Well assuming that the deletion occurred recently I would go look in the deleted items folder and see if you have an object by that name in there. You can then look at the replication metadata and see where the delete originated. From that see if they are all coming from one DC or if there are patterns. If you have auditing turned up you could see who/what is deleting them.
Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that "ate" the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes. I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too.... On 1/16/07, Rich Milburn <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified). What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset to the old one too. But the issues are not isolated to these accounts. We do not have an automated process set up to delete these accounts. This is Server 2003, non-SP1 (that's scheduled for this Friday). There are no discovered replication errors, they have checked for those. We only have 6 DCs, two each for a root and two child domains, and this is happening in one of the child domains. Here is an example event that we are getting. If anyone has seen this before or has any ideas, we'll be most appreciative. Event Type: Error Event Source: NETLOGON Event Category: None Event ID: 5723 Date: 1/16/2007 Time: 9:21:28 AM User: N/A Computer: CORPDC2 Description: The session setup from computer 'ACCT-95XDP11' failed because the security database does not contain a trust account 'ACCT-95XDP11$' referenced by the specified computer. USER ACTION If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem: If 'ACCT-95XDP11$' is a legitimate machine account for the computer 'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain. If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the trust should be recreated. Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account, the following action should be taken on 'ACCT-95XDP11': If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with 'ACCT-95XDP11$' should be deleted. If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined from the domain. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 8b 01 00 c0 ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
