netlogon events 5805, 5722 logged on dc
w2003 ads, 2 dc in top domain, 4 dc in child domain with about 5000 users.
Recently I'm getting events 5805, 5722:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 7/6/2007
Time: 8:45:10 AM
User: N/A
Computer: DC-03
Description:
The session setup from the computer xxxxxx failed to authenticate. The
following error occurred:
Access is denied.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..À
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 7/6/2007
Time: 8:32:52 AM
User: N/A
Computer: DC-03
Description:
The session setup from the computer xxxxxx failed to authenticate. The
name(s) of the account(s) referenced in the security database is D-KCVP86Z$.
The following error occurred:
Access is denied.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..À
Adding WS back to domain fixes the issue...for now.
There are about 10-20 WS daily having similar problem. Troubleshooting is a
bit tricky as this is being fixed by other group without looking for the root
cause. Basic check with dcdiag or netdiag on dc came back empty. No other
errors in the log I could relate to it. DNS log clean, WS seems to have a
right A record registered in DNS.
Any ideas before I hit panic button are greatly appreciated.....
Roman
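Added example, not part of the original post: with 10-20 workstations failing daily, one way to look for a pattern is to parse exported NETLOGON 5805/5722 records, decode the Data bytes (22 00 00 c0 read as a little-endian DWORD is NTSTATUS 0xC0000022, STATUS_ACCESS_DENIED) and rank clients by failure count. The function names, the DC-EXAMPLE and WS-EXAMPLE-* names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS values from Microsoft's published list; extend as needed.
NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED",
            0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT"}

def sample_event(eid, client, account=None):
    """Build one constructed record in the text layout shown in the post."""
    acct = (f"name(s) of the account(s) referenced in the security database "
            f"is {account}.\nThe " if account else "")
    return (f"Event Type: Error\nEvent Source: NETLOGON\nEvent ID: {eid}\n"
            f"Computer: DC-EXAMPLE\nDescription:\nThe session setup from the "
            f"computer {client} failed to authenticate. The\n{acct}following "
            f"error occurred:\nAccess is denied.\nData:\n0000: 22 00 00 c0\n")

# Constructed sample input; host and account names are made up.
SAMPLE = (sample_event(5805, "WS-EXAMPLE-01")
          + sample_event(5722, "WS-EXAMPLE-01", "WS-EXAMPLE-01$")
          + sample_event(5722, "WS-EXAMPLE-02", "WS-EXAMPLE-02$"))

def decode_status(hex_bytes):
    """The Data field holds the NTSTATUS as a little-endian DWORD."""
    code = int.from_bytes(bytes.fromhex("".join(hex_bytes.split()))[:4], "little")
    return code, NTSTATUS.get(code, "unknown")

def parse_events(text):
    """Return one dict per NETLOGON 5805/5722 record found in text."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        eid = re.search(r"^Event ID:\s*(\d+)", block, re.M)
        if not eid or eid.group(1) not in ("5805", "5722"):
            continue
        client = re.search(r"from the computer\s+(\S+)\s+failed", block)
        acct = re.search(r"security database is\s+(\S+?)\.?\s*$", block, re.M)
        data = re.search(r"^0000:\s*((?:[0-9a-fA-F]{2}\s?){4})", block, re.M)
        code, name = decode_status(data.group(1)) if data else (None, "no data")
        events.append({"id": int(eid.group(1)),
                       "client": client.group(1) if client else None,
                       "account": acct.group(1) if acct else None,
                       "status": code, "status_name": name})
    return events

def repeat_offenders(events):
    """Clients ranked by number of failed session setups."""
    return Counter(e["client"] for e in events).most_common()

if __name__ == "__main__":
    for client, count in repeat_offenders(parse_events(SAMPLE)):
        print(client, count)
```

Ranking the same records by date, DC or OU instead of client can show whether the failures cluster around one domain controller or one batch of machines.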
Re: netlogon events 5805, 5722 logged on dc
Please start from:
http://eventid.net/display.asp?event...TLOGON&phase=1
--
Jabez Gan [MVP]
Microsoft MVP: Windows Server
http://www.blizhosting.com
MSBLOG: http://www.msblog.org
Re: netlogon events 5805, 5722 logged on dc
Quote: Originally Posted by integralli
> What if I have deleted the computer account from AD, deleted the DNS record and I don't know where the machine is? If this event keeps coming up, how do I delete it forever, meaning the event ID does not appear anymore?
Then you will find these machines' IP addresses in the security events as Failure Audit Event ID 539, after which it will be easy to find them.