COMPUTER GETS DISJOINED FROM THE DOMAIN

    Question

  • Hi everyone,

    We are getting the following errors on some computers:

    --------------------------------------------------------------------------------------------------------------------------------
    Source:        NETLOGON
    Date:          5/5/2012 12:50:01 AM
    Event ID:      5805
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      PCIT0120

    Description:
    The session setup from the computer PCIT0120 failed to authenticate. The following error occurred:
    Access is denied.

    The only solution is to log in as local Administrator, disjoin the computer from the domain and rejoin it. But this is happening quite often. Until now I have disjoined and joined about 60 computers.

    So please help to solve this issue,

    Thank you,

    Imran

    May 17, 2012 19:18

Answers

  • Is it happening on Windows 7 and Windows 2008 R2 machines? If yes, then I would consider applying the hotfix below.

    A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer

    http://support.microsoft.com/kb/979495

    More on secure channel. http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    May 18, 2012 10:48
    Moderator
  • Hello,

    Client computers are losing their secure channel and you need to disjoin them and join them again in this case.

    Are these computers prepared from images? If yes, then next time you take an image, run sysprep beforehand to prepare the reference machine.

    However, this may also be due to AD replication issues.

    Please run dcdiag /v on all DCs you have and check if there are any failures.

    If yes, then use Microsoft Skydrive to upload the output of these commands on all DCs you have:

    • ipconfig /all > c:\ipconfig.txt
    • dcdiag /v /e > c:\dcdiag.txt

    Once done, post a link here.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    May 17, 2012 20:21
  • It seems that the machines are created from an image that is NOT prepared with sysprep. If this is the case, refer to the links below. Also ensure that only the domain DNS is configured on the client/member server and none else, like a public IP address.


    What Is Sysprep?  http://technet.microsoft.com/en-us/library/dd799240%28v=ws.10%29.aspx

    How Sysprep Works  http://technet.microsoft.com/en-us/library/dd744512%28v=ws.10%29.aspx

    How to Sysprep in Windows Server 2008 R2 and Windows 7  http://briandesmond.com/blog/how-to-build-a-sysprep-answer-file-for-imagin

    DNS configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of Workstation.

    Take a look at below hotfix too.
    A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer: http://support.microsoft.com/kb/979495

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    May 18, 2012 4:03

All replies

  • I agree with Mr X. Non-sysprepped machine and replication are the key factors here.

    In addition, I've also seen this if the DCs were ever reverted to a previous "snapshot," such as in a Hyper-V or VMware environment, or using Ghost, Altiris, etc. If this is the case, the rule of thumb is to never use snapshots.

    See this for more specifics:
    http://eventid.net/display-eventid-5805-source-NETLOGON-eventno-3925-phase-1.htm


    Diagnosing AD:

    If you would like us to assist further if you are already using Sysprep and not using snapshots, please post the data Mr X asked for. Also post the following additional info:

    • Number of DCs
    • Number of AD Sites (if applies)
    • Any event log errors on the DCs (other than the one you posted). Please check all event logs for errors, including the Windows Logs (the App & System logs) and, under Application and Services Logs, if applicable, the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.
    • repadmin /showrepl dc01.domain.local /verbose /all /intersite > c:\rep-showrepl.txt (From each DC. This helps understand the replication topology and replication failures)
    • nltest /dsgetdc:<domain.local> /force (From each DC. This tests secure channels between DCs)
    • repadmin /showreps > c:\rep-showreps.txt (From each DC. This switch shows if partitions have replicated or not)
    • repadmin /replsum > c:\rep-replsummary.txt (From each DC. View replication summary. You can also use the output to create a report)



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    May 18, 2012 0:30
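
The event-log check requested in the reply above, as an added example that is not part of any poster's message: it tallies NETLOGON 5805 failures per client so recurring offenders stand out before anyone is rejoined. The function name, the second computer name and the sample records are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Sample records are constructed and
# modelled on the event 5805 text quoted in the question.
$template = 'The session setup from the computer {0} failed to authenticate. ' +
            'The following error occurred: Access is denied.'
$sampleRecords = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2012-05-05T00:50:01'; Message = $template -f 'PCIT0120' }
    [pscustomobject]@{ TimeCreated = [datetime]'2012-05-06T08:12:40'; Message = $template -f 'PCIT0120' }
    [pscustomobject]@{ TimeCreated = [datetime]'2012-05-06T09:03:17'; Message = $template -f 'PC-EXAMPLE-02' }
)

function Get-Netlogon5805Summary {
    # Hypothetical helper: groups 5805 records by the client named in the message.
    param(
        [Parameter(Mandatory = $true)]
        [object[]] $Records
    )
    $pattern = 'session setup from the computer (\S+) failed to authenticate'
    $Records |
        ForEach-Object {
            # Skip records whose text does not match the 5805 wording.
            if ($_.Message -match $pattern) {
                [pscustomobject]@{ Computer = $Matches[1]; Time = $_.TimeCreated }
            }
        } |
        Group-Object -Property Computer |
        ForEach-Object {
            # @() keeps a single timestamp indexable like an array.
            $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
            [pscustomobject]@{
                Computer = $_.Name
                Failures = $_.Count
                First    = $times[0]
                Last     = $times[-1]
            }
        } |
        Sort-Object -Property Failures -Descending
}

# On a DC, feed live data instead of the sample:
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805 } -ErrorAction SilentlyContinue
Get-Netlogon5805Summary -Records $sampleRecords | Format-Table -AutoSize
```

Run on each DC, the per-computer first and last timestamps can be lined up against the dcdiag and repadmin output requested above.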
  • Hello,

    As already mentioned by others, either the secure channel is broken because of NOT using sysprep to prepare machines or a patch may be required.

    Additionally, incorrect DNS settings may result in connection problems, so be sure to use only the domain DNS servers on the machine's NIC and NONE else.

    For using sysprep see: http://support.microsoft.com/kb/314828 http://support.microsoft.com/kb/828287

    http://technet.microsoft.com/en-us/library/dd744512(WS.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    May 18, 2012 15:47
  • Hi Imran,
     
    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin

    TechNet Community Support

    May 21, 2012 2:34
  • Sorry for the late reply.

    But replication is fine. These computers are not prepared from images.

    I will upload the outputs of the commands soon, by today.


    IMRAN.

    June 17, 2012 10:09
  • Yes, it happens only on Windows 7 and Windows 2008 R2 machines. I will apply this hotfix and I will update with results.

    Thank you.


    IMRAN.

    June 17, 2012 10:12
  • First of all, I am sorry for the delayed reply. I applied the fix; still the same issue was there, and all the images were sysprepped. So I opened a case with Microsoft, then they gave the solution to apply SP1 for Windows 7. And you know what, the problem is solved. Thanks, friends, for all your help.


    IMRAN.

    January 3, 2013 18:59