Saturday, 24 November 2012

Resetting secure channel between DCs


A secure channel is used for secure communication between the Primary Domain Controller and the member servers or workstations. This channel is used to validate the membership of the member servers or workstations. It also enables the secure exchange of challenge/response messages and pass-through authentication in an NT LAN Manager (NTLM) authentication sequence. The Netlogon service is responsible for setting up the secure channel: during system startup, Netlogon creates a secure channel with the first DC that responds to the secure channel request. When you join a computer to a domain, a password is shared between the computer and the DC and stored on the DC along with the computer account. This password is used to authenticate the computer account to the DC, and it is changed every 30 days. When the computer authenticates with the DC, a secure channel is created between the DC and the computer. In the case of a backup DC, the Netlogon service tries to create a secure channel with the PDC during startup; if this attempt does not succeed, the secure channel is broken. This happens because of a communication issue, a DNS misconfiguration or a system time problem.
This post will show you how to reset the secure channel between a backup DC and the PDC.

Typical errors when the secure channel is broken

1. Replication error:
CALLBACK MESSAGE: Error contacting server (network error): 5 (0x5):
Access is denied.
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.

The following error occurred during the attempt to contact the Domain Controller PDC001
Access is denied.

You may get Netlogon event ID 3210, 5722 or 5723, or NTDS KCC event ID 1925.

Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description: Failed to authenticate with \\PDC, a Windows NT domain controller for domain DOMAIN.

Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description: The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %3
2. Logon error:
"Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found."

"The system could not log you on. Make sure your username and domain are correct."
3. Nltest error:
nltest /sc_query:<domain> returns:
Access is denied.
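Before resetting anything it is worth confirming that the channel really is broken and which of the causes named in the introduction (connectivity, DNS, system time) is behind it. The following diagnostic is an added example, not part of the original post: it runs on the suspect backup DC, collects the Netlogon 3210/5722/5723 and KCC 1925 events listed above, runs the same nltest query, checks the _ldap SRV record for the domain, measures clock offset against the PDC emulator and reads the machine account's password age from the PDC. It assumes the RSAT ActiveDirectory module is available for Get-ADDomain and Get-ADComputer; the domain and PDC names are discovered at run time rather than hard-coded.

```powershell
# Added diagnostic, not from the original post. Run on the suspect (backup) DC.
# Assumes the ActiveDirectory module (RSAT) for Get-ADDomain / Get-ADComputer;
# everything else uses nltest, w32tm and built-in cmdlets.

function Get-SecureChannelDiagnostics {
    [CmdletBinding()]
    param(
        # Domain whose secure channel is in question; defaults to this machine's domain.
        [string]$Domain = $env:USERDNSDOMAIN,
        # PDC emulator to compare time and account data against (discovered if omitted).
        [string]$Pdc,
        # How far back to scan for the Netlogon / KCC events quoted in the post.
        [int]$LookbackHours = 24
    )

    $r = [ordered]@{ Domain = $Domain; Checked = Get-Date }

    # Symptom check: Netlogon 3210/5722/5723 are written to the System log under
    # provider NETLOGON; KCC 1925 is written to the Directory Service log.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $r.NetlogonEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5722, 5723; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)
    $r.KccEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1925; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

    # Channel state: the same query the post shows failing with "Access is denied".
    $r.NltestOutput    = (& nltest.exe "/sc_query:$Domain" 2>&1) -join "`n"
    $r.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # Cause 1, DNS: a DC must be discoverable through the _ldap SRV record.
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    $r.DcSrvRecords = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget)

    # Locate the PDC emulator if the caller did not name it.
    if (-not $Pdc) {
        try   { $Pdc = (Get-ADDomain -Identity $Domain -ErrorAction Stop).PDCEmulator }
        catch { $Pdc = $null; $r.PdcLookupError = $_.Exception.Message }
    }
    $r.Pdc = $Pdc

    if ($Pdc) {
        # Cause 2, time: Kerberos rejects tickets beyond the default 5-minute skew.
        $chart = & w32tm.exe /stripchart "/computer:$Pdc" /samples:1 /dataonly 2>&1
        $m = [regex]::Match(($chart -join "`n"), ',\s*([+-]\d+\.\d+)s')
        $r.TimeOffsetSeconds = if ($m.Success) { [double]$m.Groups[1].Value } else { $null }
        $r.TimeSkewOk = ($null -ne $r.TimeOffsetSeconds) -and
                        ([math]::Abs($r.TimeOffsetSeconds) -lt 300)

        # Machine-account password age as recorded on the PDC (rotated every 30 days).
        try {
            $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Pdc `
                        -Properties PasswordLastSet -ErrorAction Stop
            $r.PasswordLastSet = $acct.PasswordLastSet
            $r.PasswordAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        } catch { $r.PasswordLookupError = $_.Exception.Message }
    }

    [pscustomobject]$r
}

# Usage on the suspect DC:
#   Get-SecureChannelDiagnostics | Format-List
```

If DcSrvRecords is empty the problem is DNS rather than the channel itself, and a large TimeOffsetSeconds points at time synchronisation; the reset below only helps when those two checks pass and nltest still reports access denied.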

Secure Channel Reset

There are two ways to work around the above problems:

Method 1:

Perform the steps below to reset the secure channel between a backup DC and the PDC.

1. Identify the problematic DC and stop the KDC (Key Distribution Center) service on it. To do so, either open services.msc, locate the Kerberos Key Distribution Center service and click Stop, or run net stop KDC from a command prompt.
2. Now locate kerbtray.exe in the following location:
C:\Program Files\Windows Resource Kits\Tools\Kerbtray.exe
Double-click the executable and a green ticket icon will appear in the lower right corner of your desktop.

3. Right-click the green ticket icon on your desktop and click Purge Tickets. You should get a confirmation message that the ticket cache has been purged. Click OK.

4. Reset the problematic DC's password on the PDC. To do so, open a command prompt on the PDC and type the command:
netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:password

5. Restart the problematic server. After the restart, check the status of the KDC service; if it has not started, start it manually.

6. Now synchronize the domain to verify that DC replication succeeds. To do so, open a command prompt and type repadmin /syncall.
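The six steps above scripted end to end, as an added example that is not part of the original post. One point a practitioner should know before running it: netdom resetpwd changes the machine-account password of the computer it is run on, and /server names the DC that should record the new password, so this script is written to run on the problematic backup DC with -Pdc naming the healthy PDC. It assumes netdom.exe and klist.exe are present (Windows Server 2008 and later); klist purge takes the place of the Resource Kit kerbtray.exe "Purge Tickets" step. Because the reboot in step 5 ends the session, the post-restart checks (KDC running, repadmin /syncall) are a second function to run afterwards. The function names, parameters and the PDC001 name in the usage comment are illustrative.

```powershell
# Added example, not from the original post. Run ON the problematic (backup) DC.
# Assumes netdom.exe and klist.exe exist on the path (Server 2008 and later).

function Invoke-DcSecureChannelReset {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Healthy DC (the PDC) that will record the new machine-account password.
        [Parameter(Mandatory = $true)][string]$Pdc,
        # Domain admin credential in DOMAIN\user form, as netdom /userd expects.
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        # Reboot at the end (step 5 of the post) instead of leaving it to the operator.
        [switch]$Restart
    )

    # Step 1: stop the Kerberos Key Distribution Center (service name "Kdc").
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop Kdc service')) {
        Stop-Service -Name Kdc -Force -ErrorAction Stop
    }

    # Step 3: purge cached Kerberos tickets (what kerbtray "Purge Tickets" does).
    # Logon id 0x3e7 is the Local System session, whose tickets the DC uses
    # when it talks to other DCs; the current session is purged as well.
    & klist.exe purge -li 0x3e7 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "klist purge (system session) failed: $LASTEXITCODE" }
    & klist.exe purge | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "klist purge (current session) failed: $LASTEXITCODE" }

    # Step 4: reset this DC's machine-account password, recorded on $Pdc.
    # netdom has no non-interactive form that keeps the password off its
    # command line; the value is never echoed or written out by this script.
    $plainPassword = $Credential.GetNetworkCredential().Password
    $netdomArgs = @('resetpwd', "/server:$Pdc",
                    "/userd:$($Credential.UserName)", "/passwordd:$plainPassword")
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netdom resetpwd /server:$Pdc")) {
        & netdom.exe @netdomArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    }

    # Step 5: reboot so Netlogon rebuilds the channel with the new password.
    if ($Restart -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart-Computer')) {
        Restart-Computer -Force
    }
}

function Test-DcSecureChannelAfterReset {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Domain)

    # Step 5, second half: the KDC must be running again after the restart.
    if ((Get-Service -Name Kdc).Status -ne 'Running') {
        Start-Service -Name Kdc -ErrorAction Stop
    }

    # Step 6: force replication with every partner, then re-query the channel.
    $syncOutput = & repadmin.exe /syncall 2>&1
    $syncExit   = $LASTEXITCODE
    $channel    = & nltest.exe "/sc_query:$Domain" 2>&1

    [pscustomobject]@{
        KdcRunning    = (Get-Service -Name Kdc).Status -eq 'Running'
        SyncAllOk     = ($syncExit -eq 0)
        SyncAllOutput = ($syncOutput -join "`n")
        SecureChannel = ($channel -join "`n")
    }
}

# Usage on the broken DC (PDC001 is the PDC name used earlier in the post):
#   Invoke-DcSecureChannelReset -Pdc PDC001 -Credential (Get-Credential) -Restart
# After the reboot:
#   Test-DcSecureChannelAfterReset -Domain $env:USERDNSDOMAIN
```

Reset-ComputerMachinePassword -Server $Pdc -Credential $Credential is the built-in cmdlet equivalent of the netdom call and keeps the password out of the process command line; it was left out above only to stay with the tool the post uses.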

Method 2:

Forcibly demote the faulty DC, perform a metadata cleanup and promote the server back as a DC, but consider this a last resort.

3. Change and Seize FSMO Roles:

PS: To reset the secure channel between a computer and a domain controller
