|
| 1 | +--- |
| 2 | +title: Event ID 5719 occurs when the NetLogon service restarts |
| 3 | +description: Helps you diagnose and understand Event ID 5719 (NetLogon). Windows logs this event when you restart the NetLogon service on Windows Server systems. The event appears especially when Windows Server 2025 member servers interact with domain controllers that run earlier Windows Server versions. |
| 4 | +ms.date: 01/15/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, herbertm, raviks, arrenc, v-appelgatet |
| 9 | +ms.custom: |
| 10 | +- sap:windows security\NetLogon, secure channel, dc locator |
| 11 | +- pcy:WinComm Directory Services |
| 12 | +appliesto: |
| 13 | + - <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Supported versions of Windows Server</a> |
| 14 | +--- |
| 15 | +# Event ID 5719 occurs when the NetLogon service restarts |
| 16 | + |
| 17 | +This article helps you diagnose and understand Event ID 5719 (NetLogon). Windows logs this event when you restart the NetLogon service on Windows Server systems. The event appears especially when Windows Server 2025 member servers interact with domain controllers that run earlier Windows Server versions. |
| 18 | + |
| 19 | +## Symptoms |
| 20 | + |
| 21 | +Each time the NetLogon service restarts on a Windows Server 2025 system, Windows logs Event ID 5719 in the System event log. The event text resembles the following excerpt: |
| 22 | + |
| 23 | +> This computer was not able to set up a secure session with a domain controller in domain [domain name] due to the following: An internal error occurred. |
| 24 | +
|
| 25 | +The event text might include the `0xC00000E5 (STATUS_INTERNAL_ERROR)` code. |
| 26 | + |
| 27 | +The event doesn't persist. Windows establishes the secure channel with the domain controller. Normal domain operations then resume. |
| 28 | + |
| 29 | +The event occurs even though you haven't made any recent configuration, update, or software changes. |
| 30 | + |
| 31 | +## Cause |
| 32 | + |
| 33 | +When the NetLogon service restarts in mixed Windows Server environments (Windows Server 2025 vs. Windows Server 2022 or Windows Server 2019 domain controllers), Windows generates Event ID 5719. As long as the secure channel is established, this event is expected and harmless. |
| 34 | + |
| 35 | +The error happens because of protocol differences in Kerberos authentication support. The error doesn't indicate a functional problem unless it keeps occurring in circumstances other than those that this article describes. |
| 36 | + |
| 37 | +When a Windows Server 2025 member server tries to establish a secure channel with a domain controller that runs Windows Server 2022 or an earlier version, it starts the connection by using the new Kerberos authentication method. Older domain controllers don't support this new authentication Remote Procedure Call (RPC) call. Because of this lack of support, authentication fails and Windows logs Event ID 5719. The system automatically falls back to the legacy NetLogon method. This method succeeds in establishing the secure channel. |
| 38 | + |
| 39 | +This sequence results in a single, harmless error event. You can ignore this event unless it's accompanied by ongoing authentication or connectivity problems. |
| 40 | + |
| 41 | +## Resolution |
| 42 | + |
| 43 | +If Event ID 5719 occurs only once when NetLogon restarts and the secure channel is established (domain operations proceed without issue), this event is harmless. You can safely ignore it. |
| 44 | + |
| 45 | +Don't try remediation unless you see additional, persistent authentication or secure channel issues. |
| 46 | + |
| 47 | +Microsoft recognizes this event as expected in mixed-version environments. Microsoft might suppress or clarify this event in future updates or documentation. |
| 48 | + |
| 49 | +> [!IMPORTANT] |
| 50 | +> If the error recurs outside of NetLogon restarts or is accompanied by domain trust or authentication failures, investigate further. Collect the log data as described in [Collecting log data](#collecting-log-data), and then contact Microsoft Support. |
| 51 | +
|
| 52 | +### Workaround (optional) |
| 53 | + |
| 54 | +As part of the transition to Windows Server 2025 or newer domain controllers that support Kerberos for secure channel setup, temporarily configure the following registry setting. Configure this setting on Kerberos-capable member computers that also run NetLogon. |
| 55 | + |
| 56 | +This change suppresses the logging of NetLogon Event ID 5719. Once you deploy enough Windows Server 2025 or newer Kerberos-capable DCs in the domain to ensure reliable Kerberos-based secure channel establishment, remove the registry setting. |
| 57 | + |
| 58 | +- **Registry subkey**: `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters` |
| 59 | + |
| 60 | +- **Registry entry details**: |
| 61 | + |
| 62 | + - Name: `UseKerberosForSecureChannels` |
| 63 | + - Type: `REG_DWORD` |
| 64 | + - Value: `0` |
| 65 | + |
| 66 | +To use a Windows Command Line prompt to apply this change, run the following command: |
| 67 | + |
| 68 | +```console |
| 69 | +reg add "HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v UseKerberosForSecureChannels /t REG_DWORD /d 0 /f |
| 70 | +``` |
| 71 | + |
| 72 | +To use a Windows PowerShell prompt to apply this fix, run the following command: |
| 73 | + |
| 74 | +```powershell |
| 75 | +Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" -Name "UseKerberosForSecureChannels" -Value 0 -Type DWord |
| 76 | +``` |
| 77 | + |
| 78 | +Apply this configuration only temporarily. Monitor it for removal once the domain environment is adequately updated. |
| 79 | + |
| 80 | +## Collecting log data |
| 81 | + |
| 82 | +Collect the following logs: |
| 83 | + |
| 84 | +- **System event logs**. Focus on entries for Event ID 5719 (Source: NetLogon). |
| 85 | + |
| 86 | +- **NetLogon service logs**. If you need deeper analysis, turn NetLogon debugging on. |
| 87 | + |
| 88 | +### Collecting system event logs |
| 89 | + |
| 90 | +```console |
| 91 | +wevtutil qe System "/q:*[System[(EventID=5719)]]" /f:text /c:50 |
| 92 | +``` |
| 93 | + |
| 94 | +### Enabling NetLogon debug logging |
| 95 | + |
| 96 | +```console |
| 97 | +nltest /dbflag:0x2080ffff |
| 98 | +``` |
| 99 | + |
| 100 | +Windows writes these log entries to %systemroot%\debug\NetLogon.log. |
| 101 | + |
| 102 | +To turn off logging, run the `nltest /dbflag:0x0` command. |
| 103 | + |
| 104 | +## More information |
| 105 | + |
| 106 | +The event is specific to Windows Server 2025 member servers that authenticate by using domain controllers that run earlier versions of Windows. In the same scenario, Windows Server 2019 and Windows Server 2022 don't log Event ID 5719. |
| 107 | + |
| 108 | +Windows Server 2025 systems that authenticate by using Windows Server 2025 domain controllers don't log Event ID 5719. |
| 109 | + |
| 110 | +### Log entries in NetLogon.log that trace the secure channel process |
| 111 | + |
| 112 | +When Windows first tries to establish the secure channel, it uses Kerberos: |
| 113 | + |
| 114 | +```output |
| 115 | + [INIT] [10664] UseKerberosForSecureChannels = TRUE |
| 116 | +``` |
| 117 | + |
| 118 | +When Windows tries to connect to the domain controller the first time, it receives an error message that resembles the following log excerpt: |
| 119 | + |
| 120 | +```output |
| 121 | +[SESSION] [3036] CONTOSO: NlDiscoverDc: Found DC \\CONTOSODC.CONTOSO.com |
| 122 | +[SESSION] [3036] CONTOSO: NlSessionSetup: Denied access as we could not authenticate with Kerberos 0xC002002E |
| 123 | +[CRITICAL] [3036] Assertion failed: ClientSession->CsState == CS_IDLE (Source File: onecore\ds\netapi\svcdlls\logonsrv\server\lsrvutil.c, line 3963) |
| 124 | +[SESSION] [3036] CONTOSO: NlSessionSetup: Denied access as we could not authenticate with Kerberos (translated status) 0xC00000E5 |
| 125 | +[SESSION] [3036] CONTOSO: NlSetStatusClientSession: Set connection status to c00000e5 |
| 126 | +[SESSION] [3036] CONTOSO: NlSetStatusClientSession: Unbind from server \\CONTOSODC.CONTOSO.com (TCP) 0. |
| 127 | +[MISC] [3036] Eventlog: 5719 (1) "CONTOSO" 0xc00000e5 3dc54378 84808124 847d677c e2aadc59 xC.=$...|g}.Y... |
| 128 | +[SESSION] [3036] CONTOSO: NlSetStatusClientSession: Set connection status to c000005e |
| 129 | +[SESSION] [3036] CONTOSO: NlSessionSetup: Session setup Failed[AC3] |
| 130 | +``` |
| 131 | + |
| 132 | +Windows tries to create the secure channel again. This time, it works. Windows logs entries that resemble the following excerpt: |
| 133 | + |
| 134 | +```output |
| 135 | +[SESSION] [10664] CONTOSO: NlSessionSetup: Try Session setup |
| 136 | +[SESSION] [10664] CONTOSO: NlDiscoverDc: Start Synchronous Discovery |
| 137 | +[MISC] [10664] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c3fffff1 |
| 138 | +[MAILSLOT] [10664] NetpDcPingListIp: CONTOSO.COM.: Sending UDP ping to 10.32.51.12 ... |
| 139 | +… |
| 140 | +[MISC] [10664] NetpDcAllocateCacheEntry: new entry 0x0000020544B6E450 -> DC:CONTOSODC DnsDomName:CONTOSO.COM Flags:0x3f1fd |
| 141 | +[MISC] [10664] NetpDcGetName: NetpDcGetNameIp for CONTOSO.COM. returned 0 |
| 142 | +``` |
| 143 | + |
| 144 | +Windows also records the Security-NetLogon Event ID 9005 in the Applications and Service Logs\Microsoft\Windows\Security-NetLogon\Operational event log. The log entry resembles the following excerpt: |
| 145 | + |
| 146 | +```output |
| 147 | +Source: Security-NetLogon |
| 148 | +Event ID 9005 |
| 149 | +Task Category: Secure channel setup |
| 150 | +Secure channel setup has failed with Kerberos: An internal error occurred. |
| 151 | +Falling back to NetLogon. |
| 152 | +``` |
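Review bot: The "Workaround (optional)" section (new lines 54-78) describes `UseKerberosForSecureChannels = 0` only as a change that "suppresses the logging of NetLogon Event ID 5719", but the value name and the `[INIT] ... UseKerberosForSecureChannels = TRUE` trace quoted under "More information" suggest it controls whether the Kerberos secure channel attempt is made at all. Please state the actual effect of the setting, so that readers understand they are changing secure channel behavior on the member and not just filtering an event. The section also tells readers to remove the setting later without showing how; consider adding the matching removal command (for example `reg delete "HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v UseKerberosForSecureChannels /f`) and saying whether NetLogon has to be restarted for the change to take effect in either direction. Minor: line 66 says "apply this change" and line 72 says "apply this fix" for the same workaround, and the `%systemroot%\debug\NetLogon.log` path on line 100 is not in code formatting like the other paths and commands.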