Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5516 Source: Netlogon

Source
Level
Description
The computer or domain <domain1> trusts domain <domain2>. (This may be an indirect trust.) However, <domain1> and <domain2> have the same machine security identifier (SID). NT should be re-installed on either <domain1> or <domain2>.
Comments
 
This event can occur when your computer system's backup domain controller cannot be promoted to a primary domain controller, because a trust relationship is configured from the backup domain controller to the domain to which the backup domain controller is a member. See ME263636 to solve this problem.

See "JSI Tip 2956" for additional information about this event.
For computers on which a critical system is to be installed, only use SYSPREP (The only exception to this could be when there is a problem with using SYSPREP and the computer is part of a test system. In this case a 3rd-party utility could be used). There is a separate version for Windows 2000/2003/XP (and possibly for different service packs). Other methods of changing the SID are not supported by Microsoft, so if you use them and you ever need Microsoft support for the computer they may refuse to help. See ME162001 and ME298491 for information on the System Preparation Tool (SYSPREP).

In one case, I added a Windows 2003 SP1 computer to the domain and after restarting it this Event ID appeared, and when I tried to logon with a domain account, I got the following message:

Logon message

The system cannot log you on due to the following error:

The name or Security ID (SID) of the domain specified is inconsistent with the trust information for that domain.

Please try again or contact your system administrator.

Therefore, in some cases this is not just a security issue that can be ignored. This issue was fixed by restoring from an earlier image and running SYSPREP.
In the case where the logged error references a domain and a computer you do not have to re-install NT as it suggests in the event system log. This happened on a Windows 2000 Advanced Server and I fixed it by removing the computer from the domain, then I used Ghost Walker to change the SID. This resolved the issue.
This event also occurs for example if you are using Virtual PC with the same image. After the failure of joining a Domain with the same SID you can also use "NewSID" from Sysinternals.com, a free utility which changes the SID to a new one.
Simply run sysprep from "<Install CD>\Support Tools\deploy.cab”. This action resets the SID. After you restart the system, you must insert the information for regular install (regional settings, CD key, etc.).


If one of the domains mentioned is the local machine and the second is the NT domain, you will have to reinstall the OS on the local machine. This really rare event occurs when you try to bring up a machine using disk-cloning utilities (for example, Ghost), or, if you try to run dcpromo to promote a Win2000 machine to domain controller for a new domain when this domain already exists in the network.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...