Forum Discussion

UnguidedWizard
Copper Contributor
Mar 02, 2022

AD/DNS Server losing secure channel

Hi guys,

We have a single DC environment (Windows Server 2019) which keeps losing its secure channel with itself. We get DNS errors 4000 and 4007.

We run the following command, and reboot:

netdom resetpwd /server:AD.IPP.ADDR /userd:Domain\domain_admin /passwordd:*

The issue resolves itself; however, it reappears after any further reboots.

This was originally a dual-DC environment, and the other DC has recently been removed; we're unsure if this is related.

Appreciate any advice.
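The post resets the DC's own machine-account password with netdom and reboots, which clears the symptom until the next reboot. Before repeating that, a practitioner would want to check what the post leaves open: whether the sole DC resolves DNS through itself, whether the removed DC left a server object or NS/SRV records behind, what the DNS Server and Netlogon logs recorded since the last boot, and when the machine-account secret last changed in the directory. The PowerShell script below is an added example and is not code from the original post. It assumes it runs in an elevated PowerShell on the DC itself with the ActiveDirectory and DnsServer modules present (both ship on a DC); `OLD-DC` and `domain_admin` are hypothetical placeholders for the decommissioned DC and the admin account, and the repair step only runs when `-Repair` is given.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Read-only triage for a sole DC that logs
# DNS Server events 4000/4007 after a reboot. Assumptions: run in an elevated PowerShell on the
# DC itself with the ActiveDirectory and DnsServer modules present (both ship on a DC); 'OLD-DC'
# and 'domain_admin' are hypothetical placeholders for the removed DC and the admin account.
param(
    [string]$RemovedDc    = 'OLD-DC',
    [string]$AdminAccount = 'domain_admin',
    [switch]$Repair       # diagnostics are read-only unless this is given
)

Import-Module ActiveDirectory, DnsServer
$domain = Get-ADDomain
$me     = $env:COMPUTERNAME
$myIPs  = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -ne '127.0.0.1').IPAddress

# 1. A sole DC must resolve through itself. If a NIC still lists the removed DC, the DNS
#    service cannot reach AD when it starts, which is what events 4000/4007 describe.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses) {
    foreach ($srv in $nic.ServerAddresses) {
        $tag = if ($srv -eq '127.0.0.1' -or $srv -in $myIPs) { 'OK  ' } else { 'WARN' }
        "$tag $($nic.InterfaceAlias) uses DNS server $srv"
    }
}

# 2. Leftovers of the removed DC: a server object under CN=Sites means metadata cleanup did
#    not finish; NS/SRV records naming it send clients (and this DC) to a host that is gone.
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$srvObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))" -SearchBase "CN=Sites,$cfgNC"
if ($srvObj) { "WARN stale server object: $($srvObj.DistinguishedName)" }
else         { "OK   no server object named $RemovedDc under CN=Sites" }

$nsLeft  = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS |
           Where-Object { $_.RecordData.NameServer -like "$RemovedDc.*" }
$srvLeft = foreach ($zone in $domain.DNSRoot, "_msdcs.$($domain.DNSRoot)") {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$RemovedDc.*" }
}
if ($nsLeft -or $srvLeft) {
    "WARN $RemovedDc is still named by $(@($nsLeft).Count) NS and $(@($srvLeft).Count) SRV record(s)"
} else { "OK   no NS/SRV records point at $RemovedDc" }

# 3. What happened since the last boot: the DNS Server events themselves, plus Netlogon's
#    System-log events 5719 (no DC reachable) and 5774/5781 (DNS registration failed).
$boot      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$firstLine = @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4000, 4007; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719, 5774, 5781; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine

# 4. When the DC's machine-account secret last changed in the directory. If netdom resetpwd is
#    being run after every reboot this will be recent each time; compare it with the boot time.
"Machine account password last set: $((Get-ADComputer $me -Properties PasswordLastSet).PasswordLastSet) (last boot $boot)"

# 5. The same repair the post uses, run only on request. /passwordd:* prompts for the password
#    so it is not left in the shell history; reboot afterwards and re-run without -Repair.
if ($Repair) {
    & netdom.exe resetpwd /server:$me /userd:"$($domain.NetBIOSName)\$AdminAccount" /passwordd:*
}
```

Run it once without `-Repair` and keep the output; the WARN lines in steps 1 and 2 are the ones that would explain a symptom that returns after every reboot, because nothing in a password reset changes a DNS client list or a stale record.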

  • You don't have any other issues, and the other DC was removed correctly? What does a "dcdiag.exe /v" show?
    • UnguidedWizard
      Copper Contributor

      Harm_Veenstra, please see below the output from dcdiag /v. I believe the DC was removed correctly, but I can't be sure.

      Directory Server Diagnosis

      Performing initial setup:
      Trying to find home server...
      * Verifying that the local machine AD-SERVER, is a Directory Server.
      Home Server = AD-SERVER
      * Connecting to directory service on server AD-SERVER.
      * Identified AD Forest.
      Collecting AD specific global data
      * Collecting site info.
      Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
      The previous call succeeded
      Iterating through the sites
      Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      Getting ISTG and options for the site
      * Identifying all servers.
      Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
      The previous call succeeded....
      The previous call succeeded
      Iterating through the list of servers
      Getting information for the server CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      objectGuid obtained
      InvocationID obtained
      dnsHostname obtained
      site info obtained
      All the info for the server collected
      * Identifying all NC cross-refs.
      * Found 1 DC(s). Testing 1 of them.
      Done gathering initial info.

      Doing initial required tests

      Testing server: Default-First-Site-Name\AD-SERVER
      Starting test: Connectivity
      * Active Directory LDAP Services Check
      Determining IP4 connectivity
      * Active Directory RPC Services Check
      ......................... AD-SERVER passed test Connectivity

      Doing primary tests

      Testing server: Default-First-Site-Name\AD-SERVER
      Starting test: Advertising
      The DC AD-SERVER is advertising itself as a DC and having a DS.
      The DC AD-SERVER is advertising as an LDAP server
      The DC AD-SERVER is advertising as having a writeable directory
      The DC AD-SERVER is advertising as a Key Distribution Center
      The DC AD-SERVER is advertising as a time server
      The DS AD-SERVER is advertising as a GC.
      ......................... AD-SERVER passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
      * The File Replication Service Event log test
      Skip the test because the server is running DFSR.
      ......................... AD-SERVER passed test FrsEvent
      Starting test: DFSREvent
      The DFS Replication Event Log.
      There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
      replication problems may cause Group Policy problems.
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 12:08:53
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 12:13:53
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 12:26:06
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:15:02
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:20:03
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:30:04
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:35:05
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:53:07
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      An error event occurred. EventID: 0xC00004B2
      Time Generated: 03/02/2022 14:58:08
      Event String:
      The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

      Additional Information:
      Error: 160 (One or more arguments are not correct.)
      ......................... AD-SERVER failed test DFSREvent
      Starting test: SysVolCheck
      * The File Replication Service SYSVOL ready test
      File Replication Service's SYSVOL is ready
      ......................... AD-SERVER passed test SysVolCheck
      Starting test: KccEvent
      * The KCC Event log test
      Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
      ......................... AD-SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
      Role Schema Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      Role Domain Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      Role PDC Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      Role Rid Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      Role Infrastructure Update Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      ......................... AD-SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
      Checking machine account for DC AD-SERVER on DC AD-SERVER.
      * SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name.com
      * SPN found :LDAP/AD-SERVER.our-domain-name.com
      * SPN found :LDAP/AD-SERVER
      * SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name
      * SPN found :LDAP/ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com
      * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae2dfa24-4f30-4909-a5e3-079f70b6b83e/our-domain-name.com
      * SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name.com
      * SPN found :HOST/AD-SERVER.our-domain-name.com
      * SPN found :HOST/AD-SERVER
      * SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name
      * SPN found :GC/AD-SERVER.our-domain-name.com/our-domain-name.com
      ......................... AD-SERVER passed test MachineAccount
      Starting test: NCSecDesc
      * Security Permissions check for all NC's on DC AD-SERVER.
      * Security Permissions Check for
      DC=ForestDnsZones,DC=our-domain-name,DC=com
      (NDNC,Version 3)
      * Security Permissions Check for
      DC=DomainDnsZones,DC=our-domain-name,DC=com
      (NDNC,Version 3)
      * Security Permissions Check for
      CN=Schema,CN=Configuration,DC=our-domain-name,DC=com
      (Schema,Version 3)
      * Security Permissions Check for
      CN=Configuration,DC=our-domain-name,DC=com
      (Configuration,Version 3)
      * Security Permissions Check for
      DC=our-domain-name,DC=com
      (Domain,Version 3)
      ......................... AD-SERVER passed test NCSecDesc
      Starting test: NetLogons
      * Network Logons Privileges Check
      Verified share \\AD-SERVER\netlogon
      Verified share \\AD-SERVER\sysvol
      [AD-SERVER] User credentials does not have permission to perform this operation.
      The account used for this test must have network logon privileges
      for this machine's domain.
      ......................... AD-SERVER failed test NetLogons
      Starting test: ObjectsReplicated
      AD-SERVER is in domain DC=our-domain-name,DC=com
      Checking for CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com in domain DC=our-domain-name,DC=com on 1 servers
      Object is up-to-date on all servers.
      Checking for CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com in domain CN=Configuration,DC=our-domain-name,DC=com on 1 servers
      Object is up-to-date on all servers.
      ......................... AD-SERVER passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
      * Replications Check
      [Replications Check,AD-SERVER] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
      "Replication access was denied."
      ......................... AD-SERVER failed test Replications
      Starting test: RidManager
      * Available RID Pool for the Domain is 12602 to 1073741823
      * AD-SERVER.our-domain-name.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 1602 to 2101
      * rIDPreviousAllocationPool is 1602 to 2101
      * rIDNextRID: 1666
      ......................... AD-SERVER passed test RidManager
      Starting test: Services
      * Checking Service: EventSystem
      * Checking Service: RpcSs
      * Checking Service: NTDS
      Could not open NTDS Service on AD-SERVER, error 0x5 "Access is denied."
      * Checking Service: DnsCache
      * Checking Service: DFSR
      * Checking Service: IsmServ
      * Checking Service: kdc
      * Checking Service: SamSs
      * Checking Service: LanmanServer
      * Checking Service: LanmanWorkstation
      * Checking Service: w32time
      * Checking Service: NETLOGON
      ......................... AD-SERVER failed test Services
      Starting test: SystemLog
      * The System Event log test
      Found no errors in "System" Event log in the last 60 minutes.
      ......................... AD-SERVER passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
      The system object reference (serverReference) CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com and
      backlink on CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com are
      correct.
      The system object reference (serverReferenceBL)
      CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
      backlink on
      CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
      are correct.
      The system object reference (msDFSR-ComputerReferenceBL)
      CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
      backlink on CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com are correct.
      ......................... AD-SERVER passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

      Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
      ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
      ......................... ForestDnsZones passed test CrossRefValidation

      Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
      ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
      ......................... DomainDnsZones passed test CrossRefValidation

      Running partition tests on : Schema
      Starting test: CheckSDRefDom
      ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
      ......................... Schema passed test CrossRefValidation

      Running partition tests on : Configuration
      Starting test: CheckSDRefDom
      ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
      ......................... Configuration passed test CrossRefValidation

      Running partition tests on : our-domain-name
      Starting test: CheckSDRefDom
      ......................... our-domain-name passed test CheckSDRefDom
      Starting test: CrossRefValidation
      ......................... our-domain-name passed test CrossRefValidation

      Running enterprise tests on : our-domain-name.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
      GC Name: \\AD-SERVER.our-domain-name.com
      Locator Flags: 0xe003f1fd
      PDC Name: \\AD-SERVER.our-domain-name.com
      Locator Flags: 0xe003f1fd
      Time Server Name: \\AD-SERVER.our-domain-name.com
      Locator Flags: 0xe003f1fd
      Preferred Time Server Name: \\AD-SERVER.our-domain-name.com
      Locator Flags: 0xe003f1fd
      KDC Name: \\AD-SERVER.our-domain-name.com
      Locator Flags: 0xe003f1fd
      ......................... our-domain-name.com passed test LocatorCheck
      Starting test: Intersite
      Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
      provided.
      ......................... our-domain-name.com passed test Intersite

      • Harm_Veenstra
        MVP
        Could you run it in an Administrator Command prompt? There are errors like "Could not open NTDS Service on AD-SERVER, error 0x5 'Access is denied.'" which indicate you're not running the dcdiag command as an admin / in an elevated prompt.
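The reply's point is visible in the output above: the NetLogons, Replications and Services failures all carry access-denied text ("User credentials does not have permission", "Replication access was denied.", "Access is denied."), which is what dcdiag produces from an unelevated prompt, while the DFSREvent failure does not. The PowerShell script below is an added example and is not from the thread. It refuses to run unless the prompt is elevated, runs `dcdiag /v /c` to a log file, then lists the failed tests and marks each one whose section contained an access-denied message so it is not mistaken for a real fault; it also decodes the NTSTATUS-style `EventID:` values dcdiag prints (0xC00004B2 above is DFSR event 1202, "failed to contact domain controller"). It assumes it runs on the DC and that dcdiag.exe is on the PATH; the log path is a hypothetical default.

```powershell
# Added example, not from the thread. Runs dcdiag the way the reply asks (from an elevated prompt)
# and tells access-denied noise apart from real failures. Assumptions: run on the DC; dcdiag.exe is
# on the PATH (it is on every DC); the log path below is a hypothetical default.
param(
    [string]$LogPath = "$env:TEMP\dcdiag-$(Get-Date -Format yyyyMMdd-HHmmss).log",
    [switch]$ParseOnly   # skip running dcdiag and just parse an existing log at $LogPath
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated. Unelevated dcdiag fails NetLogons, Services and Replications with "Access is denied"; re-run from an elevated prompt.'
}

# /v verbose, /c comprehensive (every test except DcPromo and RegisterInDns, so DNS is included),
# /f writes the report to a file so it can be kept with the ticket.
if (-not $ParseOnly) { & dcdiag.exe /v /c /f:$LogPath | Out-Null }

function ConvertTo-EventId([string]$NtStatusHex) {
    # dcdiag prints event IDs as NTSTATUS-style values (0xC00004B2); the low 16 bits are the event ID
    [int]([Convert]::ToInt64(($NtStatusHex -replace '^0x', ''), 16) -band 0xFFFF)
}

# Walk the report: remember which test section we are in, note access-denied text inside it,
# and turn every "........ <target> passed|failed test <name>" verdict line into an object.
$current = $null
$denied  = @{}
$results = foreach ($line in Get-Content $LogPath) {
    if ($line -match 'Starting test:\s+(\S+)') { $current = $Matches[1]; continue }
    if ($current -and $line -match 'Access is denied|does not have permission|access was denied') {
        $denied[$current] = $true
    }
    if ($line -match '\.{3,}\s+(?<target>\S+)\s+(?<verdict>passed|failed) test (?<test>\S+)') {
        [pscustomobject]@{
            Target       = $Matches.target
            Test         = $Matches.test
            Verdict      = $Matches.verdict
            AccessDenied = [bool]$denied[$Matches.test]
        }
    }
}

"`nFailed tests (AccessDenied = True usually means an unelevated run, not a broken DC):"
$results | Where-Object Verdict -eq 'failed' | Format-Table Target, Test, AccessDenied -AutoSize

"`nEvent IDs quoted in the report, decoded:"
Get-Content $LogPath | Select-String 'EventID:\s+(0x[0-9A-Fa-f]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique |
    ForEach-Object { '{0} = event ID {1}' -f $_, (ConvertTo-EventId $_) }
```

Fed the report posted above (saved to a file and run with `-ParseOnly`), the parser reports four failed tests, of which NetLogons, Replications and Services are marked AccessDenied and DFSREvent is not; the DFSREvent failure, with its repeated 0xC00004B2 (event 1202) entries, is therefore the one worth pursuing after the elevated re-run.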
