Domain Replication failing - secure channel problem

Asked by lltc78 (Active Directory, Windows Server 2008)

Hi guys,

I have an environment which consists of 10 writable domain controllers and approx 60 RODCs deployed in remote sites.

Just recently there has been a problem found where it looks like Secure Channel has been compromised or has become corrupt and DC replication looks to be failing. DC shares are not viewable and there are Kerberos errors being logged on all DCs (mainly Event ID 3 & 4).

This was first identified when DFS stopped working. I found that the namespace server DCs could not open when I ran a 'net view \\servername'.

A reboot did not resolve this, but after seeing the schannel event logs I found that after I stopped KDC, ran klist purge and then ran the "netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password" command, these servers became available for shares and DFS started working again.

However the problem seems to have ramped up. After further digging and looking into the environment, I have found that all DCs are having the same problem. I cannot run 'net view \\servername' to any of them with successful results.

When I run nltest /server:hostname /sc_verify:domain.com, they come back with 'I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED'

I have fixed this on all the writable DCs by running the netdom resetpwd command, but it still has the error on all the RODCs.

What do you recommend? There are 60+ servers that are having this issue.
Surely there is a better way than logging on to each one and running this manually? And I don't really want to dcpromo them all.

To run the netdom resetpwd, it seems that it's best to stop the KDC service on ALL DCs? Is that correct? How do I do that to all DCs without logging onto all of them at the same time?

This is disastrous, and I'm hoping someone knows of a better way to fix the environment.

Root cause comes at a later date and is irrelevant at the moment. I just want this fixed before jumping into that.

Thanks guys
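An added example, not part of the original post or any answer to it: a PowerShell sweep that runs the same nltest /sc_verify check the asker ran by hand against every DC in the domain (RODCs included) and lists which ones still fail, so the 60+ servers do not have to be checked one at a time. It assumes the ActiveDirectory module and nltest.exe are available on the admin workstation, that at least one repaired writable DC is reachable for the AD query, and that 'domain.com' is a placeholder for the real domain name.

```powershell
# Added example: sweep all DCs with nltest /sc_verify and report failures.
# Assumes RSAT (ActiveDirectory module + nltest.exe) on the machine running it.
Import-Module ActiveDirectory

$Domain = 'domain.com'   # placeholder: replace with the real domain FQDN

# Get-ADDomainController needs one working writable DC (AD Web Services) to answer.
$DCs = Get-ADDomainController -Filter * | Sort-Object HostName

$results = foreach ($dc in $DCs) {
    # Same check the asker ran manually; 2>&1 captures the failure text too.
    $out = & nltest.exe "/server:$($dc.HostName)" "/sc_verify:$Domain" 2>&1 | Out-String

    # A healthy DC prints NERR_Success status lines; a broken secure channel
    # prints 'I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED'.
    $failed = $out -match 'I_NetLogonControl failed' -or $out -notmatch 'NERR_Success'

    [pscustomobject]@{
        DC              = $dc.HostName
        ReadOnly        = $dc.IsReadOnly
        Site            = $dc.Site
        SecureChannelOK = -not $failed
        Detail          = (($out -split "`r?`n") |
                           Where-Object { $_ -match 'Status|Trusted DC Name|failed' }) -join '; '
    }
}

# On-screen summary plus a CSV of the DCs that still need netdom resetpwd.
$results | Format-Table DC, ReadOnly, Site, SecureChannelOK -AutoSize
$results | Where-Object { -not $_.SecureChannelOK } |
    Export-Csv -NoTypeInformation -Path .\sc_verify_failures.csv
```

Re-run the sweep after each batch of netdom resetpwd repairs so the CSV shrinks to the RODCs that are still broken, rather than relying on spot checks of individual servers.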