Michael,

Admittedly, WAN links are not extremely reliable and tend to drop out
at times. However, I can't explain how this can be related to my problem.
Would you like to further explain this point please?
Can WAN links be related to my problem? Has it something to do with
replication? This is what happens: the client, all of a sudden, cannot
authenticate anymore. We check on the DCs and the computer account is
gone...lost, as if someone deleted it (but auditing shows no sign of manual
deletions from privileged users). We have at least 2 DCs at each site and we
verified that each client will authenticate from a DC in its local site.
Each site has its own DCs and I verified that each client will authenticate
from the correct DC in its own site. From my point of view, it doesn't look
like a WAN links issue.

As for architectural changes: they can't be performed for a number of
reasons. However, I still wonder how this issue may be related to WAN
traffic.

Thanks for your time
Alex.


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael Wassell
> Sent: Friday, February 6, 2004 16:25
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] computer account issues
> 
> From reading the detailed error messages it would seem that 
> the workstations are timing out for one reason or another 
> when synchronizing, you may want to research increasing 
> timeout values for network services (Browser service, Server 
> service etc.).  Also, have you attempted to verify server 
> communication via the WAN links to verify that there are no 
> timeout issues occurring?  Try pinging with an -l switch to 
> increase the ICMP data being sent with the -t switch and 
> watch for any timeouts or significant ping response time increases.
> 
> Something you might want to consider is implementing 
> independent child domains for each of your sites.  I believe 
> it would significantly decrease your network traffic across 
> your WAN links to allow for more prioritized processing of 
> network traffic to take place.  However, that would likely be 
> a large project so a more temporary solution would be to 
> determine the cause of the current issue.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> Sent: Friday, February 06, 2004 10:00 AM
> To: [EMAIL PROTECTED]
> Subject: R: [ActiveDir] computer account issues
> 
> Thanks for the reply and sorry for being unclear.
> The eventID 5723 as per my previous post is generated on the 
> domain controller.
> These are the events generated on the client side (please 
> note they were translated from a non-English system, 
> hopefully they're clear enough):
> 
> Source: LSASRV
> Category: SPNEGO
> EventID: 40961
> Protection System could not establish a secured connection 
> with server cifs/dc.domain.local. No authentication protocol 
> was available
> 
> Source: NETLOGON
> Category: None
> EventID: 5721
> Session installation on Windows NT or Windows 2000 domain 
> controller \\dc.domain.local was unsuccessful because domain 
> controller has no computer account for the computer "computername"
> 
> Source: W32time
> Category: none
> EventID: 18
> NtpClient time provider was unable to establish a trust 
> relation from this machine to domain domain.local in order to 
> synchronize time in protected mode. Trust relation between 
> this workstation and the primary domain was unsuccessful (0x800706FD).
> 
> One of the DCs has a SQL server to support a SMS 2.0 
> installation but I can't figure any interactions with a 
> client authentication.
> I am about to thoroughly read the Q article you suggested to me. 
> From a quick check, the only relevant policy I could find is 
> "microsoft network server:
> digitally sign up communication if client agrees" set ENABLED 
> on the default DC policy.
> I have been working on this issue for a short time. People 
> working here for longer say this might have happened 
> exclusively (or mainly) on winXP workstations, but take this 
> as an unreliable piece of information.
> Please let me know if you need more detailed information. I 
> appreciate your support.
> Thanks!!
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
> > Wassell
> > Sent: Friday, February 6, 2004 15:09
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] computer account issues
> > 
> > A little bit unclear, but I have browsed through the Microsoft KB 
> > regarding that event id and this article was a match.
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> > 
> > Search in the page for "5723" (without quotes).  It is under the 
> > digitally sign communication (always) category.  That may be a first 
> > step to determining the cause?
> > 
> > I also noticed that this error can be generated by SQL Server.
> > 
> > Is this error being generated in the event log on the server? 
> >  Or on the machine itself? 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> > Sent: Friday, February 06, 2004 8:43 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] computer account issues
> > 
> > good morning list,
> > 
> > I am getting a weird problem lately. Our AD architecture is made of 1 
> > forest, 1 domain, 4 sites spanned through WAN links. There are approx. 
> > 2500 nodes in the forest, there are 2 DCs at each site, a DC is 
> > configured as GC at each site.
> > 
> > Randomly, with no apparent recurrent pattern, we get the eventID
> > 5723(netlogon) error from some machines (I would say some 4-5 a day). 
> > 
> > ------------------
> > 
> > The session setup from the computer <computer name> failed because 
> > there is no trust account in the security database for this computer.
> > The name of the account referenced in the security database is 
> > <computer name>$.
> > 
> > The error code is 0xC000018B
> > 
> > ------------------
> > 
> > The client is not able to authenticate to the DC anymore. The only (to
> > me) known resolution is to rejoin the machine to the domain.
> > 
> > Would anyone suggest a resolution, or correct steps for 
> > troubleshooting?
> > 
> > I've already checked on eventid.net, and it looks like none of the 
> > suggestions is relevant to my architecture. We're running a native 
> > mode Windows 2000 domain.
> > 
> > The error code states that the computer account has been deleted. How 
> > can this happen? How can I audit operation attempts on computer 
> > accounts?
> > 
> > Thanks!!
> > 
> > Alex
> > 
> >  
> > 
> >  
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 

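Added example, not part of the original thread: one way to approach the auditing question raised above is to collect the Security and System logs from every DC and match each NETLOGON 5723 against computer-account deletion records (event 647 on Windows 2000/2003, 4743 on later versions, written only when account management auditing is enabled and only on the DC that processed the deletion). The CSV layout, host names, account names and actor below are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample: events exported from several DCs into one CSV (not real data).
# Column layout is an assumption for this example.
SAMPLE = """time,dc,log,event_id,account,actor
2004-02-05 09:12:00,DC1-SITEA,Security,647,WS-0142$,svc-cleanup
2004-02-06 08:01:10,DC2-SITEB,System,5723,WS-0142$,
2004-02-06 08:40:00,DC2-SITEB,System,5723,WS-0977$,
2004-02-06 08:41:30,DC2-SITEB,System,5723,WS-0977$,
"""

DELETE_IDS = {647, 4743}   # computer account deleted (Windows 2000/2003 id, later id)
MISSING_TRUST_ID = 5723    # NETLOGON: no trust account for this computer


def correlate(csv_text):
    """Map each account that raised 5723 to the deletion audit records found for it."""
    deletions, failures = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        acct = row["account"].upper()
        eid = int(row["event_id"])
        if eid in DELETE_IDS:
            deletions.setdefault(acct, []).append((when, row["dc"], row["actor"]))
        elif eid == MISSING_TRUST_ID:
            # Keep only the earliest failure per account.
            failures[acct] = min(when, failures.get(acct, when))
    report = {}
    for acct, first_fail in sorted(failures.items()):
        # Only a deletion at or before the first failure can explain it.
        prior = [d for d in deletions.get(acct, []) if d[0] <= first_fail]
        report[acct] = {"first_failure": first_fail, "deleted_by": prior}
    return report


def unexplained(report):
    """Accounts with a 5723 but no deletion audit record in the collected logs."""
    return [acct for acct, r in report.items() if not r["deleted_by"]]


if __name__ == "__main__":
    rep = correlate(SAMPLE)
    for acct, r in rep.items():
        print(acct, r["first_failure"], r["deleted_by"] or "no deletion record collected")
```

An account returned by unexplained() has no deletion record in the collected logs, so check that every DC's Security log was included and that auditing was enabled on each of them.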