Computer accounts mysteriously disappearing in Active Directory

  • Question

  • We have a Win2008 domain.  We have had several computers have their accounts go missing in active directory so we have to add them back to the domain.  We have also had dns entries mysteriously disappear as well.  My first thought is replication has an issue.


    Network Touch

    Wednesday, June 13, 2012 9:25 PM

All replies

  • Does the computer that seems to go missing disappear from every domain controller?  If that is the case there probably isn't a replication issue, but check replication health with repadmin or the new AD replication status tool:  http://www.microsoft.com/en-us/download/details.aspx?id=30005

    Do you have auditing turned on?  I'd turn it on and try and track who is deleting the machines.  

    Do you have scavenging enabled?  You can also track DNS record deletion (again involves auditing)  http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

    Thanks

    Mike


    http://adisfun.blogspot.com

    • Proposed as answer by cron22 Wednesday, June 20, 2012 3:58 AM
    • Marked as answer by Yan Li_Moderator Monday, June 25, 2012 10:16 AM
    Wednesday, June 13, 2012 10:36 PM
  • Hi,

    As Mike already pointed out, it would not be a replication issue but it's worthwhile to check it.

    You can try with repadmin /replsum or dcdiag /test:replications in an elevated Command Prompt. You need to have .NET Framework 4.0 to use the new ADREPLSTATS tool.

    In your DNS Zone properties, do you have Scavenging enabled? If so, what are the settings? To understand Scavenging, I have an article which will explain the basics: https://mohanrav.wordpress.com/2011/11/17/33/


    Regards, Mohan R Sr. Administrator - Server Support

    • Proposed as answer by cron22 Wednesday, June 20, 2012 3:59 AM
    • Marked as answer by Yan Li_Moderator Monday, June 25, 2012 10:17 AM
    Thursday, June 14, 2012 4:30 AM
  • Hi,

    Based on my knowledge, computers won't disappear by themselves. Either some other administrators deleted them, or some domain users moved the computers from the domain to workgroups.

    In addition, here is a similar thread, please go through it for more details:

    objects disappear from active directory

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3675324b-3e07-46f9-97e5-ed834913609a

    Regards,

    Yan Li

    TechNet Community Support

    Thursday, June 14, 2012 5:25 AM
    Moderator
  • Hello,

    I know of missing/disappearing accounts in AD UC for computers from machines that were not prepared with sysprep when installed from images.

    Also, I have seen this if machines' computer names are longer than 15 characters, the NetBIOS name limit.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, June 14, 2012 7:11 AM
  • As others have suggested, if you have auditing enabled in AD, you can track the deletion of the computer account.

    You can refer to the article below for tracing user/computer account deletion.

    Tracing down user and computer account deletion in Active Directory

    http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory.aspx

    Also, verify the computer object has not been moved to another OU, because I haven't come across this kind of behavior. Also, auditing can tell you the real reason or culprit behind it.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, June 14, 2012 9:11 AM
    Moderator
  • Hi ,

    As suggested by the experts above, I would also recommend enabling auditing. You can also check whether you have enabled any kind of automated scripts to remove stale accounts from Active Directory.

    Also check for event ID 4660, which is triggered when an object is deleted.


    Hope it helps

    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, June 14, 2012 9:14 AM
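
The auditing approach suggested in the replies above, as an added example that is not part of any poster's reply: a PowerShell function that turns Security-log event XML into "who deleted which computer account" rows. It goes beyond the event ID 4660 named in the thread by parsing events 4743 and 5141, which carry the deleted object's name; the sample events, `DC01`, `EXAMPLE` and `cleanup-svc` are constructed placeholders.

```powershell
# Added example: turn Security-log event XML into "who deleted which computer" rows.
# 4743 = a computer account was deleted; 5141 = a directory service object was deleted.
function ConvertTo-DeletionRecord {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $d = @{}   # <Data Name="x">value</Data> pairs as a lookup table
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.InnerText }
        $id = [int]$evt.System['EventID'].InnerText
        switch ($id) {
            4743 { $object = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName }
            5141 {
                if ($d.ObjectClass -ne 'computer') { return }  # ignore other object classes
                $object = $d.ObjectDN
            }
            default { return }
        }
        [pscustomobject]@{
            TimeUtc   = $evt.System.TimeCreated.SystemTime
            DC        = $evt.System.Computer
            EventId   = $id
            Object    = $object
            DeletedBy = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        }
    }
}

# Constructed sample events (placeholders, not data from this thread).
$tmpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
        '<EventID>{0}</EventID><TimeCreated SystemTime="2012-06-13T14:02:11Z"/>' +
        '<Computer>DC01.example.test</Computer></System><EventData>{1}</EventData></Event>'
$who  = '<Data Name="SubjectUserName">cleanup-svc</Data>' +
        '<Data Name="SubjectDomainName">EXAMPLE</Data>'
$sample = @(
    ($tmpl -f 4743, ($who + '<Data Name="TargetUserName">PC-042$</Data>' +
                            '<Data Name="TargetDomainName">EXAMPLE</Data>')),
    ($tmpl -f 5141, ($who + '<Data Name="ObjectClass">computer</Data>' +
                            '<Data Name="ObjectDN">CN=PC-042,OU=Workstations,DC=example,DC=test</Data>')),
    ($tmpl -f 5141, ($who + '<Data Name="ObjectClass">user</Data>' +
                            '<Data Name="ObjectDN">CN=jdoe,OU=Staff,DC=example,DC=test</Data>'))
)
$sample | ConvertTo-DeletionRecord | Format-Table -AutoSize   # two rows; the user deletion is skipped

# Live use, run against each DC (assumes deletion auditing was already enabled):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4743,5141} |
#     ForEach-Object { $_.ToXml() } | ConvertTo-DeletionRecord
```

The `DeletedBy` column is what separates an administrator's manual deletion from a stale-account cleanup script running under a service account.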
  • Hi,

    Any update? If there is anything that I can do for you, please feel free to let me know.

    Regards,

    Yan Li

    TechNet Community Support

    Wednesday, June 20, 2012 1:37 AM
    Moderator
  • I am wondering if this could be a scavenging issue.  Currently the dhcp scopes are set to 8 hours.  The scavenging settings are set to no-refresh 8hrs and refresh-8hrs.  I always thought scavenging should be set to the same as the dhcp lease time.  Is that correct?  If our dhcp scopes are set to 8 hours, what would you recommend for the scavenging settings?

    Network Touch

    Monday, July 16, 2012 3:52 PM
  • I am wondering if this could be a scavenging issue.  Currently the dhcp scopes are set to 8 hours.  The scavenging settings are set to no-refresh 8hrs and refresh-8hrs.  I always thought scavenging should be set to the same as the dhcp lease time.  Is that correct?  If our dhcp scopes are set to 8 hours, what would you recommend for the scavenging settings?  How can scavenging cause a computer account in the domain to be deleted?  Wouldn't that just remove it from dns?

    Network Touch

    Monday, July 16, 2012 3:59 PM
  • Hello,

    The posted ipconfig from "lonestar" contains the router as a DNS server, so this is NOT correct. In a domain ONLY the domain DNS servers should be used on the NIC and NONE else. So please remove this and run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service.

    Does the netlogon and sysvol share exist and contain the required structure and are you able to access them?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, July 16, 2012 6:03 PM
  • Did you ever identify the cause?

    Friday, May 9, 2014 2:13 AM
  • Was a cause determined? We had a similar issue occur today.

    Hank Vare

    Monday, June 27, 2016 9:23 PM