Solved

Windows 2008 Event ID 5722, 5805

Posted on 2014-03-04
Last Modified: 2014-03-05
Hi,

I am getting the following event IDs:


Event ID: 5722
The session setup from the computer VV-HS-R107-04 failed to authenticate. The name(s) of the account(s) referenced in the security database is VV-HS-R107-04$.  The following error occurred:
Access is denied.

Event ID: 5805
The session setup from the computer VV-HS-R107-04 failed to authenticate. The following error occurred:
Access is denied.

Netlogon.log:
03/04 11:16:41 [MAILSLOT] Received ping from VV-HS-R107-04 valleyview.local. (null) on UDP LDAP
03/04 11:16:41 [MAILSLOT] VALLEYVIEW: Ping response 'Sam Logon Response Ex' (null) to \\VV-HS-R107-04 Site: Default-First-Site-Name on UDP LDAP
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$

I seem to be getting a lot of these. How can I resolve them?

Thank you for your help in advance.
Question by:thomasm1948
 
LVL 37

Expert Comment

by:Mahesh
ID: 39904045
I think this is a known issue, and the articles below explain it.

You need to identify which article suits you and then take action accordingly.

http://support.microsoft.com/kb/942564

http://support.microsoft.com/kb/810977

Mahesh
0
 

Author Comment

by:thomasm1948
ID: 39904074
I ran the following:

C:\>nltest /time:1CF334E 73ECBC44
01cf334e 73ecbc44 = 6/3/28071 22:48:3
The command completed successfully


The date and time are incorrect. What can be causing this?
0
 

Author Comment

by:thomasm1948
ID: 39904088
Is there a tool that can check for duplicate names? I tried to use NTDSUtil and did a check for duplicate SIDs, and it found nothing.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39904103
Is your DC in the correct time zone?
0
 

Author Comment

by:thomasm1948
ID: 39904212
Yes it is.

The following command seems to work

C:\>nltest /server:VV-HS-R107-04 /sc_query:valleyview.local
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\VV-HS-DC01.valleyview.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Is there a tool that I can run against AD to find all of the computers that may have this issue? It's not a SID issue, but I think there might be a computer in AD where one of its attributes in ADSIedit might have the same name (servicePrincipalName).
0
 

Author Comment

by:thomasm1948
ID: 39904324
I did the above command incorrectly

C:\>nltest /time:73ECBC44 1CF334E
73ecbc44 01cf334e = 2/26/2014 18:57:06
The command completed successfully

I get this. Now I do know that the computer was reimaged around then.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39904368
You can enable Netlogon debug logging on the DC.
Follow the article below to enable debug logging:
http://support.microsoft.com/kb/109626

Then you can find the computers whose secure channel is broken in the debug logs.

There are several ways to reset this secure channel and resolve the login issue:
 
1) Active Directory Users and Computers
If you have access to the AD Users and Computers MMC, you can reset the secure channel by finding the computer object in question, right-clicking on it and choosing Reset Account. Resetting a computer account will break that computer's connection to the domain and will require that computer to rejoin the domain.  

2) Netdom.exe
You can reset the secure channel from the command prompt with the Netdom command as follows :

netdom reset machinename /domain:domainname

replacing machinename with your computer name and domainname with your domain name

You can run this command on machinename itself, or from any other computer or domain controller, as long as you are logged in with an account that has admin privileges to the machinename computer.

The following command tests the secure channel for a computer:
> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:
> nltest /server:<ComputerName> /sc_reset:<DomainName>

To reset the SC between a computer and a DC with PowerShell:

Open PowerShell on the computer and run

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.

Mahesh
0
 

Author Comment

by:thomasm1948
ID: 39904399
I have the netlogon debug turned on.  So it looks like the only way to resolve this issue is to rejoin the computer to the domain.  

Is there a tool out there that I can run to view all of the computers that may have this issue or do I just have to keep on reviewing the event viewer and the netlogon.log?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39905712
Yes, ultimately you don't have to rejoin the computer to the domain every time unless you use the computer account reset method through ADUC.
The other method (netdom) does not require rejoining the domain.

I am not aware of any tool which is explicitly designed for your purpose.
The best option I can see is to rely on netlogon.log, or you can use the MS EventComb tool to fetch related events from the DC and correct the issue on affected computers.

http://www.microsoft.com/en-in/download/details.aspx?id=18465 - download link
http://support.microsoft.com/kb/824209 - How to use the EventCombMT utility to search event logs for account lockouts

Also
On the affected computer, please open Advanced TCP/IP settings and check the DNS tab.
In the DNS tab, check the settings below.
Ensure that the "Append primary and connection specific DNS suffixes" radio button is selected.
Ensure that the "Append parent suffixes of the primary DNS suffix" checkbox is selected.
Ensure that the "Register this connection's addresses in DNS" checkbox is selected.
If there is any deviation in the above settings, you will probably face name resolution issues.

Mahesh
0
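One way to get the per-computer view asked for in this thread from the Netlogon debug log the accepted answer relies on, added here as an example and not part of the original posts. The function name Get-NetlogonAuthFailure is hypothetical, the sample lines are copied from the log excerpt in the question, and the line layout is assumed to match that excerpt.

```powershell
# Added example: summarise NetrServerAuthenticate failures per computer account.
# Get-NetlogonAuthFailure is a hypothetical helper name, not a built-in cmdlet.
function Get-NetlogonAuthFailure {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin {
        $ip    = @{}   # computer name -> source IP from the last [SESSION] line
        $stats = @{}   # account name  -> running totals for that account
        $reSession = '\[SESSION\] \S+ NetrServerAuthenticate entered: (?<pc>\S+) \((?<ip>[^)]+)\)'
        $reFail    = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[CRITICAL\] \S+ NetrServerAuthenticate: ' +
                     '(?<why>Bad password|Failed to authenticate)(?: \d+ for)? (?<pc>\S+) on account (?<acct>\S+)'
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $reSession) { $ip[$Matches['pc']] = $Matches['ip']; continue }
            if ($l -match $reFail) {
                $acct = $Matches['acct']
                if (-not $stats.ContainsKey($acct)) {
                    $stats[$acct] = New-Object PSObject -Property @{
                        Account = $acct; Computer = $Matches['pc']; SourceIP = $null
                        BadPassword = 0; AuthFailed = 0; LastSeen = $null
                    }
                }
                $s = $stats[$acct]
                if ($Matches['why'] -eq 'Bad password') { $s.BadPassword++ } else { $s.AuthFailed++ }
                $s.LastSeen = $Matches['ts']          # log lines carry no year
                $s.SourceIP = $ip[$Matches['pc']]     # $null if no [SESSION] line was seen
            }
        }
    }
    end {
        $stats.Values | Sort-Object AuthFailed -Descending |
            Select-Object Computer, Account, SourceIP, BadPassword, AuthFailed, LastSeen
    }
}

# Sample input: the NetrServerAuthenticate lines from the question's netlogon.log excerpt.
$sample = @'
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
'@ -split "\r?\n"

$sample | Get-NetlogonAuthFailure | Format-Table -AutoSize
# On a DC with debug logging enabled, pipe the live log in instead:
#   Get-Content "$env:SystemRoot\debug\netlogon.log" | Get-NetlogonAuthFailure
```

Each output row is one computer account whose secure-channel authentication is being rejected by this DC, with the source IP taken from the preceding [SESSION] line, which gives a list of machines to check with nltest /sc_query.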
 

Author Closing Comment

by:thomasm1948
ID: 39906132
Excellent.  Thank you for all of your help
0
