Netlogon error with event log 5783, only reboot can solve the problem.

    Question

  • Dear all,

    SYMPTOMS

    Member server:  Server 2003
    DCs: All are server 2008 R2, domain level 2003 native

    A scheduled task reboots the member server each Sat at 9 AM. These 2 weeks have new findings.

    1.  Nov 5 (Sat) 9AM server reboot, then netlogon generated the 5783 error 1 time at 1:30 PM; at 11PM domain users cannot log in to DC except Administrator, who uses a local account to log in and reboot the server manually. Restarting the netlogon service does not work, so only a reboot serves as a workaround. It functions after reboot.

    2.  All can function until Nov 12 (Sat) 9AM server reboot again, then netlogon generated the 5783 error 1 time at 1:32 PM; at 11PM domain users reported that they cannot log in to DC unless Administrator reboots the server manually. It functions after reboot. Admin doesn't know whether they can log on between 9AM-1:30PM (users and Admin are sleeping on Sat morning, so no one accesses the office server to have a look); all reports are after 1:30 PM.

    Error:
    Event log  NetLogon 5783
    11/5/2011 1:32:57 PM
    The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.contoso.local for the domain CONTOSO is not responsive.  The current RPC call from Netlogon on \\server03 to \\DC01.contoso.local has been cancelled.

    Question:

    1. Why was the netlogon error generated at 1:30 PM? The server didn't reboot at 1:30 PM. Is the netlogon log only generated on the member server during startup when an error happens? I checked the event logs and confirmed that from 9AM-1:30PM there is no other reboot error, and there is no netlogon event log in Oct.

    2. Any clue to identify the cause? Is it caused by the reboot? From 9AM-1:30PM there is no other error log except log 5783.

    Thanks.


    • Edited by goodhehe Tuesday, November 15, 2011 1:32 PM
    Tuesday, November 15, 2011 1:30 PM

All replies

  • Hi,

    Could you please post the result of dcdiag /q

    Netlogon Event ID 5783

       

    Cause:

    The source server listed in the error message was unable to complete a remote procedure call (RPC) call to the destination server. Most commonly, this means that either the source server could not locate the server in DNS or the RPC interface on the destination server is not working.

    Solution:

    If the source server could not locate the server in DNS, troubleshoot Active Directory replication failure due to incorrect DNS configuration. If this is not a DNS problem, troubleshoot RPC problems.

    For details

    http://technet.microsoft.com/en-us/library/bb727055.aspx

    Similar issues

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/4ce92ed6-066c-455c-b884-1a4aefc1a95b/

     


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

     


    Tuesday, November 15, 2011 1:39 PM
  • dcdiag /q 

    Run this command on DC or member server?

    The problem and error are generated on the member server, and we reboot the member server to let it function again. There is a FW between the member server and the DC; the local Windows FW on the member server and the DC are disabled. No FW blocking log was found in the FW. The DC doesn't have any similar log after I checked.
    Tuesday, November 15, 2011 1:50 PM
  • Event ID 5783 relates to a broken secure channel. The secure channel gets broken due to various reasons like insufficient connectivity, the machine not being able to communicate with the DC for password refresh, or a virus issue. Can you make sure the machine is running with the latest SP and patches as well as up-to-date hardware (BIOS/firmware/drivers etc.) drivers?

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

    For rectifying the broken secure channel, the member server needs to be disjoined and rejoined; that is the only solution. You can use netdom /resetpwd for a DC, but for a member server disjoin and rejoin is the option.

    The other possible causes of a broken secure channel are a duplicate hostname/IP in DNS, an SPN issue etc. You have to start from the network connectivity first.


    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Tuesday, November 15, 2011 3:07 PM
  • Hi,

    My apologies. Could you please share the output of the netdiag command from the member server?


    Tuesday, November 15, 2011 3:21 PM
  • Do you see any DNS errors?  Please run DCDIAG /q on DC and post output here.

    http://technet.microsoft.com/en-us/library/bb727055.aspx

    you may refer : http://www.eventid.net/display.asp?eventid=5783&eventno=1024&source=NETLOGON&phase=1

    Also, this issue occurs due to a broken secure channel; if it's a member server then simply unjoin and rejoin it to the domain.

    Or refer this, Domain Secure Channel Utility -- Nltest.exe
    http://support.microsoft.com/kb/158148

    For the DC- secure channel broken:
    http://abhijitw.wordpress.com/2011/08/31/active-directory-resetting-secure-channel/


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Tuesday, November 15, 2011 3:31 PM
  • Thanks, I am curious why the netlogon error was generated at 1:30 PM these 2 weeks. Is it a delayed error but related to the weekly startup at 9 AM?
    Tuesday, November 15, 2011 4:01 PM
  • Well, as to why it is generated at this time: it can be logged when the system tries to contact the DC to refresh its password or update its records in DNS. If the secure channel is broken on the member server, it will not work and most of the time it will not allow domain login and access to the resources from that server.

    Out of curiosity, is this server built from any image or clone or snapshot? Is any system been tried to joined to domain using same hostname or IP?

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Tuesday, November 15, 2011 4:08 PM
  • I used check duplicate sid command to check, no duplicate SID generated.

    And I run command on DC

    C:\Users\admin>nltest /server:server3 /sc_query:contoso
    Flags: 30 HAS_IP  HAS_TIMESERV
    Trusted DC Name \\dc01.contoso.local
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    Can I say that the secure channel is not broken?
    Thursday, November 17, 2011 3:16 AM

  • Event ID: 5783
    Source: NETLOGON
    Description: The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.contoso.local for the domain CONTOSO is not responsive.  The current RPC call from Netlogon on \\server03 to \\DC01.contoso.local has been cancelled.

    Troubleshooting Steps:

    1. Make sure you have correct DNS settings. If you have multiple DNS servers, check this link: Setup Multiple DNS servers - http://www.chicagotech.net/dnstroubleshooting.htm#Setup_Multiple_DNS_servers_
    If you receive this error on a workstation, make sure the computer DNS points to the internal DNS instead of ISP DNS.

    2. Enabling WINS or NetBIOS over TCP/IP in the TCP/IP Advanced Settings may also resolve this issue, especially if you have a WAN/VPN connection. However, if WINS or NetBIOS over TCP/IP works in a LAN, you do have a DNS issue.

    3. You may receive this error when there is a network connection issue or the DNS server is not accessible.

    4. A third-party firewall program like Norton Security that is installed on the computer is blocking DNS queries.

    5. Refer to this link also: http://www.eventid.net/display.asp?eventid=5783&eventno=1024&source=NETLOGON&phase=1

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Thursday, November 17, 2011 3:52 AM
  • "Is any system been tried to joined to domain using same hostname or IP?"

    Suppose not.  I used check duplicate sid command to check, no duplicate SID generated. And no duplicate IP/hostname in DNS.

    "It will not work and most of the time it will not allow domain login and access to the resources from that server."

    That's the interesting thing, it can function after reboot.

    C:\Users\admin>nltest /server:server3 /sc_query:contoso
    Flags: 30 HAS_IP  HAS_TIMESERV
    Trusted DC Name \\dc01.contoso.local
    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    The command completed successfully, can I assert that the secure channel is not broken?

    Thursday, November 17, 2011 12:28 PM
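
Added example, not part of any post in this thread: a PowerShell check meant to run on the member server as a frequent scheduled task, so that the three things the replies point at (DNS resolution of the DC, RPC reachability through the firewall, secure channel state) are timestamped between the 9 AM reboot and the 5783 event. It assumes PowerShell 2.0 or later and nltest.exe are installed on the member server; the log path is hypothetical and the domain and DC names are the ones quoted in the thread.

```powershell
# Added example; run on the member server. Defaults are the names used in this thread.
param(
    [string]$Domain  = 'contoso',
    [string]$DcFqdn  = 'dc01.contoso.local',
    [string]$LogPath = 'C:\netlogon-check.log'   # hypothetical path
)

# TCP connect with a timeout, so a firewall that silently drops packets shows up as False.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. DNS: can this server resolve the DC at all?
$addresses = @()
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($DcFqdn) | ForEach-Object { $_.ToString() })
} catch { }

# 2. RPC: the endpoint mapper (TCP 135) is the first hop of an RPC call to the DC.
#    A success here does not prove the dynamic RPC ports are open on the firewall.
$rpc135 = ($addresses.Count -gt 0) -and (Test-TcpPort $DcFqdn 135)

# 3. Secure channel: /sc_query reports the state from the last time the channel was used;
#    /sc_verify checks it now (and rebuilds the channel if it does not work).
function Get-NltestStatus([string]$Mode) {
    $out = & nltest.exe "/${Mode}:$Domain" 2>&1 | Out-String
    # Collect the symbolic name from every "Status = 0 0x0 NERR_Success" style line.
    $codes = [regex]::Matches($out, 'Status = \d+ 0x[0-9a-fA-F]+ (\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    if ($codes) { $codes -join ',' } else { 'NO_STATUS_LINE' }
}

$line = '{0:s} dns={1} rpc135={2} sc_query={3} sc_verify={4}' -f (Get-Date),
    ($addresses -join '|'), $rpc135, (Get-NltestStatus 'sc_query'), (Get-NltestStatus 'sc_verify')
Add-Content -Path $LogPath -Value $line
$line
```

The first log line where `dns` is empty, `rpc135` is False, or a status other than NERR_Success appears shows which layer failed first and when, relative to the reboot.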