RODC 5723 and 5805 NETLOGON events

    Question

  • I have added 4 RODCs to our domain, which contains 2 regular DCs. All 4 RODCs are showing 5723 & 5805 NETLOGON events.

    I have a Global Security Group set up for each branch office and I have added the user accounts in that office to this group. These 4 groups have been added to the 'Allowed RODC Password Replication' group. I tried adding the computer accounts for the branch offices to their respective office group, but the 5723 & 5805 events keep appearing. I have tried searching all over for a solution, but haven't found one as yet.

    I have had a machine in the head office and it was reporting no errors on the writeable DCs. I then sent it off to the branch office and the errors started appearing on the RODC. I have also tried adding a machine to the domain while it is in the branch and this made no difference.
    Wednesday, June 3, 2009 7:05 AM

Answers

  • Hi,

    Before we go further, please make sure you have applied the following read-only domain controller compatibility pack.

    http://support.microsoft.com/kb/944043

    Also, check if there is any known issue except the NETLOGON error.
    Known Issues for Deploying RODCs
    http://technet.microsoft.com/en-us/library/cc725669(WS.10).aspx

    If the issue persists, try to review the accounts that have authenticated to an RODC; if they are the machines in the NETLOGON errors, try the other suggestions in this guide to configure your Password Replication Policy.

    http://technet.microsoft.com/en-us/library/cc754646.aspx#BKMK_Auth2

    If still no progress, please help to collect the following information for research.

    1.    Download proper MPS Report tool from the website below.

    Microsoft Product Support Reports
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

    2.    Double-click to run it, if requirement is not met, please follow the wizard to download and install them. After that, click Next, when the "Select the diagnostics you want to run" page appears, select "General", Server Components, click Next.

    3.    After collecting all log files, choose "Save the results", choose a folder to save <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, June 4, 2009 10:13 AM
    Moderator
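The moderator's suggestion to "review the accounts that are authenticated to an RODC" can be scripted. The following is an added example, not code from the original thread or from Microsoft: it pulls the NETLOGON 5723/5805 events from the RODC's System log, then joins the failing computer names against what the RODC reports as authenticated (accounts it has seen) and revealed (accounts whose secrets it actually holds), alongside the Allowed and Denied lists of its Password Replication Policy. It assumes the RSAT ActiveDirectory module, rights to read the RODC's event log and PRP, and the RODC name `Iraq` from the ipconfig output further down the thread. The assumption that the first inserted string of each event is the computer name should be checked against `$_.Message` in your own environment.

```powershell
# Added example (not from the original thread or from Microsoft): triage NETLOGON
# 5723/5805 on an RODC and compare the failing computers with what the RODC has
# authenticated and what it is allowed to cache.
# Assumptions: RSAT ActiveDirectory module; rights to read the RODC's System log and
# PRP; RODC name 'Iraq' from the thread. Treating Properties[0] as the computer name
# is an assumption -- verify against $_.Message.
Import-Module ActiveDirectory

$Rodc = 'Iraq'

# 1. NETLOGON session-setup failures logged on the RODC in the last 7 days.
$events = Get-WinEvent -ComputerName $Rodc -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5723, 5805
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Normalise to bare upper-case host names so they compare with AD object names.
$failing = @($events |
    Where-Object { $_.Properties.Count -gt 0 } |
    ForEach-Object { ([string]$_.Properties[0].Value).TrimEnd('$').ToUpperInvariant() } |
    Sort-Object -Unique)

# 2. What the RODC has seen (authenticated) versus whose secrets it holds (revealed),
#    and the PRP lists that decide which of the former may become the latter.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$allowed       = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied        = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

$revealedNames = @($revealed | ForEach-Object { $_.Name.TrimEnd('$').ToUpperInvariant() })

# 3. Join: computer accounts that logged 5723/5805, did authenticate through this
#    RODC, and whether their secret is cached. Cached = False rows are the ones the
#    PRP is not covering and are candidates for the branch office group.
$report = foreach ($acct in $authenticated) {
    if ($acct.objectClass -ne 'computer') { continue }
    $name = $acct.Name.TrimEnd('$').ToUpperInvariant()
    if ($failing -notcontains $name) { continue }
    New-Object PSObject -Property @{
        Computer = $name
        Cached   = ($revealedNames -contains $name)
        DN       = $acct.DistinguishedName
    }
}

"PRP on ${Rodc}: Allowed = $($allowed.Name -join ', ')"
"PRP on ${Rodc}: Denied  = $($denied.Name -join ', ')"
$report | Sort-Object Cached, Computer | Format-Table Computer, Cached, DN -AutoSize
```

Read the Denied line as carefully as the Allowed one: an account that matches both lists is denied, so a branch computer can sit in the branch group and still never be cached if some broader group it belongs to is in Denied. The Allowed/Denied output also makes it obvious when a whole-domain group has been dropped into Allowed, which is the point to scope back to per-branch groups.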

All replies

  • Hello Grubsy,

    Did you follow the steps included in the event ids? Are the RODC cloned machines
    and just renamed? Please post an unedited ipconfig /all from them and also
    one DC from the Main site.

    Also check:
    http://www.eventid.net/display.asp?eventid=5723&eventno=106&source=NETLOGON&phase=1

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

    Wednesday, June 3, 2009 7:58 AM
  • In case of the computer in question (the one that you shipped over to the branch office), have you confirmed that the computer account has replicated to the RODC? You might want to also verify that the DNS entry for this computer has been properly updated...

    hth
    Marcin

    Wednesday, June 3, 2009 1:11 PM
  • Did you follow the steps included in the event ids? Are the RODC cloned machines
    and just renamed? Please post an unedited ipconfig /all from them and also
    one DC from the Main site.
    Yes. I tried the steps in the event IDs and it did not fix the problem. No, the RODCs are not cloned machines.

    DC From Main Site
    C:\Users\Administrator>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : London
       Primary Dns Suffix  . . . . . . . : nci.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : nci.local

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
       Physical Address. . . . . . . . . : 00-50-56-A3-67-24
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::441d:2b44:80f:538%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.30.0.240(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . : 172.30.0.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           172.30.0.241
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{198E3E17-0626-4479-97FD-CC8ABCA40050}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Users\Administrator>

    RODC
    C:\Users\Administrator.NCI>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Iraq
       Primary Dns Suffix  . . . . . . . : nci.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : nci.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-1E-68-EF-63-7B
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.30.8.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . : 172.30.8.1
       DNS Servers . . . . . . . . . . . : 172.30.0.240
                                           172.30.0.241
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{A72BA2EF-9FC5-405E-8CA9-08B1C312F36F}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Users\Administrator.NCI>
    Wednesday, June 3, 2009 10:56 PM
  • In case of the computer in question (the one that you shipped over to the branch office), have you confirmed that the computer account has replicated to the RODC? You might want to also verify that the DNS entry for this computer has been properly updated...

    Hi Marcin, it isn't just 1 computer. I'm pretty certain it is every computer in all 4 branch offices that are having the issues. How do I check if the computer accounts have replicated properly to the RODC? I've checked AD Users & Computers and they are listed in there.

    If I check the 'Advanced Password Replication Policy' for the RODC and look at 'Accounts whose passwords are stored on this RODC' the computer accounts for the branch are listed. They are also listed under 'Accounts that have been authenticated to this RODC'.

    The DNS entries look fine, I often connect via VNC just using the computer name.

    Wednesday, June 3, 2009 11:01 PM
  • Thanks Mervyn. I am not in the office the next few days. Will try on Tuesday and report back with the results. I did forget to mention all the clients are running Windows XP Pro SP3. Hopefully the compatibility pack might do the trick! Is there a way I can deploy it via WSUS?
    Thursday, June 4, 2009 10:42 AM
  • Hi,

    Sorry to say I'm not familiar with WSUS; it's suggested to post in the WSUS forum if you have WSUS questions. Thank you for your understanding.

    WSUS
    http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads

    Regards

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, June 5, 2009 9:50 AM
    Moderator
  • "I have a Global Security Group set up for each branch office and I have added the user accounts in that office to this group. These 4 groups have been added to the 'Allowed RODC Password Replication' group. I tried adding the computer accounts for the branch offices to their respective office group."

    This seems to have stopped just about every occurrence. I can see when a machine that is not in one of the 4 groups is in a branch office it reports the errors. I have also installed SP2 on the servers.
    Wednesday, July 1, 2009 10:57 PM
  • I know this is an old thread but I am having this exact same issue. I have applied the RODC Compatibility patch to all XP SP3 clients in my outer offices and set up the PRP to Microsoft best-practice standards, yet I am still receiving this error. The one thing I noticed was that in the PRP, where it lists the passwords that are cached on the server, it is only listing the domain user accounts and not the computers. However, if I view "Accounts that have been authenticated to this Read Only Domain Controller" I see both computers and domain user accounts.

    Do I need to add the computer accounts for that office to the security group that allows password caching for that office?

    Thursday, May 26, 2011 2:23 PM
  • I am also having the same issue as listed in this thread but I don't really understand from the posts what the exact resolution was.

    Could someone please elaborate on this?

    Monday, February 27, 2012 3:38 PM
  • In addition to having the branch office user accounts cached on the RODC, the branch office computer accounts should have their passwords cached as well. Computer accounts are first-class security principals just like users. If a WAN link fails and the RODC cannot contact a RWDC to authenticate the computer, the user logon to the computer will fail. For more information, please see:

    http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=WS.10).aspx

    HTH,

    Brian


    BrianY MCT, MCLC

    Monday, February 27, 2012 6:27 PM
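Brian's point, and the original poster's eventual fix, amount to one change: the branch computer accounts have to fall under the RODC's Allowed list just like the branch users. The following is an added example, not code from the original thread or from Microsoft, that does this for one branch and then pre-populates the secrets so the first logon after a WAN outage does not depend on the link. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the RODC `Iraq` and the writable DC `London` come from the ipconfig output earlier in the thread, while the OU `OU=Baghdad,OU=Branches,DC=nci,DC=local` and the group name `Iraq Branch Accounts` are hypothetical.

```powershell
# Added example (not from the original thread or from Microsoft): let an RODC cache
# a branch's computer accounts as well as its users, then pre-populate the secrets.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, repadmin.exe on the
# path. 'Iraq' and 'London' are from the thread; the OU and group name are made up.
Import-Module ActiveDirectory

$Rodc        = 'Iraq'
$SourceDc    = 'London'                                   # writable DC holding the secrets
$BranchOu    = 'OU=Baghdad,OU=Branches,DC=nci,DC=local'   # assumption
$BranchGroup = 'Iraq Branch Accounts'                     # assumption: one global group per branch

# 1. One global security group per branch, nested into the built-in domain-local
#    'Allowed RODC Password Replication Group' (the structure the original poster used).
if (-not (Get-ADGroup -Filter "Name -eq '$BranchGroup'")) {
    New-ADGroup -Name $BranchGroup -GroupScope Global -GroupCategory Security -Path $BranchOu
}
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $BranchGroup

# 2. Computer accounts are security principals too: add them alongside the users.
#    Scoping by OU keeps head-office servers out of the RODC's cache.
$branchComputers = @(Get-ADComputer -Filter * -SearchBase $BranchOu)
$branchUsers     = @(Get-ADUser     -Filter * -SearchBase $BranchOu)
$members = $branchComputers + $branchUsers
if ($members.Count -gt 0) {
    Add-ADGroupMember -Identity $BranchGroup -Members $members
}

# 3. Denied takes precedence over Allowed; show it so a broad Denied entry is not
#    silently overriding the branch group.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, objectClass

# 4. Pre-populate the computer secrets from the writable DC. repadmin takes one or
#    more DNs; the PRP is enforced, so a denied account is simply refused here.
foreach ($c in $branchComputers) {
    & repadmin /rodcpwdrepl $Rodc $SourceDc $c.DistinguishedName
}

# 5. Verify: the branch computers should now be in the RODC's revealed list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object Name, DistinguishedName
```

Two cautions a practitioner would want. First, everything revealed to an RODC is exposed if that RODC is stolen or compromised, so the Allowed list should be the branch's own users and computers, not `Domain Users` or `Domain Computers` as one later reply did; the default Denied list (Domain Admins, Enterprise Admins, and the other privileged groups) should be left in place. Second, membership changes take effect only after replication reaches the RODC, and a computer that was already authenticated before the change stays uncached until its next authentication or until it is pre-populated as in step 4.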
  • Ok here is what I did but I'm still seeing these errors.

    I put Domain computers as a member of: Allowed RODC Password Replication Group

    Then for each dc I edited internally to the object and allowed a group (universal security group) we have which contains all our users for that location.

    I did this on 2/27 and I'm still seeing these errors for machines.

    I have not installed a compatibility pack.

    Monday, March 5, 2012 8:30 PM
  • In my environment I have all the machines on Win7 and all the domain controllers on Windows 2008, but I still see the same errors. Do we need to install this KB patch on Windows 7 machines also?

    I have no accounts or machines cached on the RODC and we don't want to cache any accounts on the RODCs.

    Please suggest



    Tuesday, September 16, 2014 11:02 AM