How to Reset Secure Channel On Active Directory Domain Controller

When you’re a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation and deciding that having a single box holding all the FSMO roles is dangerous to the network, you will inevitably find yourself in the same situation I’ve found myself in.

The tell-tale signs that you need to manually reset the secure channel on your problematic domain controller are the following symptoms:

  • Any mechanism that relies on Kerberos authentication tickets will fail
  • Practically all subsystem services and listening endpoints will cease to function (non-KDC-related services like DNS and DHCP aren’t affected)
  • Active Directory replication will fail on the affected DC (you can view this with repadmin /replsummary and repadmin /showrepl)
  • nltest /sc_query:domain.local and nltest /sc_verify:domain.local write "access denied" to stderr
  • Being fired for incompetence

Strangely enough, Microsoft tells you exactly what the issue is. However, even though this is strictly Kerberos and security related, the event source “Security-Kerberos” ID 4 only shows up in the System event log for some reason. Who was the genius behind that logic?

How to Reset Secure Channel On Active Directory Domain Controller

  1. Open an administrative command prompt directly on the affected controller
  2. Run the following commands in this exact sequence:
    NET STOP KDC
    KLIST PURGE
    NETDOM RESETPWD /Server:<YourGoodDomainController> /UserD:<domain\username> /PasswordD:<YourPassword>
    NET START KDC
  3. Once again we have backwards Microsoft logic: the /Server: parameter takes your known-good, functional DC, not the broken one, so pay attention to what you type after it
  4. Remember to run these commands on the broken domain controller; I don’t care if you use a PS-Session, CIM, WinRM or RDP directly to a cmd prompt
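The symptom checks and the four-step reset above, wrapped in a PowerShell script as an added example (this is not the original post's command line). It refuses to run on a non-DC or with /Server: pointing at the local box, shows the Security-Kerberos ID 4 events from the System log, only resets when nltest /sc_query actually fails, and verifies afterwards. The $GoodDC and $AdminUser parameters are assumed names.

```powershell
# Added example, not the original post's code. Run this ON the broken domain controller.
param(
    [Parameter(Mandatory)][string]$GoodDC,     # known-good DC that goes after /Server: (assumed parameter)
    [Parameter(Mandatory)][string]$AdminUser   # DOMAIN\username for /UserD: (assumed parameter)
)
$cs     = Get-CimInstance Win32_ComputerSystem
$domain = $cs.Domain                           # e.g. ad.sysinfo.io

# Guard 1: DomainRole 4 = backup DC, 5 = primary DC; anything lower is not a domain controller.
if ($cs.DomainRole -lt 4) { throw "Run this on the broken domain controller, not on a member server." }

# Guard 2: /Server: must name the OTHER, healthy DC, never the machine we are standing on.
if (($GoodDC -split '\.')[0] -ieq $env:COMPUTERNAME) {
    throw "/Server: points at this machine; name the known-good DC instead."
}

# Symptom check 1: Security-Kerberos event ID 4 lands in the System log, not the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List

# Symptom check 2: a broken channel makes nltest print "I_NetLogonControl failed ... ERROR_ACCESS_DENIED".
$query = (nltest /sc_query:$domain 2>&1 | Out-String)
if ($query -notmatch 'failed') {
    Write-Warning "nltest /sc_query succeeded; the secure channel looks healthy, nothing was reset."
    return
}

# The four commands from the post, in order. /PasswordD:* makes netdom prompt for the
# password so it never lands in the console history.
net stop kdc
klist purge
netdom resetpwd /Server:$GoodDC /UserD:$AdminUser /PasswordD:*
$resetExit = $LASTEXITCODE                     # capture before "net start" overwrites it
net start kdc
if ($resetExit -ne 0) {
    throw "netdom resetpwd failed (exit $resetExit); KDC restarted, check its output before retrying."
}

# Verification: sc_verify should now succeed and /replsummary should show 0 failures.
nltest /sc_verify:$domain
repadmin /replsummary
```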

Before:

C:\>repadmin /replsummary
Replication Summary Start Time: 2019-04-21 06:46:35

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 WIN2016CORE-1     19d.14h:05m:37s    5 /   5  100  (2148074274) The target principal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
 WIN2016CORE-2     19d.14h:05m:39s    5 /   5  100  (2148074274) The target principal name is incorrect.

Experienced the following operational errors trying to retrieve replication information:
        8341 - win2016core-1.ad.sysinfo.io

C:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Site1\WIN2016CORE-1
DSA Options: IS_GC
Site Options: IS_GROUP_CACHING_ENABLED
DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
DSA invocationID: 00cd928c-063f-439d-a13a-9183ac18e684

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1422 consecutive failure(s).
        Last success @ 2019-04-03 01:11:03.

CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

Source: Site1\WIN2016CORE-2
******* 1422 CONSECUTIVE FAILURES since 2019-04-03 01:11:03
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

C:\>nltest /sc_query:ad.sysinfo.io
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

C:\>nltest /sc_verify:ad.sysinfo.io
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

After:

NET stop kdc && klist purge && netdom resetpwd /Server:win2016core-1 /UserD:SYSINFO\visualblind /passwordD: && net start kdc

The Kerberos Key Distribution Center service was stopped successfully.

Current LogonId is 0:0x298f46b
        Deleting all tickets:
        Ticket(s) purged!

The machine account password for the local machine has been successfully reset.

The command completed successfully.

The Kerberos Key Distribution Center service is starting.
The Kerberos Key Distribution Center service was started successfully.

C:\>repadmin /replsummary
Replication Summary Start Time: 2019-04-21 08:27:02

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 WIN2016CORE-1             04m:10s    0 /   5    0
 WIN2016CORE-2             10m:55s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 WIN2016CORE-1             10m:55s    0 /   5    0
 WIN2016CORE-2             04m:10s    0 /   5    0

C:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Site1\WIN2016CORE-2
DSA Options: IS_GC
Site Options: IS_GROUP_CACHING_ENABLED
DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
DSA invocationID: 51035491-a911-4e10-8704-5c4f69d4a54c

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:26:47 was successful.

CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:22:52 was successful.

References:

https://glennopedia.com/2016/02/25/how-to-reset-secure-channel-on-a-domain-controller/
