Sep 13, 2007

How to reset secure channel for DCs

This post is about resetting secure channel between domain controller and PDC. Another type of secure channel resetting, much more common for most of administrators, is done between a member machine and AD, which can be achieved by:
 
netdom reset /domain:YourDomainName

Instead of running above command, many administrators will simply disjoin and rejoin domain. It should resolve the problem -*if*- it's indeed a secure channel issue. Disjoin/rejoin will reset many other things along the way therefore it's cleaner.

Now back to our topic. Resetting secure channel for a DC should be done only when the a problematic DC can't authenticated with PDC. Symptoms include:

- "The target principal name is incorrect"
- \\IP\shared folder works but not \\computerName\share
- Replication fails but network seems to be fine (all ports are open)
- User get "access denied"
- Kerberos event 3 or 4

Step-by-step:

1. Identify PDC

    "netdom query fsmo"

2. Disable the KDC service on the DC in question (the DC whose password you want to reset), (don't forget to) reboot
3. On DC in question, run

    netdom resetpwd /server:PDC_name /userd:Domain\admin /passwordd:admin_pwd

4. Reboot again regardless if step 3 is successful (you should focus on why step 3 fails though)
5. Enable and start KDC
6. Verify if this resolve the issue
7. (Optional) Even it's not required, but you are strongly encouraged to reboot the DC again. Also if the reset was for troubleshooting replication issues, it's recommended to trigger a KCC cycle to re-generate the replication topology.

You can reset secure channel as many times as you want, but it only resolves issues that are out-of-sync in nature (remember computer accounts have password too and need to authenticated to each other). It won't help you if you have underlying network or DNS issue. And most AD issues are caused by mis-configured DNS, I should say!

In short, if you have a member server/workstation that don't seem to talk to the rest of the domain, you may want to reset secure channel on the workstation. If you have a DC that doesn't replicate or doesn't talk to other DCs, you want to reset that DC's secure channel. The commands used are quite different.

Edit (2011.11.05):
Similar to what you can do with member servers, if a DC's secure channel fails to reset, you can just demote it and promote it back. However there are a few things you need to take into consideration before demote:
  • Is this DC holding any fsmo role? Can you still transfer roles(most likely you can't due to failing secure channel)? Do you need to seize its roles?
  • If you have to do a force demote, do remember to perform metadata clean up
  • Is this DC a DNS server? Remember to remove it from your zone server list. Also consider the impact to clients that are using this server as their DNS server
  • Any other services this DC provides?
Last but not least, I can't stress enough how important DNS/connectivity is. If there is something wrong with DNS/network, demote/promote won't fix the issue.