Problem login on using domain accounts due to Event: 5719 Source: Netlogon

Question

Hi,   Does anyone have a solution I haven't tried yet to solve the problem that the netlogon service tries to access the network before the network card is ready.   Simplified system event log:   info 15:55:38 eventlog 6009 (CPU report) info 15:55:38 eventlog 6005 (Log service started) error 15:55:40 netlogon 5719 (Can't find a domaincoontroler for domain .. reason: no logon domain controller available warning 15:55:42 w32time 14 (ntpclient can'T find Domiancontroller...) cause by the 5719 error 15:55:42 432time 29 (Time not syncronised... retry in 1 minutes) cause 5719 warning 15:55:42 w32time 14 (ntpclient can'T find Domiancontroller...) cause by the 5719 error 15:55:42 432time 29 (Time not syncronised... retry in 1 minutes) cause 5719   .... Some info entries of services starting and finally, the root cause of the problem last entry before below at 15:55:47 info 15:55:34 b57w2k  15 (Driver initialized sucessfully) info 15:55:34 b57w2k 9 (network card configured for 100Mb full-duplex)   As can be noted the message timestamp is from before the eventlog started, but was entered in the log after everything else started.   Things tried: Disable spanning tree on all switches. Result: Negative Enable autonegotiation of speed. Result Negative Disable autonegotiation on both the switch port and the system. Result: Negative Disable media sense as by MS KB-9388449. Result: Negative Upgraded to latest Broadcom driver. Result Negative. Change the stack type from NDIS to PNPTDI. Result Negative Reduce number of services started to absolute minimum. Result: Negative And several combinations of the above. For some reason the netlogon service starts much to early. This problem occurs only on all Dell Laptops we have. All our systems run Windows XP SP2 Dutch or German and are at the latest MS SP's and patch levels. The Laptops are all Latitudes, models: C640, D410, D505, D520, D600. The only models I haven't seen this on is on the D420's which are the most recent baught. But all models worked for years without problems. First I suspected the VPN software, but now I get the same message on laptops where this software hasn't been installed yet. I'm starting to suspect some changes to the netlogon service by Microsoft which only activate on Laptops. Which must have been made somewhere in January or before. At first I followed the sugestion of Microsoft to just ignore it when users still can logon. But now I have the first user who can't logon, this because his laptop has been re-added to the domain, which erased the local password cache. Due to the 5719 event, even a enterprise adim can't logon to this system. The reason why I think that this is laptop specific, is because we have Dell Optiplex Desktop's which use the same Broadcom chipset and drivers where netlogon doesn't start for at least 1 minute, giving the network adapter ample time to initiliaze. I notice this only because so now and then the w32time service enters a report and this is started right after the netlogon service, because it depends on it to find a time source. Last time I checked this on a Desktop the time difference between the first eventlog entry and the w32time service log entry was 1 minute and 30 seconds. And 30 seconds before it I see the mentioned b57w2k service entries. During troubleshooting the mentioned desktop was connected to the same Dell PowerConnect switch as the laptop, at the moment a Dell D420. I'm going to scan which patches have been applied and find out what they changed. If I find one affecting TCP/IP or netlogon, I'll try to uninstall it before the last option. The last option to try would be a re-installation from scratch (an image could import the problem again). I hope someone has a solution to the problem. PS. The big difference between the laptops and desktops is that the network card stays powered in the desktops, to allow WoL. the laptops are locked away during the night and powered down due to this, this also automatically disables the network card every time. I'll try to disable this on my system and see what happens tomorrow.

vuilverwerking · Answer

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239924

faber.w · Answer

Tried that already, no effect.

I even had a new development:

2 systems developped the problem to and within 24 hours wheren't able to connect to the domain anymore, I managed to get them running temporarily by using an USB network adapter, but they wheren't logged on to the domain, but at least the main application was able to run since now at least the certificates where updated again, without these updates our application isn'T able to access our Oracle server.

24 hours later, an error appeared in the security log, telling me the computer account had been disabled.

So I pulled the system from the domain, enabled the computer account and added the system back to the domain and all troubles where gone! No more netlogon errors in the event log. So I removed the USB network adapter and the system has now a clean event log again.

This is no longer looking like a timing problem but a security problem, something is interrupting the secure logon of the PC's with the domain controller.

I'll try a few things and drop it here if they are successfull.

Message Edited by faber.w on 12-05-2007 08:36 AM

vuilverwerking · Answer

Sorry, i did not see this thing in your story.   Do you have other netwerk services installed on that Network adapter? I installed W2K3 Server R2 SP2 with OMSA install CD on the PowerEdge 1855. Everything went fine. But when i installed Virtual Server 2005 it went wrong again. The DisableDHCPMediaSense option also did not work. When i turned off the Virtual Machine Network Service in the NIC properties the problem was solved. Intel Pro GigBit NIC on 3Com 3870 Switch.

faber.w · Answer

These are plain workstations, the users have locally only [user] authorisation so they can't install other software.   The most interesting was that I encountered this first on all Laptops and then a week later suddenly got 2 dektops where it appeared and also caused these to prevent login. Once I implemented an emergency workaround so they could again access our Oracle database, they could work again, but within 24 hours the DC reported that it locked the computer account. When I cycled the domain membership, after this lock, all errors where gone from the workstation. That's what makes me think that something is disrupting the security of my domain. My biggest problem in that is that I have a multi site domain, with each their own domain controller, so the cause could be on any of these sites, since anything in AD gets replicated to all sites. Including the one where I'm also responsible for the workstations. Another thing is also why do only some wokrstations get this problem and not all.   So I'm now concentrating on things like virusscanners and not properly configured systems.

Windows General

Was this post helpful?