I have an environment which consists of 10 writable domain controllers and approx 60 RODCs deployed in remote sites.
Just recently there has been a problem found where it looks like Secure Channel has been compromised or has become corrupt, and DC replication looks to be failing. DC shares are not viewable and there are Kerberos errors being logged on all DCs (mainly Event ID 3 & 4).
This was first identified when DFS stopped working. I found that the namespace server DCs could not be opened when I ran 'net view \\servername'.
A reboot did not resolve this, but after seeing the schannel event logs I found that after I stopped KDC, ran klist purge and then ran the "netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password" command, these servers became available for shares and DFS started working again.
However the problem seems to have ramped up. After further digging and looking into the environment, I have found that all DCs are having the same problem. I cannot run 'net view \\servername' to any of them with successful results.
When I run 'nltest /server:hostname /sc_verify:domain.com', they come back with 'I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED'.
I have fixed this on all the writable DCs by running the netdom resetpwd command, but it still has the error on all the RODCs.
What do you recommend? There are 60+ servers that are having this issue.
Surely there is a better way than logging on to each one and running this manually? And I don't really want to dcpromo them all.
To run the netdom resetpwd, it seems that it's best to stop the KDC service on ALL DCs? Is that correct? How do I do that to all DCs without logging onto all of them at the same time?
This is disastrous, and I'm hoping someone knows of a better way to fix the environment.
Root cause comes at a later date and is irrelevant at the moment. I just want this fixed before jumping into that.
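The manual sequence the post describes (stop KDC, klist purge, reset the DC's machine-account password against a healthy writable DC, then re-verify with nltest /sc_verify) can be driven from one admin workstation for every RODC. The script below is an added example, not code from the original post or from anyone in the thread. It assumes the ActiveDirectory RSAT module is installed where it runs, that the RODCs accept WinRM sessions with the supplied domain-admin credential (with Negotiate/NTLM still working while Kerberos is broken), and that the writable DCs have already been fixed, as the post says. Names such as domain.com are placeholders taken from the post. It uses the Reset-ComputerMachinePassword cmdlet rather than netdom resetpwd; like netdom, it has to run on the computer whose password is being reset, so it is executed inside the remote session on each RODC, and only that RODC's KDC is stopped, following the post's own order of steps.

```powershell
# Added example; not part of the original post. Assumptions (see lead-in):
# RSAT AD module on the admin workstation, WinRM reachable on each RODC,
# $cred is a domain admin, domain.com is a placeholder domain name.

$domain = 'domain.com'
$cred   = Get-Credential -Message "$domain domain admin"

# A writable DC that is already healthy; every RODC resets its machine-account
# password against this server, mirroring /server: in the post's netdom command.
$writable = (Get-ADDomainController -Discover -Writable -DomainName $domain).HostName

# Enumerate read-only DCs only.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true } |
         Select-Object -ExpandProperty HostName

function Test-SecureChannel {
    # Same external check the post used; nltest prints NERR_Success on a good channel.
    param([string]$Server, [string]$Domain)
    $out = nltest /server:$Server /sc_verify:$Domain 2>&1 | Out-String
    return ($out -match 'NERR_Success')
}

$results = foreach ($dc in $rodcs) {
    $before = Test-SecureChannel -Server $dc -Domain $domain
    if ($before) {
        [pscustomobject]@{ DC = $dc; Before = 'OK'; Action = 'none'; After = 'OK' }
        continue
    }

    # On the RODC itself: stop KDC, purge tickets, reset its own machine-account
    # password against the healthy writable DC, then start KDC again.
    $action = 'reset'
    try {
        Invoke-Command -ComputerName $dc -Credential $cred -ErrorAction Stop -ScriptBlock {
            param($writable, $cred)
            Stop-Service -Name kdc -Force
            klist purge | Out-Null
            Reset-ComputerMachinePassword -Server $writable -Credential $cred
            Start-Service -Name kdc
        } -ArgumentList $writable, $cred
    }
    catch {
        # Leave a clear marker for the RODCs that still need a hands-on visit.
        $action = "failed: $($_.Exception.Message)"
    }

    # Re-verify so the report shows what actually changed.
    $after = Test-SecureChannel -Server $dc -Domain $domain
    [pscustomobject]@{
        DC     = $dc
        Before = 'failing'
        Action = $action
        After  = if ($after) { 'OK' } else { 'still failing' }
    }
}

# One row per RODC: which ones were fine, which were reset, which still fail.
$results | Format-Table -AutoSize
```

Run it with an account that can reach the RODCs over WinRM; the final table is the list to work from, and any row marked "failed" or "still failing" is a server where the remote session or the password reset did not go through and the manual steps from the post are still needed.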