Netlogon Error 5783 and 5816

Tom Andersen 96 Reputation points
2020-10-28T13:40:09.377+00:00

For a few months now I have been experiencing random slow logons and issues with timeouts connecting to other domains within ADUC. The issues have coincided with the appearance of Netlogon Errors 5783 and 5816. The problem only seems to occur with some of my DCs and when they are trying to do netlogons or communicate with DCs in other domains. We have full two-way trusts between domains. Microsoft tech support has been useless so far. The issue did not occur until our Network Team uninstalled the Palo Alto User Agent but they say that would not have caused the issue. I am out of ideas and would love any recommendations or support from this community. Thank you so much!

Example errors:
Netlogon has failed an authentication request of account (Domain Controller) in domain (Domain). The request timed out before it could be sent to domain controller (Domain Controller FQDN) in domain (Domain). This is the first failure.

The session setup to the Windows Domain Controller (Domain Controller FQDN) for the domain (Domain) is not responsive. The current RPC call from Netlogon on (Domain Controller) to (Domain Controller FQDN) has been cancelled.


3 answers

  1. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2020-10-29T08:40:24.203+00:00

    Hello @Tom Andersen ,

    Thank you for posting here.

    We can troubleshoot as below.

    1. We can enable netlogon.log on the DCs (or servers) with Event 5816.

    Enabling

    Via registry
    a) Start the Registry editor,
    b) Expand to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
    c) Under “Parameters”, if there is a registry value named “DBFlag” with type Reg_SZ, please delete it first.
    d) Create a REG_DWORD value named “DBFlag” and set its value to 2080FFFF (in hexadecimal).
    e) Collect the log in %systemroot%\debug\netlogon.log

    Via command
    nltest /dbflag:0x2080ffff
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DBFlag /t Reg_Dword /d 0x2080ffff
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v MaximumLogFileSize /t Reg_Dword /d 0x6400000
    Log size, in bytes

    Disabling
    a) To disable debug logging, change the data value to 0x0 in the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
    b) Quit Regedt32.
    c) Stop Net Logon, and then restart Net Logon.

    2. Then, if event 5816 reproduces, we can check whether there is a message like this in the netlogon.log file.

    6/3 14:17:43 [CRITICAL] [123]FakeDomain: NlpUserValidateHigher: Can't allocate Client API slot.

    3. If we can see the message "Can't allocate Client API slot", the issue is related to "MaxConcurrentAPI bottleneck reached".

    4. We can create a new DWORD value named “MaxConcurrentAPI” (no quotes).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    DWORD Value: MaxConcurrentApi
    Double-click the MaxConcurrentApi value and set the data to the desired value in decimal (based on the tuning performed; in this case, I suggest we set the value to 20, 30 or larger).

    Valid range reminder:

    i. Windows 2000: 1-10
    ii. Windows Server XP, 2003, 2003 R2: 1-10
    iii. Windows Server Vista, 7, 2008, 2008 R2: 1-150 (certain conditions apply)
    iv. Windows Server 2012 and above: 1-150 (maximum supported) ----Please see the important note in the default and maximum threads table!

    5. We can set the value to 20 and check whether the issue persists. If the issue persists, we can set the value to 30.
    With the value set to 30, we check again whether the issue persists. If it does, we can set the value to 40 or more.

    Finally, we can check whether changing the registry value to a larger one helps.

    Tip:
    Strictly speaking, we should use performance monitor to calculate the above value, but this is a bit difficult and complicated. We can change the value of the registry and check if it helps.

    For more information, we can refer to the link below.
    Quick Reference: Troubleshooting, Diagnosing, and Tuning MaxConcurrentApi Issues
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-diagnosing-and-tuning/ba-p/256868

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
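
Added example, not part of the original answer or of any Microsoft tool: a Python triage of netlogon.log for steps 2 and 3 above. It counts the "Can't allocate Client API slot" marker and, going slightly beyond the answer, also tallies `NlFinishApiClientSession` timeouts per target DC and the NTSTATUS values on "denying access" lines. The sample lines and the names CORP, PARTNER and dc01.partner.example are constructed.

```python
import re
from collections import Counter

# Netlogon debug line layout: "MM/DD HH:MM:SS [CATEGORY] [thread-id] message".
# \s* after the thread id tolerates "[123]FakeDomain:" as quoted in the answer.
LINE_RE = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}) (\d{2}:\d{2}:\d{2}) \[(\w+)\] \[(\d+)\]\s*(.*)$")
SLOT_MARKER = "Can't allocate Client API slot"
TIMEOUT_RE = re.compile(
    r"NlFinishApiClientSession: timeout call to (\S+)\. Count: \d+")
DENY_RE = re.compile(r"denying access after status: (0x[0-9a-fA-F]+)")

# Well-known NTSTATUS values; anything else is reported as raw hex.
NTSTATUS = {
    0xC0000001: "STATUS_UNSUCCESSFUL",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
}


def triage(lines):
    """Summarise an iterable of netlogon.log lines."""
    slot_times = []        # timestamps of MaxConcurrentApi slot failures
    timeouts = Counter()   # target DC -> timed-out API calls
    denials = Counter()    # NTSTATUS name -> denied validations
    unparsed = 0           # non-blank lines without the standard prefix
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                unparsed += 1
            continue
        date, time, _category, _thread, msg = m.groups()
        if SLOT_MARKER in msg:
            slot_times.append(f"{date} {time}")
        t = TIMEOUT_RE.search(msg)
        if t:
            timeouts[t.group(1)] += 1
        d = DENY_RE.search(msg)
        if d:
            code = int(d.group(1), 16)
            denials[NTSTATUS.get(code, f"0x{code:08x}")] += 1
    if slot_times:
        verdict = "slot-exhaustion"                   # step 3 of the answer
    elif timeouts:
        verdict = "timeouts-without-slot-exhaustion"  # marker absent
    else:
        verdict = "no-match"
    return {
        "verdict": verdict,
        "slot_failures": len(slot_times),
        "slot_first": slot_times[0] if slot_times else None,
        "slot_last": slot_times[-1] if slot_times else None,
        "timeouts": dict(timeouts),
        "denials": dict(denials),
        "unparsed": unparsed,
    }


def triage_file(path):
    """Run triage() over a log file, e.g. %systemroot%\\debug\\netlogon.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh)


# Constructed sample: the marker line from the answer, with invented names.
SAMPLE_SLOT = r"""
06/03 14:17:43 [CRITICAL] [123] CORP: NlpUserValidateHigher: Can't allocate Client API slot.
06/03 14:17:44 [LOGON] [123] CORP: SamLogon: Network logon of PARTNER\user1 from WS01 Entered
06/03 14:17:45 [CRITICAL] [456]CORP: NlpUserValidateHigher: Can't allocate Client API slot.
"""

# Constructed sample: API timeouts with no slot-exhaustion marker.
SAMPLE_TIMEOUT = r"""
10/29 09:08:43 [CRITICAL] [8740] CORP: PARTNER: NlFinishApiClientSession: timeout call to \\dc01.partner.example. Count: 1
10/29 09:08:43 [CRITICAL] [8740] CORP: PARTNER: NlpUserValidateHigher: denying access after status: 0xc0000001 1
10/29 09:08:43 [CRITICAL] [8216] CORP: PARTNER: NlFinishApiClientSession: timeout call to \\dc01.partner.example. Count: 2
10/29 09:08:43 [CRITICAL] [8216] CORP: PARTNER: NlpUserValidateHigher: denying access after status: 0xc0000022 1
ClientSession: continuation line without a timestamp
"""

if __name__ == "__main__":
    for name, sample in (("slot", SAMPLE_SLOT), ("timeout", SAMPLE_TIMEOUT)):
        print(name, triage(sample.splitlines()))
```

The `slot_first` and `slot_last` timestamps can be lined up against the times of event 5816 in the System log before changing MaxConcurrentApi.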


  2. Tom Andersen 96 Reputation points
    2020-10-29T13:36:01.447+00:00

    Not seeing that actual error. Here is what I did see, sanitized... what next?
    10/29 09:08:42 [DOMAIN] [4396] THIS_DOMAIN: Domain thread started
    10/29 09:08:42 [DOMAIN] [4396] THIS_DOMAIN: Domain thread started doing API timeout
    10/29 09:08:42 [CRITICAL] [4396] THIS_DOMAIN: ANOTHER_DOMAIN: NlTimeoutApiClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [MISC] [4396] Eventlog: 5783 (1) "\FQDN_OF_DC_ON_ANOTHER_DOMAIN" "ANOTHER_DOMAIN" "THIS_DC"
    10/29 09:08:42 [MISC] [4396] Didn't log event since it was already logged.
    10/29 09:08:42 [CRITICAL] [4396] THIS_DOMAIN: ANOTHER_DOMAIN: NlTimeoutApiClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [DOMAIN] [4396] THIS_DOMAIN: Domain thread exitting
    10/29 09:08:42 [CRITICAL] [3472] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000022
    10/29 09:08:42 [CRITICAL] [3472] [0] ProcessID is 624
    10/29 09:08:42 [CRITICAL] [3472] [0] System Time is: 10/29/2020 13:8:42:915
    10/29 09:08:42 [CRITICAL] [3472] [0] Generating component is 2
    10/29 09:08:42 [CRITICAL] [3472] [0] Status is 5
    10/29 09:08:42 [CRITICAL] [3472] [0] Detection location is 501
    10/29 09:08:42 [CRITICAL] [3472] [0] Flags is 0
    10/29 09:08:42 [CRITICAL] [3472] [0] NumberOfParameters is 4
    10/29 09:08:42 [CRITICAL] [3472] Unicode string: ncacn_ip_tcp
    10/29 09:08:42 [CRITICAL] [3472] Unicode string: FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] Long val: 305419896
    10/29 09:08:42 [CRITICAL] [3472] Long val: 5
    10/29 09:08:42 [CRITICAL] [3472] [1] ProcessID is 624
    10/29 09:08:42 [CRITICAL] [3472] [1] System Time is: 10/29/2020 13:8:42:915
    10/29 09:08:42 [CRITICAL] [3472] [1] Generating component is 2
    10/29 09:08:42 [CRITICAL] [3472] [1] Status is 5
    10/29 09:08:42 [CRITICAL] [3472] [1] Detection location is 1750
    10/29 09:08:42 [CRITICAL] [3472] [1] Flags is 0
    10/29 09:08:42 [CRITICAL] [3472] [1] NumberOfParameters is 1
    10/29 09:08:42 [CRITICAL] [3472] Long val: 5
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 9
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: dropping the session to \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Set connection status to c000005e
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Start RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Finish RpcCancelThread on \FQDN_OF_DC_ON_ANOTHER_DOMAIN 0
    10/29 09:08:42 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Unbind from server \FQDN_OF_DC_ON_ANOTHER_DOMAIN (TCP) 9.
    10/29 09:08:42 [CRITICAL] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000022 1
    10/29 09:08:42 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSessionSetup: Try Session setup
    10/29 09:08:42 [SESSION] [6588] THIS_DOMAIN: ANOTHER_DOMAIN: NlDiscoverDc: Start Async Discovery
    10/29 09:08:42 [MISC] [6588] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:08:42 [MAILSLOT] [6588] NetpDcPingListIp: ANOTHER_DOMAIN: Sent UDP ping to IP_OF_DC_IN_ANOTHER_DOMAIN
    10/29 09:08:43 [MISC] [6588] NetpDcAllocateCacheEntry: new entry 0x000001810DC62270 -> DC:DC_IN_ANOTHER_DOMAIN DnsDomName:ANOTHER_DOMAIN Flags:0xf1fc
    10/29 09:08:43 [MISC] [6588] NetpDcGetName: NetpDcGetNameIp for ANOTHER_DOMAIN returned 0
    10/29 09:08:43 [MISC] [6588] NetpDcDerefCacheEntry: destroying entry 0x000001810DC62770
    10/29 09:08:43 [PERF] [6588] NlSetServerClientSession: Not changing connection (00000181044B6988): "\FQDN_OF_DC_ON_ANOTHER_DOMAIN"
    ClientSession: 000001810DD30AA0THIS_DOMAIN: ANOTHER_DOMAIN: NlDiscoverDc: Found DC \FQDN_OF_DC_ON_ANOTHER_DOMAIN
    10/29 09:08:43 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSessionSetup: Negotiated flags with server are 0x613fffff
    10/29 09:08:43 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Set connection status to 0
    10/29 09:08:43 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSetStatusClientSession: Set connection status to 0
    10/29 09:08:43 [SESSION] [3472] THIS_DOMAIN: ANOTHER_DOMAIN: NlSessionSetup: Session setup Succeeded
    10/29 09:08:43 [LOGON] [3472] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [4344] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [4344] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [LOGON] [4344] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\ANOTHER_DC_IN_THIS_DOMAIN$ from ANOTHER_DC_IN_THIS_DOMAIN (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [4344] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\ANOTHER_DC_IN_THIS_DOMAIN$ from ANOTHER_DC_IN_THIS_DOMAIN (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [8740] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [8740] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [8740] [0] System Time is: 10/29/2020 13:8:43:40
    10/29 09:08:43 [CRITICAL] [8740] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [8740] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [8740] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [8740] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [8740] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [8740] Long val: 1825
    10/29 09:08:43 [SESSION] [8740] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 8.
    10/29 09:08:43 [CRITICAL] [8740] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 1
    10/29 09:08:43 [CRITICAL] [8740] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [8740] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [8740] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [8740] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [8216] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [8216] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [8216] [0] System Time is: 10/29/2020 13:8:43:40
    10/29 09:08:43 [CRITICAL] [8216] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [8216] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [8216] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [8216] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [8216] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [8216] Long val: 1825
    10/29 09:08:43 [SESSION] [8216] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 7.
    10/29 09:08:43 [CRITICAL] [8216] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 2
    10/29 09:08:43 [CRITICAL] [8216] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [8216] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [8216] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [8216] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [3444] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [3444] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [3444] [0] System Time is: 10/29/2020 13:8:43:56
    10/29 09:08:43 [CRITICAL] [3444] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [3444] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [3444] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [3444] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [3444] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [3444] Long val: 1825
    10/29 09:08:43 [SESSION] [3444] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 6.
    10/29 09:08:43 [CRITICAL] [3444] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 3
    10/29 09:08:43 [CRITICAL] [3444] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [3444] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [3444] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [3444] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [7808] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [7808] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [7808] [0] System Time is: 10/29/2020 13:8:43:56
    10/29 09:08:43 [CRITICAL] [7808] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [7808] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [7808] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [7808] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [7808] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [7808] Long val: 1825
    10/29 09:08:43 [SESSION] [7808] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 5.
    10/29 09:08:43 [CRITICAL] [7808] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 4
    10/29 09:08:43 [CRITICAL] [7808] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [7808] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [7808] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [7808] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [7312] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [7312] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [7312] [0] System Time is: 10/29/2020 13:8:43:56
    10/29 09:08:43 [CRITICAL] [7312] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [7312] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [7312] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [7312] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [7312] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [7312] Long val: 1825
    10/29 09:08:43 [SESSION] [7312] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 4.
    10/29 09:08:43 [CRITICAL] [7312] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 5
    10/29 09:08:43 [CRITICAL] [7312] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [7312] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [7312] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [7312] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [864] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [864] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [864] [0] System Time is: 10/29/2020 13:8:43:71
    10/29 09:08:43 [CRITICAL] [864] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [864] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [864] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [864] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [864] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [864] Long val: 1825
    10/29 09:08:43 [SESSION] [864] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 3.
    10/29 09:08:43 [CRITICAL] [864] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 6
    10/29 09:08:43 [CRITICAL] [864] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [864] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [864] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [864] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [4612] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [4612] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [4612] [0] System Time is: 10/29/2020 13:8:43:71
    10/29 09:08:43 [CRITICAL] [4612] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [4612] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [4612] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [4612] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [4612] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [4612] Long val: 1825
    10/29 09:08:43 [SESSION] [4612] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 2.
    10/29 09:08:43 [CRITICAL] [4612] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 7
    10/29 09:08:43 [CRITICAL] [4612] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [4612] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [4612] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [4612] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\THIS_DC$ from THIS_DC (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [CRITICAL] [668] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0000001
    10/29 09:08:43 [CRITICAL] [668] [0] ProcessID is 624
    10/29 09:08:43 [CRITICAL] [668] [0] System Time is: 10/29/2020 13:8:43:71
    10/29 09:08:43 [CRITICAL] [668] [0] Generating component is 2
    10/29 09:08:43 [CRITICAL] [668] [0] Status is 1825
    10/29 09:08:43 [CRITICAL] [668] [0] Detection location is 1750
    10/29 09:08:43 [CRITICAL] [668] [0] Flags is 0
    10/29 09:08:43 [CRITICAL] [668] [0] NumberOfParameters is 1
    10/29 09:08:43 [CRITICAL] [668] Long val: 1825
    10/29 09:08:43 [SESSION] [668] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: Unbind from server (null) (TCP) 1.
    10/29 09:08:43 [CRITICAL] [668] THIS_DOMAIN: ANOTHER_DOMAIN: NlFinishApiClientSession: timeout call to \FQDN_OF_DC_ON_ANOTHER_DOMAIN. Count: 8
    10/29 09:08:43 [CRITICAL] [668] THIS_DOMAIN: ANOTHER_DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000001 1
    10/29 09:08:43 [LOGON] [668] THIS_DOMAIN: SamLogon: Network logon of ANOTHER_DOMAIN\DC_IN_ANOTHER_DOMAIN$ from DC_IN_ANOTHER_DOMAIN Returns 0x0
    10/29 09:08:43 [LOGON] [668] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\ANOTHER_DC_IN_THIS_DOMAIN$ from ANOTHER_DC_IN_THIS_DOMAIN (via DC_IN_ANOTHER_DOMAIN) Entered
    10/29 09:08:43 [LOGON] [668] THIS_DOMAIN: SamLogon: Transitive Network logon of THIS_DOMAIN\ANOTHER_DC_IN_THIS_DOMAIN$ from ANOTHER_DC_IN_THIS_DOMAIN (via DC_IN_ANOTHER_DOMAIN) Returns 0x0
    10/29 09:08:43 [MISC] [668] THIS_DOMAIN: DsGetDcName function called: client PID=1368, Dom:ANOTHER_DOMAIN Acct:(null) Flags: DS BACKGROUND RET_DNS
    10/29 09:08:43 [MISC] [668] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:08:43 [MAILSLOT] [668] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN (null) on <Local>
    10/29 09:08:43 [MAILSLOT] [668] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:08:43 [MISC] [668] NetpDcAllocateCacheEntry: new entry 0x000001810DD68780 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:08:43 [MISC] [668] NetpDcDerefCacheEntry: destroying entry 0x000001810DD68780
    10/29 09:08:43 [MISC] [668] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:08:43 [MISC] [668] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=1368): Dom:ANOTHER_DOMAIN Acct:(null) Flags: DS BACKGROUND RET_DNS
    10/29 09:08:44 [SITE] [668] DsrGetSiteName: Returning site name 'SITE_OF_THIS_DOMAIN' from local cache.
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function called: client PID=1368, Dom:ANOTHER_DOMAIN Acct:(null) Flags: LDAPONLY RET_DNS
    10/29 09:08:44 [MISC] [4612] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:08:44 [MAILSLOT] [4612] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN (null) on <Local>
    10/29 09:08:44 [MAILSLOT] [4612] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:08:44 [MISC] [4612] NetpDcAllocateCacheEntry: new entry 0x000001810DD69A00 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:08:44 [MISC] [4612] NetpDcDerefCacheEntry: destroying entry 0x000001810DD69A00
    10/29 09:08:44 [MISC] [4612] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=1368): Dom:ANOTHER_DOMAIN Acct:(null) Flags: LDAPONLY RET_DNS
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function called: client PID=9032, Dom:THIS_DOMAIN Acct:(null) Flags: DS RET_DNS
    10/29 09:08:44 [MISC] [4612] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:08:44 [MAILSLOT] [4612] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:08:44 [MAILSLOT] [4612] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:08:44 [MISC] [4612] NetpDcAllocateCacheEntry: new entry 0x000001810DD69A00 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:08:44 [MISC] [4612] NetpDcDerefCacheEntry: destroying entry 0x000001810DD69A00
    10/29 09:08:44 [MISC] [4612] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=9032): Dom:THIS_DOMAIN Acct:(null) Flags: DS RET_DNS
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function called: client PID=1368, Dom:ANOTHER_DOMAIN Acct:(null) Flags: LDAPONLY RET_DNS
    10/29 09:08:44 [MISC] [4612] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:08:44 [MAILSLOT] [4612] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN (null) on <Local>
    10/29 09:08:44 [MAILSLOT] [4612] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:08:44 [MISC] [4612] NetpDcAllocateCacheEntry: new entry 0x000001810DD68C20 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:08:44 [MISC] [4612] NetpDcDerefCacheEntry: destroying entry 0x000001810DD68C20
    10/29 09:08:44 [MISC] [4612] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:08:44 [MISC] [4612] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=1368): Dom:ANOTHER_DOMAIN Acct:(null) Flags: LDAPONLY RET_DNS
    10/29 09:09:27 [DOMAIN] [8236] THIS_DOMAIN: Domain thread started
    10/29 09:09:27 [DOMAIN] [8236] THIS_DOMAIN: Domain thread started doing API timeout
    10/29 09:09:27 [DOMAIN] [8236] THIS_DOMAIN: Domain thread exitting
    10/29 09:09:29 [CHANGELOG] [2936] NlSendChangeLogNotification: sent 0 for MBLA$ Rid:0xb1f1 Obj Guid:00000002-0000-0000-0000-000000000000
    10/29 09:09:29 [MISC] [2916] NlMainLoop: Notification that trust account added (or changed) MBLA$ 0xb1f1 2
    10/29 09:09:34 [MISC] [4612] THIS_DOMAIN: DsGetDcName function called: client PID=2176, Dom:(null) Acct:(null) Flags: DS BACKGROUND
    10/29 09:09:34 [MISC] [4612] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:09:34 [MAILSLOT] [4612] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:09:34 [MAILSLOT] [4612] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:09:34 [MISC] [4612] NetpDcAllocateCacheEntry: new entry 0x000001810DD68C20 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:09:34 [MISC] [4612] NetpDcDerefCacheEntry: destroying entry 0x000001810DD68C20
    10/29 09:09:34 [MISC] [4612] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:09:34 [MISC] [4612] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=2176): Dom:(null) Acct:(null) Flags: DS BACKGROUND
    10/29 09:09:39 [MISC] [660] In control handler (Opcode: 4)
    10/29 09:09:39 [MISC] [660] In control handler (Opcode: 4)
    10/29 09:10:12 [DOMAIN] [7140] THIS_DOMAIN: Domain thread started
    10/29 09:10:12 [DOMAIN] [7140] THIS_DOMAIN: Domain thread started doing API timeout
    10/29 09:10:12 [DOMAIN] [7140] THIS_DOMAIN: Domain thread exitting
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function called: client PID=3500, Dom:(null) Acct:(null) Flags: GC RET_DNS
    10/29 09:10:13 [MISC] [864] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:10:13 [MAILSLOT] [864] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:10:13 [MAILSLOT] [864] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:10:13 [MISC] [864] NetpDcAllocateCacheEntry: new entry 0x000001810DD690C0 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:10:13 [MISC] [864] NetpDcDerefCacheEntry: destroying entry 0x000001810DD690C0
    10/29 09:10:13 [MISC] [864] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=3500): Dom:(null) Acct:(null) Flags: GC RET_DNS
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function called: client PID=3500, Dom:(null) Acct:(null) Flags: GC RET_DNS
    10/29 09:10:13 [MISC] [864] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:10:13 [MAILSLOT] [864] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:10:13 [MAILSLOT] [864] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:10:13 [MISC] [864] NetpDcAllocateCacheEntry: new entry 0x000001810DD69EA0 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:10:13 [MISC] [864] NetpDcDerefCacheEntry: destroying entry 0x000001810DD69EA0
    10/29 09:10:13 [MISC] [864] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=3500): Dom:(null) Acct:(null) Flags: GC RET_DNS
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function called: client PID=3500, Dom:ANOTHER_DOMAIN Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
    10/29 09:10:13 [MISC] [864] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:10:13 [MAILSLOT] [864] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN (null) on <Local>
    10/29 09:10:13 [MAILSLOT] [864] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:10:13 [MISC] [864] NetpDcAllocateCacheEntry: new entry 0x000001810DD69EA0 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:10:13 [MISC] [864] NetpDcDerefCacheEntry: destroying entry 0x000001810DD69EA0
    10/29 09:10:13 [MISC] [864] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=3500): Dom:ANOTHER_DOMAIN Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function called: client PID=3500, Dom: Acct:(null) Flags: RET_DNS
    10/29 09:10:13 [MISC] [864] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:10:13 [MAILSLOT] [864] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:10:13 [MAILSLOT] [864] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:10:13 [MISC] [864] NetpDcAllocateCacheEntry: new entry 0x000001810DD69A00 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:10:13 [MISC] [864] NetpDcDerefCacheEntry: destroying entry 0x000001810DD69A00
    10/29 09:10:13 [MISC] [864] DsGetDcName: results as follows: DCName:\FQDN_OF_THIS_DC DCAddress:\THIS_DC_IP DCAddrType:0x1 DomainName:ANOTHER_DOMAIN DnsForestName:ANOTHER_DOMAIN Flags:0xe003f1fc DcSiteName:SITE_OF_THIS_DOMAIN ClientSiteName:SITE_OF_THIS_DOMAIN
    10/29 09:10:13 [MISC] [864] THIS_DOMAIN: DsGetDcName function returns 0 (client PID=3500): Dom: Acct:(null) Flags: RET_DNS
    10/29 09:10:13 [MISC] [4612] THIS_DOMAIN: DsGetDcName function called: client PID=3500, Dom:(null) Acct:(null) Flags: GC RET_DNS
    10/29 09:10:13 [MISC] [4612] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
    10/29 09:10:13 [MAILSLOT] [4612] Received ping from THIS_DC(FQDN_OF_THIS_DC) ANOTHER_DOMAIN. (null) on <Local>
    10/29 09:10:13 [MAILSLOT] [4612] THIS_DOMAIN: Ping response 'Sam Logon Response Ex' (null) to \THIS_DC Site: SITE_OF_THIS_DOMAIN on <Local>
    10/29 09:10:13 [MISC] [4612] NetpDcAllocateCacheEntry: new entry 0x000001810DD68530 -> DC:THIS_DC DnsDomName:ANOTHER_DOMAIN Flags:0x3f1fc
    10/29 09:10:13 [MISC] [4612] NetpDcDerefCacheEntry: destroying entry 0x000001810DD68530


  3. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2020-11-03T06:19:09.393+00:00

    Hello @Tom Andersen ,

    Thank you for your update.

    We can check the description of event 5816 on your DC. It looks like this.

    For example:

    Log Name: System
    Source: NETLOGON
    Event ID: 5816
    Level: Error
    Description:
    Netlogon has failed an authentication request of account username in domain user domain FQDN. The request timed out before it could be sent to domain controller directly trusted domain controller FQDN in domain directly trusted domain name. This is the first failure. If the problem continues, consolidated events will be logged about every <event log frequency value> minutes. Please see http://support.microsoft.com/kb/2654097 for more information.

    We can open http://support.microsoft.com/kb/2654097 and see the cause of the issue: this issue occurs because the NTLM API throttling limit (MaxConcurrentApi) is reached.

    And for the possible resolution to this issue, on this DC with events 5816 and 5783, we can create a new DWORD value named “MaxConcurrentApi” (no quotes).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    DWORD Value: MaxConcurrentApi
    Double-click the MaxConcurrentApi value and set the data to the desired value in decimal (based on the tuning performed; in this case, I suggest we set the value to 20, 30 or larger).

    For DCs with 2012/2012 R2 operating system (or higher operating system), the maximum supported value is 150.

    After adding/modifying the registry above, we can restart the netlogon service and check if it helps.

    For more information, we can refer to the link below.
    New event log entries that track NTLM authentication delays and failures in Windows Server 2008 R2 are available
    https://support.microsoft.com/en-us/help/2654097/new-event-log-entries-that-track-ntlm-authentication-delays-and-failur

    Best Regards,
    Daisy Zhou
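
The registry change and service restart described in the answer above, as an added PowerShell example (not part of the original answer or Microsoft's own script). The default of 20, the variable names and the use of the Netlogon semaphore performance counters as a baseline are assumptions; run it elevated on the DC that logs events 5783 and 5816.

```powershell
# Added example: set MaxConcurrentApi, restart Netlogon, then re-check for events 5783/5816.
param(
    [ValidateRange(1, 150)]   # 150 is the maximum the answer gives for 2012/2012 R2 and later
    [int]$MaxConcurrentApi = 20   # assumed starting point; the answer suggests 20, 30 or larger
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'MaxConcurrentApi'

# Record the previous value (empty when the value was never created) so the change can be reverted.
$old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Output ("Previous {0}: {1}" -f $name, $(if ($null -eq $old) { '<not set>' } else { $old }))

# Baseline of NTLM throttling before the change (assumes the Netlogon counter set is present).
$counters = '\Netlogon(_Total)\Semaphore Waiters',
            '\Netlogon(_Total)\Semaphore Timeouts',
            '\Netlogon(_Total)\Average Semaphore Hold Time'
Get-Counter -Counter $counters -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CounterSamples |
    Select-Object Path, CookedValue

# Create or overwrite the DWORD value, then restart Netlogon so it is picked up.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $MaxConcurrentApi -Force | Out-Null
$since = Get-Date
Restart-Service -Name Netlogon -Force

# Run this part again after a period of normal load: any NETLOGON 5783/5816 events
# logged after the restart mean the new limit did not remove the timeouts.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5783, 5816; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'NETLOGON' } |
    Group-Object -Property Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

An empty result from the last command means no 5783 or 5816 events were logged since the restart; to undo the change, write the recorded previous value back or remove the value with `Remove-ItemProperty` and restart Netlogon again.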

