Netdiag DC tests fail sometimes

Currently Netdiag is passing all tests but sometimes it fails.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed  - FAILS

Trust relationship test. . . . . . : Passed - FAILS
    Secure channel for domain 'CDS' is to '\\CDSSERVER.cds.local'.

The discovery test always passes when the other 2 fail.

Also on the Server that is the DC I have started getting a SCHANNEL Error

Event ID: 36872

No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as the internet information server, are not affected by this.

So I am wondering if anyone would have a clue where I should start looking.


Are your DCs in the Domain Controllers OU?
Maybe a local policy is being applied somehow that deals with secure communications.
Those policies have the option of NEVER, ALWAYS, always respond... or something like that.

Event ID: 36872:
This event is logged when a server application (for example, Active Directory) attempts to perform a Secure Sockets Layer (SSL) connection, but no server certificate is found. Server certificates are either enrolled for by hand or are automatically generated by the domain's enterprise Certificate Authority (CA). In domains where no enterprise CA exists, this is an expected event and you can safely ignore the message.

Do the computer accounts for these look OK in AD? Timestamp should have changed recently...
(Change VIEW > Advanced so the OBJECT tab shows up in ADUC)

One thing I always say: the errors in the logs are not always representative of the problem. For instance, unplug the LAN cable and you will get lots of fun errors in the logs :) Or when a DC is coming back up from a reboot, some services may not be able to talk yet while it is still coming up.

Maybe there is some other app on the server? Or something has been set to use SECURE when it can't?

It could also be a DNS/SRV issue. Restarting Netlogon on a DC will reregister its DNS entries and services (SRVs). Have you booted these? Problem still exists at random?

computercon (Author) commented:
So from what I can tell, when I RDP onto the server, which is just a domain machine that runs MS SQL 2008, it hangs for 30 seconds at applying settings.

That is how I know I will be getting the error. Here is the part of netdiag which errors when it happens.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Failed
    'CDS': No DCs are up.

Trust relationship test. . . . . . : Failed
    'CDS': No DCs are up (Cannot run test).
    Secure channel for domain 'CDS' is to '\\CDSSERVER.cds.local'.

Is the time correct on your servers? That would randomly cause security issues if the time is skewed more than 5 minutes between the servers.

computercon (Author) commented:
Time is correct.

I have tried NLTEST as well, doing a query and reset, and everything comes up correct.
The server in question runs MS SQL 2008 on it only, and for some reason people get random connection drops, which seems to happen when this is going on.

When I log in it hangs on applying settings for a minute as well, and that's how I know it will fail the DC trust and list tests.

At a loss. Maybe I will leave the domain and rejoin and see what happens.

Studied your issue, and based on the issue there are a few steps that you can try.
The reason for this error is the secure channel. Since this is not a DC you can try the steps below to fix the issue.

Download and install the Resource Kit and use KERBTRAY to purge the old Kerberos tickets of the server by right-clicking and then clicking Purge.

Run the following command: netdom resetpwd /server:Hostname /userd:domain\user /passwordd:
where Domain is your domain, User is the admin account with which you logged in, and passwordd is the password of the admin account with which you are logged in.

Restart the server after that.

If this does not work then you will have to disjoin and rejoin the machine, as that is the last option to reset the secure channel on a member server.

Hope this solution helps you!

Suresh Kumar
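The three suspects raised in this thread (time skew, DNS SRV registration, and a broken secure channel on the member server) can be checked from the member server itself before any reset. The script below is an added example, not code from the thread; it assumes PowerShell 3 or later on a domain member (the in-box `Test-ComputerSecureChannel`, `Resolve-DnsName`, `w32tm`, `klist` and `nltest` tools), and `$Domain` / `$Dc` are placeholders standing in for the poster's 'CDS' domain and CDSSERVER.cds.local. It only changes anything when run with -Repair.

```powershell
# Added example (not from the thread): read-only checks for time skew, DNS SRV
# records and the secure channel, followed by the repair step from the accepted
# answer. Assumes PowerShell 3+ on a domain member; $Domain and $Dc are placeholders.
param(
    [string]$Domain = 'cds.local',              # DNS name of the AD domain (assumed)
    [string]$Dc     = 'CDSSERVER.cds.local',    # DC named in the netdiag output
    [switch]$Repair                             # only modify state when explicitly asked
)

# 1. Kerberos tolerates 5 minutes of skew; w32tm reports our offset against the DC.
$skew = w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1 | Select-Object -Last 1
Write-Host "Time offset against $Dc : $skew"

# 2. DC discovery/DC list depend on the _ldap SRV record for the domain; a record that
#    vanished after a reboot gives the 'No DCs are up' symptom seen above.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap SRV records for $Domain - check DNS or restart Netlogon on the DC"
} else {
    $srv | Where-Object Type -eq 'SRV' |
        ForEach-Object { Write-Host "SRV -> $($_.NameTarget):$($_.Port)" }
}

# 3. Secure channel state: returns $false when the machine account password on this
#    server no longer matches what the DC holds.
$ok = Test-ComputerSecureChannel -Server $Dc
Write-Host "Secure channel to $Dc healthy: $ok"

# 4. Repair path (only on request): purge cached Kerberos tickets (klist is the in-box
#    replacement for KERBTRAY) and reset the machine account password against the DC.
#    Test-ComputerSecureChannel -Repair does what netdom resetpwd does in the answer above.
if ($Repair -and -not $ok) {
    klist purge | Out-Null
    Test-ComputerSecureChannel -Repair -Server $Dc -Credential (Get-Credential "$Domain\Administrator")
    nltest /sc_verify:$Domain      # confirm the channel is re-established before rebooting
}
```

If the secure channel repair succeeds, nltest /sc_verify should report the channel as established; if it does not, the disjoin/rejoin step in the answer remains the fallback.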

computercon (Author) commented:
Thanks for your help