Event ID: 5788 Source: NETLOGON

Description:
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were '<value 1>' and '<value 2>'. The following error occurred: <error description>
Comments
 
- Error: "Access is denied" - The member's computer account can read but cannot write to the Active Directory. See "JSI Tip 2550" to solve this problem.
- Error: "Access is denied" - I have solved this problem simply by disjoining the PC from the domain to a workgroup, deleting the computer account in Active Directory, and then rejoining the domain.
- Error: "The remote procedure call failed and did not execute" - We ran into this error, in addition to an EventID 5789, booting up PCs at a new facility that was using LAN to LAN VPN over DSL. The computers that belonged to Active Directory would hang on "applying computer settings" on boot-up. What it turned out to be was that we needed to add an "ip mtu 1460" statement to the WAN interface of our Cisco router. The link "Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems" provides helpful information related to this issue.
- Error: "The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation)" - In my case a faulty NIC caused this problem. After changing the NIC, the problem disappeared.
This behavior can occur if the computer account has permission to read the Active Directory record for itself, but does not have permission to write to the record or to the entire directory. Using the Active Directory Users and Computers snap-in, verify that the computer has permissions in the "Access the computer from the network" user right for the "Default domain controllers" Group Policy object (GPO) in the Domain Controllers organizational unit. Open each of the following items in the snap-in:
Default Domain Controllers Policy
Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
As a test, add "Authenticated Users" if it is not present. Also, verify that the security settings in the computer object have permission to read, write, create, and delete child objects, and change passwords.

The "Access is denied" error message occurs when Netlogon attempts to update the directory service object for its computer account. In most cases, this occurs for new machine accounts before the computer has had a chance to update the records for the first time.

If the error message is "The system cannot find the file specified" instead of "Access is denied," the computer object may have been deleted. Or (more likely), the computer account does not have permission to even read the object for its computer account. Check the permissions.

If the error message is "The parameter is incorrect" instead of "Access is denied," the DNS suffix for the computer may not match the domain name. To verify and change the suffix, right-click My Computer, click Properties, click the Network Identification tab, click Properties, and then click More. The DNS suffix is listed in the Primary DNS suffix for this computer box. Confirm that this matches your domain name, or change it if necessary.

Check ME257623, ME329708, ME819411, ME826899 to fix this problem.
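The comment above names three preconditions Netlogon needs before it can write its HOST SPNs: a primary DNS suffix equal to the AD domain, read access to its own computer object, and write access to the SPN and DNS host name attributes. The following PowerShell script is an added example, not code from eventid.net or from Microsoft; it performs those checks read-only so they can be reviewed before touching any ACL. It assumes the ActiveDirectory RSAT module (for Get-ADDomain, Get-ADComputer and the AD: drive), an account that can read the domain, and is run on the member that logged the event. The function name Test-NetlogonSpnPrerequisites and its ComputerName parameter are hypothetical; the two schema GUIDs are the well-known values for servicePrincipalName/Validated-SPN and dNSHostName/Validated-DNS-Host-Name.

```powershell
# Added example (not from eventid.net or Microsoft): read-only checks for the causes of
# Event 5788 described in the comments. Needs the ActiveDirectory RSAT module and a
# domain account that can read the computer object. Run on the member that logged the event.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the attributes Netlogon writes on its own computer object.
# The empty GUID marks an ACE that applies to every attribute of the object.
$SpnGuid       = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # servicePrincipalName / Validated-SPN
$DnsHostGuid   = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # dNSHostName / Validated-DNS-Host-Name
$AllAttributes = [guid]::Empty

# Right bits compared as integers so a zero result is unambiguously false.
$WriteBits  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
              [int][System.DirectoryServices.ActiveDirectoryRights]::Self
$GenericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-NetlogonSpnPrerequisites {
    # Hypothetical function; ComputerName defaults to the local machine.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $domain   = Get-ADDomain
    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, dNSHostName

    # Check 1: primary DNS suffix must equal the AD DNS domain name
    # (the "The parameter is incorrect" / mismatched-suffix case).
    $localSuffix   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    $suffixMatches = $localSuffix -ieq $domain.DNSRoot

    # Check 2: the two HOST SPNs Netlogon tries to register should already be present.
    $expectedSpns = @("HOST/$($computer.Name)", "HOST/$($computer.Name).$($domain.DNSRoot)")
    $missingSpns  = @($expectedSpns | Where-Object { $computer.servicePrincipalName -notcontains $_ })

    # Check 3: the account itself (NT AUTHORITY\SELF) needs a validated write or WriteProperty
    # on servicePrincipalName and dNSHostName. Missing ACEs here are the "Access is denied" case.
    $acl  = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $self = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF'
    }
    $canWrite = foreach ($guid in $SpnGuid, $DnsHostGuid) {
        [bool]($self | Where-Object {
            (([int]$_.ActiveDirectoryRights -band $WriteBits) -ne 0) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq $AllAttributes)
        })
    }

    # Principals holding Full Control on the object. Built-in admin groups and SYSTEM appear
    # here by default; anything broader (e.g. Authenticated Users) should be replaced by the
    # two validated writes above rather than left in place.
    $fullControl = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
    } | Select-Object -ExpandProperty IdentityReference)

    [pscustomobject]@{
        Computer                = $computer.Name
        LocalDnsSuffix          = $localSuffix
        DomainDnsRoot           = $domain.DNSRoot
        DnsSuffixMatches        = $suffixMatches
        MissingHostSpns         = $missingSpns
        SelfCanWriteSpn         = $canWrite[0]
        SelfCanWriteDnsHostName = $canWrite[1]
        FullControlPrincipals   = $fullControl
    }
}

Test-NetlogonSpnPrerequisites | Format-List
```

A healthy member reports DnsSuffixMatches true, an empty MissingHostSpns list, both SelfCanWrite values true, and only the default administrative principals under FullControlPrincipals. If the object cannot be read at all, Get-ADComputer throws, which corresponds to the "The system cannot find the file specified" case in the comment above.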


- Error: "The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation)" - I got this error when trying to promote Windows 2000 machines into a Windows 2003 domain. The new machines being added did not have any service packs installed. I installed Service Pack 4 on the Win2k boxes, and then they would promote to a DC with no errors.
- Error: "The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation)" - I got this error when I joined a server to the domain and renamed the computer at the same time. The updated value still showed the old name of the computer. After the mandatory reboot, the error did not repeat.
In my case, the last sentence stated that the "RPC Server is unavailable". What I found was that the host record (A) on the domain controller was incorrect, since the IP address of the server was changed, so I edited the host records to point to the correct IP. I noted this when I tried pinging the host name PCC.LOCAL and got a totally different IP than the one in the TCP/IP properties of the server. Once these changes were made, I tried flushing and re-registering DNS on the 2000 server and got the following when trying to re-register: "Error: The system cannot find the file specified. Refreshing DNS names". I then found ME266319 that addresses this issue and it turned out to be a disabled DHCP Client on the server. After that, I was able to finally re-register the DNS records. Logging into the domain was quick and no more errors were listed in the event log.
I searched everywhere for an answer and finally figured out what to do. I went to Active Directory Users and Computers, clicked in the Computers object, and then selected the PC that was getting the errors, went to properties and Security. I gave Authenticated Users Full Control. Restarted and it was fixed. Unfortunately I am going to have to go around and do this for every Computer object in Active Directory now.
See ME249256 to find out how to troubleshoot intra-site replication failures.
Error: "The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation)." - We have seen this occurring on workstations that, while being part of a Windows 2000 domain / Active Directory, had a DNS domain that did not match the one of the AD.

Error: "Access is denied" - this typically means that the computer account does not have the required permissions to complete a task. This behavior can occur if the DNS domain name for the computer does not match the Active Directory domain name. See ME257734.

Error "The System Cannot Find the File Specified" - it usually means that the computer account does not have permission to read the object for its computer account. This behavior can occur if the DNS domain name for the computer does not match the Active Directory domain name. See ME257734.

Error: "The attribute syntax specified to the directory service is invalid." This behavior can occur if the DNS domain name for the computer does not match the Active Directory domain name. See ME258503.
