Secure Channel issue

When the secure channel is broken, it can cause many problems in Active Directory. Here we summarize some symptoms that indicate a broken secure channel. If you see any of these behaviors, check the secure channel first, before doing any further troubleshooting.


1. Replication error

When you use the Active Directory Sites and Services snap-in to manually replicate data between domain controllers, you may receive one of the following error messages:

The Target Principal Name is incorrect

-or-

Access is denied

You may get Netlogon event ID 3210 or 5722, or NTDS KCC event ID 1925. For example, the following events may be logged in the System log:

Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

-and-

Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description:
The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %3

When you try to replicate changes between replica partners, you may receive the following error message:

The following error occurred during the attempt to synchronize the domain controllers.
The naming context is in the process of being removed or is not replicated from the specified server.

2. Logon error

The client may be unable to log on to the domain. You may receive the following error message:

“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”

-or-

“The system could not log you on. Make sure your username and domain are correct.”


3. Accessing resources

When you attempt to access shares on a server, you may receive the following error:

“System error 1396 – Logon Failure: The target account name is incorrect.”

 

4. Running nltest

nltest /sc_query:<domain_name>

Access is denied.

If you encounter the above behavior or error messages, we suggest resetting the secure channel first. On the computer that is experiencing this issue, disable the Kerberos Key Distribution Center (KDC) service and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channel between the computer and the PDC Emulator operations master role holder. To do so, run the following command from a computer other than the PDC Emulator operations master role holder:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

Where server_name is the name of the server that is the PDC Emulator operations master role holder.

Note: This method only works for a domain controller. If the computer is a member server, you have to remove it from the domain and then rejoin it.
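The following triage script is an added example, not part of the original article. Run it in an elevated PowerShell session on the machine showing the symptoms above; it gathers the evidence the article lists (the nltest secure-channel query, Netlogon events 3210/5722, KCC event 1925, the machine's role and the PDC Emulator) and prints which of the two remediation paths applies, without changing anything itself. It assumes the standard Windows log and provider names and that nltest.exe is on the path.

```powershell
# Added example (not the article's code). Assumes: elevated session, nltest.exe
# present, standard Windows event log names. $DomainName defaults to this machine's domain.
param(
    [string]$DomainName = $env:USERDOMAIN,
    [int]$LookbackHours = 24
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Secure channel status: the same query as "nltest /sc_query:<domain_name>".
#    A healthy channel reports "Trusted DC Connection Status Status = 0 0x0 NERR_Success".
$scQuery   = & nltest.exe "/sc_query:$DomainName" 2>&1
$scHealthy = ($scQuery | Out-String) -match 'NERR_Success'
# Cross-check with the built-in cmdlet, which tests the same Netlogon channel.
$cmdletOk  = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 2. Event IDs the article associates with a broken channel.
$netlogonEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5722; StartTime = $since }
# Event 1925 is logged by the KCC in the Directory Service log, which exists only on DCs.
$kccEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1925; StartTime = $since }

# 3. The remediation path depends on the role: DomainRole 4 or 5 means domain controller.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
# Locate the PDC Emulator through the DC locator, which does not depend on the secure channel.
$pdcLine = (& nltest.exe "/dsgetdc:$DomainName" /PDC 2>&1) | Where-Object { $_ -match '^\s*DC:' }
$pdc = '<PDC_EMULATOR>'   # placeholder if the locator call fails
if ($pdcLine) { $pdc = ([string]($pdcLine | Select-Object -First 1) -replace '^\s*DC:\s*\\\\', '').Trim() }

[pscustomobject]@{
    Domain             = $DomainName
    ScQuerySucceeded   = [bool]$scHealthy
    TestSecureChannel  = $cmdletOk
    Netlogon3210_5722  = @($netlogonEvents).Count
    KCC1925            = @($kccEvents).Count
    IsDomainController = $isDc
    PdcEmulator        = $pdc
}

# Print the article's remediation for the detected role; the operator runs it deliberately.
if (-not $scHealthy -or -not $cmdletOk) {
    if ($isDc) {
        Write-Host "Secure channel looks broken on a DC. Disable the KDC service, restart, then run:"
        Write-Host "  netdom resetpwd /server:$pdc /userd:$DomainName\administrator /passwordd:*"
    } else {
        Write-Host "Secure channel looks broken on a member machine: remove it from the domain and rejoin."
    }
}
```

Passing `/passwordd:*` makes netdom prompt for the password instead of leaving it in the shell history.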

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

260575 How to Use Netdom.exe to Reset Machine Account Passwords

(http://support.microsoft.com/kb/260575/EN-US/)