The secure channel is used to validate a member server's or workstation's membership in the domain, based upon its hashed password. This discrete communication channel helps provide a more secure communication path between the domain controller and the member servers or workstations. It is also used to change the computer account's password, to retrieve domain-specific information, and to handle NTLM authentication pass-through to the domain controller (or from DC to DC for the same purpose).
When you join a computer to a domain, a computer account is created and a password is shared between the computer and the domain. By default, this password is changed every 30 days. The secure channel's password is stored together with the computer account on the domain controllers. On startup, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. After the machine account is verified, the workstation establishes a secure channel with that DC. A DC behaves differently: when you start a PDC, Netlogon builds a list of all the BDCs in the domain and a list of trusted domains. At this time, Netlogon attempts to set up a secure channel with a DC from each trusted domain; if this attempt does not succeed, Netlogon does not make another attempt until a secure channel with that domain is explicitly needed. The BDC's behavior is similar. While Netlogon on a BDC does not enumerate other BDCs, it does contact the DC and sets up secure channels with trusted domains as needed.
In summary, the Netlogon service on a workstation sets up a secure channel to a DC in its primary domain. The Netlogon service on a BDC sets up a secure channel to the PDC in its domain. The Netlogon service on a PDC sets up a secure channel to a DC in each of its trusted domains.
If there are problems with system time, DNS configuration or other settings, the secure channel password held by a domain member and the copy held by the DCs may fall out of sync. AD replication issues or other problems may break the secure channel of a member server. For DCs, the secure channel may break because of communication issues.
When the secure channel is broken, it can cause many problems in Active Directory. Here we summarize some symptoms that indicate the secure channel is broken. If you see this behavior, check the secure channel first before performing any further troubleshooting.
1. Replication error
When you use the Active Directory Sites and Services snap-in to manually replicate data between domain controllers, you may receive one of the following error messages:
The Target Principal Name is incorrect
Access is denied
You may get Netlogon event ID 3210 or 5722, or NTDS KCC event 1925. For example, the following events may be logged in the system log:
Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description: Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description: The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %3
When you try to replicate changes between replica partners, you may receive the following error message:
The following error occurred during the attempt to synchronize the domain controllers. The naming context is in the process of being removed or is not replicated from the specified server.
2. Logon error
The client may be unable to log on to the domain. You may receive the following error message:
“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”
"The system could not log you on. Make sure your username and domain are correct."
3. Accessing resource
When you attempt to access shares on a server, you may get the following error:
"System error 1396 - Logon Failure: The target account name is incorrect."
4. Running nltest
nltest /sc_query:<domain_name>
-- Access is denied.
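The symptoms above are scattered across the event log, nltest output and the time/DNS configuration the earlier section names as root causes. The following PowerShell script is an added example (not part of the original post) that gathers those checks into one report for the machine it runs on: it verifies the secure channel with Test-ComputerSecureChannel, asks the DC locator which DC it picks, measures the time offset to that DC with w32tm, and counts the Netlogon 3210/5722 and KCC 1925 events from the last few days. It assumes it runs elevated on a Windows Server 2008 or later domain member or DC where nltest.exe and w32tm.exe are present; the event provider name NETLOGON and the Directory Service log name are what those systems use, and the Directory Service log simply yields no events on a non-DC.

```powershell
# Secure-channel health check for a domain member or DC (example script, not from the post).
# Assumptions: run elevated; nltest.exe and w32tm.exe are on the PATH; Windows Server 2008+.
[CmdletBinding()]
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$EventDays = 7
)

$report = [ordered]@{}

# 1. Does the Netlogon secure channel to a DC verify? (no repair is attempted here)
try {
    $report.SecureChannelOk = Test-ComputerSecureChannel
} catch {
    $report.SecureChannelOk = $false
    $report.SecureChannelError = $_.Exception.Message
}

# 2. Which DC does the DC locator choose? A failure here usually points at DNS.
$dcOut = nltest /dsgetdc:$Domain /force 2>&1
$report.DcLocatorExitCode = $LASTEXITCODE
$dcName = $dcOut | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' |
          ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
$report.LocatedDc = $dcName

# 3. Time offset to that DC. Kerberos tolerates 5 minutes by default; a larger
#    skew is a common reason authentication over the secure channel starts failing.
if ($dcName) {
    $strip = w32tm /stripchart /computer:$dcName /samples:1 /dataonly 2>&1
    $report.TimeOffsetToDc = $strip | Select-String -Pattern '[-+]\d+\.\d+s' |
        ForEach-Object { $_.Matches[0].Value } | Select-Object -Last 1
}

# 4. The events the post lists as symptoms: Netlogon 3210/5722 (System log) and
#    NTDS KCC 1925 (Directory Service log, DCs only).
$since = (Get-Date).AddDays(-$EventDays)
$netlogon = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5722; StartTime = $since
} -ErrorAction SilentlyContinue)
$kcc = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1925; StartTime = $since
} -ErrorAction SilentlyContinue)

$report.NetlogonSymptomEvents = $netlogon.Count
$report.KccEvent1925          = $kcc.Count
$latest = ($netlogon + $kcc) | Where-Object { $_ } |
          Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($latest) {
    $report.LatestSymptomEvent = "{0} id={1}: {2}" -f $latest.TimeCreated, $latest.Id,
        ($latest.Message -split "`n")[0]
}

[pscustomobject]$report
```

Run it as `.\Check-SecureChannel.ps1` (or with `-Domain corp.example.com -EventDays 30`) and read the object it returns: `SecureChannelOk` false together with a non-zero `DcLocatorExitCode` or a large `TimeOffsetToDc` tells you whether to look at DNS or time before resetting the channel, while recurring symptom events after a reset are the signal that the root-cause section at the end of the post applies.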
If you encounter the above behavior or error messages, we suggest resetting the secure channel first. On the computer that is experiencing this issue, disable the Kerberos Key Distribution Center (KDC) service and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channel between the computer and the PDC Emulator operations master role holder. To do so, run the following command on the affected computer, which must be a computer other than the PDC Emulator operations master role holder:
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
Where server_name is the name of the server that is the PDC Emulator operations master role holder.
Note: This method only works for DCs. If it is a member server, we have to disjoin and rejoin the domain.
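The reset procedure above is two stages separated by a reboot, and it is easy to run netdom on the wrong machine or to forget to turn the KDC back on. The following PowerShell script is an added example (not from the post or from Microsoft) that wraps the post's DC procedure: `-Stage Prepare` stops and disables the KDC before the reboot, and `-Stage Reset` locates the PDC Emulator through the DC locator, refuses to run on the PDC Emulator itself, runs the post's netdom resetpwd command with `*` so the administrator password is prompted for instead of appearing in the command line, re-enables the KDC (an added step the post does not spell out), and verifies the channel with nltest /sc_verify. A third stage, `RepairMember`, goes beyond the post: on Windows with PowerShell 3.0 or later, `Test-ComputerSecureChannel -Repair` can reset a member server's machine account password in place, which is an alternative to the disjoin/rejoin the note above describes. It assumes an elevated session, that netdom.exe (from the AD DS tools) and nltest.exe are present, and that the caller holds domain administrator credentials; the default account name is an assumption.

```powershell
# Secure-channel reset helper following the post's procedure (example, not the post's own code).
# Assumptions: elevated session; netdom.exe and nltest.exe present; domain admin credentials.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Prepare', 'Reset', 'RepairMember')]
    [string]$Stage,
    [string]$Domain = $env:USERDNSDOMAIN,
    # Hypothetical default; pass the account you actually use.
    [string]$AdminUser = "$env:USERDNSDOMAIN\Administrator"
)

function Get-PdcEmulator {
    param([string]$Domain)
    # Ask the DC locator for the PDC Emulator instead of hard-coding a server name.
    $out = nltest /dsgetdc:$Domain /pdc 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest /dsgetdc /pdc failed: $($out -join ' ')" }
    $name = $out | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
    if (-not $name) { throw "Could not parse the PDC Emulator name from nltest output." }
    return $name
}

switch ($Stage) {
    'Prepare' {
        # Stage 1 (post): disable the KDC so this DC stops issuing tickets, then reboot.
        Set-Service -Name KDC -StartupType Disabled
        Stop-Service -Name KDC -Force
        Write-Host "KDC stopped and disabled. Restart the computer, then rerun with -Stage Reset."
    }
    'Reset' {
        $pdc = Get-PdcEmulator -Domain $Domain
        if ($pdc -ieq $env:COMPUTERNAME -or $pdc -ilike "$env:COMPUTERNAME.*") {
            throw "This is the PDC Emulator ($pdc); run the reset on a different DC."
        }
        # Stage 2 (post): reset this DC's machine account password against the PDC Emulator.
        # '*' makes netdom prompt for the password rather than leaving it in the command line.
        netdom resetpwd /server:$pdc /userd:$AdminUser /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE." }

        # Added step: turn the KDC back on so this DC issues Kerberos tickets again.
        Set-Service -Name KDC -StartupType Automatic
        Start-Service -Name KDC

        # Verify: sc_verify re-establishes and checks the channel; exit code 0 is success.
        nltest /sc_verify:$Domain
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Secure channel still fails verification; look for a root cause (time, DNS, replication)."
        }
    }
    'RepairMember' {
        # Beyond the post: on PowerShell 3.0+ a member server can repair its channel in place.
        $cred = Get-Credential -UserName $AdminUser -Message 'Domain admin credentials'
        $ok = Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
        if (-not $ok) {
            Write-Warning "Repair failed; the disjoin/rejoin described in the post remains the fallback."
        }
    }
}
```

Usage on an affected DC: `.\Reset-SecureChannel.ps1 -Stage Prepare`, reboot, then `.\Reset-SecureChannel.ps1 -Stage Reset -AdminUser 'CORP\da-account'`; on a member server, `.\Reset-SecureChannel.ps1 -Stage RepairMember`. Prompting for the password and verifying with sc_verify are the two design choices worth keeping even if you type the commands by hand.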
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
260575 How to Use Netdom.exe to Reset Machine Account Passwords
If the problem is not resolved, or the secure channel keeps breaking, you may need to find the root cause through further diagnosis and troubleshooting.
Hi, the above described phenomena (secure channel is broken) happened to us with a (virtual, Hyper-V-based) root certificate server (Win2K3). So the root certificate server is a member server - I cannot rejoin the domain. Could you give us any hints please?
What is the cause of the secure channel break?
Does anyone know if the security channel practice is still applicable with Kerberos? If not, what is the change?