Microsoft-Windows-Security-Netlogon

31 events across 2 channels

| Event | Title | Channel | Sample |
| --- | --- | --- | --- |
| 4004 | Domain Controller Blocked: NTLM authentication to this domain controller is … | Operational | N |
| 4005 | Domain Controller Blocked: NTLM authentication to this domain controller is … | Operational | N |
| 4006 | Domain Controller Blocked: NTLM authentication to this domain controller is … | Operational | N |
| 4030 | The DC DCName processed a network NTLM authentication involving an account from … | Operational | N |
| 4030 | The DC DCName processed a network NTLM authentication involving an account from … | Operational | N |
| 4031 | The DC DCName processed a network NTLM authentication involving an account from … | Operational | N |
| 4031 | The DC DCName processed a network NTLM authentication involving an account from … | Operational | N |
| 4032 | The DC DCName processed a forwarded NTLM authentication request originating from … | Operational | N |
| 4032 | The DC DCName processed a forwarded NTLM authentication request originating from … | Operational | N |
| 4033 | The DC DCName processed a forwarded NTLM authentication request originating from … | Operational | N |
| 4033 | The DC DCName processed a forwarded NTLM authentication request originating from … | Operational | N |
| 8004 | Domain Controller Blocked Audit: Audit NTLM authentication to this domain … | Operational | N |
| 8005 | Domain Controller Blocked Audit: Audit NTLM authentication to this domain … | Operational | N |
| 8006 | Domain Controller Blocked Audit: Audit NTLM authentication to this domain … | Operational | N |
| 9000 | Netlogon failed to retrieve the password for account AccountName in domain … | Operational | Y |
| 9001 | The account Account cannot be used as managed service account on the local … | Operational | N |
| 9002 | Netlogon failed to add Account as a managed service account to this local … | Operational | N |
| 9003 | Netlogon failed to remove the managed service account Account from this local … | Operational | N |
| 9004 | A total of RequestsRejected DC locator queries were rejected since the last … | Operational | N |
| 9005 | Secure channel setup has failed with Kerberos: Status. | Operational | Y |
| 9006 | Secure channel setup has failed : Status. | Operational | N |
| 9007 | Netlogon is currently configured to allow mailslot messages to be used when … | Operational | N |
| 9008 | Netlogon is currently configured to listen for mailslot messages sent by clients … | Operational | N |
| 9009 | Netlogon was unable to find the domain name 'DomainName' using any of the known … | Operational | N |
| 9010 | Netlogon discovered a DC using the Netbios protocol. | Operational | N |
| 9011 | Netlogon successfully downloaded the latest administrator-configured domain name … | Operational | Y |
| 9012 | Netlogon failed to download the latest administrator-configured domain name … | Operational | Y |
| 9013 | Netlogon successfully downloaded the latest trusted-domain-based domain name … | Operational | Y |
| 9014 | Netlogon failed to download the latest trusted-domain-based domain name … | Operational | Y |
| 9015 | Netlogon denied an RPC call. | Operational | N |
| 9016 | Netlogon allowed an RPC call that normally would have been denied. | Operational | N |

Event ID 4004: Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: BlockingNTLM

Description

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 4005: Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: BlockingNTLM

Description

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 4006: Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: BlockingNTLM

Description

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 4030: The DC DCName processed a network NTLM authentication involving an account from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC DCName processed a network NTLM authentication involving an account from this domain.

Message

The DC %1 processed a network NTLM authentication involving an account from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6

Forwarded From:
	Secure Channel Type: %7
	Farside Name: %8
	Farside Domain: %9
	Farside IP: %10

NTLM Security:
	NTLM Version: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	Mic Status: %15
	Flags values: %16
	Flags: %17

Status: %18

For more information, see aka.ms/ntlmlogandblock

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ForwarderType | UnicodeString | |
| ForwarderName | UnicodeString | |
| ForwarderDomain | UnicodeString | |
| ForwarderIP | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4030: The DC DCName processed a network NTLM authentication involving an account from this domain

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC processed a network NTLM authentication involving an account from this domain.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ForwarderType | UnicodeString | |
| ForwarderName | UnicodeString | |
| ForwarderDomain | UnicodeString | |
| ForwarderIP | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4031: The DC DCName processed a network NTLM authentication involving an account from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC DCName processed a network NTLM authentication involving an account from this domain.

Message

The DC %1 processed a network NTLM authentication involving an account from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6

Forwarded From:
	Secure Channel Type: %7
	Farside Name: %8
	Farside Domain: %9
	Farside IP: %10

NTLM Security:
	NTLM Version: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	Mic Status: %15
	Flags values: %16
	Flags: %17

Status: %18

For more information, see aka.ms/ntlmlogandblock

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ForwarderType | UnicodeString | |
| ForwarderName | UnicodeString | |
| ForwarderDomain | UnicodeString | |
| ForwarderIP | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4031: The DC DCName processed a network NTLM authentication involving an account from this domain

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC processed a network NTLM authentication involving an account from this domain.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ForwarderType | UnicodeString | |
| ForwarderName | UnicodeString | |
| ForwarderDomain | UnicodeString | |
| ForwarderIP | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4032: The DC DCName processed a forwarded NTLM authentication request originating from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC DCName processed a forwarded NTLM authentication request originating from this domain.

Message

The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6
	Server IP: %7
	Server OS: %8

NTLM Security:
	NTLM Version: %9
	Service Binding: %10
	Target Machine: %11
	Target Domain: %12
	Mic Status: %13
	Flags values: %14
	Flags: %15

Status: %16
Status Message: %17

For more information, see aka.ms/ntlmlogandblock

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ServerIP | UnicodeString | |
| ServerOS | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4032: The DC DCName processed a forwarded NTLM authentication request originating from this domain

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC processed a forwarded NTLM authentication request originating from this domain.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ServerIP | UnicodeString | |
| ServerOS | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4033: The DC DCName processed a forwarded NTLM authentication request originating from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC DCName processed a forwarded NTLM authentication request originating from this domain.

Message

The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6
	Server IP: %7
	Server OS: %8

NTLM Security:
	NTLM Version: %9
	Service Binding: %10
	Target Machine: %11
	Target Domain: %12
	Mic Status: %13
	Flags values: %14
	Flags: %15

Status: %16
Status Message: %17

For more information, see aka.ms/ntlmlogandblock

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ServerIP | UnicodeString | |
| ServerOS | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 4033: The DC DCName processed a forwarded NTLM authentication request originating from this domain

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

The DC processed a forwarded NTLM authentication request originating from this domain.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DCName | UnicodeString | |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| AccountMachine | UnicodeString | |
| ServerName | UnicodeString | |
| ServerDomain | UnicodeString | |
| ServerIP | UnicodeString | |
| ServerOS | UnicodeString | |
| NtlmVersion | UnicodeString | |
| ServiceBinding | UnicodeString | |
| TargetMachine | UnicodeString | |
| TargetDomain | UnicodeString | |
| MicStatus | UnicodeString | |
| AvFlags | HexInt32 | |
| AvFlagsStr | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| StatusMsg | UInt32 | |

Event ID 8004: Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 8005: Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 8006: Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: AuditingNTLM

Description

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

| Name | Type | Description |
| --- | --- | --- |
| SChannelName | UnicodeString | |
| UserName | UnicodeString | |
| DomainName | UnicodeString | |
| WorkstationName | UnicodeString | |
| SChannelType | UInt32 | |

Event ID 9000: Netlogon failed to retrieve the password for account AccountName in domain AccountDomain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Error
Task: MSA

Description

Netlogon failed to retrieve the password for account AccountName in domain AccountDomain. Status.

Message

Netlogon failed to retrieve the password for account %1 in domain %2. %3

Fields

| Name | Type | Description |
| --- | --- | --- |
| AccountName | UnicodeString | |
| AccountDomain | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "guid": "E5BA83F6-07D0-46B1-8BC7-7E669A1D31DC",
    "event_source_name": "",
    "event_id": 9000,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:17:37.552321+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7024
    },
    "channel": "Microsoft-Windows-Security-Netlogon/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "AccountName": ".\\domainadmin",
    "AccountDomain": "NULL",
    "Status": 3221225524
  },
  "message": ""
}

Event ID 9001: The account Account cannot be used as managed service account on the local machine because not all the supported encryption types of the account are sup...

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: MSA

Description

The account Account cannot be used as managed service account on the local machine because not all the supported encryption types of the account are supported by the local machine.

Message

The account %1 cannot be used as managed service account on the local machine because not all the supported encryption types of the account are supported by the local machine.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Account | UnicodeString | |

Event ID 9002: Netlogon failed to add Account as a managed service account to this local machine.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: MSA

Description

Netlogon failed to add Account as a managed service account to this local machine. Status.

Message

Netlogon failed to add %1 as a managed service account to this local machine. %2

Fields

| Name | Type | Description |
| --- | --- | --- |
| Account | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |

Event ID 9003: Netlogon failed to remove the managed service account Account from this local machine.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: MSA

Description

Netlogon failed to remove the managed service account Account from this local machine. Status.

Message

Netlogon failed to remove the managed service account %1 from this local machine. %2

Fields

| Name | Type | Description |
| --- | --- | --- |
| Account | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |

Event ID 9004: A total of RequestsRejected DC locator queries were rejected since the last reported event because they would have exceeded the configured maximum on concurrent ...

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

A total of RequestsRejected DC locator queries were rejected since the last reported event because they would have exceeded the configured maximum on concurrent network discovery operations.

Message

A total of %1 DC locator queries were rejected since the last reported event because they would have exceeded the configured maximum on concurrent network discovery operations.

Fields

| Name | Type | Description |
| --- | --- | --- |
| RequestsRejected | UInt32 | |

Event ID 9005: Secure channel setup has failed with Kerberos: Status.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Warning
Task: Securechannelsetup

Description

Secure channel setup has failed with Kerberos: Status. Falling back to Netlogon.

Message

Secure channel setup has failed with Kerberos: %1. Falling back to Netlogon.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Status | UInt32 | NTSTATUS reference |

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "event_id": 9005,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "time_created": "2026-05-27T16:18:19.3522580+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Security-Netlogon"
  },
  "event_data": {
    "Status": "3221225701"
  }
}

Event ID 9006: Secure channel setup has failed : Status.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: Securechannelsetup

Description

Secure channel setup has failed : Status. Protocol used: Protocol.

Message

Secure channel setup has failed : %1. Protocol used: %2.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Status | UInt32 | NTSTATUS reference |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 9007: Netlogon is currently configured to allow mailslot messages to be used when locating domain controllers.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon is currently configured to allow mailslot messages to be used when locating domain controllers. This mode is unsecure and will be deprecated and removed in a future release.

Message

Netlogon is currently configured to allow mailslot messages to be used when locating domain controllers. This mode is unsecure and will be deprecated and removed in a future release.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9008: Netlogon is currently configured to listen for mailslot messages sent by clients during a domain controller location operation.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon is currently configured to listen for mailslot messages sent by clients during a domain controller location operation. This mode is unsecure and will be deprecated and removed in a future release. See https://aka.ms/dclocatornetbiosdeprecation for more information.

Message

Netlogon is currently configured to listen for mailslot messages sent by clients during a domain controller location operation. This mode is unsecure and will be deprecated and removed in a future release.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9009: Netlogon was unable to find the domain name 'DomainName' using any of the known domain name mapping sources.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon was unable to find the domain name 'DomainName' using any of the known domain name mapping sources. This may cause failures to locate domain controllers in that domain.

Message

Netlogon was unable to find the domain name '%1' using any of the known domain name mapping sources. This may cause failures to locate domain controllers in that domain.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DomainName | UnicodeString | |

Event ID 9010: Netlogon discovered a DC using the Netbios protocol.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon discovered a DC using the Netbios protocol. This mode is unsecure and will be deprecated and removed in a future release.

Message

Netlogon discovered a DC using the Netbios protocol. This mode is unsecure and will be deprecated and removed in a future release.

DNS domain name:%1
Netbios domain name:%2

DC:%3


See https://aka.ms/dclocatornetbiosdeprecation for more information.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DNSDomainName | UnicodeString | |
| DomainName | UnicodeString | |
| DomainController | UnicodeString | |

Event ID 9011: Netlogon successfully downloaded the latest administrator-configured domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Informational
Task: LOCATOR

Description

Netlogon successfully downloaded the latest administrator-configured domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

Message

Netlogon successfully downloaded the latest administrator-configured domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "event_id": 9011,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "time_created": "2026-05-27T16:39:09.7356702+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Security-Netlogon"
  },
  "event_data": {}
}

Event ID 9012: Netlogon failed to download the latest administrator-configured domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Warning
Task: LOCATOR

Description

Netlogon failed to download the latest administrator-configured domain name mappings.

Message

Netlogon failed to download the latest administrator-configured domain name mappings.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "event_id": 9012,
    "level": 3,
    "task": 4,
    "opcode": 0,
    "time_created": "2026-04-28T02:33:43.2316720+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Security-Netlogon"
  },
  "event_data": {}
}

Event ID 9013: Netlogon successfully downloaded the latest trusted-domain-based domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Informational
Task: LOCATOR

Description

Netlogon successfully downloaded the latest trusted-domain-based domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

Message

Netlogon successfully downloaded the latest trusted-domain-based domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "event_id": 9013,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "time_created": "2026-05-27T16:39:09.8609039+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Security-Netlogon"
  },
  "event_data": {}
}

Event ID 9014: Netlogon failed to download the latest trusted-domain-based domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Level: Warning
Task: LOCATOR

Description

Netlogon failed to download the latest trusted-domain-based domain name mappings.

Message

Netlogon failed to download the latest trusted-domain-based domain name mappings.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Netlogon",
    "event_id": 9014,
    "level": 3,
    "task": 4,
    "opcode": 0,
    "time_created": "2026-04-28T02:33:43.2346256+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Security-Netlogon"
  },
  "event_data": {}
}

Event ID 9015: Netlogon denied an RPC call.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon denied an RPC call. The policy is in enforce mode.

Message

Netlogon denied an RPC call. The policy is in enforce mode.

Client Information:
	Method name: %1
	Method opnum: %2
	Client address: %3
	Client identity: %4

For more information, see https://aka.ms/dclocatorrpcpolicy

Fields

| Name | Type | Description |
| --- | --- | --- |
| MethodName | AnsiString | |
| MethodOpnum | UInt32 | |
| ClientAddress | UnicodeString | |
| ClientSid | SID | |

Event ID 9016: Netlogon allowed an RPC call that normally would have been denied.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational
Task: LOCATOR

Description

Netlogon allowed an RPC call that normally would have been denied. The policy is in audit mode.

Message

Netlogon allowed an RPC call that normally would have been denied. The policy is in audit mode.

Client Information:
	Method name: %1
	Method opnum: %2
	Client address: %3
	Client identity: %4

For more information, see https://aka.ms/dclocatorrpcpolicy

Fields

| Name | Type | Description |
| --- | --- | --- |
| MethodName | AnsiString | |
| MethodOpnum | UInt32 | |
| ClientAddress | UnicodeString | |
| ClientSid | SID | |

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc

Defined in netlogon.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4050, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4946, captured 2026-06-02
