Netdiag DC tests fail sometimes

Currently Netdiag is passing all tests but sometimes it fails.

DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed  - FAILS


Trust relationship test. . . . . . : Passed - FAILS
    Secure channel for domain 'CDS' is to '\\CDSSERVER.cds.local'.

The discovery test always passes when the other 2 fail.

Also on the Server that is the DC I have started getting a SCHANNEL Error

Event ID: 36872

No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as the internet information server, are not affected by this.

So I am wondering if anyone would have a clue where I should start looking.


computercon Asked:
 
v-2sukum Commented:
Hi

Studied your issue and based on the issue there are a few steps that you can try.
The reason for this error is the secure channel. Since this is not a DC you can try the below steps to fix the issue.

Download and install the Resource Kit and use KERBTRAY to purge the old Kerberos tickets of the server by right-clicking and then clicking on Purge.

Run the following command: netdom resetpwd /server:Hostname /userd:domain\user /passwordd:
where Domain is your domain, User is the admin account with which you logged in and passwordd is the password of the admin account with which you are logged in.

Restart the server after that.

If this does not work then you will have to disjoin and rejoin the machine, as to reset the secure channel on a member server it is the last option.


Hope this solution helps you!

Regards
Suresh Kumar
0
 
FDiskWizard Commented:
Are your DCs in the Domain Controllers OU?
Maybe a local policy is being applied somehow that deals with secure communications.
Those policies have the option of NEVER, ALWAYS, always respond... or something like that.

Event ID: 36872:
This event is logged when a server application (for example, Active Directory) attempts to perform a Secure Sockets Layer (SSL) connection, but no server certificate is found. Server certificates are either enrolled for by hand or are automatically generated by the domain's enterprise Certificate Authority (CA). In domains where no enterprise CA exists, this is an expected event and you can safely ignore the message.

Do the computer accounts for these look OK in AD? Timestamp should have changed recently...
(Change VIEW > Advanced so the OBJECT tab shows up in ADUC)

One thing I always say: the errors in the logs are not always representative of the problem. For instance, unplug the LAN cable... you will get lots of fun errors in the logs :) Or when a DC is coming back up from a reboot, some services may not be able to talk yet when it is still coming up.

Maybe there is some other app on the server? Or something has been set to use SECURE when it can't?

It could also be a DNS/SRV issue. Restarting Netlogon on a DC will reregister its DNS entries and services (SRVs). Have you booted these? Problem still exists at random?



0
 
computercon Author Commented:
So from what I can tell, when I RDP onto the server, which is just a domain machine which runs MS SQL 2008, it hangs for 30 seconds at applying settings.

That is how I know I will be getting the error. Here is the part of netdiag which errors when it happens.



DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
    'CDS': No DCs are up.


Trust relationship test. . . . . . : Failed
    'CDS': No DCs are up (Cannot run test).
    Secure channel for domain 'CDS' is to '\\CDSSERVER.cds.local'.



0

 
FDiskWizard Commented:
Is the time correct on your servers? That would randomly cause security issues if the time is skewed more than 5 mins between the servers.
0
 
computercon Author Commented:
Time is correct.

I have tried NLTEST as well, doing a query and reset, and everything comes up correct.
The server in question runs MS SQL 2008 on it only and for some reason people get random connection drops, which seems to happen when this is going on.

When I log in it hangs on applying settings for a minute as well, and that's how I know it will fail the DC trust and list tests.

At a loss. Maybe I will leave the domain and rejoin and see what happens
0
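
Because the failure in this thread comes and goes, the secure-channel, DC-locator, DNS SRV and time-offset checks suggested above are most useful when each run is recorded with a timestamp. The PowerShell script below is an added example, not code from any post in the thread; `CDS` and `CDSSERVER.cds.local` are taken from the netdiag output, `cds.local` as the DNS domain is inferred from the DC's FQDN, and the log path and the `Invoke-Check` helper are hypothetical.

```powershell
# Added example: log the thread's checks with a timestamp on every run.
# Assumptions: 'CDS' and 'CDSSERVER.cds.local' come from the netdiag output;
# 'cds.local' as DNS domain is inferred; log path and names are hypothetical.
$Domain    = 'CDS'
$DnsDomain = 'cds.local'
$DC        = 'CDSSERVER.cds.local'
$LogFile   = 'C:\Temp\sc-check.log'

function Invoke-Check {
    param(
        [string]$Name,
        [scriptblock]$Command,
        [string]$SuccessPattern   # regex that must appear in the tool's output
    )
    # Native tools such as nslookup return 0 even on failure, so judge by output.
    $output = (& $Command 2>&1 | Out-String).Trim()
    [pscustomobject]@{
        Time   = (Get-Date).ToString('s')
        Check  = $Name
        Passed = $output -match $SuccessPattern
        Output = $output
    }
}

$results = @(
    # Secure channel between this member server and its DC
    Invoke-Check 'SecureChannel' { nltest "/sc_query:$Domain" } 'NERR_Success'
    # DC locator with the cache bypassed (what the "DC list" test depends on)
    Invoke-Check 'DcLocator' { nltest "/dsgetdc:$DnsDomain" /force } 'completed successfully'
    # SRV records that Netlogon on the DC registers in DNS
    Invoke-Check 'DnsSrv' { nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" } 'SRV service location'
    # Clock offset against the DC (Kerberos tolerates 5 minutes by default)
    Invoke-Check 'TimeOffset' { w32tm /stripchart "/computer:$DC" /samples:1 /dataonly } '[+-]\d+\.\d+s'
)

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
foreach ($r in $results) {
    $status = if ($r.Passed) { 'PASS' } else { 'FAIL' }
    Add-Content -Path $LogFile -Value ('{0}  {1,-14} {2}' -f $r.Time, $r.Check, $status)
    # Keep the raw tool output only for failures, so the log stays readable.
    if (-not $r.Passed) { Add-Content -Path $LogFile -Value $r.Output }
}
$results | Format-Table Time, Check, Passed -AutoSize
```

Run it from a scheduled task every few minutes on the affected member server; the first FAIL entries around a connection drop show which dependency (DNS, DC locator, secure channel or time) broke first.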
 
computercon Author Commented:
Thanks for your help
0