Solved

Netlogon Errors for computers that don't exist.

Posted on 2011-03-02
17
379 Views
Last Modified: 2012-05-11
Good afternoon.  I have a Domain environment with two internal DNS servers.  Both running Windows Server 2003.  Users are having intermittent connection errors.  Occationally a computer will lose its trust relationship and need to be disjoined and rejoined.  I looked at the System events logs and notice quite a few NetLogon errors on both server.  A majority of the errors are 5513.  Near as I can tell, non of the computers that are being logged, exists anymore, and one even appears to be a laptop that is not only non existant, but thinks it's a DNS server. Since our Systems administrator is no longer with the company and our Director of IT has been let go, it kind of puts me in a hard place, when it comes to servers.  I would like to flush the dns or flush cache, but don't know what effect it will have on the users or if the server requires a reboot afterwards.  Any assistance you can give will be greatly appreciated.
0
Comment
Question by:a1785
  • 9
  • 4
  • 4
17 Comments
 
LVL 9

Accepted Solution

by:
rsoly777 earned 500 total points
ID: 35021400
You can flush the DNS Cache you may also want to look at the DNS and see if those machines are still listed, remove them if they are. Do the same with DHCP although that should be clean of machines that have not existed for a long time
0
 

Author Comment

by:a1785
ID: 35021514
I will give that a try first thing Friday morning.  Thanks for the information.
0
 
LVL 6

Expert Comment

by:bluemeln
ID: 35022516
Flushing the DNS resolver cache only empties out the cache of IP addresses which the computer remembers; they are just shortcuts to destinations it previously went to. By emptying the cache, you force the computer to check with the DNS server for current information. The cache is emptied so that the computer does not use out-dated information. A reboot is not necessary.

If there are incorrect records in DNS, then those must be deleted manually as suggested. Remember to check the Reverse Lookup zones as well.

Event ID 5513 indicates that the computer's security identifier has changed and does not match the one the domain controller has on record. This explains why disjoining and rejoining fixes the problem, as it assigns a new SID to the computer.
Has there been a recent change to the domain, such as the addition of a domain controller or renaming the domain? Have any computers been renamed?
0
 

Author Comment

by:a1785
ID: 35027082
No changes have been made to the Domain.  In many cases, when a computer crashes or cannot be disjoined from the domain, it is rebuilt and given a new name.
0
 
LVL 6

Expert Comment

by:bluemeln
ID: 35027301
Yes, I do I also rename computers or delete their old computer accounts and rejoin them if they had to be reghosted.

What is the dominant problem at this time - that computers still intermittently lose their trust relationship? Or that old rogue computers appear in the domain controller's event log? Are the old computer accounts still present in AD?
0
 

Author Comment

by:a1785
ID: 35027413
I cannot get to that Server at this time, but did not see any of the three, in AD or DNS. Since the event is pretty regular, I thought I would flush the DNS and see what happens.  Since we have two DC's in the Domain, would I need to flush the Cache on both servers, or will flushing one take care of both?  I would assume both need to be flushed?
0
 
LVL 6

Expert Comment

by:bluemeln
ID: 35027456
Yes, both need to be flushed. The DNS resolver cache is local to the machine.
0
 

Author Comment

by:a1785
ID: 35027587
Thank you.  I will advise you of the results on Friday.  I also plan on initializing a defrag on the servers.  One this week and the other the following Friday.  Is there anything I should be concerned about or do before starting?  I assume it's no different on a server than it is on a users computer?  I'll make sure we have a good backup first.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 6

Expert Comment

by:bluemeln
ID: 35027693
Hard drive defragmentation is the same on a workstation or a server. The best time to run it is during times of low read and write activity, so not during business hours, especially on servers with very high I/O, such as email, file, and database servers.
0
 

Author Comment

by:a1785
ID: 35027738
Outstanding.  Thanks for the info.
0
 

Author Comment

by:a1785
ID: 35058370
Still working on an infected Laptop.  Also still running a defrag on the server.  Didn't want to leave you hanging.
0
 
LVL 9

Expert Comment

by:rsoly777
ID: 35058564
Where did the "Infected Laptop" come into play? Is this part of your issue also? Also if there are machines that you cannot reach and you do not know where they are I would just delete their accounts if the user has an issue you will hear about it. This way you can just re-join that particular machine.
0
 

Author Comment

by:a1785
ID: 35058620
Yes.  The laptop TMuckle-lt kept showing up in the system logs with a Netlogin error.  It was infected with a virus.  At one point I saw an entry in the logs that looked as though the system thought TMuckel-lt was a DC.  
0
 
LVL 9

Expert Comment

by:rsoly777
ID: 35059164
sometimes a workstation can force an election but it is very rare that it will ever win that election.
Takwe a look at this page, there is a registry setting you can impose on the workstations that will prevent them from causing these elections:
http://www.pctools.com/guides/registry/detail/54/
0
 

Author Comment

by:a1785
ID: 35059263
I'll check it out.  Thank you.
0
 
LVL 9

Expert Comment

by:rsoly777
ID: 35097959
any luck or updates on this?
0
 

Author Closing Comment

by:a1785
ID: 35098247
Though the network has been slow, I have not heard of any further connection problems from the users.  Let's consider this case closed.  If I run into any further issues, I'll post a new question.  Thank you all for your assistance.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now