Event-o-Pedia EventID 536 - The NetLogon component is not active

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 536 - The NetLogon component is not active

EventID 536 - The NetLogon component is not active

This event record indicates that a logon attempt was made and rejected because the Net Logon service was not running. The Net Logon service supports pass-through authentication of account log ons and is used when the workstation participates in a domain. This is a significant error that should be immediately investigated.

Check to ensure that the NetLogon service is operational. Otherwise, this event may prompt investigation.

Sample:

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2000 Windows XP Windows 2003
Source	Security
Category	Logon/Logoff
EventId	536

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
Domain	Domain of the account for which logon is requested.	InsertionString2	RESEARCH
User Name	Account name of the user logging in	InsertionString1
Logon Type	Interactive, Network, Batch, etc. Please find the code descriptions here.	InsertionString3
Logon Process	The program executable that processed the logon. Please find full logon processes list here.	InsertionString4
Authentication Package	The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here.	InsertionString5
Workstation Name	The NetBIOS name of the remote computer that originated the logon request	InsertionString6
Caller User Name	Account name of the user requesting the logon (not the user that attempted logon). Normally it is empty or displays the service principal name.	InsertionString7
Caller Domain	Domain name of the account mentioned in the "Caller User Name" field	InsertionString8
Caller Logon ID	ID of the logon session of the account mentioned in the "Caller User Name" field. Useful for tracking other activity of this account within the same logon session.	InsertionString9
Caller Process ID	ID of the process initiating the logon request	InsertionString10
Transited Services	Indicates which intermediate services have participated in this logon request	InsertionString11
Source Network Address	The IP address of the remote computer that originated the logon request	InsertionString12
Source Port	The source TCP port of the remote computer that originated the logon request	InsertionString13