentally, all 4 DCs are still showing the 5772 event.

Later today I will reboot the Exchange server and see if that has any effect.

ANY IDEAS GREATLY APPRECIATED, AS I'VE GOT TO HOLD MY HANDS UP AND ADMIT THIS ONE HAS GOT ME AT THE MOMENT.

Thanks for at least reading this one lads.
rpartington (asker):

Sorry, just noticed a typo above:
>>It's NOT a DHCP server or a DNS server; it forwards its DNS from the main DNS server, which has no errors.<<
Of course it's DNS, it's a DC;
it has the main DNS server's IP address (which forwards out to the ISP) as its preferred and its own static IP as its secondary.
It also has WINS set up as well.
All of which has been working perfectly for months.
might be related to SIDs..

I think the computer's SID does not match what AD has for the computer account object. Normally happens when using Ghost.

Reset the computer account, then rejoin the computer to the domain.
above response
Event ID 5772 is normally related to workstations.
Are you running MOM by any chance to monitor AD?

No, we're not running MOM, sean.
The 5772 is for workstations.

Sorry sean, again it's a typo; it should have been event 5722, not 5772:

The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred:
Access is denied.
and also
5723
The session setup from computer 1computername1 failed because the security database does not contain a trust account 'computername$' referenced by the specified computer.  
***********************************************
The events are being generated on the DCs.
However, the phantom workstations have not been on the domain for at least 6 months, and they were built manually, not via Ghost.

However, this may not have any bearing whatsoever on the main 2 events I'm more concerned with, i.e.
1030 & 1097 userenv.
It's just that these 2 events were the last 2 changes I've made in the last few weeks that I can put my finger on and say this was changed yesterday.
Whether they have caused the 1030 & 1097 is open to debate.

Thanks for at least firing some suggestions over, I appreciate it.

CharliePete00:

A few questions for you:

1.  Has there ever been another Exchange server on the domain?  Even with the same name?

2.  Is the Exchange server on the same subnet as the PDC emulator?

3.  Does the Exchange server point to itself or one of the other DCs for DNS servers?

4.  Are there any entries in the event log for services starting/stopping about the time this started?  Did any backup jobs start/finish about that time?  Any other scheduled jobs like A/V scans?

5.  Is the Exchange server running any A/V, host intrusion detection, or firewall software?
Let's also give DNS a quick check.

Execute the following from the command-line from any workstation:

nslookup <name of PDC Emulator> <IP Address of Exchange Server>
nslookup <name of RID Master> <IP Address of Exchange Server>

We'll also give AD a quick check.

Execute the following from the command-line and report any errors:

1.  DCDIAG /s:<Exchange Server> /test:netlogons
2.  DCDIAG /s:<Exchange Server> /test:KnowsOfRoleHolders
3.  DCDIAG /s:<Exchange Server> /test:FSMOCheck
4.  DCDIAG /s:<Exchange Server> /test:RidManager
5.  DCDIAG /s:<Exchange Server> /test:MachineAccount

DCDIAG can be found in the Server 2003 Support Tools.  See the following link for installation instructions if necessary:
http://go.microsoft.com/fwlink/?LinkId=62270
rpartington (asker):

Thanks very much for the above, lads, I really appreciate it. You know the score when you're the one that everyone looks to to fix things and you're stumped; it's a bit disconcerting. It's not always the exact fix that you get on here, it's the ideas from suggestions that more often than not lead to you getting the problem solved.
Anyway, I reset and resynced the NTP time server on this DC/Exchange server, as I noticed that a couple (not all) of the events were showing a date of 20th Nov 2006, obviously not possible when yesterday it was only the 1st Nov 06, yet the clock etc. was showing the correct time and date.
http://geekswithblogs.net/jemimus/archive/2005/03/16/26502.aspx

Rebooted and, lo and behold, from last night till this morning the event logs are perfect re the events 1030 & 1097.
I've got to admit I'm not convinced, so I will monitor this for the next week just on the off chance it kicks off again.

I did also find a link on M/S which gives our EXACT scenario, event ID and message:
http://support.microsoft.com/kb/913463
which I'm posting here in case anyone else has these errors in the future, along with the suggestions above.

I WILL post back either way, as I can't believe it was that easy after all.

Roy

rpartington (asker):

Over a week later and the event logs are free of the event IDs 1030 & 1097.
It appears that either resyncing the time on the Exchange/DC with the errors fixed the problem or the simple reboot of the server did; can't be 100% sure which, as I did them one after the other straight away.
The events 5722 - 5723 are still showing, but that's another story.
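To make the triage described in this thread repeatable, the following added Python script (not code from the thread or from any of its participants) reads a tab-separated event log export and checks three things the posts above turned on: whether the Userenv 1030 errors recur on the default 5-minute domain controller Group Policy refresh cadence (every refresh failing rather than a one-off), whether any event carries a timestamp weeks away from its neighbours (the clock problem the asker spotted before the NTP resync), and which machine accounts the Netlogon 5722/5723 events reference so they can be checked against Active Directory. The export format (date, time, source, event ID, message, tab-separated, UK date order), the machine names and the timestamps are all constructed for the example and are assumptions, not real data from the thread.

```python
"""Triage helper for the Userenv 1030/1097 + Netlogon 5722/5723 pattern.

Reads an Event Viewer-style tab-separated export (date, time, source,
event ID, message) and answers three questions the thread raised:
  1. Are the 1030 errors firing on the DC's 5-minute Group Policy refresh
     cadence (i.e. every refresh attempt fails, not a one-off)?
  2. Do any events carry a timestamp wildly out of line with their
     neighbours (the clock-skew symptom noticed before the NTP resync)?
  3. Which machine accounts do the 5722/5723 events reference, so they
     can be checked in Active Directory Users and Computers?
"""
from datetime import datetime, timedelta
from statistics import median
import re

# Constructed sample export (assumed format): names, dates and times are made up.
SAMPLE_LOG = """\
01/11/2006\t11:42:10\tNETLOGON\t5722\tThe session setup from the computer OLDPC01 failed to authenticate. The name(s) of the account(s) referenced in the security database is OLDPC01$.  The following error occurred: Access is denied.
01/11/2006\t11:47:03\tUserenv\t1030\tWindows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
01/11/2006\t11:47:03\tUserenv\t1097\tWindows cannot find the machine account, The logon attempt failed.
01/11/2006\t11:52:03\tUserenv\t1030\tWindows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
20/11/2006\t11:52:04\tUserenv\t1097\tWindows cannot find the machine account, The logon attempt failed.
01/11/2006\t11:55:00\tNETLOGON\t5723\tThe session setup from computer OLDPC02 failed because the security database does not contain a trust account 'OLDPC02$' referenced by the specified computer.
01/11/2006\t11:57:05\tUserenv\t1030\tWindows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
"""

DC_GP_REFRESH = timedelta(minutes=5)   # default Group Policy refresh interval on a DC
MACHINE_ACCOUNT_RE = re.compile(r"([A-Za-z0-9\-]+)\$")   # e.g. OLDPC01$ -> OLDPC01


def parse_events(text):
    """Parse export lines into dicts with datetime 'ts', 'source', int 'id' and 'msg'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, source, event_id, msg = line.split("\t", 4)
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"),
            "source": source,
            "id": int(event_id),
            "msg": msg,
        })
    return events


def gp_refresh_intervals(events, event_id=1030):
    """Seconds between consecutive occurrences of a Userenv event."""
    times = [e["ts"] for e in events if e["source"] == "Userenv" and e["id"] == event_id]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def fails_every_refresh(events, tolerance=timedelta(seconds=30)):
    """True if 1030 recurs on the DC refresh cadence, i.e. every GP refresh is failing."""
    intervals = gp_refresh_intervals(events)
    target = DC_GP_REFRESH.total_seconds()
    return bool(intervals) and all(abs(i - target) <= tolerance.total_seconds() for i in intervals)


def skewed_events(events, max_drift=timedelta(days=1)):
    """Events whose timestamp is more than max_drift from the median of the export.

    Exports are written in logging order, so a lone timestamp weeks away from
    its neighbours points at a clock problem on the logging host rather than
    at a genuinely old or future event."""
    centre = median(e["ts"].timestamp() for e in events)
    return [e for e in events if abs(e["ts"].timestamp() - centre) > max_drift.total_seconds()]


def referenced_machine_accounts(events):
    """Machine account names (without the trailing $) named in 5722/5723 events."""
    names = set()
    for e in events:
        if e["source"] == "NETLOGON" and e["id"] in (5722, 5723):
            names.update(MACHINE_ACCOUNT_RE.findall(e["msg"]))
    return sorted(names)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("1030 intervals (s):", gp_refresh_intervals(evts))
    print("Fails every DC refresh:", fails_every_refresh(evts))
    for e in skewed_events(evts):
        print("Clock-skew suspect:", e["ts"], e["source"], e["id"])
    print("Machine accounts in 5722/5723:", referenced_machine_accounts(evts))
```

On the constructed sample the 1030 errors land 300 and 302 seconds apart, so the script reports that every DC refresh is failing; the single 20th November entry is flagged as a clock-skew suspect while the rest of the export sits on the 1st; and OLDPC01 and OLDPC02 come back as the accounts to look up. Against a real export, confirm the tab layout and date order your Event Viewer produced before trusting the parse.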