Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5723 Source: NETLOGON

Source
Level
Description
The session setup from the computer name_of_computer failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is name_of_computer$.
Comments
 
This message indicates that the computer referred to in the message has not joined the domain properly or the account is corrupted. Rejoin the domain.
In one case, this Event ID appeared for a computer account that had been disabled for some time before it was re-enabled. It had probably become invalid.

In another case, this Event ID appeared for a computer account that had been added to the domain but the domain controllers were restored to an earlier point in time.

In another case, this Event ID appeared on a Windows 2003 SP1 domain controller each time a Windows XP SP2 computer was started. This computer could ping the domain controller but not vice versa.
Resolution: Disable the Windows XP Firewall. Remove and re-join the computer to the domain. Consider deleting the computer object in Active Directory users and computers in-between to delete any sub-components of the computer object.
When you want to establish a trust between an NT4 and an Windows 2003 Domain you have to check first if the name resolution is correctly configured. See ME889030 for details.
If this is the first occurrence of this event for the specified computer and account, then this may be a transient issue that does not require any actions at this time. Otherwise, the following steps may be taken to resolve this problem:

1. If “name_of_computer$” is a legitimate machine account for the computer “name_of_computer”, then “name_of_computer” should be rejoined to the domain.

2. If “name_of_computer$” is a legitimate inter-domain trust account, then the trust should be recreated.

Otherwise, assuming that “name_of_computer$” is not a legitimate account, the following action should be taken on “name_of_computer”:

3. If “name_of_computer” is a Domain Controller, then the trust associated with “name_of_computer$” should be deleted.

4. If “name_of_computer” is not a Domain Controller, then it should be disjoined from the domain.
This problem can also occur if you are using F-Secure Anti-Virus version 5.3 on Windows XP, because F-Secure Anti-Virus version 5.3 is not compatible with Windows XP. See ME831348 for more details.

This event may appear if the account referenced does not exist in the security database. See MSW2KDB for more details.

See ME150518, ME154398, ME318266, ME823659 for additional information on this event.


I had this error after disabling a computer account that did not comply with our naming standards. This event was logged once for every DC in the site, and then NetLogon event 5805 (Access Denied). Enabling the account solved the problem.
If for some reason the "process of secure channel password change" fails, this error will be generated. This event may also mean that the computer does not have an account in the domain or has been deleted.

For each BDC, there is a discrete communication channel (the secure channel) with the PDC. The secure channel is used by the NetLogon service on the BDC and on the PDC in order to communicate. When a BDC is part of a domain, a computer account is created (the computer account can be seen with Server Manager.) A default password is given to the computer account and the BDC stores the password in LSA secret storage $machine.acc. The password is then changed every seven days. Each BDC maintains such an LSA secret, which is used by the NetLogon service in order to establish a secure channel. If the computer account's password and the LSA secret are not synchronized, the NetLogon service fails to start on the BDC.

The error is in Data. For example, the error 0xC0000022 means the computer account's password is invalid, while the error 0xC000018B means the computer account has been deleted, and so on.

See also ME821240.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...