The computer name <name> connected to server \\<server name> using the trust relationship to the <domain name> domain. However, the computer doesn't properly know the security identifier (SID) for the domain. Reestablish the trust relationship.
Concepts to understand:
What is a SID?
What is the role of the Netlogon share?
In one case, this Event ID appeared on a Windows 2003 SP1 domain controller each time a Windows XP SP2 computer was started. This computer could ping the domain controller but not vice versa. When the Windows XP Firewall was disabled and the computer was removed and re-joined to the domain, this Event ID stopped.
In my case, I found an errant trust on an AD controller to its own domain. I deleted it in Sites and Services and all was well.
From a newsgroup post: "If you have a new system to set up as a domain and you want to keep the same domain name, keep in mind that although the domain name is the same, the domain's SID is different. In general, we can perform an In-Place Upgrade. For example, if your source domain is a WinNT domain, you can upgrade the PDC to a Windows 2003 domain. Here are the steps:
1. Perform a full backup for the existing Windows NT PDC.
2. Install Windows NT 4.0 BDC on the new server and apply the latest Service Pack.
3. In Server Manager, promote the BDC to PDC.
4. In-place upgrade the new server to Windows Server 2003.
References: ME326209, “Windows NT Server 4.0 Upgrade Guide”, and “Upgrading from Windows NT Server 4.0”."
See the link to "EventID 5513 from source Alerter" for additional information on this event.
To solve this issue, I had to remove the computer account from AD, then change the Win2k workstation to a random workgroup, restart the workstation and then rejoin the domain.
The ME248132 article will probably be useful in some cases.
These error messages indicate the Windows NT workstation or server computer account information does not match that held by the authenticating domain controller. For resolution see the link below.
We found that in some cases the error occurs on a BDC (so it is not possible to remove it from the domain and rejoin). In this case the BDC will have to be reinstalled. See ME128489 and ME150963 for more details.
By reinstalling the system and changing the domain name you have reset the SID for the domain and the computer account for the workstation. You have a few choices:
1) Remove the workstation from the domain - reboot - join the domain.
2) If the machine shows up in Active Directory Users and Computers under the Computers container - right click and select reset account. Reboot the workstation.
3) Use the NETDOM command to reset the computer account from the command line.
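A triage helper for the choices above, added here as an example and not taken from the original comments: on a domain controller it lists which computers are logging NETLOGON event 5513, and on an affected member it checks the secure channel before you pick one of the three options. The function names are hypothetical, Windows PowerShell 5.1 is assumed, and reading the computer name from the first insertion string is an assumption based on the order of the message text.

```powershell
# Added example (not from the original page). Run in an elevated
# Windows PowerShell 5.1 session. Function names are hypothetical.

# On a domain controller: summarize which computers trigger NETLOGON event 5513.
function Get-Netlogon5513Summary {
    param([int]$MaxEvents = 200)

    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5513 }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        # Assumption: insertion strings follow the message order (computer, server, domain).
        Group-Object { [string]$_.Properties[0].Value } |
        ForEach-Object {
            $range = $_.Group | Measure-Object -Property TimeCreated -Minimum -Maximum
            [pscustomobject]@{
                Computer  = $_.Name
                Count     = $_.Count
                FirstSeen = $range.Minimum
                LastSeen  = $range.Maximum
            }
        } |
        Sort-Object -Property Count -Descending
}

# On the affected member: report whether the secure channel to the domain verifies.
function Test-MemberTrust {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        # A workgroup machine has no trust relationship to test.
        return [pscustomobject]@{ Computer = $cs.Name; Domain = $null; SecureChannelOk = $false }
    }

    $ok = $false
    try { $ok = Test-ComputerSecureChannel -ErrorAction Stop } catch { $ok = $false }
    [pscustomobject]@{ Computer = $cs.Name; Domain = $cs.Domain; SecureChannelOk = [bool]$ok }
}

# Usage: run the first function on the DC, the second on each computer it lists.
Get-Netlogon5513Summary | Format-Table -AutoSize
Test-MemberTrust
```

A computer that appears repeatedly in the summary and reports `SecureChannelOk = False` is a candidate for one of the three resets listed above.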
Links: ME128489, ME150963, ME248132, ME326209, Windows NT Server 4.0 Upgrade Guide, Upgrading from Windows NT Server 4.0, EventID 5513 from source Alerter