Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5513 Source: NETLOGON

Source
Level
Description
The computer name <name> connected to server \\<server name> using the trust relationship to the <domain name> domain. However, the computer doesn't properly know the security identifier (SID) for the domain. Reestablish the trust relationship.
Comments
 
In one case, this Event ID appeared on a Windows 2003 SP1 domain controller each time a Windows XP SP2 computer was started. This computer could ping the domain controller but not vice versa. When the Windows XP Firewall was disabled and the computer was removed and re-joined to the domain, this Event ID stopped.
In my case, I found an errant trust on an AD controller to its own domain. I deleted it in Sites and Services and all was well.
From a newsgroup post: "If you have a new system to setup as a domain and you want to keep the same domain name, keep in mind that although the domain name is same, the domain's SID is different. In general, we can perform In-Place Upgrade. For example, if your source domain is a WinNT domain, you can upgrade the PDC to a Windows 2003 domain. Here are the steps:
1. Perform a full backup for the existing Windows NT PDC.
2. Install Windows NT 4.0 BDC on the new server and apply the latest Service Pack.
3. In Server Manager, promote the BDC to PDC.
4. In-place upgrade the new server to Windows Server 2003.
References: ME326209, “Windows NT Server 4.0 Upgrade Guide”, and “Upgrading from Windows NT Server 4.0”."

See the link to "EventID 5513 from source Alerter" for additional information on this event.
To solve this issue, I had to remove the computer account from AD, then change the Win2k workstation to a random workgroup, restart the workstation and then rejoin the domain.
Probably, ME248132 article will be useful in some cases.


These error messages indicate the Windows NT workstation or server computer account information does not match that held by the authenticating domain controller. For resolution see the link below.
We found that in some cases the error occurs on a BDC (so it is not possible to remove it from the domain and rejoin.). In this case the BDC will have to be reinstalled. See ME128489 and ME150963 for more details.
By reinstalling the system and changing the domain name you have reset the SID for the domain and the computer account for the workstation. You have a few choices:
1) Remove the workstation from the domain - reboot - join the domain.
2) If the machine shows up in Active Directory Users and Computers under the Computers container - right click and select reset account. Reboot the workstation.
3) Use the NETDOM command to reset the computer account from the command line.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...