Computers losing contact to the Domain
Solution 1
Unfortunately this problem resolved itself once we deployed a self-joining domain image out using WDS. We cleared all the computer names out of AD, prestaged all the machines and have never had any problems like this again.
Solution 2
One scenario where this can occur is if a computer backup is restored to a second computer. When that second computer comes online, the machine's password (which the machine changes every 30 days by default) does not match the password in AD, and the machine account is disabled.
Using System Restore may also restore a previous machine account password.
Note that the computer's password is not subject to the domain's password expiration policy. It is controlled by the computer's netlogon service.
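As an added example that is not part of the original thread: a PowerShell script, run on the domain controller with the ActiveDirectory module, that pulls the NETLOGON 5722 events quoted in the question, looks up each referenced machine account and reports its pwdLastSet age, so a password older than the 30-day rotation or reset after the first failure points at the restored-image scenario described above. The event-message regex and the 14-day window are assumptions.

```powershell
# Added diagnostic (not from the original thread). Run on the DC as a domain admin
# with the ActiveDirectory module (RSAT). Assumes the 5722 message text matches the
# form quoted in the question ("...referenced in the security database is NAME$.").
Import-Module ActiveDirectory

# 1. Collect NETLOGON 5722 events from the System log (14-day window is an assumption).
$since  = (Get-Date).AddDays(-14)
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 2. Record the earliest failure time per machine account named in the event text.
$firstFailure = @{}
foreach ($e in $events) {
    if ($e.Message -match 'security database is (\S+?)\$') {
        $name = $Matches[1]
        if (-not $firstFailure.ContainsKey($name) -or $e.TimeCreated -lt $firstFailure[$name]) {
            $firstFailure[$name] = $e.TimeCreated
        }
    }
}

# 3. Compare each account's pwdLastSet with the time the failures started.
foreach ($name in $firstFailure.Keys) {
    $c = Get-ADComputer -Identity $name -Properties pwdLastSet, Enabled -ErrorAction SilentlyContinue
    if (-not $c) {
        "{0}: no computer object found in AD" -f $name
        continue
    }
    # pwdLastSet is a FILETIME; a healthy workstation rotates it about every 30 days.
    $pwdSet  = [DateTime]::FromFileTime($c.pwdLastSet)
    $ageDays = [int]((Get-Date) - $pwdSet).TotalDays
    $note = 'ok'
    if ($ageDays -gt 30) {
        # Stale password: typical of a restored image or a System Restore rollback.
        $note = 'stale: older than the 30-day rotation'
    } elseif ($pwdSet -gt $firstFailure[$name]) {
        # The DC-side password changed after the workstation started failing.
        $note = 'reset after first failure'
    }
    New-Object PSObject -Property @{
        Computer = $name; Enabled = $c.Enabled; FirstFailure = $firstFailure[$name]
        PwdLastSet = $pwdSet; AgeDays = $ageDays; Note = $note
    }
}
```

A machine that shows up in the events but has no AD object matches the "accounts do not show up in AD" symptom in the question and is worth checking separately.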
Solution 3
Do you have anything altering the time on the PCs independently of the domain?
Solution 4
Was there a previous PDC? DNS working perfectly (pings working vice versa)? Time differences between machines? And finally, could you try changing the user's password from the workstation, or even vice versa?
When a workstation joins a domain it sets up a trust between the DC and the workstation. Now there are a number of reasons which can be found here (although most of them only apply to Server 2000), and a more recent article here, that can prevent that from happening.
Joe Taylor
Updated on September 18, 2022
Comments
-
Joe Taylor over 1 year
We have a problem with a set of computers on our domain. They are constantly losing their trust relationship with the domain. It first happened last week and 8 days later happened again. On the Server we are getting NETLOGON errors with event 5722.
The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$. The following error occurred: Access is denied.
I was wondering if there was any way to determine why this is happening? I have checked the error logs and nothing seems to happen before these errors occur. I was thinking about re-imaging the whole group of the machines. If I do re-image them all, would I be best deleting the computer objects out of AD completely and letting them create new computer objects when I re-join them to the domain? Is it best to manually join them or is there a better method? I will have to re-name the machines as it is, so will need to access them locally.
The Server is Windows Server 2008 R2 SP1, the machines are Windows 7 SP1.
Edit: In response to comments:
These machines run Windows 7, Office and Adobe Audition, that's it, so nothing odd. They are exactly the same as ten other machines in the room that we have no problem with.
The AD runs on Server 2008 R2 with a secondary domain controller running Windows Server 2008. The machines sync time with the PDC and checking this they are at the correct time.
There are no duplicate names in AD.
If I remove them and re-add them, they run fine again. That's what I did last time, then 8 days later they all dropped off again. One odd thing:
The room next door had the same problem. I removed the PCs from the domain. Deleted the computer accounts from AD. Flushed the DNS cache and removed the records of the machines from DNS. I then re-added them to the domain. They can contact the domain fine but their computer accounts do not show up in AD anywhere. Confused me something rotten.
-
GregD over 12 years: Have you tried removing and re-adding these machines to the domain? Are there any duplicate names in AD?
-
user1364702 over 12 years: You're not running anything that freezes the configuration of your clients over reboots?
-
Nixphoe over 12 years: I think the key might be that you're not removing them correctly from the domain, as you pointed out in your question. If you're not removing them from the domain and making sure they're not in ADDS any more, when you re-add the computer it will generate a different SID than the current one in ADDS, which could be your whole issue: same computer name, different SIDs.
-
GregD over 12 years: How are you imaging these machines?
-
Joe Taylor over 12 years: They are deployed by WDS.
-
ravi yarlagadda over 12 years: What's the pwdLastSet attribute on the machine accounts set to when they break?
-
Joe Taylor over 12 years: No, the PCs use the PDC for their time sync.
-
Nixphoe over 12 years: +1 Not sure why he got a downvote. I've seen all sorts of login issues due to time.
-
GregD over 12 years: He got a downvote from me because it's a question... not an answer.
-
JamesRyan over 12 years: Pfft. Don't be such a pedant. It is something to check that could lead directly to the solution.
-
APR over 12 years: Still, it should be a comment, not an answer.
-
JamesRyan over 12 years: I don't agree. It is a possible solution to his problem, therefore an answer. Maybe it would confuse you less if it was not phrased as a question, but the essential meaning would be the same.