AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Netlogon 5719 and the Disappearing Domain [Controller]

Netlogon 5719 and the Disappearing Domain [Controller]

  • Comments 4
  • Likes

Netlogon is a client and a server component; when it logs 5719 it is acting as a client and trying to make a network connection that fails for some reason.

A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.


Most of the time this is caused by network issues or name resolution (DNS/WINS) issues. 
Network devices (Switches/Routers/Firewalls) on the way are also on the list of prime suspects behind Netlogon 5719 events.  That includes the NIC drivers on both the client logging the event and DC's it is trying to reach.


If this is being logged on a DC and the event refers to the DC's own domain, something might be preventing the client component of Netlogon from starting a network session (to itself or to another DC in the domain).  Since this is a client component error, port exhaustion can be one possible cause.


If this is referring to remote trusted or trusting domains then connectivity and name resolution for those domains need to be investigated further.


Less frequently, this is caused by a resource leak on the machine logging the event or the target DC(s) it is trying to talk to.


If you're only seeing Netlogon 5719 at startup then the port the machine is connected to on your switch may not be fully up when Netlogon starts.

Netlogon is otherwise a patient client component and will retry again 2 mins after the initial failure and every now and then after that until it is able to reach a DC.


On the other hand, Applications that are relying on Netlogon having domain connectivity when they start might fail as a result if they aren't handling sporadic network outages properly.

Netlogon can be configured to increase the time it waits for the DC to respond by using the ExpectedDialUpDelay registry key.



Further reading: 

PRB: Netlogon Logs Event ID 5719 on a Domain Controller
http://support.microsoft.com/kb/310339


Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
http://support.microsoft.com/kb/326152/en-us


IIS runs out of work items and causes RPC failures when connecting to a remote UNC path
http://support.microsoft.com/kb/221790/en-us


How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/kb/244474/en-us


Error message in a Windows Server 2003-based domain or in a Windows 2000 Server-based domain: "The remote procedure call failed and did not run"
http://support.microsoft.com/kb/911799/en-us


How to Troubleshoot Black Hole Router Issues
http://support.microsoft.com/kb/314825


When you try to connect from TCP ports greater than 5000 you receive the error 'WSAENOBUFS (10055)'
http://support.microsoft.com/kb/196271


Making Netlogon wait longer for a response from a DC before timing out
http://technet.microsoft.com/en-us/library/cc758105.aspx


Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays (Netlogon 5719)
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

 

Comments
  • hi,

    we have similar events in our network environment. the interessting thing is that only laptop users are affected and getting event 5179 or 40960 or 40961. desktop users have no problems.

    your links are very helpful.

  • The laptops are telling you they can't reach a DC to authenticate against which points to the network they're using not being ready at the time when it is logged.

    In general, isolating a common factor between the affected machines should help.  A second recommended factor is to simplify the troubleshooting scenario as much as possible (uninstall anything non-critical from one of the machines that you use to test).

    You have identified the laptops as having the problem while wired clients do not so you need to figure out the common factor between the laptops.

    An interesting test would be to disable the WLAN card on the laptops, connect them to the LAN and see if you have the same event being logged.

    Another factor to identify is *when* you're seeing the event, if it's only at startup or resume then it's not uncommon as the network switch may not be ready when you enter your credentials.

    The important bit is that the event is not a problem in itself....it's just an indicator that you don't have network connectivity when it is logged.  That in turn may cause other problems.

    You should however not look at Netlogon 5719 and try to find problems related to it, you should look at any problem you have and Netlogon 5719 might be an additional symptom of it.

  • See the following for a W2k8 hotfix concerning port exhaustion (which generates a Netlogon 5719 event)

    http://support.microsoft.com/?id=959816

  • Another typical error message which is usually network-related (DNS or transport):

    "The specified domain either does not exist or could not be contacted."

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment