Solved

Windows 2008 Event ID 5722, 5805

Posted on 2014-03-04
Last Modified: 2014-03-05
Hi

I am getting the following event IDs:


Event ID: 5722
The session setup from the computer VV-HS-R107-04 failed to authenticate. The name(s) of the account(s) referenced in the security database is VV-HS-R107-04$.  The following error occurred:
Access is denied.

Event ID: 5805
The session setup from the computer VV-HS-R107-04 failed to authenticate. The following error occurred:
Access is denied.

Netlogon.log:
03/04 11:16:41 [MAILSLOT] Received ping from VV-HS-R107-04 valleyview.local. (null) on UDP LDAP
03/04 11:16:41 [MAILSLOT] VALLEYVIEW: Ping response 'Sam Logon Response Ex' (null) to \\VV-HS-R107-04 Site: Default-First-Site-Name on UDP LDAP
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$
03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$

I seem to be getting a lot of these. How can I resolve them?

Thank you for your help in advance.
Question by:thomasm1948
 
LVL 36

Expert Comment

by:Mahesh
ID: 39904045
I think this is a known issue, and the articles below explain it.

You need to identify which article suits you and then take action accordingly.

http://support.microsoft.com/kb/942564

http://support.microsoft.com/kb/810977

Mahesh
0
 

Author Comment

by:thomasm1948
ID: 39904074
I ran the following:

C:\>nltest /time:1CF334E 73ECBC44
01cf334e 73ecbc44 = 6/3/28071 22:48:3
The command completed successfully


The date and time are incorrect. What can be causing this?
0
 

Author Comment

by:thomasm1948
ID: 39904088
Is there a tool that can check for duplicate names? I tried to use NTDSUtil and did a check for duplicate SIDs, and it found nothing.
0

 
LVL 36

Expert Comment

by:Mahesh
ID: 39904103
Is your DC in the correct time zone?
0
 

Author Comment

by:thomasm1948
ID: 39904212
Yes it is.

The following command seems to work

C:\>nltest /server:VV-HS-R107-04 /sc_query:valleyview.local
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\VV-HS-DC01.valleyview.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Is there a tool that I can run against AD to find all of the computers that may have this issue? It's not a SID issue, but I think there might be a computer in AD where one of their attributes in ADSIedit might have the same name (servicePrincipalName).
0
 

Author Comment

by:thomasm1948
ID: 39904324
I did the above command incorrectly

C:\>nltest /time:73ECBC44 1CF334E
73ecbc44 01cf334e = 2/26/2014 18:57:06
The command completed successfully

I get this. Now I do know that the computer was reimaged around then.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39904368
You can enable Netlogon debug logging on the DC.
Follow the article below to enable debug logging:
http://support.microsoft.com/kb/109626

Then you can find computers whose secure channel is broken in the debug logs.

There are several ways to reset this secure channel and resolve the login issue:
 
1) Active Directory Users and Computers
If you have access to the AD Users and Computers MMC, you can reset the secure channel by finding the computer object in question, right-clicking on it and choosing Reset Account. Resetting a computer account will break that computer's connection to the domain and will require that computer to rejoin the domain.  

2) Netdom.exe
You can reset the secure channel from the command prompt with the Netdom command as follows:

netdom reset machinename /domain:domainname

replacing machinename with your computer name and domainname with your domain name.

You can run this command on machinename itself, or from any other computer or domain controller as long as you are logged in with an account that has admin privileges to the machinename computer.

The following command tests the secure channel for a computer:
> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:
> nltest /server:<ComputerName> /sc_reset:<DomainName>

To reset the SC between a computer and a DC with PowerShell:

Open PowerShell on the computer and run:

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.

Mahesh
0
 

Author Comment

by:thomasm1948
ID: 39904399
I have the netlogon debug turned on.  So it looks like the only way to resolve this issue is to rejoin the computer to the domain.  

Is there a tool out there that I can run to view all of the computers that may have this issue or do I just have to keep on reviewing the event viewer and the netlogon.log?
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39905712
Yes, ultimately you don't have to rejoin the computer to the domain every time unless you use the computer account reset method through ADUC.
The other method (netdom) does not require rejoining the domain.

I am not aware of any tool that is explicitly designed for your purpose.
The best option I can see is to rely on netlogon.log, or you can use the MS EventComb tool to fetch related events from the DC and correct the issue on affected computers.

http://www.microsoft.com/en-in/download/details.aspx?id=18465 - download link
http://support.microsoft.com/kb/824209 - How to use the EventCombMT utility to search event logs for account lockouts

Also:
On the affected computer, please open the Advanced TCP/IP settings and check the DNS tab.
In the DNS tab, check the settings below.
Ensure that the "Append Primary and connection specific DNS suffixes" radio button is selected.
Ensure that the "Append parent suffixes of primary DNS suffix" checkbox is selected.
Ensure that the "Register this connection addresses in DNS" checkbox is selected.
If there is any deviation from the above settings, you will probably face name resolution issues.

Mahesh
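
One way to do the netlogon.log review suggested in the answer above, as an added example that is not from the thread's participants: a PowerShell script that groups the "Failed to authenticate" lines by computer, so every machine with a broken secure channel shows up in one table. It assumes the debug log is at the default `%SystemRoot%\debug\netlogon.log` and that lines follow the format quoted in the question; `PC-EXAMPLE-01` and `192.0.2.10` are constructed sample values.

```powershell
# Added example: count Netlogon secure-channel authentication failures per computer.
# Assumption: the debug log is at its default path on the DC.
param([string]$LogPath = "$env:SystemRoot\debug\netlogon.log")

# Constructed sample in the format quoted in the question, used only when the
# log file is absent. PC-EXAMPLE-01 / 192.0.2.10 are made-up values.
$sample = @(
    '03/04 11:16:41 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: VV-HS-R107-04 (10.10.9.95) on account VV-HS-R107-04$ (Negot: fffff)',
    '03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Bad password 0 for VV-HS-R107-04 on account VV-HS-R107-04$',
    '03/04 11:16:41 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate VV-HS-R107-04 on account VV-HS-R107-04$',
    '03/04 11:20:02 [SESSION] VALLEYVIEW: NetrServerAuthenticate entered: PC-EXAMPLE-01 (192.0.2.10) on account PC-EXAMPLE-01$ (Negot: fffff)',
    '03/04 11:20:02 [CRITICAL] VALLEYVIEW: NetrServerAuthenticate: Failed to authenticate PC-EXAMPLE-01 on account PC-EXAMPLE-01$'
)
$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

$enteredRx = 'NetrServerAuthenticate entered: (\S+) \(([0-9a-fA-F.:]+)\) on account'
$failedRx  = '^(\d\d/\d\d \d\d:\d\d:\d\d) \[CRITICAL\] \S+ NetrServerAuthenticate: Failed to authenticate (\S+) on account (\S+)'

$address = @{}   # computer name -> last source address seen in an "entered" line
$byHost  = @{}   # computer name -> summary object

foreach ($line in $lines) {
    if ($line -match $enteredRx) {
        # Remember where the session setup came from; the failure line has no address.
        $address[$Matches[1]] = $Matches[2]
    }
    elseif ($line -match $failedRx) {
        $name = $Matches[2]
        if (-not $byHost.ContainsKey($name)) {
            $byHost[$name] = New-Object PSObject -Property @{
                Computer = $name; Account = $Matches[3]; Address = $null
                Failures = 0; LastSeen = $null
            }
        }
        $rec = $byHost[$name]
        $rec.Failures += 1
        $rec.LastSeen = $Matches[1]      # the log carries month/day and time, no year
        $rec.Address  = $address[$name]  # stays $null if no "entered" line was seen
    }
}

# Most frequently failing machine accounts first.
$byHost.Values | Sort-Object Failures -Descending |
    Select-Object Computer, Account, Address, Failures, LastSeen
```

Run it on the DC after enabling Netlogon debug logging; each computer it lists is a candidate for the secure channel test and reset commands given earlier in the thread.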
0
 

Author Closing Comment

by:thomasm1948
ID: 39906132
Excellent. Thank you for all of your help.
0
