Event ID 5723 Source: NETLOGON

wcgplc
wcgplc used Ask the Experts™
on
Evening experts,

We have a number of instances of Event ID 5723 Source: NETLOGON on one of our DC's with Win Svr 2008 installed (see below). Although the pc in the event does not belong to our network and never did. I work for a financial organisation and security is as tight as it can be regarding physical access to our main office so I'm assuming this access attempt was made remotely. Please, can you help me out here on how this could have happened? We don't have wifi on our network so I'm a little baffled here. Please advise.  

event id
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Scott SilvaNetwork Administrator

Commented:
Whatever it is, it got far enough into your network to try to login to the domain... You might need to do a system wide network audit to make sure someone didn't plug something into an open port OR has a virtual machine going...
Turning netlogin debugging on should capture IP addresses and maybe help you track down what is happening...

https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial