
Computer account was deleted from AD! WHY?


fabian...@googlemail.com

Nov 22, 2006, 3:31:19 AM

Hello everyone,

I was in the middle of configuring two new laptops. Suddenly I could
no longer log on with any AD account, until I found out that the
computer account had been deleted from AD.
So I took the PC out of the domain and joined it again. That works
now, but as I heard from a colleague, the same thing happened to him
a week ago with another employee.
What can be done to keep this from happening again? I imagine the
most terrible things if this ever happens to one of our servers!

Many thanks in advance!

Regards
Fabian

"Frank Röder [MVP]"

Nov 22, 2006, 4:41:03 AM

Hello Fabian,

a computer account does not just disappear from AD that easily. Did
you perhaps restore one of the servers in your environment from an
image?

To be able to judge exactly what is going on in your environment, we
need more information.

- Relevant entries in the event log
- Post a dcdiag from a DC


--
Best regards
Frank Röder
MVP Windows Server System - Directory Services
"Ex oriente lux"

fabian...@googlemail.com

Nov 22, 2006, 4:49:41 AM

Hello Frank,

that is the strange thing! There was nothing, the computer account
simply disappeared! As mentioned before, this has already happened
once, about a week ago.
The event log only ever says that it can no longer find the domain
controller. Nothing else!

Don't you have any idea?

"Frank Röder [MVP]"

Nov 22, 2006, 5:00:17 AM

fabian...@googlemail.com wrote:
you should post a dcdiag. Unfortunately we are not clairvoyants.

fabian...@googlemail.com

Nov 22, 2006, 6:09:15 AM

we ran dcdiag on every DC and, according to my colleague, it is fine
on all of them.
If you say you want to see it anyway, I will post it as soon as my
colleague is out of the meeting.

Many, many thanks in advance!!!!

Regards
Fabian

"Frank Röder [MVP]"

Nov 22, 2006, 6:31:54 AM

fabian...@googlemail.com wrote:

yes, of course I want to see it. So what about the restore? Did you
restore a DC from a backup a while ago?

fabian...@googlemail.com

Nov 22, 2006, 6:52:12 AM

No, no restore.

DC:

C:\Documents and Settings\KaWoAdm>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: ort\DOM3
Starting test: Connectivity
......................... DOM3 passed test Connectivity

Doing primary tests

Testing server: ort\DOM3
Starting test: Replications
......................... DOM3 passed test Replications
Starting test: NCSecDesc
......................... DOM3 passed test NCSecDesc
Starting test: NetLogons
......................... DOM3 passed test NetLogons
Starting test: Advertising
......................... DOM3 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DOM3 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DOM3 passed test RidManager
Starting test: MachineAccount
......................... DOM3 passed test MachineAccount
Starting test: Services
......................... DOM3 passed test Services
Starting test: ObjectsReplicated
......................... DOM3 passed test ObjectsReplicated
Starting test: frssysvol
......................... DOM3 passed test frssysvol
Starting test: frsevent
......................... DOM3 passed test frsevent
Starting test: kccevent
......................... DOM3 passed test kccevent
Starting test: systemlog
......................... DOM3 passed test systemlog
Starting test: VerifyReferences
......................... DOM3 passed test VerifyReferences

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : firma
Starting test: CrossRefValidation
......................... firma passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... firma passed test CheckSDRefDom

Running enterprise tests on : firma.ag
Starting test: Intersite
......................... firma.ag passed test Intersite
Starting test: FsmoCheck
......................... firma.ag passed test FsmoCheck

C:\Documents and Settings\KaWoAdm>
Frank Röder [MVP] wrote:

"Frank Röder [MVP]"

Nov 22, 2006, 6:55:55 AM

fabian...@googlemail.com wrote:
> No, no restore.
>
[....] dcdiag

can you run dcdiag in verbose mode?

dcdiag /v

Nils Kaczenski [MVP]

Nov 22, 2006, 7:20:57 AM

Hi,

fabian...@googlemail.com wrote:
> we have
[...]
> according to my colleague

so you have several colleagues who administer. For me, the most
likely cause of your problem lies in (accidental) operator error. Can
you really rule out beyond doubt that the accounts were deleted
manually or by a script with too broad a scope or the like? It may be
worth a look at the security log for AD administration (or enabling
auditing, in order to track down such phenomena in the future).


Best regards, Nils
--
Nils Kaczenski - MVP Windows Server
www.faq-o-matic.net
Please reply only to the newsgroup!
PM: first name at last name .de
The new MVP book: http://www.faq-o-matic.net/content/view/253/2/
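
The security-log check suggested in the post above, as an added example that is not part of the original thread. It assumes domain controllers running Windows Server 2008 or later with success auditing for "Computer Account Management" enabled; the script name, parameters and default DC names (taken from the dcdiag output in this thread) are assumptions.

```powershell
# Added example: report who deleted which computer account, from the DCs' Security logs.
# Assumption: event ID 4743 ("A computer account was deleted"), Windows Server 2008+.
# Server 2003-era DCs logged the same action as event ID 647 instead.
param(
    # Assumed DC names (the only two named in the thread); list every DC in the domain.
    [string[]]$DomainControllers = @('DOM3', 'DOM4'),
    [int]$DaysBack = 14
)

$filter = @{
    LogName   = 'Security'
    Id        = 4743
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

$deletions = foreach ($dc in $DomainControllers) {
    try {
        # The deletion is logged only on the DC that processed it, so query each DC.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent also raises an error when no event matches the filter.
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Read the named EventData fields from the XML rather than relying on field order.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated     = $evt.TimeCreated
            LoggedOn        = $dc
            DeletedComputer = $data['TargetUserName']
            DeletedBy       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

$deletions | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the report stays empty although an account has vanished, check first that the audit policy was active on the DCs at the time and that the Security log has not already wrapped.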

fabian...@googlemail.com

Nov 22, 2006, 7:48:16 AM

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine dom3, is a DC.
* Connecting to directory service on server dom3.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: ort\DOM3
Starting test: Connectivity

* Active Directory LDAP Services Check
* Active Directory RPC Services Check


......................... DOM3 passed test Connectivity

Doing primary tests

Testing server: ort\DOM3
Starting test: Replications

* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=firma,DC=ag
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=firma,DC=ag
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=firma,DC=ag
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=entw,DC=firma,DC=ag
Latency information for 3 entries in the vector were ignored.
0 were retired Invocations. 3 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check


......................... DOM3 passed test Replications

Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DOM3.
* Security Permissions Check for
DC=DomainDnsZones,DC=firma,DC=ag
(NDNC,Version 2)
* Security Permissions Check for
DC=ForestDnsZones,DC=firma,DC=ag
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=firma,DC=ag
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=firma,DC=ag
(Configuration,Version 2)
* Security Permissions Check for
DC=firma,DC=ag
(Domain,Version 2)
* Security Permissions Check for
DC=entw,DC=firma,DC=ag
(Domain,Version 2)


......................... DOM3 passed test NCSecDesc
Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\DOM3\netlogon
Verified share \\DOM3\sysvol


......................... DOM3 passed test NetLogons
Starting test: Advertising

The DC DOM3 is advertising itself as a DC and having a DS.
The DC DOM3 is advertising as an LDAP server
The DC DOM3 is advertising as having a writeable directory
The DC DOM3 is advertising as a Key Distribution Center
The DC DOM3 is advertising as a time server
The DS DOM3 is advertising as a GC.


......................... DOM3 passed test Advertising
Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS Settings,CN=DOM4,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag
Role Domain Owner = CN=NTDS Settings,CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag
Role PDC Owner = CN=NTDS Settings,CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag
Role Rid Owner = CN=NTDS Settings,CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOM4,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag


......................... DOM3 passed test KnowsOfRoleHolders
Starting test: RidManager

* Available RID Pool for the Domain is 5104 to 1073741823
* dom3.firma.ag is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4604 to 5103
* rIDPreviousAllocationPool is 4604 to 5103
* rIDNextRID: 4696


......................... DOM3 passed test RidManager
Starting test: MachineAccount

Checking machine account for DC DOM3 on DC DOM3.
* SPN found :LDAP/dom3.firma.ag/firma.ag
* SPN found :LDAP/dom3.firma.ag
* SPN found :LDAP/DOM3
* SPN found :LDAP/dom3.firma.ag/firma
* SPN found :LDAP/8bb26091-a9fa-4ffc-89ac-87eacdc17cab._msdcs.firma.ag
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8bb26091-a9fa-4ffc-89ac-87eacdc17cab/firma.ag
* SPN found :HOST/dom3.firma.ag/firma.ag
* SPN found :HOST/dom3.firma.ag
* SPN found :HOST/DOM3
* SPN found :HOST/dom3.firma.ag/firma
* SPN found :GC/dom3.firma.ag/firma.ag


......................... DOM3 passed test MachineAccount
Starting test: Services

* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON


......................... DOM3 passed test Services

Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DOM3 is in domain DC=firma,DC=ag
Checking for CN=DOM3,OU=Domain Controllers,DC=firma,DC=ag in domain DC=firma,DC=ag on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag in domain CN=Configuration,DC=firma,DC=ag on 1 servers
Object is up-to-date on all servers.


......................... DOM3 passed test ObjectsReplicated
Starting test: frssysvol

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready


......................... DOM3 passed test frssysvol
Starting test: frsevent

* The File Replication Service Event log test


......................... DOM3 passed test frsevent
Starting test: kccevent

* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.


......................... DOM3 passed test kccevent
Starting test: systemlog

* The System Event log test
Found no errors in System Event log in the last 60 minutes.


......................... DOM3 passed test systemlog

Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DOM3,OU=Domain Controllers,DC=firma,DC=ag and backlink on
CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=intercard,DC=ag
are correct.
The system object reference (frsComputerReferenceBL)
CN=DOM3,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=firma,DC=ag
and backlink on CN=DOM3,OU=Domain Controllers,DC=firma,DC=ag
are correct.
The system object reference (serverReferenceBL)
CN=DOM3,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=firma,DC=ag
and backlink on
CN=NTDS Settings,CN=DOM3,CN=Servers,CN=ort,CN=Sites,CN=Configuration,DC=firma,DC=ag
are correct.


......................... DOM3 passed test VerifyReferences

Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Skipping site ort, this site is outside the scope provided by the command line arguments provided.
Skipping site Heimstetten, this site is outside the scope provided by the command line arguments provided.


......................... firma.ag passed test Intersite
Starting test: FsmoCheck

GC Name: \\dom3.firma.ag
Locator Flags: 0xe00003fd
PDC Name: \\dom3.firma.ag
Locator Flags: 0xe00003fd
Time Server Name: \\dom3.firma.ag
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\dom3.firma.ag
Locator Flags: 0xe00003fd
KDC Name: \\dom3.firma.ag
Locator Flags: 0xe00003fd


......................... firma.ag passed test FsmoCheck

Test omitted by user request: DNS
Test omitted by user request: DNS

fabian...@googlemail.com

Nov 22, 2006, 7:55:40 AM

> so you have several colleagues who administer. The
> [...]
> Best regards, Nils


Hello Nils,

no, we can rule out 100% that one of us deleted the account. That
was our first suspicion too!

Thanks anyway!

Yusuf Dikmenoglu [MVP]

Nov 22, 2006, 8:50:01 AM

"fabian...@googlemail.com" wrote:
> no, we can rule out 100% that one of us deleted the account.

I know of similar behavior when the clients have been cloned/imaged.
Is that perhaps the case with this client as well?

--
Regards from Rhein-Main/Germany
Yusuf Dikmenoglu - MVP Windows Server
Blog: http://blog.dikmenoglu.de
http://www.faq-o-matic.net
