Typical Symptoms when secure channel is broken

The secure channel is used to validate a member server's or workstation's membership in the domain, based on its hashed machine account password. This discrete communication channel provides a more secure communication path between the domain controller and the member servers or workstations. It is also used to change the machine account password, to retrieve domain-specific information, and to handle NTLM authentication pass-through to the domain controller, or from DC to DC for the same purpose.

When you join a computer to a domain, a computer account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days. The secure channel's password is stored together with the computer account on the domain controllers. Upon starting, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. After the machine account is verified, the workstation establishes a secure channel with that DC. On a DC the behavior differs: when you start a PDC, Netlogon builds a list of all the BDCs in the domain and a list of trusted domains. At this time, Netlogon attempts to set up a secure channel with a DC from each trusted domain, and if this attempt does not succeed, Netlogon does not make another attempt until a secure channel with that domain is explicitly needed. The BDC's behavior is similar: while Netlogon on a BDC does not enumerate other BDCs, it does contact the PDC and sets up secure channels with trusted domains as needed.

Therefore, the Netlogon service on a workstation sets up a secure channel to a DC in its primary domain. The Netlogon service on a BDC sets up a secure channel to the PDC in its domain. The Netlogon service on a PDC sets up a secure channel to a DC in each of its trusted domains.

If there are problems with system time, DNS configuration or other settings, the secure channel password held by a domain member and the one held by the DCs may fall out of sync. AD replication issues or other problems may also break the secure channel of member servers. Between DCs, the secure channel may break because of communication issues.

When the secure channel is broken, it can cause many problems in Active Directory. Here we summarize some symptoms that indicate the secure channel is broken. If you see this behavior, first check the secure channel before performing any further troubleshooting.


1. Replication error

When you use the Active Directory Sites and Services snap-in to manually replicate data between domain controllers, you may receive one of the following error messages:

The Target Principal Name is incorrect

-or-

Access is denied

You may also see Netlogon event ID 3210 or 5722, or NTDS KCC event ID 1925. For example, the following events may be logged in the System log:

Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

-and-

Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description:
The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %3

When you try to replicate changes between replica partners, you may receive the following error message:

The following error occurred during the attempt to synchronize the domain controllers.
The naming context is in the process of being removed or is not replicated from the specified server.

2. Logon error

The client may be unable to log on to the domain. You may receive the following error message:

“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”

Or

"The system could not log you on. Make sure your username and domain are correct."

3. Accessing resources

When you attempt to access shares on a server, you may get the following error:

"System error 1396 - Logon Failure: The target account name is incorrect."


4. Running nltest

Querying the secure channel with nltest fails:

nltest /sc_query:<domain_name>

-- Access is denied.

If you encounter the above behavior or error messages, we suggest first resetting the secure channel. On the computer that is experiencing this issue, disable the Kerberos Key Distribution Center service (KDC) and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channel between the computer and the PDC Emulator operations master role holder. To do so, run the following command from the computer other than the PDC Emulator operations master role holder:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

Where server_name is the name of the server that holds the PDC Emulator operations master role.

Note: This method only works for DCs. If the affected computer is a member server, we have to disjoin it from the domain and rejoin it.
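The following PowerShell is an added example, not code from the original post: it collects the symptoms listed above (Netlogon 3210/5722, KCC 1925, the nltest query) and wraps the two steps of the reset procedure. It assumes an elevated session on the affected DC; the function names and the <PDC-EMULATOR> value are placeholders chosen here.

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell
# session on the affected domain controller; <PDC-EMULATOR> is a placeholder.

function Get-SecureChannelSymptoms {
    param([int]$Days = 7, [string]$Domain = $env:USERDOMAIN)
    $since = (Get-Date).AddDays(-$Days)

    # Netlogon 3210/5722 are written to the System log, KCC 1925 to Directory Service.
    $netlogon = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5722; StartTime = $since
    } -ErrorAction SilentlyContinue
    $kcc = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1925; StartTime = $since
    } -ErrorAction SilentlyContinue

    # nltest /sc_query names the DC the channel is bound to, or reports "Access is denied".
    $query = & nltest.exe /sc_query:$Domain 2>&1
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        NetlogonEvents  = @($netlogon).Count
        KccEvents       = @($kcc).Count
        SecureChannelOk = ($LASTEXITCODE -eq 0) -and ($query -match 'NERR_Success')
        QueryOutput     = ($query -join "`n")
    }
}

# Step 1 of the procedure above: disable the local KDC service, then reboot.
function Disable-KdcBeforeReset {
    Set-Service -Name Kdc -StartupType Disabled
    Stop-Service -Name Kdc -Force
    Write-Host 'KDC disabled. Restart this DC, then run Reset-SecureChannelPassword.'
}

# Step 2, after the reboot: reset the machine account password against the PDC
# emulator with netdom, then re-enable KDC.
function Reset-SecureChannelPassword {
    param(
        [Parameter(Mandatory)][string]$PdcEmulator,
        [Parameter(Mandatory)][pscredential]$Credential   # DOMAIN\administrator
    )
    $pw = $Credential.GetNetworkCredential().Password
    & netdom.exe resetpwd /server:$PdcEmulator /userd:$($Credential.UserName) /passwordd:$pw
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    Set-Service -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
}

# Usage: Get-SecureChannelSymptoms | Format-List
#        Disable-KdcBeforeReset ; Restart-Computer
#        Reset-SecureChannelPassword -PdcEmulator '<PDC-EMULATOR>' -Credential (Get-Credential)
```

Run Get-SecureChannelSymptoms again after the reset; SecureChannelOk should report True and no new 3210/5722 events should appear.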

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

260575 How to Use Netdom.exe to Reset Machine Account Passwords

(https://support.microsoft.com/kb/260575/EN-US/)

If the problem is not resolved or the secure channel keeps breaking, you may need to find the root cause by performing further diagnosis or troubleshooting.

Comments

  • Anonymous
    January 01, 2003
    yeah good post thanks . how can i subscribe like these pages for future reference.

  • Anonymous
    March 06, 2008
    Hello, of course I came to visit your site and thanks for letting me know about it. I just read this post and wanted to say it is full of number one resources. Some I am familiar with. For those who don’t know these other sites they are in for a treat as there is a lot to learn there.

  • Anonymous
    October 28, 2008
    hi, the above described phenomena (secure channel is broken) happened to us with a (virtual, hyper-v-based) root certificate server (Win2K3). So the root certificate server is a member server - I cannot rejoin the domain. Could you give us any hints plz?

  • Anonymous
    July 23, 2012
    What is the cause of the secure channel break?

  • Anonymous
    January 03, 2014
    Pingback from The Security Account Manager failed a KDC request - Active Directory

  • Anonymous
    May 15, 2014
    Pingback from Como restabelecer o Secure Channel para Domain Controllers | Directory Services in Depth

  • Anonymous
    May 16, 2014
    Pingback from Como restabelecer o Secure Channel para Domain Controllers | Directory Services in Depth

  • Anonymous
    May 25, 2014
    Pingback from Chieu's space | The trust relationship between this workstation and the primary domain failed

  • Anonymous
    June 02, 2014
    Anyone knows if the security channel practice is still applicable with Kerberos? If not, what is the change?

  • Anonymous
    September 04, 2014
    Troubleshooting CRM-AD Secure Channels and Trust Relationships

    It is very important to understand

  • Anonymous
    October 22, 2014
    We have a Patent Encryption process @ www.securechannels.com

  • Anonymous
    October 22, 2014
    Patent Encryption

  • Anonymous
    April 13, 2015
    Can I apply this solution remotely to a domain controller that reside in a remote site? I can only access it using remote desktop connection.