NETLOGON errors, computers don't exist

Hello,

Active Directory in 2008 R2. VMware View is also on site with VDIs for thin clients.

I'm getting the following 3 errors respectively:

Log Name:      System
Source:        NETLOGON
Date:          12/20/2012 5:32:10 PM
Event ID:      5807
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      computer.domain.local
Description:
During the past 4.12 hours there have been 3 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

Log Name:      System
Source:        NETLOGON
Date:          12/20/2012 5:39:06 PM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain.local
Description:
The session setup from computer 'VDI-4' failed because the security database does not contain a trust account 'VDI-4$' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'VDI-4$' is a legitimate machine account for the computer 'VDI-4' then 'VDI-4' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'VDI-4$' is a legitimate machine account for the computer 'VDI-4', then 'VDI-4' should be rejoined to the domain.  

If 'VDI-4$' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'VDI-4$' is not a legitimate account, the following action should be taken on 'VDI-4':  

If 'VDI-4' is a Domain Controller, then the trust associated with 'VDI-4$' should be deleted.  

If 'VDI-4' is not a Domain Controller, it should be disjoined from the domain.


Log Name:      System
Source:        NETLOGON
Date:          12/20/2012 8:46:03 PM
Event ID:      5805
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain.local
Description:
The session setup from the computer VDI-4 failed to authenticate. The following error occurred:
Access is denied.


The problem is that these computers do not exist in Active Directory. I removed them from DNS, and they came back. What am I missing?
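
The 5807 event text in the question says the affected clients are recorded on lines containing 'NO_CLIENT_SITE:', with the client name as the first word after the marker and the IP address as the second. The PowerShell below is an added example, not code from the thread; the sample log lines are constructed and their timestamp/prefix layout is an assumption.

```powershell
# Added example. Sample lines are constructed; on a real DC, read the file the
# event names instead:
#   $lines = Get-Content "$env:SystemRoot\debug\netlogon.log"
$lines = @(
    '12/20 13:25:02 [MISC] DOMAIN: NO_CLIENT_SITE: VDI-4 10.20.30.14',
    '12/20 14:02:41 [MISC] DOMAIN: NO_CLIENT_SITE: VDI-7 10.20.30.17',
    '12/20 14:02:44 [LOGON] DOMAIN: unrelated debugging line',
    '12/20 17:31:58 [MISC] DOMAIN: NO_CLIENT_SITE: VDI-4 10.20.30.14',
    '12/20 17:40:12 [MISC] DOMAIN: NO_CLIENT_SITE: VDI-9 not-an-ip'
)

function Get-NoClientSite {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Event 5807: first word after the marker is the client name,
        # second word is the client IP address.
        if ($l -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            $client = $Matches[1]
            $ipText = $Matches[2]
            $ip = $null
            # Skip truncated or malformed entries rather than reporting them.
            if ([System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) {
                [pscustomobject]@{ Client = $client; IP = $ip.ToString() }
            }
        }
    }
}

$hits = Get-NoClientSite -Line $lines

# How often each client/IP pair reached the DC without a site mapping.
$hits | Group-Object Client, IP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Distinct client names: the hosts to locate and to check for a machine
# account (in this thread, VDI desktops still running under View).
$hits | Select-Object -ExpandProperty Client -Unique
```

The IP column also tells you which subnet objects are missing from Sites and Services, and where on the network a machine with no AD account is still running.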
 
Darius Ghassem commented:
What is the system?

VDI-4

The system is somewhere.

Kent Dyer (IT Security Analyst Senior) commented:
Check your DNS records for tombstones and/or GUIDs that don't make sense.  Any that appear odd or out of the ordinary, you will need to either remove or update.

You may also have to force replication before the groveler comes and gets out-of-date information for your DCs.

HTH,

Kent

Metaltree (Author) commented:
Kent,

I created a text file in the netlogon share and I noticed it wasn't showing up on the other DCs. I'm currently doing a D2 BurFlag to see if the non-authoritative restore possibly ends all my problems. Sound like a good plan?

Darius Ghassem commented:
Good start. Here are the steps.

Run through the burflag method to get the replication to start again. Choose the one DC that is not having issues, which is usually your DC that holds the PDC emulator role.

Stop the NTFRS service on both DCs.
Make one of the DCs the authoritative server by modifying a registry setting: navigate to registry HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and set the Burflags value to D4. This should be done on the server which has the updated information available or the correct data.

Go to the other DCs and make them non-authoritative by navigating to the same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and setting the Burflags value to D2.

Restart the NTFRS services.

Metaltree (Author) commented:
I did the D2 burflag on the problem DC. The other DCs (DC1 and DC3) are fine and replicating with each other fine. However, DC2 is not, but nothing in Event Viewer says it's not working.

Is it necessary to do an authoritative restore on one of the other DCs if they are working properly?

gaurav2rawat commented:
Run net share netlogon to check if it's fine on the problematic DC, and also try repadmin /showreps; it'll show if there are any issues with the replication.

Darius Ghassem commented:
You need to get the SYSVOL replicated, so follow the steps I posted. This will replicate the data from a working DC to the DC that is not working.

Metaltree (Author) commented:
I have verified replication is working on all DCs. I'm still getting these phantom NETLOGON errors.

What next?

gaurav2rawat commented:
Do you have any FRS errors logged on the DC in question, and is your netlogon folder shared there?

Metaltree (Author) commented:
No errors, and sysvol is replicated properly across all DCs.

It's weird because:
1. I have confirmed these devices do NOT exist in AD.
2. I manually removed all entries of phantom devices in DNS, I've confirmed on all 3 servers they do not exist, BUT...
3. Even after a dns flush, I'm still able to resolve these host names when I try to ping them, obviously I get no response to the ping.
4. Replication is working.

gaurav2rawat commented:
Try running dcdiag /test:dns and look for any errors reported, and please give more details about computer.domain.local.

gaurav2rawat commented:
Are these phantom machines listed under Active Directory Users and Computers?
If yes, then remove them from there.

Metaltree (Author) commented:
@darisug and @gaurav2rawat

They are nonexistent in any of our systems, including Active Directory. My guess is someone had created a virtual desktop at one point but it's long gone.

Metaltree (Author) commented:
@gaurav2rawat - Here are the test DNS results; not sure how relevant the error is? I don't even know what server2 is. It's not even in AD, and I think it was shut down a long time ago.

C:>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SERVER
      Starting test: Connectivity
         ......................... SERVER passed test Connectivity

Doing primary tests

   Testing server: SERVER

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... SERVER passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : domain

   Running enterprise tests on : domain.local
      Starting test: DNS
         Test results for domain controllers:

            DC: SERVER.domain.local
            Domain: domain.local


               TEST: Delegations (Del)
                  Error: DNS server: server2.domain.local.
                  IP:<Unavailable> [Missing glue A record]

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.9.0.107
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 198.32.64.12
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: domain.local
               SERVER                      PASS PASS PASS FAIL PASS PASS n/a

         ......................... domain.local failed test DNS

gaurav2rawat commented:
You have a DNS issue there. Try stopping and restarting netlogon.
Try ipconfig /flushdns and ipconfig /registerdns.
Make sure the correct DNS entries are present in the TCP/IP properties.
Also try running netdiag /fix.

Metaltree (Author) commented:
I noticed under the DNS role on SERVER that:

domain.local->_msdcs

Had an old decommissioned server as the glue A record, so I updated it. And it passed.

gaurav2rawat commented:
Cool. Are you still getting those netlogon errors after getting rid of the DNS issue?

Metaltree (Author) commented:
Yes, still getting the NETLOGON errors.

gaurav2rawat commented:

Metaltree (Author) commented:
Unfortunately, I don't have anything to do from a PC/laptop side, so this doesn't apply. I'm going to look at our View admin and see if I can see something.

Metaltree (Author) commented:
Long story short, I had to go into vSphere and under our View server, hop on the console of these random VDI machines and disjoin/rejoin to the domain.

Question has a verified solution.