NETLOGON 5723, 5805, 5722 from nonexistent computer

 

I have a single domain with Windows 2012, 2008 and 2003 domain controllers.  Domain forest functional level 2003.

All domain controllers have NETLOGON 5723, 5805, 5722 errors caused by one computer.  The problematic computer was a Surface Pro 3 which we no longer have and is no longer on the network.

I have seen this type of problem before and simply disjoin and rejoin the computer to the domain to fix the problem.  However, for this particular computer, ST339, I just cannot remove the NETLOGON 5723, 5805, 5722 errors from the domain controllers' event logs.

I have no replication or network connectivity issues.  The whole network is on a local Ethernet LAN.

I have done the following:

Deleted DNS records for the machine, deleted the computer account in the domain computers container, deleted the DHCP record.

Used both a different Windows 7 PC and a Windows 8.1 laptop to try to fix the problem by changing their name to ST339 and joining/disjoining/rejoining the domain.  Tried this multiple times.  Even used a new Windows 7 installation (not an image) to make sure there are no SID issues.

Also used NTDSUTIL to check for duplicate SIDs in the domain and found none.

I can tell the computers can join the domain fine because AD shows the computer ST339 and the DNS record is added (AD shows the computer with the correct OS, i.e. Windows 7 or Windows 8.1, indicating it was joined correctly).  After I disjoin the computer, the DNS record and the AD computer account are removed.

With a computer joined to the domain as ST339, I get the following error:

NETLOGON 5722, which shows up exactly 4 hours apart, down to the very second:

"The session setup from the computer ST339 failed to authenticate. The name(s) of the account(s) referenced in the security database is ST339$.  The following error occurred:

Access is denied."

With the computer disjoined from the domain, and having made sure there are no records of it in DNS or the domain, I get error 5723:

"The session setup from computer 'ST339' failed because the security database does not contain a trust account 'ST339$' referenced by the specified computer."

Followed by 5805 a few minutes apart:

The session setup from the computer ST339 failed to authenticate. The following error occurred:

Access is denied.

Again, my issue is that I can't prevent those errors, whether the computer is joined to the domain or disjoined with all records deleted from the domain.

Also tried resetting the computer account from AD.

DCDIAG shows no issues.

Checked the clock on the DC and the computer.

 

I found this similar thread here and it was unsolved:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e97adc10-6b58-4073-8028-6f5bf1de28fc/event-5805-the-session-setup-from-the-computer-ws12-failed-to-authenticate-the-following-error?forum=winserverDS

August 6th, 2015 6:59pm
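
The timing pattern described in the post above (5722 exactly 4 hours apart, 5723 followed by 5805 minutes later) can be checked from the logs themselves. The following is an added example, not code from the thread: the function name, its -Record parameter, the DC names and the sample timestamps are all assumptions made for illustration.

```powershell
# Added example, not code from the thread. Reports the time gap between
# consecutive NETLOGON 5722/5723/5805 events per domain controller and event ID.
function Get-NetlogonEventInterval {
    param(
        # Objects exposing TimeCreated, Id and MachineName (as Get-WinEvent returns)
        [Parameter(Mandatory)] [object[]] $Record,
        [int[]] $EventId = @(5722, 5723, 5805)
    )
    $Record |
        Where-Object { $EventId -contains $_.Id } |
        Group-Object MachineName, Id |
        ForEach-Object {
            # Oldest first, so each row is compared with the event before it
            $sorted = @($_.Group | Sort-Object TimeCreated)
            for ($i = 1; $i -lt $sorted.Count; $i++) {
                [pscustomobject]@{
                    DomainController = $sorted[$i].MachineName
                    Id               = $sorted[$i].Id
                    TimeCreated      = $sorted[$i].TimeCreated
                    GapFromPrevious  = $sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated
                }
            }
        }
}

# Constructed sample events (DC01 and the timestamps are made up for illustration):
# a 5723 every 4 hours, each followed by a 5805 two minutes later.
$t0 = [datetime]'2015-08-07T03:20:00'
$sample = foreach ($n in 0..2) {
    $t = $t0.AddHours(4 * $n)
    [pscustomobject]@{ MachineName = 'DC01'; Id = 5723; TimeCreated = $t }
    [pscustomobject]@{ MachineName = 'DC01'; Id = 5805; TimeCreated = $t.AddMinutes(2) }
}
Get-NetlogonEventInterval -Record $sample | Format-Table -AutoSize

# Against live DCs (DC01/DC02 are placeholder names):
# $live = foreach ($dc in 'DC01', 'DC02') {
#     Get-WinEvent -ComputerName $dc -FilterHashtable @{
#         LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722, 5723, 5805
#     } | Where-Object { $_.Message -match '\bST339\b' }
# }
# Get-NetlogonEventInterval -Record $live | Format-Table -AutoSize
```

Get-WinEvent needs Windows Server 2008 or later on the machine being queried, so the Windows 2003 domain controllers mentioned in the post would have to be read with Get-EventLog instead.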

Hi,

Hope this is happening only for one Computer account?

August 7th, 2015 9:24am

Yes.  One computer account only.  Just checked the log.  5723 followed by 5805 every 4 hours like clockwork.
August 7th, 2015 3:22pm

Hi, did you check

Change SPN from domain user account to machine account
--------------------------------------------------------------------------------
Remove the old SPN
1. At a cmd prompt run SetSPN -D <service>/<netbios name> <your domain>\<domain user account>
2. At a cmd prompt run SetSPN -D <service>/<fqdn name> <your domain>\<domain user account>

Add the new SPN:
1. At a cmd prompt run SETSPN -A <service>/<netbios name> machinename.domain.com
2. At a cmd prompt run SETSPN -A <service>/<fqdn> machinename

Verifying SPNs with SETSPN
At a cmd prompt run SETSPN -L <your domain>\<domain user account>
    SPN should no longer be listed.
   
At a cmd prompt run SETSPN -L <machinename>
    SPN should be listed.

August 8th, 2015 12:23pm

I'm not following what SPN has to do with this error.

No domain user account is associated with this machine account. 

When I add a machine with the name ST339 to the domain, I can see that it works with the machine showing up under domain computers. 

The error 5722 would appear right away in the domain controller event log.

Again it is only this one particular computer account name.  I have no issues if I simply change the computer name to something else and join the domain.

Running the SETSPN command:

C:\Users\Administrator.DOMAIN>setspn -L DOMAIN.com\st339

Registered ServicePrincipalNames for CN=ST339,CN=Computers,DC=DOMAIN,DC=com:

        RestrictedKrbHost/ST339

        HOST/ST339

        RestrictedKrbHost/ST339.DOMAIN.com

        HOST/ST339.DOMAIN.com

August 10th, 2015 8:40pm

Hi,

Can you let me know do you have WINS in your environment?

August 11th, 2015 12:46pm

no WINS
August 11th, 2015 4:36pm

Hi,

This issue looks like a secure channel issue between the client machine and the domain. I would suggest trying the following steps.

#Start remote Powershell session
Enter-PSSession -ComputerName workstation1
#Reset the password
Reset-ComputerMachinePassword -Credential domain\username -Server dc-server
#Test trust relationship
Test-ComputerSecureChannel
Exit-PSSession

Replace workstation1 with your actual target machine name
Replace domain\username with a user that has administrative rights
Replace dc-server with your actual server name
It will prompt for a password.


Ref: http://blogs.technet.com/b/reference_point/archive/2012/11/22/quot-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed-quot.aspx
August 12th, 2015 12:51am

This topic is archived. No further replies will be accepted.
