Brainlitter » Netlogon Events 5775, 5792, 5719 – SBS 2008 Pooched Until a Reboot

Netlogon Events 5775, 5792, 5719 – SBS 2008 Pooched Until a Reboot

We ran into this little gem today at a client site (running SBS 2008) – thanks for the detail Avi. The client called, explaining how their Outlook clients were unable to connect to the server (Outlook stated it was ‘Trying to connect’ in the bottom right hand). Upon closer inspection of the server, all services were started successfully, but the event logs were riddled with errors (in both the Application and System logs). When I tried to open ‘Active Directory Users and Computers’, we received the following error:

 

   

Active Directory Domain Services

Naming Information cannot be located for the following reason:

The server Is not operational.

 

   

If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the DC, or use the Widows 2000 administration tools. For more information about connecting to DCs running Windows 2000, see Help and Support.

 

   

   

 

 

When we tried to open ‘Exchange Management Console’, we received the following errors:

 

   

An Active Directory error 0x8007203A occurred while searching for domain controllers in domain xxxxx.local:

The server is not operational.

 

   

Name: “xxxxx.local”

It was running command ‘get-recipient -ResultSize’1000’ -SortBy ‘DisplayName’ -RecipientType UserMailbox”.

 

   

   

   

After some further troubleshooting and research, it appears that this is becoming a common issue for Windows Server 2008. The basic symptoms are the following:

  • User Authentication fails
  • SYSVOL is inaccessible and replication fails
  • Server shares are shown, but unavailable
  • One of the following Netlogon events occurs:
    • Netlogon event 5775
    • Netlogon event 5792
    • Netlogon event 5792
    • Netlogon event 5719

   

 

We have been seeing this happen at another office where the users are losing network connectivity with their SBS 2008 server after a few days to a few weeks (this is a known symptom/condition), and rebooting the SBS 2008 server temporarily resolves the issue.

   

 

This issue occurs when you are using a filter driver (commonly a firewall) that utilizes the Transport Driver Interface (Trend Micro uses a TDI network driver, so be aware for our other Trend Micro customers running on Windows 2008/Vista), which is now being deprecated and replaced with WFP in Vista/2008 and beyond.

   

 

The following is a description from Microsoft on why the issues occur:

This problem occurs because of a race condition in which the Tdx.sys driver does not send a disconnect input/output request packet (IRP) indication to the afd.sys driver. When this occurs, the reference count on the AFD socket is not decremented. Eventually, the AFD connection is orphaned. The process that owns the orphaned AFD connection is also orphaned.

   

 

After the issue occurs for some time, all available ports are consumed. Therefore, many orphaned processes appear. When resources become exhausted, the problem occurs that the “Symptoms” section describes.

   

 

The Fix

The following is the Microsoft article explaining the issue, and provides the link to the hot fix which after being applied, has helped. http://support.microsoft.com/default.aspx?scid=kb;EN-US;961775