I just inherited a Windows 2k3 domain filled with NETLOGON errors

Discussion in 'Windows Server' started by indelljo, Jun 7, 2005.

  1. indelljo

    indelljo Guest

    Errors include:

    Event ID 5805
    The session setup from the computer computername failed to authenticate. The
    following error occurred:
    Access is denied.

    Event ID 5719
    This computer was not able to set up a secure session with a domain
    controller in domain domainname due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is
    connected to the network. If the problem persists, please contact your domain

    Event ID 5723
    The session setup from computer 'computername' failed because the security
    database does not contain a trust account 'computername$' referenced by the
    specified computer.

    We have 30+ PCs that just dropped off the domain; their accounts are no
    longer in ADU&C without anyone deleting them. Is there anything I can do
    besides sending people out (we have 80 locations) to re-add them to the domain?
    indelljo, Jun 7, 2005
  2. Manny Borges

    Manny Borges Guest

    One domain right? Why would you need to send anyone out?

    In any case, do an authoritative restore of the AD from a system state
    backup that still has the accounts. If they are all in one OU then your job is
    pretty straightforward. If not, then it's a little more involved.

    Reboot into AD restore mode, restore a system state backup from a "good" time
    and use ntdsutil to mark those sequence numbers up.
    Manny Borges, Jun 7, 2005
  3. System State restore:


    Doug Sherman

    Doug Sherman [MVP], Jun 7, 2005
  4. indelljo

    indelljo Guest

    They are in the same OU, but we have added several objects since we started
    getting the errors. Won't a restore wipe out the new additions? Also, our
    DCs are in a cluster. How would this affect the restore? I am new to managing
    a domain, so I appreciate the help.
    indelljo, Jun 8, 2005
  5. Manny Borges

    Manny Borges Guest

    Clustered DCs. Interesting. Not a wise expenditure of resources usually, but
    interesting. I have found that with AD it's easier to get more DCs and simply
    design a correct site topology than to get something that is incredibly
    powerful. A new ProLiant with 2 2.4s and four GB of RAM and a nice NIC team
    doesn't even blink at servicing 20k users. By all means cluster web front
    ends, databases over 8GB, and other heavy hit resources. But IMHO clustering
    domain controllers is usually unneeded.

    But that's beside the point.

    The answer to your question: no, the new objects will not be lost. When
    synchronization occurs (I am assuming you have more DCs) then the objects will
    be added to the restored DC and the previously deleted objects that have had
    their sequence numbers updated will untombstone the objects from your current
    Manny Borges, Jun 8, 2005
  6. indelljo

    indelljo Guest

    Actually, we don't have other DCs. The domain was originally set up for
    Exchange. The DCs are the Exchange servers; that is why they are clustered.
    We have only recently added the PCs. Things were set up strangely here. Can
    I assume that without other functioning DC's the new items can't be
    recovered? Is there another way it can be done?
    indelljo, Jun 8, 2005
  7. Manny Borges

    Manny Borges Guest

    You need another DC. There are no ifs, ands or buts about it. Get a cheapo
    desktop and make it a DC, then you can proceed. If you have 80 locations, you
    should generally have 80 DCs. I know some would disagree with me, but I have
    just had too many issues when I have broken that rule.
    Manny Borges, Jun 9, 2005
  8. indelljo

    indelljo Guest

    I agree. We do need to add another DC, but buying anything is difficult when
    you work for the government. I am going to give the system restore a shot.
    indelljo, Jun 17, 2005
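
An added example, not part of the original thread: before choosing between a restore and re-joining machines, the NETLOGON events quoted in the first post can be used to list which computers the DC reports as having no trust account (5723) and which only failed to authenticate (5805). The pipe-delimited export format, the host names and the `triage` helper are assumptions made for this sketch; the message wording follows the events as posted.

```python
import re
from collections import defaultdict

# Constructed sample: one event per line as "timestamp|event_id|message".
# Host names and the domain are made up; message text follows the first post.
SAMPLE_LOG = """\
2005-06-06 08:01:12|5723|The session setup from computer 'BRANCH01-PC3' failed because the security database does not contain a trust account 'BRANCH01-PC3$' referenced by the specified computer.
2005-06-06 08:01:40|5805|The session setup from the computer BRANCH01-PC3 failed to authenticate. The following error occurred: Access is denied.
2005-06-06 08:03:05|5805|The session setup from the computer BRANCH17-PC1 failed to authenticate. The following error occurred: Access is denied.
2005-06-06 08:04:10|5723|The session setup from computer 'branch22-pc9' failed because the security database does not contain a trust account 'branch22-pc9$' referenced by the specified computer.
2005-06-06 08:05:00|5719|This computer was not able to set up a secure session with a domain controller in domain EXAMPLE due to the following: There are currently no logon servers available to service the logon request.
2005-06-06 08:06:00|7036|The Print Spooler service entered the running state.
"""

# Only 5723 and 5805 name the remote computer in their message text.
PATTERNS = {
    5723: re.compile(r"trust account '([^'$]+)\$'"),
    5805: re.compile(r"session setup from the computer (\S+) failed to authenticate"),
}

def triage(log_text):
    """Group computer names by NETLOGON event ID (upper-cased to deduplicate)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip malformed lines
        event_id = int(parts[1])
        pattern = PATTERNS.get(event_id)
        match = pattern.search(parts[2]) if pattern else None
        if match:
            seen[event_id].add(match.group(1).upper())
    missing = seen[5723]
    return {
        # The DC reported no trust account for these machines (5723).
        "trust_account_missing": sorted(missing),
        # These machines logged only 5805 (authentication failed).
        "auth_failed_only": sorted(seen[5805] - missing),
    }

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LOG).items():
        print(bucket, hosts)
```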
