Netlogon error 5719 Windows server 2008 R2 64bit

    Question

  • Just installed a few 2008 R2 servers, all experiencing event ID 5719 after booting; the servers are joined to the domain and can log on fine.
    I can restart the netlogon service with no errors after the servers are up.

    I found the following KB article. Has anyone else had this issue?
    http://support.microsoft.com/default.aspx/kb/938449
    Saturday, October 17, 2009 6:43 PM

All replies

  • these servers will eventually become domain controllers.

    Saturday, October 17, 2009 6:44 PM
  • Hi

    This is typically a domain controller connectivity problem; check your domain controllers.

    If you logon to the server and try to ping the DC by DNS or NetBios name can you resolve the IP?


    Thanks...


    Deva --Self-trust is the first secret of success.
    Saturday, October 17, 2009 8:45 PM
  • I only seem to have this error on my 2008 R2 64bit servers; 2003 and 2008 are fine, no netlogon issues.
    I can ping the DCs and resolve them to their FQDNs.

    As I said, I only get the netlogon error when the server restarts. Here are the details:



    first event is a warning:


    Log Name:      System
    Source:        Microsoft-Windows-DNS-Client
    Date:          17/10/2009 21:20:53
    Event ID:      1014
    Task Category: None
    Level:         Warning
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      host.mydomain.com
    Description:
    Name resolution for the name _ldap._tcp.dc._msdcs.mydomain.com timed out after none of the configured DNS servers responded.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
        <EventID>1014</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2009-10-17T20:20:53.598845900Z" />
        <EventRecordID>1545</EventRecordID>
        <Correlation />
        <Execution ProcessID="988" ThreadID="1000" />
        <Channel>System</Channel>
        <Computer>host.mydomain.com</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <EventData>
        <Data Name="QueryName">_ldap._tcp.dc._msdcs.mydomain.com</Data>
        <Data Name="AddressLength">16</Data>
        <Data Name="Address">02000035AC133A410000000000000000</Data>
      </EventData>
    </Event>



    The second error is the netlogon error

    Log Name:      System
    Source:        NETLOGON
    Date:          09/10/2009 21:51:11
    Event ID:      5719
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      host.mydomain.com
    Description:
    This computer was not able to set up a secure session with a domain controller in domain "my domain" due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">5719</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-10-09T20:51:11.000000000Z" />
        <EventRecordID>4844</EventRecordID>
        <Channel>System</Channel>
        <Computer>host.mydomain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>mydomain.com</Data>
        <Data>%%1311</Data>
        <Binary>5E0000C0</Binary>
      </EventData>
    </Event>

    Saturday, October 17, 2009 10:03 PM
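The two records above are the pattern worth detecting on any member server: a DNS-Client 1014 (the DC locator SRV query timing out) followed shortly by a NETLOGON 5719. The following is an added example, not code from the thread or from Microsoft, that parses the Event XML with the standard library, decodes the `Address` field of the 1014 event (assumed here to be a Windows `sockaddr_in`/`sockaddr_in6` structure, which is how it is laid out) into the DNS server IP and port, and pairs each 5719 with the 1014 warnings that preceded it within a window. The sample records are constructed from the post; the 5719 timestamp has been moved to the same boot as the 1014 so the correlation has something to match.

```python
import struct
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Windows event schema namespace (the xmlns on every <Event>).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the two records quoted in the post, reduced to the fields
# read below. The 5719 timestamp is placed ~17 s after the 1014 warning so that
# both fall in the same boot (the posted 5719 was from a different day).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" />
    <EventID>1014</EventID>
    <TimeCreated SystemTime="2009-10-17T20:20:53.598845900Z" />
    <Computer>host.mydomain.com</Computer>
  </System>
  <EventData>
    <Data Name="QueryName">_ldap._tcp.dc._msdcs.mydomain.com</Data>
    <Data Name="AddressLength">16</Data>
    <Data Name="Address">02000035AC133A410000000000000000</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <TimeCreated SystemTime="2009-10-17T20:21:11.000000000Z" />
    <Computer>host.mydomain.com</Computer>
  </System>
  <EventData>
    <Data>mydomain.com</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>
</Events>
"""


def parse_systemtime(s):
    """SystemTime carries up to 9 fractional digits; datetime takes at most 6."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]))


def decode_sockaddr(hex_blob):
    """Decode the DNS-Client 'Address' blob (assumed sockaddr_in / sockaddr_in6).

    The address family is in host byte order (little-endian on x86), the port
    in network byte order, and the IP bytes follow as-is.
    """
    raw = bytes.fromhex(hex_blob)
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from("!H", raw, 2)[0]
    if family == 2:  # AF_INET
        return ".".join(str(b) for b in raw[4:8]), port
    if family == 23:  # AF_INET6: 2-byte flowinfo precedes the 16 address bytes
        return ipaddress.IPv6Address(raw[8:24]).compressed, port
    raise ValueError(f"unsupported address family {family}")


def parse_events(xml_text):
    """Flatten each <Event> into a dict; unnamed <Data> items are keyed by index."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.find("e:EventID", NS).text),
            "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "computer": system.find("e:Computer", NS).text,
            "data": {},
        }
        for i, d in enumerate(ev.findall("e:EventData/e:Data", NS)):
            rec["data"][d.get("Name") or str(i)] = d.text
        events.append(rec)
    return events


def correlate(events, window=timedelta(minutes=2)):
    """Pair each NETLOGON 5719 with DNS-Client 1014 warnings in the preceding window."""
    dns_failures = [e for e in events
                    if e["provider"] == "Microsoft-Windows-DNS-Client" and e["event_id"] == 1014]
    findings = []
    for e in events:
        if not (e["provider"] == "NETLOGON" and e["event_id"] == 5719):
            continue
        for d in dns_failures:
            gap = e["time"] - d["time"]
            if timedelta(0) <= gap <= window and d["computer"] == e["computer"]:
                ip, port = decode_sockaddr(d["data"]["Address"])
                findings.append({
                    "computer": e["computer"],
                    "domain": e["data"]["0"],
                    "failed_query": d["data"]["QueryName"],
                    "dns_server": ip,
                    "dns_port": port,
                    "seconds_before_5719": round(gap.total_seconds(), 1),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{f['computer']}: 5719 for {f['domain']} {f['seconds_before_5719']}s after "
              f"{f['failed_query']} timed out against {f['dns_server']}:{f['dns_port']}")
```

A hit means the locator query never got an answer from the configured DNS server before Netlogon gave up, which is exactly the "service started before the link was usable" picture; a 5719 with no preceding 1014 points elsewhere (DC reachable in DNS but the secure channel itself failing).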
  • It's as if the services (Netlogon) are starting before the NIC has time to negotiate.

    Saturday, October 17, 2009 10:12 PM
  • Hi

    Please paste the unedited IPconfig /all and dcdiag results from your server

    Thanks.....
    Deva --Self-trust is the first secret of success.
    Saturday, October 17, 2009 10:17 PM
  • Hi Arkturas,

     

    According to your description, I understand that your newly installed Windows 2008 R2 servers got an event ID 5719 when they logged in to a Windows 2003 domain.

     

    To isolate the issue, please run the following command on server to test DNS.

     

    (1) Type nslookup, and then press ENTER.

    (2) Type set type=all, and then press ENTER.

    (3) Type _ldap._tcp.dc._msdcs.mydomain.com and then press ENTER.

     

    What’s the result?

     

    In addition, please collect a MPSreport on the server.

     

    How to collect an MPS report:

     

    1.    Download the proper MPS Report tool from the website below.

    Microsoft Product Support Reports

    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en  

         

    2.    Double-click to run it. If the requirement is not met, please follow the wizard to download and install them. After that, click Next, when the "Select the diagnostics you want to run" page appears, select General; Internet and Networking;Server Components; click Next.

     

    3.    After collecting all log files, choose "Save the results". Choose a folder to save the <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

     

    Best Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 19, 2009 6:03 AM
  • Hi, here is the result of the service records:

    C:\>nslookup
    Default Server:  dc1-sc.im-corp.com
    Address:  172.30.58.60

    > set type=all
    > _ldap._tcp.dc._msdcs.im-corp.com
    Server:  dc1-sc.im-corp.com
    Address:  172.30.58.60

    _ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc4-ch.im-corp.com
    _ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc1-sc.im-corp.com
    _ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc3-ch.im-corp.com
    _ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc2-sc.im-corp.com
    dc4-ch.im-corp.com       internet address = 172.30.57.65
    dc1-sc.im-corp.com       internet address = 172.30.58.60
    dc3-ch.im-corp.com       internet address = 172.30.57.60
    dc2-sc.im-corp.com       internet address = 172.30.58.65
    >

    I will upload the MPS report in a couple of min - thanks for the help


    PS - further info.

    Teaming is not enabled (spare NIC is disabled) , server is a Dell PE1950, IPv6 is disabled using MS reg fix "DisabledComponents" 0xff

    Monday, October 19, 2009 9:36 AM
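The `nslookup` transcript above is what a healthy DC locator answer looks like: one SRV record per DC plus an A record for every SRV target. As an added example (not from the thread), the following parses that output format and applies the two checks a practitioner wants before blaming the client: every SRV target came back with an address, and every record points at the LDAP port the locator expects. The transcript is embedded as a constructed sample copied from the post; the regular expressions assume the English `nslookup` output layout shown there.

```python
import re

# Constructed sample: the nslookup transcript from the post, verbatim.
SAMPLE_NSLOOKUP = """\
C:\\>nslookup
Default Server:  dc1-sc.im-corp.com
Address:  172.30.58.60

> set type=all
> _ldap._tcp.dc._msdcs.im-corp.com
Server:  dc1-sc.im-corp.com
Address:  172.30.58.60

_ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc4-ch.im-corp.com
_ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1-sc.im-corp.com
_ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc3-ch.im-corp.com
_ldap._tcp.dc._msdcs.im-corp.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2-sc.im-corp.com
dc4-ch.im-corp.com       internet address = 172.30.57.65
dc1-sc.im-corp.com       internet address = 172.30.58.60
dc3-ch.im-corp.com       internet address = 172.30.57.60
dc2-sc.im-corp.com       internet address = 172.30.58.65
>
"""

SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:\s*$")
SRV_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)\s*$")
A_GLUE = re.compile(r"^(\S+)\s+internet address = (\S+)\s*$")


def parse_nslookup_srv(text):
    """Return ([srv records], {hostname: ip}) from 'set type=all' nslookup output."""
    srv, glue, current = [], {}, None
    for line in text.splitlines():
        m = SRV_HEADER.match(line)
        if m:
            current = {"name": m.group(1)}
            srv.append(current)
            continue
        m = SRV_FIELD.match(line)
        if m and current is not None:
            key, val = m.groups()
            if key == "svr hostname":
                current["target"] = val
            else:
                current[key] = int(val)
            continue
        m = A_GLUE.match(line)
        if m:
            glue[m.group(1)] = m.group(2)
    return srv, glue


def check_dc_locator(srv, glue, expected_port=389):
    """Problems that would stop a client from using the locator answer."""
    problems = []
    if not srv:
        problems.append("no SRV records: the DC locator has nothing to contact")
    for r in srv:
        if r.get("port") != expected_port:
            problems.append(f"{r.get('target')}: unexpected port {r.get('port')}")
        if r.get("target") not in glue:
            problems.append(f"{r.get('target')}: no A record returned with the SRV answer")
    return problems


def locator_candidates(srv, glue):
    """DCs in the order a client would try them: lowest priority, highest weight first."""
    ordered = sorted(srv, key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], glue.get(r["target"]), r["port"]) for r in ordered]


if __name__ == "__main__":
    records, addresses = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    for target, ip, port in locator_candidates(records, addresses):
        print(f"{target} -> {ip}:{port}")
    print("problems:", check_dc_locator(records, addresses) or "none")
```

With the posted answer every check passes, which is the point: DNS itself is fine once the box is up, so a 1014 at boot is a transport problem (link not yet forwarding), not a zone problem.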
  • Any ideas? This one has really got me stumped; updated BIOS and NIC drivers on Dell PowerEdge servers.
    I don't understand why this is only affecting physical 2008 R2 servers.

    I'm reluctant to dc promo these servers until I get this resolved.
    Monday, October 19, 2009 6:02 PM
  • Hi Arkturas,

     

    Thank you for your upload. Please try the below steps to see whether it resolves the issue.

     

    1.     Follow KB 244474 How to force Kerberos to use TCP instead of UDP in Windows
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

    2.    Make the netlogon service depend on network connections:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon DependOnService =
    Netman

    3.    Disable the Spanning Tree Algorithm feature of your Ethernet switch.

    Set the registry
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
    ExpectedDialupDelay = 180
    KB 202840 A client connected to an Ethernet switch may receive several logon-related error messages during startup
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;202840

    4.    Reboot the server and check the event log again.

     

    Hope it helps.

     

    Best Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Arkturas Thursday, October 22, 2009 4:21 PM
    Tuesday, October 20, 2009 5:36 AM
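The steps above change three registry values, and it is easy to apply them to one server and forget another. The following is an added example (not from the thread or Microsoft) that audits a `reg export` of those keys offline: it parses the `.reg` text format, including `REG_MULTI_SZ` stored as `hex(7):` UTF-16LE with line continuations, and reports whether each setting matches what the answer asks for. The value name for step 1 is `MaxPacketSize = 1` under the Kerberos parameters key, which is what KB 244474 describes; the sample export is constructed, and its existing `DependOnService` entry (`LanmanWorkstation`) is an assumed default.

```python
# Constructed sample .reg export after the three changes were applied.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
  6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,65,00,74,00,6d,00,\
  61,00,6e,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"ExpectedDialupDelay"=dword:000000b4
"""


def decode_reg_value(value):
    """Decode the value side of a .reg line into a Python value."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("hex(7):"):
        # REG_MULTI_SZ: UTF-16LE, NUL-separated strings, terminated by an extra NUL.
        raw = bytes.fromhex(value[len("hex(7):"):].replace(",", ""))
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    return value


def parse_reg_export(text):
    """Return {KEY (upper-cased): {value name: decoded value}} from .reg text."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)

    reg, key = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            reg.setdefault(key, {})
        elif line.startswith('"') and key is not None:
            name, _, value = line.partition("=")
            reg[key][name.strip('"')] = decode_reg_value(value)
    return reg


# (key, value name, predicate, description) for each step in the answer above.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters",
     "MaxPacketSize", lambda v: v == 1, "Kerberos forced to TCP (KB 244474)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon",
     "DependOnService", lambda v: isinstance(v, list) and "Netman" in v,
     "Netlogon depends on Netman"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters",
     "ExpectedDialupDelay", lambda v: v == 180, "ExpectedDialupDelay = 180 (KB 202840)"),
]


def audit(reg):
    """Map each expected setting to True when present with the expected value."""
    results = {}
    for key, name, ok, desc in EXPECTED:
        value = reg.get(key.upper(), {}).get(name)
        results[desc] = value is not None and bool(ok(value))
    return results


if __name__ == "__main__":
    for desc, passed in audit(parse_reg_export(SAMPLE_REG)).items():
        print(f"[{'OK' if passed else 'MISSING'}] {desc}")
```

Run it against `reg export` output from each server before rebooting; a `MISSING` line is a step that was skipped or typed into the wrong key, which is the first thing to rule out when the reboot still produces the 5719.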
  • Thanks, these servers will eventually become DC's - I will run through your steps.

    thanks
    again
    Tuesday, October 20, 2009 8:47 AM
  • Unfortunately this has not resolved the problem; I appreciate the time taken to post the potential resolutions.
    I'm still getting the following two errors when the member server boots.
    Warning Event ID 1014: Name resolution for the name _ldap._tcp.dc._msdcs.mydomain.com timed out after none of the configured DNS servers responded.

    Error Event ID 5719: This computer was not able to set up a secure session with a domain controller in domain "my domain" due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

    I have tried all the steps you mentioned above, I was careful in making sure everything was added.
    I have also tried re-joining the server to the domain.

    I will probably go ahead and DCPROMO these servers and see what happens, these servers will be DNS Servers so it should not need to contact other DC's for _ldap._tcp.dc._msdcs.mydomain.com

    when DNS is configured and the netlogon service started it should then create a DSAguid for itself.
    Tuesday, October 20, 2009 11:43 AM
  • OK, we plugged a generic (buy at local PC shop) hub between the 2008 R2 server and the Cisco Cat6509 switch; it fixed the NETLOGON & LDAP issue.

    Before anyone mentions it, the switch port on the Catalyst had port-spanning disabled.

    Hope this helps anyone else with this issue.

    • Marked as answer by Wilson Jia Wednesday, October 21, 2009 3:41 AM
    Tuesday, October 20, 2009 2:57 PM
  • Hi Arkturas,

    I am glad that you have addressed the root cause of this issue. Thank you for sharing your information with us.

    Welcome to post your question in our TechNet Forum in the future.

    Best Regards,
    Wilson Jia

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, October 21, 2009 3:41 AM