How to Reset Secure Channel On Active Directory Domain Controller
When you’re a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation and deciding that having a single box holding all the FSMO roles is dangerous to the network, you will inevitably find yourself in the same situation I’ve found myself in.
The tell-tale signs that you need to manually reset the KDC secure channel on the problematic domain controller are the following symptoms:
- Any mechanism that relies on Kerberos authentication tickets will fail
- Practically all subsystem services and listening endpoints will cease to function (non-KDC-related services like DNS and DHCP aren't affected)
- Active Directory replication will fail on the affected DC (you can view this with repadmin /replsummary and repadmin /showrepl)
- nltest /sc_query:domain.local and nltest /sc_verify:domain.local write "access denied" to standard error
- Being fired for incompetence
Strangely enough, Microsoft tells you exactly what the issue is. However, even though this is strictly Kerberos- and security-related, the event source "Security-Kerberos" ID 4 only shows up in the System event log for some reason. Who was the genius behind that logic?
How to Reset Secure Channel On Active Directory Domain Controller
- Open an administrative command prompt directly on the affected controller
- Run the following commands in this sequence:
  NET STOP KDC
  KLIST PURGE
  NETDOM RESETPWD /Server:<YourGoodDomainController> /UserD:<domain\username> /PasswordD:<YourPassword>
  NET START KDC
- Once again we have backwards Microsoft logic, so pay attention: the /Server: parameter takes your known-good, functional DC, not the broken one you are sitting on
- Remember to run these commands on the broken domain controller; I don't care whether you use a PS-Session/CIM/WinRM or RDP directly to a cmd
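As an added example (not from the original post), here is a PowerShell wrapper for the procedure above: it checks the two symptoms described (Security-Kerberos ID 4 in the System log and an access-denied secure channel query), refuses to continue if /Server: would point at the local box, then runs the same NET STOP / KLIST / NETDOM / NET START sequence on the broken DC. The parameter names, the Kerberos event provider name and the pattern matched in nltest output are assumptions.

```powershell
# Added example, not the post's own script. Run in an elevated PowerShell on the BROKEN DC.
# Assumptions: $GoodDc is a known-good DC; provider name for "Security-Kerberos" is assumed.
param(
    [Parameter(Mandatory)] [string] $GoodDc,       # e.g. win2016core-1 (the healthy DC)
    [Parameter(Mandatory)] [string] $DomainFqdn,   # e.g. ad.blog.travisrunyard.us
    [Parameter(Mandatory)] [pscredential] $Cred    # DOMAIN\username used for /UserD and /PasswordD
)

# Guard against the easy mistake the post warns about: /Server must be the GOOD DC, never this box.
if ($GoodDc -ieq $env:COMPUTERNAME -or $GoodDc -ilike "$env:COMPUTERNAME.*") {
    throw "Refusing to run: /Server must name a different, healthy DC, not $env:COMPUTERNAME"
}

# Symptom 1: Security-Kerberos event ID 4, which lands in the System log (last 24 hours)
$krbEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
"Security-Kerberos ID 4 events in the last 24h: $(@($krbEvents).Count)"

# Symptom 2: the secure channel query fails with ERROR_ACCESS_DENIED (Status = 5)
$scQuery  = & nltest.exe /sc_query:$DomainFqdn 2>&1 | Out-String
$scBroken = $scQuery -match 'ERROR_ACCESS_DENIED|Status = 5'
"Secure channel to $DomainFqdn broken: $scBroken"

if (-not $scBroken) {
    "Secure channel looks healthy; nothing to reset."
    return
}

# The fix from the post, in the same order, with the good DC as /Server
$user  = $Cred.UserName                            # expected as DOMAIN\username
$plain = $Cred.GetNetworkCredential().Password
& net.exe stop kdc
& klist.exe purge
& netdom.exe resetpwd /Server:$GoodDc /UserD:$user /PasswordD:$plain
$rc = $LASTEXITCODE
& net.exe start kdc                                # always restart the KDC, even on failure
if ($rc -ne 0) { throw "netdom resetpwd failed with exit code $rc" }

# Verify: the secure channel and replication should now be clean
& nltest.exe /sc_verify:$DomainFqdn
& repadmin.exe /replsummary
```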
Before:
C:\>repadmin /replsummary
Replication Summary Start Time: 2019-04-21 06:46:35

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 WIN2016CORE-1      19d.14h:05m:37s    5 /   5  100  (2148074274) The target principal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
 WIN2016CORE-2      19d.14h:05m:39s    5 /   5  100  (2148074274) The target principal name is incorrect.

Experienced the following operational errors trying to retrieve replication information:
        8341 - win2016core-1.ad.blog.travisrunyard.us

C:\>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Site1\WIN2016CORE-1
DSA Options: IS_GC
Site Options: IS_GROUP_CACHING_ENABLED
DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
DSA invocationID: 00cd928c-063f-439d-a13a-9183ac18e684

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1422 consecutive failure(s).
        Last success @ 2019-04-03 01:11:03.

CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

Source: Site1\WIN2016CORE-2
******* 1422 CONSECUTIVE FAILURES since 2019-04-03 01:11:03
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

C:\>nltest /sc_query:ad.blog.travisrunyard.us
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

C:\>nltest /sc_verify:ad.blog.travisrunyard.us
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
After:
NET stop kdc && klist purge && netdom resetpwd /Server:win2016core-1 /UserD:SYSINFO\visualblind /passwordD: && net start kdc
The Kerberos Key Distribution Center service was stopped successfully.

Current LogonId is 0:0x298f46b
        Deleting all tickets:
        Ticket(s) purged!
The machine account password for the local machine has been successfully reset.

The command completed successfully.

The Kerberos Key Distribution Center service is starting.
The Kerberos Key Distribution Center service was started successfully.

C:\>repadmin /replsummary
Replication Summary Start Time: 2019-04-21 08:27:02

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 WIN2016CORE-1              04m:10s    0 /   5    0
 WIN2016CORE-2              10m:55s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 WIN2016CORE-1              10m:55s    0 /   5    0
 WIN2016CORE-2              04m:10s    0 /   5    0

C:\>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Site1\WIN2016CORE-2
DSA Options: IS_GC
Site Options: IS_GROUP_CACHING_ENABLED
DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
DSA invocationID: 51035491-a911-4e10-8704-5c4f69d4a54c

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:26:47 was successful.

CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.
References:
https://glennopedia.com/2016/02/25/how-to-reset-secure-channel-on-a-domain-controller/