This happens very seldom but lately a computer lost the trust relationship with our domain so I wanted to reset the computer credentials. Looking at my main DC (Server 2008 R2) I wasn't able to find that computer anymore.

I am pretty sure that DNS/DHCP have nothing to do with this; I googled many forums that suggested this, and I already checked this problem.

My guess would be that this happened because the computer was moved shortly after being added to the domain. In my case this means that it was added to the domain on a child-domain controller of ours and moved to the network with our main-domain controller. I can't be sure though.

Is there any way to find out what exactly happened?

Our forest:
Main-DC,
3 Children-DCs that replicate with the main-DC

Already tried DCDIAG, checked logs and replication, and was not able to find any errors.

Sysprep can't be the problem either, we run sysprep with generalize.

Every idea is much appreciated!

Blufftl
  • What is a "sub-domain controller"? There is no such thing... Did you mean a child domain in a domain tree? Maybe you can elaborate more on your domain setup and/or add a screenshot of how your forest is built up. Also: did you verify that the DCs are replicating correctly? Did you check the Event Logs of the clients? – duenni Apr 18 '17 at 08:43
  • @duenni thank you for your reply. Sorry about the sub-domain controller, English is not my native language. Our domain setup consists of one main-DC and 3 children-DCs. I already checked the logs, DCDIAG and replication - sadly no information was given about this issue. I still haven't had the chance to check the client itself, my last hope of finding the problem. – Blufftl Apr 18 '17 at 09:34
  • https://serverfault.com/q/774583/78437 – duenni Apr 18 '17 at 09:51
  • @duenni thank you duenni, the problem here explains why the trust relationship is lost. My problem isn't just that, but furthermore that when looking for these computers in my AD to reset them I am not able to find them anymore - they are inexplicably removed from my AD on my DC. – Blufftl Apr 18 '17 at 09:54
  • You need to enable auditing for Directory Services. – Greg Askew Apr 18 '17 at 10:22
  • @GregAskew What exactly do you mean? The auditing for computer accounts in the GPO for DCs? – Blufftl Apr 18 '17 at 11:54
  • https://serverfault.com/a/386775/20701 – Greg Askew Apr 18 '17 at 12:09
  • @GregAskew great stuff Greg, thank you very much! I activated auditing Success and Failure for "Advanced Audit Policy Configuration" --> "Audit Policies" --> "Account Management" --> "Audit Computer Account Management". This should inform me in the future as to why the computer account got deleted or lost, right? – Blufftl Apr 18 '17 at 14:43
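
Added example, not part of the original thread: with "Audit Computer Account Management" enabled as described in the last comment, a computer account deletion is recorded as Security event 4743 ("A computer account was deleted"), and the sketch below collects those events from each DC and shows who deleted which account. The DC names and the 30-day window are placeholders chosen for illustration.

```powershell
# Added example. DC names are placeholders; replace them with your own DCs.
$DomainControllers = @('dc-main.example.test', 'dc-child1.example.test')
$Since = (Get-Date).AddDays(-30)   # assumed look-back window

# Confirm the subcategory is in effect on the local DC (run elevated).
# The subcategory name is as shown on an English-language system.
auditpol /get /subcategory:"Computer Account Management"

$results = foreach ($dc in $DomainControllers) {
    # 4743 = "A computer account was deleted"
    $filter = @{ LogName = 'Security'; Id = 4743; StartTime = $Since }

    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            # Read the named EventData fields instead of parsing the message text.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                TimeCreated    = $e.TimeCreated
                LoggedOnDC     = $e.MachineName
                DeletedAccount = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                DeletedBy      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId        = $data['SubjectLogonId']
            }
        }
}

# Oldest first, with a fixed column order.
$results | Sort-Object TimeCreated |
    Select-Object TimeCreated, LoggedOnDC, DeletedAccount, DeletedBy, LogonId |
    Format-Table -AutoSize
```

The event is written only on the DC that performed the deletion, so every DC has to be queried, and nothing is recorded for deletions that happened before auditing was enabled.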

0 Answers