
Event id 5722 Windows 2003 system Restore

Recently recovered a Windows 2003 SP1 Domain Controller, which is the only DC within the domain, using NTBACKUP from a system state backup (dated 22nd Dec 09 and restored 19th Feb 2010). It was the only backup that was available. The restore went fine with no errors, and AD looked fine. Took it back to site on 21st Feb to test ready for the Monday and found clients could not log on: "domain unavailable" or "computer account not found" errors. The accounts exist in AD etc., DHCP is fine, clients receive IP addresses etc., but event ID 5722 is logged in Event Viewer for any clients that have attempted to log on to the domain:

"Computer: ComputerName
Description: The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied."

Now the quick fix is to re-add the clients to the domain and all is well again, but there are hundreds of computers to re-add.

Question 1) Is there a way to fix this en masse without running around?
Question 2) I have read the following article - http://support.microsoft.com/kb/216393/en-us - The time between the system state backup and the first client attempting contact would be 65 days after the system state was restored. The article mentions that every 30 days the secure channel passwords are synced, but if problems occur you get the 5722 ID. The secure channel is broken from the tests, but what I don't understand is this 30 days: I have had clients not contact the DC for more than 30 days and they still operated fine. Can anyone give a good explanation for this?
Question 3) You apparently cannot restore DC system state data that is older than the tombstone lifetime, which in Windows 2003 SP1 is 180 days. Just for future reference, does this apply in a single Domain Controller network config, or does it only apply in multi-partner replication scenarios?
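One way to approach question 1 from a single console, added here as an example and not taken from the thread, the accepted answer or Microsoft's KB: harvest the account names NETLOGON wrote into the 5722 events on the DC, then have each client reset its own machine account password against the restored DC. The DC name DC01 is a placeholder, as are the two credential prompts. It assumes WinRM is enabled on the clients and that they run PowerShell 3.0 or later (Reset-ComputerMachinePassword with -Credential). Kerberos to a client fails while its secure channel is broken (the restored DC holds the pre-restore machine key), so the connection uses the clients' local administrator account over NTLM.

```powershell
# Added example, not from the original thread. Placeholders: DC01, credential prompts.
$Dc         = 'DC01'
$DomainCred = Get-Credential -Message 'Domain account allowed to reset computer passwords (e.g. CORP\admin)'
$LocalCred  = Get-Credential -Message 'LOCAL administrator on the affected clients (e.g. .\Administrator)'

# 1. Collect the computer names from event 5722 on the DC (remote event log over RPC,
#    which works against a Windows 2003 DC). The message ends with:
#    "...The name of the account referenced in the security database is NAME$."
$broken = Get-EventLog -ComputerName $Dc -LogName System -Source NETLOGON |
    Where-Object { $_.EventID -eq 5722 } |
    ForEach-Object {
        if ($_.Message -match 'security database is (\S+)\$\.') { $Matches[1] }
    } |
    Sort-Object -Unique

"{0} computer(s) logged a broken secure channel since the restore" -f @($broken).Count

# 2. On each client, set a new machine account password on the DC and re-test the channel.
#    Runs client-side because the password change must originate from the member computer.
$results = foreach ($pc in $broken) {
    try {
        $ok = Invoke-Command -ComputerName $pc -Credential $LocalCred -Authentication Negotiate `
            -ArgumentList $Dc, $DomainCred -ErrorAction Stop -ScriptBlock {
                param($Dc, $Cred)
                Reset-ComputerMachinePassword -Server $Dc -Credential $Cred
                Test-ComputerSecureChannel -Server $Dc   # returns $true when the channel is healthy
            }
        New-Object PSObject -Property @{ Computer = $pc; SecureChannelOK = [bool]$ok; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Computer = $pc; SecureChannelOK = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table Computer, SecureChannelOK, Error -AutoSize
```

Clients that fail the remote step (no WinRM, or XP-era machines without PowerShell 3.0) still need a visit, but the same password reset can be done there with `netdom resetpwd /server:DC01 /userd:CORP\admin /passwordd:*` from the Support Tools, which avoids unjoining and rejoining. Keep the 5722 harvest step even if you fix by hand: it gives you the exact list instead of hundreds of guesses.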

cjrmail2k

I think you were supposed to use directory services restore mode on the DC, maybe you still can but I don't know the commands off hand.
LITTLEHOUGHTON

ASKER
Restored using DS restore mode - but this is a single DC environment and I ran a full restore on a new server, so I thought there wouldn't be any need for that in this case? But as a matter of routine I did so and ran ntdsutil and an authoritative restore etc., which completed successfully. The server appears operational; the logon accounts work without problem once the computer accounts are re-joined to the domain. Thanks anyway.

I have just realised that the TLS value is not 180 days unless you have manually set it to be so! I am now thinking that the time of 60 days is extremely close to the limit and that the system state backup is potentially 'bad'.
cjrmail2k

Strange, perhaps something to do with SID inconsistency, as it appears as though they are there but the domain doesn't recognise them... just an idea.
LITTLEHOUGHTON

ASKER
Cheers, had thought of this. The local techie assures me that they had been sysprep'd, but I am starting to think otherwise. At the moment I am trying to find out what the maximum length of time is that a client can be offline from AD before causing issues.
LITTLEHOUGHTON

ASKER
Found the answer to my third question - you can still restore old system state data which is older than the TLS; it only matters in multi-replication scenarios, and even then it is still possible. Just need to find out more about the tombstone lifetime for the clients and what caused the secure channel to break.
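The check behind the tombstone lifetime discussion above, added here as an example and not part of the thread: read the forest's actual tombstoneLifetime from the Configuration partition instead of assuming 180, and compare it with the age of the backup you intend to restore. When the attribute is absent the directory uses the built-in default of 60 days; 180 is only present when the forest was created with Windows Server 2003 SP1 or later or the value was set by hand. The two dates are the ones from the question; run it on a domain-joined machine that can reach a DC over LDAP.

```powershell
# Added example, not from the original thread. Dates are those quoted in the question.
$rootDse = [ADSI]'LDAP://RootDSE'
$dsPath  = 'LDAP://CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
$ds      = [ADSI]$dsPath

# tombstoneLifetime is unset on forests created before 2003 SP1; the effective value is then 60.
$tsl = $ds.Properties['tombstoneLifetime'].Value
if ($null -eq $tsl) { $tsl = 60; $source = 'default (attribute not set)' } else { $source = 'explicit attribute' }

$backupDate  = Get-Date '2009-12-22'
$restoreDate = Get-Date '2010-02-19'
$backupAge   = ($restoreDate - $backupDate).Days

"tombstoneLifetime in effect: {0} days ({1})" -f $tsl, $source
"backup age at restore:       {0} days" -f $backupAge

if ($backupAge -ge $tsl) {
    Write-Warning ("Backup is older than the tombstone lifetime by {0} day(s). On a DC that replicates " +
                   "with partners this risks lingering objects; on a single-DC domain it is allowed, but " +
                   "expect stale machine account passwords (event 5722) for every member that changed " +
                   "its password after the backup was taken.") -f ($backupAge - $tsl)
}
```

Expired machine account passwords are not a tombstone issue at all: members rotate their password (30 days by default, Netlogon's MaximumPasswordAge) regardless of whether the DC is up, so any member that rotated after the backup date will fail its secure channel once the old DC state is restored, however short the tombstone lifetime.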