Solved

Windows 2008 Event ID 5722, 5805

Posted on 2014-03-04
10
1,728 Views
Last Modified: 2014-03-05
hi

I am getting the following event ids


Event ID: 5722
The session setup from the computer VV-HS-R107-04 failed to authenticate. The name(s) of the account(s) referenced in the security database is VV-HS-R107-04$.  The following error occurred:
Access is denied.

Event ID: 5805
The session setup from the computer VV-HS-R107-04 failed to authenticate. The following error occurred:
Access is denied.

Netlogon.log:
03/04 11:16:41 [MAILSLOT] Received ping from VV-HS-R107-04 valleyview.local. (null) on UDP LDAP
03/04 11:16:41 [MAILSLOT] VALLEYVIEW: Ping response 'Sam Logon Response Ex' (null) to \\VV-HS-R107-04 Site: Default-First-Site-Name on UDP LDAP
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$

I seem to be getting a lot of these.  How can I resolve them

Thank you for your help in advance
0
Comment
Question by:thomasm1948
  • 6
  • 4
10 Comments
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
I think this is known issue and below articles explain this issue

You need to identify which article suites you and then take actions accordingly

http://support.microsoft.com/kb/942564

http://support.microsoft.com/kb/810977

Mahesh
0
 

Author Comment

by:thomasm1948
Comment Utility
I ran the following:

C:\>nltest /time:1CF334E 73ECBC44
01cf334e 73ecbc44 = 6/3/28071 22:48:3
The command completed successfully


The date and time are incorrect.  What can be causing this
0
 

Author Comment

by:thomasm1948
Comment Utility
Is there a tool that can check for duplicate names.  I tried to use NTDSUtil and did a check for duplicate SIDs and it found nothing
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
Is your DC is in correct time zone ?
0
 

Author Comment

by:thomasm1948
Comment Utility
Yes it is.

The following command seems to work

C:\>nltest /server:VV-HS-R107-04 /sc_query:valleyview.local
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\VV-HS-DC01.valleyview.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Is there a tool that I can run against AD to find all of the computers that may have this issue.  Its not a SID issue but I think there might be a computer in AD where one  of their attributes in ADSIedit might have the same name (servicePrincipalName)
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:thomasm1948
Comment Utility
I did the above command incorrectly

C:\>nltest /time:73ECBC44 1CF334E
73ecbc44 01cf334e = 2/26/2014 18:57:06
The command completed successfully

I get this.  Now I do know that the computer was reimaged around then
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
You can enable netlogon debug logging on DC
Follow below article to enable debug logging
http://support.microsoft.com/kb/109626

Then you can find computers whose secure channel is broken in debug logs

There are several ways to reset this secure channel and resolve the login issue,
 
1) Active Directory Users and Computers
If you have access to the AD Users and Computers MMC, you can reset the secure channel by finding the computer object in question, right-clicking on it and choosing Reset Account. Resetting a computer account will break that computer's connection to the domain and will require that computer to rejoin the domain.  

2) Netdom.exe
You can reset the secure channel from the command prompt with the Netdom command as follows :

netdom reset machinename /domain:domainname

replacing machinename with your computer name and domainname with your domain name

You can run this command on machinename itself, or from any other computer or domain controller as long as you are logged in with an account that has admin priviledges to the machinename computer.

The following command tests the secure channel for a computer:
> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:
> nltest /server:<ComputerName> /sc_reset:<DomainName>

To reset the SC between a computer and a DC with Powershell

Open PowerShell on the computer and run

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.

Mahesh
0
 

Author Comment

by:thomasm1948
Comment Utility
I have the netlogon debug turned on.  So it looks like the only way to resolve this issue is to rejoin the computer to the domain.  

Is there a tool out there that I can run to view all of the computers that may have this issue or do I just have to keep on reviewing the event viewer and the netlogon.log?
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Comment Utility
Yes, ultimately you don't have to rejoin computer every time to domain unless you use computer account reset method through ADUC
The other method (netdom) do not require to rejoin domain

I am not aware with any tool which explicitly designed for your purpose
The best option I can see is to rely on netlogon.log or you can use MS event Comb tool to fetch related events from DC and correct the issue on affected computers

http://www.microsoft.com/en-in/download/details.aspx?id=18465 - download link
http://support.microsoft.com/kb/824209 - How to use the EventCombMT utility to search event logs for account lockouts

Also
On affected computer please open Advanced Tcp/IP settings and check DNS Tab.
In DNS tab, check below settings.
ensure that "Append Primary and connection specific dns suffixes" radio button is selected
Ensure that "Append parent suffixes of primary dns suffix" checkbox is selected
Ensure that "register this connection addresses in Dns" checkbox is selected
If there is any deviation in the above settings, its probably you will face name resolution issues

Mahesh
0
 

Author Closing Comment

by:thomasm1948
Comment Utility
Excellent.  Thank you for all of your help
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Suggested Solutions

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now