In my forest, I have a 2-way transitive trust with another forest. The trust is set to allow forest-wide authentication. We have an RODC in the data center where the remote forest is located. In the System event log on the RODC, I see frequent instances of Event ID 5723, followed a few minutes later by Event ID 5805, both from Netlogon. The events read as follows:
Log Name: System
Source: NETLOGON
Date: 12/27/2015 6:11:33 AM
Event ID: 5723
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RODC.mydomain.com
Description:
The session setup from computer 'OtherDC1' failed because the security database does not contain a trust account 'OtherDomain.Internal.' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'OtherDomain.Internal.' is a legitimate machine account for the computer 'OtherDC1' then 'OtherDC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem: If 'OtherDomain.Internal.' is a legitimate machine account for the computer 'OtherDC1', then 'OtherDC1' should be rejoined to the domain. If 'OtherDomain.Internal.' is a legitimate interdomain trust account, then the trust should be recreated. Otherwise, assuming that 'OtherDomain.Internal.' is not a legitimate account, the following action should be taken on 'OtherDC1': If 'OtherDC1' is a Domain Controller, then the trust associated with 'OtherDomain.Internal.' should be deleted. If 'OtherDC1' is not a Domain Controller, it should be disjoined from the domain.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5723</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-27T12:11:33.000000000Z" />
    <EventRecordID>116817</EventRecordID>
    <Channel>System</Channel>
    <Computer>RODC.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>OtherDC1</Data>
    <Data>OtherDomain.Internal.</Data>
    <Binary>8B0100C0</Binary>
  </EventData>
</Event>

Log Name: System
Source: NETLOGON
Date: 12/27/2015 6:21:01 AM
Event ID: 5805
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RODC.mydomain.com
Description:
The session setup from the computer OtherDC1 failed to authenticate. The following error occurred: Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5805</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-27T12:21:01.000000000Z" />
    <EventRecordID>116819</EventRecordID>
    <Channel>System</Channel>
    <Computer>RODC.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>OtherDC1</Data>
    <Data>%%5</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>
These events appear several times a day, at intervals anywhere from about 1-5 hours apart.
Based on the text in event 5723, I added OtherDC1.OtherDomain.Internal to the "Allowed RODC Password Replication Group" in mydomain, but this did not make a difference.
What would cause this and how can I resolve the issue?
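As an added example (not part of the question above, and not anything the poster ran), the following Python script parses the two Netlogon event XML records quoted in the post, decodes the `<Binary>` field, and pairs each 5723 with the 5805 that follows it from the same client. The `<Binary>` payload in both events is the NTSTATUS code of the failed session setup stored as a little-endian DWORD: `8B0100C0` is 0xC000018B (STATUS_NO_TRUST_SAM_ACCOUNT) and `220000C0` is 0xC0000022 (STATUS_ACCESS_DENIED). Decoding it gives the triager the same fact the description states, but in a form that can be grouped and counted across an exported log. The 15-minute pairing window and the function names are this example's own assumptions.

```python
"""Parse NETLOGON 5723/5805 Event XML and decode the NTSTATUS carried in <Binary>.

Example code added for illustration; the two event records below are the ones
quoted in the question, the helper names and the pairing window are assumptions.
"""
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values that accompany these two Netlogon events (public ntstatus.h names).
NTSTATUS_NAMES = {
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

# The Event XML records from the post, taken verbatim.
EVENT_5723 = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="NETLOGON" /><EventID Qualifiers="0">5723</EventID><Level>2</Level>'
    '<Task>0</Task><Keywords>0x80000000000000</Keywords>'
    '<TimeCreated SystemTime="2015-12-27T12:11:33.000000000Z" />'
    '<EventRecordID>116817</EventRecordID><Channel>System</Channel>'
    '<Computer>RODC.mydomain.com</Computer><Security /></System><EventData>'
    '<Data>OtherDC1</Data><Data>OtherDomain.Internal.</Data><Binary>8B0100C0</Binary>'
    '</EventData></Event>'
)
EVENT_5805 = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="NETLOGON" /><EventID Qualifiers="0">5805</EventID><Level>2</Level>'
    '<Task>0</Task><Keywords>0x80000000000000</Keywords>'
    '<TimeCreated SystemTime="2015-12-27T12:21:01.000000000Z" />'
    '<EventRecordID>116819</EventRecordID><Channel>System</Channel>'
    '<Computer>RODC.mydomain.com</Computer><Security /></System><EventData>'
    '<Data>OtherDC1</Data><Data>%%5</Data><Binary>220000C0</Binary>'
    '</EventData></Event>'
)


def decode_ntstatus(hex_bytes):
    """<Binary> is a hex dump of the NTSTATUS DWORD in little-endian byte order."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes)[:4])[0]


def parse_event(xml_text):
    """Pull the fields a triager cares about out of one Netlogon event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # Trim the nine fractional digits; strptime only handles microseconds.
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    data = [d.text for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    status = decode_ntstatus(root.find("e:EventData/e:Binary", NS).text)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,  # the DC that logged it
        "time": when,
        "client": data[0],                                # the machine whose session setup failed
        "detail": data[1] if len(data) > 1 else None,     # account name, or a %%N message insert
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "UNKNOWN_%08X" % status),
    }


def correlate(events, window=timedelta(minutes=15)):
    """Pair each 5723 with the next 5805 from the same client inside the window."""
    by_time = sorted(events, key=lambda e: e["time"])
    pairs = []
    for i, first in enumerate(by_time):
        if first["event_id"] != 5723:
            continue
        for later in by_time[i + 1:]:
            if (later["event_id"] == 5805 and later["client"] == first["client"]
                    and later["time"] - first["time"] <= window):
                pairs.append((first, later))
                break
    return pairs


if __name__ == "__main__":
    parsed = [parse_event(EVENT_5723), parse_event(EVENT_5805)]
    for ev in parsed:
        print(ev["time"], ev["event_id"], ev["client"], ev["detail"], ev["status_name"])
    for first, later in correlate(parsed):
        gap = (later["time"] - first["time"]).total_seconds()
        print("5723 -> 5805 for %s after %d s" % (first["client"], gap))
```

Run over an export (for example the XML that `wevtutil qe System /f:xml` produces on the RODC) the same functions let you group failures by `client` and `status_name`, which separates the STATUS_NO_TRUST_SAM_ACCOUNT case the description points at from unrelated access-denied noise.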