The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure

The_NetLogon_service_on_remote_machines_will_not_be_able_to_connect_to_this_DC_over_TCP_IP_resulting_in_authentication_failure_5_Rule (Rule)

Knowledge Base article:

Summary

The Net Logon service could not register a remote procedure call (RPC) endpoint for the TCP/IP protocol.

Sample Event:

The NetLogon service on this domain controller has been configured to use port %1 for incoming RPC connections over TCP/IP from remote machines. However, the following error occurred when Netlogon attempted to register this port with the RPC endpoint mapper service: %2 This will prevent the NetLogon service on remote machines from connecting to this domain controller over TCP/IP that may result in authentication problems.

Resolutions

The port is configured either through Group Policy or through the registry value 'DcTcpipPort' under the 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' registry key; the value configured through Group Policy takes precedence. If the specified port is wrong, reset it to a correct value. You can also remove the port configuration, in which case the endpoint mapper assigns the port dynamically when the NetLogon service on remote machines makes RPC connections to this domain controller. After the misconfiguration is corrected, restart the NetLogon service on this machine and verify that this event no longer appears in the event log.
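
The checks from the resolution above, as an added PowerShell example (not part of the management pack). It assumes an elevated session on the domain controller and a Windows version that ships Get-NetTCPConnection; the one-day look-back window is an arbitrary choice.

```powershell
# Added example: inspects the local DcTcpipPort setting and recent 5809 events.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$since = (Get-Date).AddDays(-1)   # look-back window, chosen for illustration

# 1. Read the locally configured port. A Group Policy setting, if present,
#    takes precedence over this value and is not inspected here.
$port = (Get-ItemProperty -Path $key -Name DcTcpipPort -ErrorAction SilentlyContinue).DcTcpipPort

if ($null -eq $port) {
    Write-Output 'DcTcpipPort is not set: the endpoint mapper assigns the port dynamically.'
}
elseif ($port -lt 1 -or $port -gt 65535) {
    Write-Warning "DcTcpipPort is $port, which is not a valid TCP port."
}
else {
    Write-Output "DcTcpipPort is set to $port."
    # 2. Show which process, if any, already listens on that port.
    #    Netlogon runs inside lsass.exe, so an lsass listener is the DC itself.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Port {0} on {1} is held by PID {2} ({3})" -f `
            $port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
    if (-not $listeners) { Write-Output "Nothing is listening on port $port." }
}

# 3. List recent 5809 events from the System log as a baseline.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5809; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object ProviderName -eq 'NETLOGON' |
    Select-Object TimeCreated, Message

# 4. After correcting or removing the value, restart Netlogon and confirm
#    that no new 5809 event is logged. Uncomment once the fix is in place:
# Restart-Service -Name Netlogon
# Start-Sleep -Seconds 30
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5809;
#     StartTime = (Get-Date).AddMinutes(-1) } -ErrorAction SilentlyContinue
```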

Element properties:

Target: Microsoft.Windows.Server.2003.AD.DomainControllerRole
Category: EventCollection
Enabled: True
Event_ID: 5809
Event Source: NetLogon
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Remotable: True
Alert Message:
    The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure
    {0}
Event Log: System
Comment: Mom2005ID='{09FCC6C3-1B69-4204-9320-EF13A795DE1B}';MOM2005GroupID=

Member Modules:

ID                         Module Type  TypeId                                                 RunAs
DS                         DataSource   Microsoft.Windows.EventProvider                        Default
CollectEventData           WriteAction  Microsoft.SystemCenter.CollectEvent                    Default
CollectEventDataWarehouse  WriteAction  Microsoft.SystemCenter.DataWarehouse.PublishEventData  Default
GenerateAlert              WriteAction  System.Health.GenerateAlert                            Default

Source Code:

<Rule ID="The_NetLogon_service_on_remote_machines_will_not_be_able_to_connect_to_this_DC_over_TCP_IP_resulting_in_authentication_failure_5_Rule" Comment="Mom2005ID='{09FCC6C3-1B69-4204-9320-EF13A795DE1B}';MOM2005GroupID=" Enabled="onEssentialMonitoring" Target="AD2003Core!Microsoft.Windows.Server.2003.AD.DomainControllerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>5809</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>NetLogon</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertOwner>$Data/PublisherName$</AlertOwner>
      <AlertMessageId>$MPElement[Name="The_NetLogon_service_on_remote_machines_will_not_be_able_to_connect_to_this_DC_over_TCP_IP_resulting_in_authentication_failure_5_Rule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
    <WriteAction ID="CollectEventData" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="CollectEventDataWarehouse" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>