Typical Symptoms when secure channel is broken

The secure channel is used to validate a member server's or workstation's membership in the domain, based on its hashed password. This discrete communication channel helps provide a more secure communication path between the domain controller and the member servers or workstations. It is also used to change the computer account's password, to retrieve domain-specific information, and to handle NTLM pass-through authentication to the domain controller (or from DC to DC for the same purpose).

When you join a computer to a domain, a computer account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days. The secure channel's password is stored together with the computer account on the domain controllers. Upon starting, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. After the machine account is verified, the workstation establishes a secure channel with that DC. Domain controllers behave differently: when you start a PDC, Netlogon builds a list of all the BDCs in the domain and a list of trusted domains. At this time, Netlogon attempts to set up a secure channel with a DC from each trusted domain; if this attempt does not succeed, Netlogon does not make another attempt until a secure channel with that domain is explicitly needed. The BDC's behavior is similar. While Netlogon on a BDC does not enumerate other BDCs, it does contact the PDC and sets up secure channels with trusted domains as needed.


Therefore, the Netlogon service on a workstation sets up a secure channel to a DC in its primary domain. The Netlogon service on a BDC sets up a secure channel to the PDC in its domain. The Netlogon service on a PDC sets up a secure channel to a DC in each of its trusted domains.

If there are problems with system time, DNS configuration or other settings, the secure channel password may fall out of sync between a domain member and the DCs. AD replication issues or other problems can also break the secure channel for member servers. Between DCs, the secure channel may break because of communication issues.


When the secure channel is broken, it can cause many problems in Active Directory. Here we summarize some symptoms that indicate the secure channel is broken. If you see any of these behaviors, check the secure channel first before performing any further troubleshooting.


1. Replication error

When you use the Active Directory Sites and Services snap-in to manually replicate data between domain controllers, you may receive one of the following error messages:

The Target Principal Name is incorrect

-or-

Access is denied

You may get Netlogon event ID 3210 or 5722, or NTDS KCC event ID 1925. For example, the following event messages may be logged in the System log:

Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

-and-

Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description:
The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3

When you try to replicate changes between replica partners, you may receive the following error message:

The following error occurred during the attempt to synchronize the domain controllers.
The naming context is in the process of being removed or is not replicated from the specified server.

2. Logon error

The client may be unable to log on to the domain. You may receive the following error message:

“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”

Or

"The system could not log you on. Make sure your username and domain are correct."

3. Accessing resource

When you attempt to access shares on a server, you may get this error:

"System error 1396 - Logon Failure: The target account name is incorrect."


4. Running nltest

nltest /sc_query:<domain_name>

-- Access is denied.

If you encounter the behavior or error messages above, we suggest first resetting the secure channel. On the computer that is experiencing this issue, disable the Kerberos Key Distribution Center (KDC) service and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channel between the computer and the PDC Emulator operations master role holder. To do so, run the following command from a computer other than the PDC Emulator operations master role holder:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

Where server_name is the name of the server that is the PDC Emulator operations master role holder.

Note: This method only works for a DC. If it is a member server, you have to disjoin it from the domain and rejoin it.
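The following PowerShell script is an added example and is not part of the original article. It gathers the symptoms described above (the Test-ComputerSecureChannel result, the nltest /sc_query output, recent Netlogon 3210/5722 events and the clock offset against the domain) into one report, and wraps the domain-controller reset procedure just described (disable KDC, reboot, netdom resetpwd against the PDC Emulator). It assumes an elevated PowerShell prompt on the affected computer; the function names are my own, the domain name contoso.example in the usage lines is a placeholder, and the optional PDC Emulator lookup requires the ActiveDirectory module.

```powershell
# Added example (not from the original article): triage a suspected broken secure
# channel and, for a DC, reset it the way the article describes.
# Assumptions: elevated PowerShell on the affected computer; function names are mine.

function Test-SecureChannelHealth {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # DNS name of the computer's domain
        [int]$LookbackHours = 24                 # how far back to scan the System log
    )

    $report = [ordered]@{
        Computer        = $env:COMPUTERNAME
        Domain          = $Domain
        SecureChannelOK = $false
        NltestOutput    = ''
        NetlogonEvents  = @()
        ClockOffsetSec  = $null
    }

    # 1. Direct check: $true only when the channel to a DC can actually be used.
    $ok = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    $report.SecureChannelOK = [bool]$ok

    # 2. The same query the article shows; "Access is denied" is the broken-channel signature.
    $report.NltestOutput = (& nltest.exe "/sc_query:$Domain" 2>&1 | Out-String).Trim()

    # 3. Netlogon 3210 / 5722 in the System log within the lookback window.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $report.NetlogonEvents = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3210, 5722; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -match 'netlogon' } |
            Select-Object TimeCreated, Id, Message
    )

    # 4. Clock offset against a DC of the domain. Kerberos tolerates 5 minutes by default;
    #    a larger skew is one of the causes the article lists for a broken channel.
    $chart = & w32tm.exe /stripchart "/computer:$Domain" /samples:1 /dataonly 2>&1 | Out-String
    if ($chart -match '([+-]\d+\.\d+)s') {
        $report.ClockOffsetSec = [double]$Matches[1]
    }

    [pscustomobject]$report
}

function Reset-DcSecureChannel {
    # Mirrors the article's procedure for a domain controller: disable the KDC service and
    # reboot (first call), then run netdom resetpwd against the PDC Emulator (second call).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$PdcEmulator,   # looked up with Get-ADDomain when omitted
        [switch]$AfterReboot    # set once the machine has restarted with KDC disabled
    )

    if (-not $AfterReboot) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable KDC service and restart')) {
            Set-Service -Name kdc -StartupType Disabled
            Restart-Computer
        }
        return
    }

    if (-not $PdcEmulator) {
        $PdcEmulator = (Get-ADDomain -Identity $Domain).PDCEmulator   # ActiveDirectory module
    }

    # The administrator password is prompted for, never stored in the script.
    $cred  = Get-Credential -Message "Domain administrator for $Domain"
    $user  = $cred.UserName                       # e.g. DOMAIN\administrator
    $plain = $cred.GetNetworkCredential().Password
    if ($PSCmdlet.ShouldProcess($PdcEmulator, 'netdom resetpwd')) {
        & netdom.exe resetpwd "/server:$PdcEmulator" "/userd:$user" "/passwordd:$plain"
        # Re-enable KDC afterwards (my addition; the article does not spell this step out).
        Set-Service -Name kdc -StartupType Automatic
        Start-Service -Name kdc
    }
}

# Usage (contoso.example is a placeholder domain):
#   Test-SecureChannelHealth | Format-List
#   Reset-DcSecureChannel -Domain contoso.example               # step 1: disable KDC, reboot
#   Reset-DcSecureChannel -Domain contoso.example -AfterReboot  # step 2: netdom resetpwd
```

Run Test-SecureChannelHealth first: a report with SecureChannelOK false, "Access is denied" in NltestOutput and recent 3210/5722 events confirms the article's diagnosis, while a large ClockOffsetSec points at the time-sync root cause rather than at the channel itself. Both functions honour -WhatIf through SupportsShouldProcess, so the reset steps can be rehearsed before they change anything.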

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

260575 How to Use Netdom.exe to Reset Machine Account Passwords

(https://support.microsoft.com/kb/260575/EN-US/)

If the problem is not resolved, or the secure channel keeps breaking, you may need to find the root cause by performing further diagnosis or troubleshooting.