Windows 2008 Event ID 5722, 5805

hi

I am getting the following event ids


Event ID: 5722
The session setup from the computer VV-HS-R107-04 failed to authenticate. The name(s) of the account(s) referenced in the security database is VV-HS-R107-04$.  The following error occurred:
Access is denied.

Event ID: 5805
The session setup from the computer VV-HS-R107-04 failed to authenticate. The following error occurred:
Access is denied.

Netlogon.log:
03/04 11:16:41 [MAILSLOT] Received ping from VV-HS-R107-04 valleyview.local. (null) on UDP LDAP
03/04 11:16:41 [MAILSLOT] VALLEYVIEW: Ping response 'Sam Logon Response Ex' (null) to \\VV-HS-R107-04 Site: Default-First-Site-Name on UDP LDAP
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$

I seem to be getting a lot of these.  How can I resolve them

Thank you for your help in advance
thomasm1948Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
I think this is known issue and below articles explain this issue

You need to identify which article suites you and then take actions accordingly

http://support.microsoft.com/kb/942564

http://support.microsoft.com/kb/810977

Mahesh
0
thomasm1948Author Commented:
I ran the following:

C:\>nltest /time:1CF334E 73ECBC44
01cf334e 73ecbc44 = 6/3/28071 22:48:3
The command completed successfully


The date and time are incorrect.  What can be causing this
0
thomasm1948Author Commented:
Is there a tool that can check for duplicate names.  I tried to use NTDSUtil and did a check for duplicate SIDs and it found nothing
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

MaheshArchitectCommented:
Is your DC is in correct time zone ?
0
thomasm1948Author Commented:
Yes it is.

The following command seems to work

C:\>nltest /server:VV-HS-R107-04 /sc_query:valleyview.local
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\VV-HS-DC01.valleyview.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Is there a tool that I can run against AD to find all of the computers that may have this issue.  Its not a SID issue but I think there might be a computer in AD where one  of their attributes in ADSIedit might have the same name (servicePrincipalName)
0
thomasm1948Author Commented:
I did the above command incorrectly

C:\>nltest /time:73ECBC44 1CF334E
73ecbc44 01cf334e = 2/26/2014 18:57:06
The command completed successfully

I get this.  Now I do know that the computer was reimaged around then
0
MaheshArchitectCommented:
You can enable netlogon debug logging on DC
Follow below article to enable debug logging
http://support.microsoft.com/kb/109626

Then you can find computers whose secure channel is broken in debug logs

There are several ways to reset this secure channel and resolve the login issue,
 
1) Active Directory Users and Computers
If you have access to the AD Users and Computers MMC, you can reset the secure channel by finding the computer object in question, right-clicking on it and choosing Reset Account. Resetting a computer account will break that computer's connection to the domain and will require that computer to rejoin the domain.  

2) Netdom.exe
You can reset the secure channel from the command prompt with the Netdom command as follows :

netdom reset machinename /domain:domainname

replacing machinename with your computer name and domainname with your domain name

You can run this command on machinename itself, or from any other computer or domain controller as long as you are logged in with an account that has admin priviledges to the machinename computer.

The following command tests the secure channel for a computer:
> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:
> nltest /server:<ComputerName> /sc_reset:<DomainName>

To reset the SC between a computer and a DC with Powershell

Open PowerShell on the computer and run

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.

Mahesh
0
thomasm1948Author Commented:
I have the netlogon debug turned on.  So it looks like the only way to resolve this issue is to rejoin the computer to the domain.  

Is there a tool out there that I can run to view all of the computers that may have this issue or do I just have to keep on reviewing the event viewer and the netlogon.log?
0
MaheshArchitectCommented:
Yes, ultimately you don't have to rejoin computer every time to domain unless you use computer account reset method through ADUC
The other method (netdom) do not require to rejoin domain

I am not aware with any tool which explicitly designed for your purpose
The best option I can see is to rely on netlogon.log or you can use MS event Comb tool to fetch related events from DC and correct the issue on affected computers

http://www.microsoft.com/en-in/download/details.aspx?id=18465 - download link
http://support.microsoft.com/kb/824209 - How to use the EventCombMT utility to search event logs for account lockouts

Also
On affected computer please open Advanced Tcp/IP settings and check DNS Tab.
In DNS tab, check below settings.
ensure that "Append Primary and connection specific dns suffixes" radio button is selected
Ensure that "Append parent suffixes of primary dns suffix" checkbox is selected
Ensure that "register this connection addresses in Dns" checkbox is selected
If there is any deviation in the above settings, its probably you will face name resolution issues

Mahesh
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
thomasm1948Author Commented:
Excellent.  Thank you for all of your help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.