Solved

Source: Netlogon Event ID 5722/5805

Posted on 2013-01-28
Last Modified: 2013-02-04
I have 3 domain controllers: 1 Windows 2008 R2 and 2 Windows 2003. On my DC1/Windows 2008, I'm getting Source: Netlogon Event ID 5722/5805 errors every day in my system logs. Any thoughts on why this would happen since I upgraded one of my DCs to Windows 2008 R2? All help is greatly appreciated. Thank you.

######################################################

Log Name:      System
Source:        NETLOGON
Date:          11/27/2012 10:26:09 AM
Event ID:      5722
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DOMAIN1.domain.local
Description:
The session setup from the computer MFP-07279807 failed to authenticate. The name(s) of the account(s) referenced in the security database is MFP-07279807$.  The following error occurred:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5722</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-27T15:26:09.000000000Z" />
    <EventRecordID>11789</EventRecordID>
    <Channel>System</Channel>
    <Computer>DOMAIN1.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MFP-07279807</Data>
    <Data>MFP-07279807$</Data>
    <Data>%%1265</Data>
    <Binary>880300C0</Binary>
  </EventData>
</Event>

###################################################


Log Name:      System
Source:        NETLOGON
Date:          11/27/2012 10:34:23 AM
Event ID:      5805
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DOMAIN1.domain.local
Description:
The session setup from the computer MFP-07273913 failed to authenticate. The following error occurred:
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5805</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-27T15:34:23.000000000Z" />
    <EventRecordID>11792</EventRecordID>
    <Channel>System</Channel>
    <Computer>DOMAIN1.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MFP-07273913</Data>
    <Data>%%5</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>
Question by:tomfontanilla
 
LVL 24

Expert Comment

by:smckeown777
ID: 38827542
What is this machine? - MFP-07273913

Looks like a Multi Function Printer? If so then it's not actually part of the domain and therefore I assume can't authenticate...

If not and it's a PC, is it actually working? Logging in etc?
0
 

Author Comment

by:tomfontanilla
ID: 38827615
What is this machine? - MFP-07273913 - This is a network printer. Yes, this printer is working. It also happens on one of my workstations. See below.

Log Name:      System
Source:        NETLOGON
Date:          1/28/2013 11:46:52 AM
Event ID:      5722
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DOMAIN1.domain.local
Description:
The session setup from the computer WBDESK12 failed to authenticate. The name(s) of the account(s) referenced in the security database is WBDESK12$.  The following error occurred:
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5722</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-01-28T16:46:52.000000000Z" />
    <EventRecordID>14464</EventRecordID>
    <Channel>System</Channel>
    <Computer>DOMAIN1.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>WBDESK12</Data>
    <Data>WBDESK12$</Data>
    <Data>%%5</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38827693
Ok, you have 3 DC's? Is replication working ok?

Can you post output from 2008 DC of

repadmin /showrepl

Here's a link to an existing solution on EE about the same issue. Basically it means the PC account isn't in sync with the DC (password sync between the PC and DC), so possibly this is a replication issue...if it's happening for all client machines...

If just your pc then a simple dis-join and re-join should get it back in sync

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24502394.html
0
 

Author Comment

by:tomfontanilla
ID: 38827762
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC3
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 1dbc4b75-a6c9-49dc-9758-20d2344f297a
DSA invocationID: 877e6e62-2039-4844-a240-34fb13729ae4

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 009ab66f-eb8c-4566-847a-155d3772061b
        Last attempt @ 2013-01-28 12:59:42 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ea42fe80-e8dd-44ce-ad9a-ba69f57efab7
        Last attempt @ 2013-01-28 13:01:22 was successful.

CN=Configuration,DC=domain,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 009ab66f-eb8c-4566-847a-155d3772061b
        Last attempt @ 2013-01-28 12:54:41 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ea42fe80-e8dd-44ce-ad9a-ba69f57efab7
        Last attempt @ 2013-01-28 12:54:41 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 009ab66f-eb8c-4566-847a-155d3772061b
        Last attempt @ 2013-01-28 12:54:41 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ea42fe80-e8dd-44ce-ad9a-ba69f57efab7
        Last attempt @ 2013-01-28 12:54:41 was successful.

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 009ab66f-eb8c-4566-847a-155d3772061b
        Last attempt @ 2013-01-28 12:54:41 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ea42fe80-e8dd-44ce-ad9a-ba69f57efab7
        Last attempt @ 2013-01-28 12:54:41 was successful.

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 009ab66f-eb8c-4566-847a-155d3772061b
        Last attempt @ 2013-01-28 12:54:41 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: ea42fe80-e8dd-44ce-ad9a-ba69f57efab7
        Last attempt @ 2013-01-28 12:54:41 was successful.
0
 

Author Comment

by:tomfontanilla
ID: 38827764
If just your pc then a simple dis-join and re-join should get it back in sync

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24502394.html.

I tried this already, and no luck.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38827865
When you dis-joined from the domain, did you delete the computer object from ADUC? Need to do that to make it work properly...

Also you've tried the netdom reset command from the original solution?

NETDOM.EXE RESET WBDESK12 /Domain:DomainName /UserO:WBDESK12\Administrator /PasswordO:*
0
 

Author Comment

by:tomfontanilla
ID: 38831199
I tried your recommendation today, and no luck. I'm still getting millions of the same error.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38831784
Sorry, what OS are your client machines here? XP? Win7?

This is happening with all machines or just a few?
0
 

Author Comment

by:tomfontanilla
ID: 38831907
Windows 7. But the issue is on more than one PC. Millions of Source: Netlogon Event ID 5722/5805 errors.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38832864
Ok, just thought of something...

You disconnected the machine from the domain - deleted the account from AD - correct?

Did you delete from all 3 DC's?

If not then that may be the cause of the issue...you need to either delete from all 3 DC's, or worst case give enough time after disconnecting from the domain for replication to process...

Can you try this again? After disconnecting the machine, delete the computer account from AD, do so on all 3 DC's...give it 5 minutes and then reconnect the machine and see if it resolves the issue...
0
 

Author Comment

by:tomfontanilla
ID: 38832876
I deleted it from my PDC; the other two DCs are just RID. By the way, I did think of that and checked each DC just in case, but there is no indication of those PC names on any of the DCs. In addition, I also forced GPUPDATE after deleting and rejoining the PC back to the domain.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38833038
Is this computer on all DC's? Not sure what you mean by 'other DC are just RID'...

All DC's should show all the same records; if you aren't seeing the computer account on all DC's then something is wrong (unless I've forgotten how Active Directory works...)

From the 2008 server run this command and post results thanks...

dcdiag /v
repadmin /replsummary
0
 

Author Comment

by:tomfontanilla
ID: 38835453
(RID) Relative Identifier.
0
 

Accepted Solution

by:
tomfontanilla earned 0 total points
ID: 38836989
Thanks for your help. I tried this and it worked.


http://support.microsoft.com/?kbid=810977
0
 

Author Closing Comment

by:tomfontanilla
ID: 38850484
Found solution on MS website.
0
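
As an added example, not code from any poster in this thread: exported Event Xml like the blocks above can be triaged offline by parsing each event and decoding the `<Binary>` field, which holds the NTSTATUS as a little-endian 32-bit value (`880300C0` is 0xC0000388, `220000C0` is 0xC0000022), then counting failures per client. The function names are assumptions, and the sample events are trimmed copies of the three events posted in this thread.

```python
import struct
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS names for the two codes that appear in this thread; extend as needed.
NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED", 0xC0000388: "STATUS_DOWNGRADE_DETECTED"}

def parse_netlogon_event(xml_text):
    """Return a dict for a NETLOGON 5722/5805 event, or None for anything else."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS)
    eid = root.findtext("e:System/e:EventID", "", NS)
    if provider is None or provider.get("Name") != "NETLOGON" or eid not in ("5722", "5805"):
        return None
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    raw = bytes.fromhex(root.findtext("e:EventData/e:Binary", "", NS))
    # <Binary> is the NTSTATUS stored little-endian, so 880300C0 reads as 0xC0000388.
    status = struct.unpack("<I", raw[:4])[0] if len(raw) >= 4 else None
    return {
        "event_id": int(eid),
        "computer": data[0] if data else None,  # first <Data> is the client name
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "status": status,
        "status_name": NTSTATUS.get(status, "unknown"),
    }

def summarize(events_xml):
    """Count failures per (client, status) to see which machines dominate the log."""
    counts = Counter()
    for xml_text in events_xml:
        ev = parse_netlogon_event(xml_text)
        if ev:
            counts[(ev["computer"], ev["status_name"])] += 1
    return counts

# Sample input: the thread's three events, trimmed to the fields the parser reads.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="NETLOGON" /><EventID Qualifiers="0">{eid}</EventID>'
    '<TimeCreated SystemTime="{ts}" /></System>'
    "<EventData>{data}<Binary>{binary}</Binary></EventData></Event>")
SAMPLE = [
    TEMPLATE.format(eid=5722, ts="2012-11-27T15:26:09.000000000Z", binary="880300C0",
                    data="<Data>MFP-07279807</Data><Data>MFP-07279807$</Data><Data>%%1265</Data>"),
    TEMPLATE.format(eid=5805, ts="2012-11-27T15:34:23.000000000Z", binary="220000C0",
                    data="<Data>MFP-07273913</Data><Data>%%5</Data>"),
    TEMPLATE.format(eid=5722, ts="2013-01-28T16:46:52.000000000Z", binary="220000C0",
                    data="<Data>WBDESK12</Data><Data>WBDESK12$</Data><Data>%%5</Data>"),
]
if __name__ == "__main__":
    for (computer, status), n in summarize(SAMPLE).most_common():
        print(f"{n:>4}  {computer:<16} {status}")
```
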
