Forum Discussion
UnguidedWizard
Mar 02, 2022 | Copper Contributor
AD/DNS Server losing secure channel
Hi guys,
We have a single DC environment (Windows Server 2019) which keeps losing its secure channel with itself. We get DNS errors 4000 and 4007.
We run the following command, and reboot:
netdom resetpwd /server:AD.IPP.ADDR /userd:Domain\domain_admin /passwordd:*
The issue resolves itself, however re-appears after any further reboots.
This was originally in a dual DC environment, and the other has recently been removed, unsure if this is related.
Appreciate any advice.
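The events named above are DNS Server events 4000 and 4007, and the netdom reset is the poster's own workaround. The script below is an added triage example, not code from the thread: it runs on the DC in an elevated PowerShell, assumes the ActiveDirectory and DnsClient modules are present (they ship with the AD DS role), and uses a placeholder $RemovedDcIp for the demoted DC's address. It shows how often the two events recur and whether they cluster right after boot, where the DC sends its own DNS queries, and how the machine account password age moves each time the reset is applied.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: triage for a single DC that logs
# DNS Server events 4000/4007 and loses its secure channel after each reboot.
# Assumptions: run in an elevated PowerShell on the DC itself; ActiveDirectory and
# DnsClient modules available. $RemovedDcIp is a placeholder (RFC 5737 doc range).
param(
    [string]$RemovedDcIp = '192.0.2.10'
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain   = Get-ADDomain
$me       = $env:COMPUTERNAME
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# 1. How many 4000/4007 events in the last week, and which ones landed after the
#    most recent boot? A burst right after startup points at DNS starting before
#    AD DS is reachable; a steady stream points at a broken channel to the directory.
$dnsEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'DNS Server'; Id = 4000, 4007; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
"DNS Server 4000/4007 events in the last 7 days: $($dnsEvents.Count)"
$dnsEvents | Where-Object { $_.TimeCreated -gt $lastBoot } |
    Select-Object TimeCreated, Id, @{ n = 'Msg'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 2. Where does this DC send its own DNS queries? With a single DC the usual
#    guidance is its own address first and 127.0.0.1 second; an entry for the
#    removed DC's IP leaves the locator and the secure channel waiting on a host
#    that no longer answers.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $stale = $_.ServerAddresses -contains $RemovedDcIp
        "{0}: {1}{2}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '),
            $(if ($stale) { '  <-- still points at the removed DC' } else { '' })
    }

# 3. Machine account password age. netdom resetpwd changes this password, so a
#    value that jumps to "now" each time the workaround is applied confirms the
#    fix path; a value that never moves means the reset is not taking effect.
Get-ADComputer $me -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet, Enabled

# 4. Does the locator return this DC for the domain, with KDC/GC/time flags set?
nltest /dsgetdc:$($domain.DNSRoot) /force

# 5. The reset from the post, printed rather than executed so nothing changes here.
"If the channel is broken again, reset from an elevated prompt, then reboot:"
"  netdom resetpwd /server:$me /userd:$($domain.NetBIOSName)\<domain admin> /passwordd:*"
```

Run it once before and once after the next reboot; the event list and the PasswordLastSet value are what change between a clean start and a broken one, and a stale server address in step 2 is the first thing to remove.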
- You don't have any other issues, and the other DC was removed correctly? What does a "dcdiag.exe /v" show?
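The reply asks whether the second DC was removed correctly. The script below is an added example, not code from the thread, that answers that question by looking for the metadata a demoted DC leaves behind when the demotion does not finish: its server object under CN=Sites, replication connections that still name it, its DFSR SYSVOL member (the CN=Topology path dcdiag's VerifyReferences test reports), a computer account still in the Domain Controllers OU, and SRV/NS records still advertising it in DNS. It assumes an elevated PowerShell on the remaining DC with the ActiveDirectory and DnsServer modules, and $OldDcName is a placeholder for the removed DC's NetBIOS name.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread: look for metadata the demoted DC may have
# left behind. Assumptions: run on the remaining DC in an elevated PowerShell with
# the ActiveDirectory and DnsServer modules; $OldDcName is a placeholder for the
# NetBIOS name of the DC that was removed.
param([string]$OldDcName = 'OLD-DC')

Import-Module ActiveDirectory -ErrorAction Stop
$root     = Get-ADRootDSE
$domain   = Get-ADDomain
$cfgNC    = $root.configurationNamingContext
$domNC    = $domain.DistinguishedName
$findings = New-Object System.Collections.Generic.List[string]

# 1. Server object under CN=Sites. The KCC and the locator work from this object,
#    so a leftover here keeps the old DC "alive" in the replication topology.
Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" |
    ForEach-Object { $findings.Add("Server object still present: $($_.DistinguishedName)") }

# 2. Inbound replication connections whose source is the old DC's NTDS Settings.
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$OldDcName,*" } |
    ForEach-Object { $findings.Add("Replication connection from removed DC: $($_.Name)") }

# 3. DFSR SYSVOL topology member, the same container dcdiag VerifyReferences checks.
$dfsrTopology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domNC"
Get-ADObject -SearchBase $dfsrTopology -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$OldDcName))" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("DFSR SYSVOL member still present: $($_.DistinguishedName)") }

# 4. Computer account still sitting in the Domain Controllers OU.
Get-ADComputer -Filter "Name -eq '$OldDcName'" -SearchBase "OU=Domain Controllers,$domNC" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Computer account still in Domain Controllers OU: $($_.DistinguishedName)") }

# 5. DNS: SRV and NS records in the domain zone and the _msdcs zone that still
#    point at the old host. Stale SRV records send clients, and this DC's own
#    locator, to a server that no longer exists.
$zones = @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$OldDcName.*" } |
        ForEach-Object { $findings.Add("Stale SRV in ${zone}: $($_.HostName) -> $($_.RecordData.DomainName)") }
    Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -like "$OldDcName.*" } |
        ForEach-Object { $findings.Add("Stale NS in ${zone}: $($_.RecordData.NameServer)") }
}

if ($findings.Count -eq 0) {
    "No leftover metadata found for $OldDcName."
} else {
    $findings
    ""
    "Leftovers above mean the demotion did not complete cleanly. Delete the server object in"
    "Active Directory Sites and Services (current Windows versions run metadata cleanup for"
    "you) or use ntdsutil's 'metadata cleanup', then remove the stale DNS records."
}
```

The script only reads; every remediation is printed as text so that nothing is deleted from the directory until the findings have been reviewed.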
- UnguidedWizard | Copper Contributor
Harm_Veenstra Please see below output from dcdiag /v. I believe the DC was removed correctly, but I can't be sure.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine AD-SERVER, is a Directory Server.
Home Server = AD-SERVER
* Connecting to directory service on server AD-SERVER.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... AD-SERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\AD-SERVER
Starting test: Advertising
The DC AD-SERVER is advertising itself as a DC and having a DS.
The DC AD-SERVER is advertising as an LDAP server
The DC AD-SERVER is advertising as having a writeable directory
The DC AD-SERVER is advertising as a Key Distribution Center
The DC AD-SERVER is advertising as a time server
The DS AD-SERVER is advertising as a GC.
......................... AD-SERVER passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... AD-SERVER passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:08:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:13:53
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 12:26:06
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:15:02
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:20:03
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:30:04
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:35:05
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:53:07
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
An error event occurred. EventID: 0xC00004B2
Time Generated: 03/02/2022 14:58:08
Event String:
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
......................... AD-SERVER failed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AD-SERVER passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... AD-SERVER passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Domain Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role PDC Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Rid Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
......................... AD-SERVER passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC AD-SERVER on DC AD-SERVER.
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :LDAP/AD-SERVER.our-domain-name.com
* SPN found :LDAP/AD-SERVER
* SPN found :LDAP/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :LDAP/ae2dfa24-4f30-4909-a5e3-079f70b6b83e._msdcs.our-domain-name.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae2dfa24-4f30-4909-a5e3-079f70b6b83e/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name.com
* SPN found :HOST/AD-SERVER.our-domain-name.com
* SPN found :HOST/AD-SERVER
* SPN found :HOST/AD-SERVER.our-domain-name.com/our-domain-name
* SPN found :GC/AD-SERVER.our-domain-name.com/our-domain-name.com
......................... AD-SERVER passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AD-SERVER.
* Security Permissions Check for
DC=ForestDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=our-domain-name,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=our-domain-name,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=our-domain-name,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=our-domain-name,DC=com
(Domain,Version 3)
......................... AD-SERVER passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AD-SERVER\netlogon
Verified share \\AD-SERVER\sysvol
[AD-SERVER] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... AD-SERVER failed test NetLogons
Starting test: ObjectsReplicated
AD-SERVER is in domain DC=our-domain-name,DC=com
Checking for CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com in domain DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com in domain CN=Configuration,DC=our-domain-name,DC=com on 1 servers
Object is up-to-date on all servers.
......................... AD-SERVER passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
[Replications Check,AD-SERVER] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
"Replication access was denied."
......................... AD-SERVER failed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 12602 to 1073741823
* AD-SERVER.our-domain-name.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1666
......................... AD-SERVER passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on AD-SERVER, error 0x5 "Access is denied."
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AD-SERVER failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... AD-SERVER passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com and
backlink on CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com are
correct.
The system object reference (serverReferenceBL)
CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
backlink on
CN=NTDS Settings,CN=AD-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=our-domain-name,DC=com
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=AD-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=our-domain-name,DC=com and
backlink on CN=AD-SERVER,OU=Domain Controllers,DC=our-domain-name,DC=com are correct.
......................... AD-SERVER passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : our-domain-name
Starting test: CheckSDRefDom
......................... our-domain-name passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... our-domain-name passed test CrossRefValidation
Running enterprise tests on : our-domain-name.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
PDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
Preferred Time Server Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
KDC Name: \\AD-SERVER.our-domain-name.com
Locator Flags: 0xe003f1fd
......................... our-domain-name.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... our-domain-name.com passed test Intersite
- Could you run it in an Administrator command prompt? There are errors like "Could not open NTDS Service on AD-SERVER, error 0x5 "Access is denied."" which indicate you're not running the dcdiag command as an admin / in an elevated prompt.