  1. #1

    Join Date
    Aug 2007
    Posts
    804
    Thank Post
    95
    Thanked 60 Times in 45 Posts
    Rep Power
    25

    Computer Accounts DELETED from Active Directory !!

    Hi,
    Over the last couple of months we have had a few computer accounts deleted from AD. I at first thought this may have been a mistake by one of the team etc. I simply took the workstations off the domain and back on and problem solved.

    BUT recently we have had this happen again. Today we had 6 machines disappear from AD. I have checked and they were actually deleted as they are in the CN=Deleted Objects container.

    Not too long ago we added 2 additional 2012 DCs (DC3&DC4) to our current 2 x 2003R2 DCs....
    When I was happy with the FSMO roles and replication etc. I then dcpromo'ed and demoted one of the 2003 DCs (other still to do).

    I have checked replication with dcdiag /V and all is fine on all three servers. I was wondering if anyone else had seen anything like this before? I get Events "The session setup from computer 'LC1-18' failed because the security database does not contain a trust account 'LC1-18$' referenced by the specified computer."


    One other possibility is last week we took out several machines from the store to replace identical faulty machines. I simply swapped the working HDD and put it into the old machines. I was careful not to power up the machine with the old HDD in as I know (from experience!) that this then causes the account to be disabled... (but not deleted)

    As a third suggestion, when I set up the new 2012 DCs I also redid the DNS scavenging.... possibly related?

    Has anyone seen anything like this before? Any suggestions in case this gets any worse?

    Thanks in advance!

  2. #2

    Join Date
    Oct 2008
    Location
    Leeds
    Posts
    215
    Thank Post
    21
    Thanked 17 Times in 17 Posts
    Rep Power
    14
    A couple of ideas:

    There is an ADS Clean-up wizard somewhere in Windows that when run will delete any computer objects that have not been used for 90 days. Maybe there is a way to automate this process and this is what is causing it?

    Under the bonnet, all computer objects (like user objects) have a password and this is automatically changed for each PC by the DC every 30 days (but only when the PC is turned on). If any computer is left turned off for extended periods, the computer object never gets modified and the wizard I mentioned would use the modified date to determine that the computer has not been used and therefore probably doesn't exist.

    This of course would only be an issue if the computer has not been used for ages.

    Another avenue of investigation would be to examine the modified date of the objects in the Deleted Objects Container(*). It might not be particularly useful in the above scenario, but it might give you the precise date/time when the objects were deleted.

    Another avenue would be to enable auditing of computer object modification events on the DCs (in local security policy settings), so you can get some info on precisely when they were deleted and by what user/security principal, and maybe a reason.

    One final avenue would be to check the GUID of your computer objects to ensure they all have unique GUID numbers. I imagine that having computer objects with duplicate GUIDs could cause all sorts of weird behaviour.

    (*) When was the Deleted Objects container introduced into ADS? I have not seen it before. I am aware of the Object Recycle Bin, but I was under the impression this was for domains running at 2008 R2 Functional Level only.

    Thanks,

    Bruce.

  3. Thanks to Bruce123 from:

    burgemaster (8th May 2013)

  4. #3

    Join Date
    Aug 2007
    Posts
    804
    Thank Post
    95
    Thanked 60 Times in 45 Posts
    Rep Power
    25
    Thanks for the reply..

    The Reception computer disappeared from the domain at around 10am. I used the following command to view the details.

    repadmin /showmeta "CN=RECEPTION\0ADEL:30a71625-ad56-4910-aaa1-c50cceb294ca,CN=Deleted Objects,DC=Wolverley,DC=local" dc4
    and got among other results...

    Default-First-Site-Name\DC2 53209194 2013-05-07 09:27:08 1 isDeleted
    So it would appear that DC2 deleted the account at 9:27am....

    I'm leaning towards the multiple-GUID accounts now, which would have occurred when bringing back the old hardware and swapping HDDs over....

    I think I am going to rejoin these 6 and keep an eye on it.

    Thanks again

  5. #4

    Join Date
    Oct 2008
    Location
    Leeds
    Posts
    215
    Thank Post
    21
    Thanked 17 Times in 17 Posts
    Rep Power
    14
    I did wonder about the effect of bringing the old PCs back onto the network, but as you simply moved the HDD from the broken PC into the newly commissioned old hardware, I would have expected the GUID of the computers to remain the same....

    Computer GUIDs are supposed to be randomly generated, but I noticed that when deploying WinXP PCs it was simply picking up the MAC address of the NIC and using that as the GUID (prefixing it with zeros). So one way you can end up with computer objects with duplicate GUIDs is if they were joined to the network with the same network card (or cards with the same MAC address).

    One issue to watch out for when removing and re-joining PCs from the domain: if there are objects with duplicate GUIDs then I am guessing that when you remove the PC from the domain, all of the computer objects with the same GUID would be deleted too..

    Thanks,

    Bruce.
    Last edited by Bruce123; 8th May 2013 at 11:13 AM.

  6. Thanks to Bruce123 from:

    burgemaster (8th May 2013)

  7. #5

    Join Date
    Oct 2008
    Location
    Leeds
    Posts
    215
    Thank Post
    21
    Thanked 17 Times in 17 Posts
    Rep Power
    14
    I could be barking up the wrong tree with the duplicate GUIDs, it's just an idea...

    Also, the Security Event log on DC2 may give more details about the deletion of the computer object event (but only if the appropriate local security policy setting is enabled).

    Thanks,

    Bruce.

  8. #6

    Join Date
    Oct 2008
    Location
    Leeds
    Posts
    215
    Thank Post
    21
    Thanked 17 Times in 17 Posts
    Rep Power
    14
    Just to add one last thing to this thread... (Columbo....)

    I have seen this happen before, and it's one of the strangest things, and I never did manage to track it down. I even wondered if a 'hacker' had managed to gain the rights to delete computer objects and was randomly deleting the odd object. Though in our case the number of occurrences was few and far between..

  9. #7

    Join Date
    Aug 2007
    Posts
    804
    Thank Post
    95
    Thanked 60 Times in 45 Posts
    Rep Power
    25
    I think i have found the culprit!!
    When we join a machine to the domain it knocks a computer account off the domain!

    Code:
    There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=TESTXPMACHNIE,CN=Computers,DC=XXXXX,DC=local. 
    All duplicate  accounts have been deleted. Check the event log for additional duplicates.
    
    There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=S15-03,OU=Student_Machines,OU=PCs_School_Rooms_S15,OU=PCs_School_Rooms,OU=PCs_SCHOOL,OU=PCs,DC=XXXXXX,DC=local. 
    All duplicate  accounts have been deleted. Check the event log for additional duplicates.
    Now that I have found the reason why, now to find the cause!!
    At least I know my AD structure isn't crumbling for no reason
    Last edited by burgemaster; 13th May 2013 at 11:16 AM.

  10. #8

    Join Date
    Oct 2008
    Location
    Leeds
    Posts
    215
    Thank Post
    21
    Thanked 17 Times in 17 Posts
    Rep Power
    14
    Interesting...

    It was caused by Duplicate SIDs rather than duplicate GUIDs.

    It could have been caused by the way the Windows image was sysprep'ed before uploading to the WDS server.

    There is a tick box on the sysprep window, "Don't regenerate security identifiers". I wonder if this was ticked by accident?

    Anyway, good luck with it, you're half way there now you have identified the cause.

    Thanks,

    Bruce.

  11. #9

    Join Date
    Aug 2007
    Posts
    804
    Thank Post
    95
    Thanked 60 Times in 45 Posts
    Rep Power
    25
    I've not tested this but I'm pretty sure it's sorted. If anyone else has anything like this, here is what I did:

    First I narrowed it down to the RID: DC2 was giving out old SIDs of computer accounts, so I read up on RID allocation.
    I found the following command that will give RID information of each DC. I ran it on each DC and got the following:

    Code:
    dcdiag /v /test:ridmanager
    Results were:

    DC2:
    Code:
    Starting test: RidManager
       * Available RID Pool for the Domain is 16603 to 1073741823
       * DC4.Wolverley.local is the RID Master
       * DsBind with RID Master was successful
       * rIDAllocationPool is 15103 to 15602
       * rIDPreviousAllocationPool is 13603 to 14102
       * rIDNextRID: 13641
    DC3
    Code:
    Starting test: RidManager
        * Available RID Pool for the Domain is 16603 to 1073741823
        * DC4.Wolverley.local is the RID Master
        * DsBind with RID Master was successful
        * rIDAllocationPool is 15603 to 16102
        * rIDPreviousAllocationPool is 15603 to 16102
        * rIDNextRID: 15639
    DC4
    Code:
    Starting test: RidManager
        * Available RID Pool for the Domain is 16603 to 1073741823
        * DC4.Wolverley.local is the RID Master
        * DsBind with RID Master was successful
        * rIDAllocationPool is 16103 to 16602
        * rIDPreviousAllocationPool is 16103 to 16602
        * rIDNextRID: 16122
    As you can see, on DC2 the next available RID for allocation is 13641 (scroll the code box down to see the rIDNextRID). This isn't located in the allocation pool that the DC has been given (15103 to 15602). So, I simply demoted it and then dcpromo'ed again..

    Now if i run the command again:

    Code:
    Starting test: RidManager
       * Available RID Pool for the Domain is 17103 to 1073741823
       * DC4.Wolverley.local is the RID Master
       * DsBind with RID Master was successful
       * rIDAllocationPool is 16603 to 17102
       * rIDPreviousAllocationPool is 16603 to 17102
    I've rejoined a few machines back to the domain that got removed and no system event errors as of yet, fingers crossed.
    We will see in the morning!
    Last edited by burgemaster; 13th May 2013 at 08:31 PM.
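As an added example (not code from this thread or from Microsoft), here is a small Python script that automates the comparison the poster above did by eye across the three dcdiag outputs: it parses each DC's "dcdiag /v /test:ridmanager" excerpt, applies the poster's check (is rIDNextRID inside that DC's rIDAllocationPool?), and adds two further checks a defender would want when chasing duplicate SIDs: that no two DCs hold overlapping RID ranges, and that a DC's rIDNextRID never goes backwards between two samples (which is what a DC restored from an old snapshot or backup looks like). The sample input is constructed from the numbers posted in this thread; the DC names, function names and the regression heuristic are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three "dcdiag /v /test:ridmanager" excerpts
# quoted in this thread (DC names and numbers as posted), keyed by DC name.
SAMPLE_OUTPUT = {
    "DC2": """Starting test: RidManager
   * Available RID Pool for the Domain is 16603 to 1073741823
   * DC4.Wolverley.local is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 15103 to 15602
   * rIDPreviousAllocationPool is 13603 to 14102
   * rIDNextRID: 13641
""",
    "DC3": """Starting test: RidManager
    * Available RID Pool for the Domain is 16603 to 1073741823
    * DC4.Wolverley.local is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 15603 to 16102
    * rIDPreviousAllocationPool is 15603 to 16102
    * rIDNextRID: 15639
""",
    "DC4": """Starting test: RidManager
    * Available RID Pool for the Domain is 16603 to 1073741823
    * DC4.Wolverley.local is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 16103 to 16602
    * rIDPreviousAllocationPool is 16103 to 16602
    * rIDNextRID: 16122
""",
}

Pool = Tuple[int, int]


@dataclass
class RidState:
    dc: str
    allocation_pool: Pool           # rIDAllocationPool
    previous_pool: Optional[Pool]   # rIDPreviousAllocationPool, if printed
    next_rid: Optional[int]         # rIDNextRID; absent on a DC that has issued nothing yet


POOL_RE = re.compile(r"\*\s*(rIDAllocationPool|rIDPreviousAllocationPool) is (\d+) to (\d+)")
NEXT_RE = re.compile(r"\*\s*rIDNextRID:\s*(\d+)")


def parse_ridmanager(dc: str, text: str) -> RidState:
    """Pull the RID attributes out of one DC's RidManager test output."""
    pools: Dict[str, Pool] = {}
    next_rid: Optional[int] = None
    for line in text.splitlines():
        m = POOL_RE.search(line)
        if m:
            pools[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = NEXT_RE.search(line)
        if m:
            next_rid = int(m.group(1))
    if "rIDAllocationPool" not in pools:
        raise ValueError(f"{dc}: no rIDAllocationPool line in output")
    return RidState(dc, pools["rIDAllocationPool"], pools.get("rIDPreviousAllocationPool"), next_rid)


def in_pool(rid: int, pool: Pool) -> bool:
    return pool[0] <= rid <= pool[1]


def check_next_rid(state: RidState) -> List[str]:
    """The check used in the thread: is rIDNextRID inside the DC's rIDAllocationPool?"""
    if state.next_rid is None:
        return []  # freshly promoted DC, nothing issued yet (as in the post-repromotion output)
    if in_pool(state.next_rid, state.allocation_pool):
        return []
    lo, hi = state.allocation_pool
    where = ("its rIDPreviousAllocationPool"
             if state.previous_pool and in_pool(state.next_rid, state.previous_pool)
             else "no pool it owns")
    return [f"{state.dc}: rIDNextRID {state.next_rid} is outside rIDAllocationPool {lo}-{hi} (it lies in {where})"]


def check_overlaps(states: List[RidState]) -> List[str]:
    """Two DCs must never hold the same RID range, or they will mint the same SIDs."""
    owned = [(s.dc, p) for s in states for p in (s.allocation_pool, s.previous_pool) if p]
    findings = []
    for i in range(len(owned)):
        for j in range(i + 1, len(owned)):
            (dc_a, a), (dc_b, b) = owned[i], owned[j]
            if dc_a != dc_b and a[0] <= b[1] and b[0] <= a[1]:
                findings.append(f"{dc_a} pool {a[0]}-{a[1]} overlaps {dc_b} pool {b[0]}-{b[1]}")
    return findings


def check_regression(before: RidState, after: RidState) -> List[str]:
    """Heuristic (assumption of this example): rIDNextRID only ever increases on a healthy DC,
    so a later sample that is lower suggests the DC was rolled back and will reissue RIDs."""
    if before.next_rid is not None and after.next_rid is not None and after.next_rid < before.next_rid:
        return [f"{after.dc}: rIDNextRID went backwards from {before.next_rid} to {after.next_rid}"]
    return []


def audit(outputs: Dict[str, str]) -> List[str]:
    """Run the single-sample checks over one dcdiag excerpt per DC."""
    states = [parse_ridmanager(dc, text) for dc, text in outputs.items()]
    findings: List[str] = []
    for s in states:
        findings += check_next_rid(s)
    findings += check_overlaps(states)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

On the thread's data the script flags DC2 only, matching the poster's reading. One caveat on the first check: rIDAllocationPool holds the pool a DC will move to next, while rIDPreviousAllocationPool is the one it is currently issuing from, so rIDNextRID sitting in the previous pool is not by itself proof of a fault; the overlap check and a second sample taken later (check_regression) are what turn the hint into a finding.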

  12. #10

    Join Date
    Aug 2007
    Posts
    804
    Thank Post
    95
    Thanked 60 Times in 45 Posts
    Rep Power
    25
    1 week later, 31 new machines imaged. No problems as of yet.
    If anyone else has problems, maybe: check event logs on all DCs, find the DC with the addition errors. Check the RID allocation pool.
