Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Server 2012Secure channel broken on single DC

  • Filter
  • Time
  • Show
Clear All
new posts

  • Server 2012Secure channel broken on single DC

    I have been a long time reader, first time poster.

    Long story short, we renamed the domain because we can no longer get ssl certs with servers named .local. I hope you have your thinking hats on....

    Before we jumped off the cliff we tested in a lab, followed all the steps and we thought everything was fine (and it was) until we made changes to a few group policies.

    We had 3 DC's dc1,2&3. We first noticed that gpupdate /force wouldnt work on workstations. The user configs wouldnt apply. The error was: Windows could not determine if the user and the computer accounts are in the same forest.

    We figured easy fix, disjoin/rejoin domain. That didnt work. Then we disjoined (changed the computer name) then rejoined, that didnt work either. We created a new user (one that didn't exist before the rename) and they got the same error! FYI, The computer and user is in the same OU.

    gpresult shows that the group policy is being applied from a server that was decommissioned years ago. We deleted the registry keys for GP history and that didnt help. (HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Group Policy\History)

    After messing that that for a few days we decided to dig deeper and noticed the event logs were reporting that dc2 couldn't create a secure channel to dc1 or 2 and vice versa. After messing with that for a few days we decided to demote dc1 and 2 so we could focus on fixing 1 dc.

    First we transferred the fsmo roles to dc3 (it was dc2). netdom query showed dc3 was the new role holder on all 3 dc's. Demotion went smooth and we updated the dhcp server to only hand out dc3 as the dns server.

    Now dc3 is the only dc running dns & GC. We left dhcp on dc1&2 since it was running failover dhcp.

    After much fighting, nltest / ran from dc1&2 now show nerr_sucess to dc3.

    The same test from dc3 fails. No logon servers! 1311 0x51F

    I tried to reset the channel by running nltest /, same error. No logon servers.

    I ran set logonserver from dc3 and it says logonserver=\\dc3. Server reboots and restarts of netlogon doesn't fix anything. running set logonserver from dc1&2 both return: logonserver=\\dc3

    All 3 servers are 2012. dc1 is 2012r2. I am running out of things to try.

    To recap i have 1 problem that lead to finding another problem:

    Group policy updates are not being applied to user policies. Computer policies work fine. I think the issue is gp is being applied from a non existing server. I cant figure out how to fix that.

    The second issue is schannel broken from the only DC.

    metadata cleanup shows no traces of old DC. DNS is clean of old DC as well.

    What have I missed?

  • #2
    Re: Server 2012Secure channel broken on single DC

    70 views and no bites. Feeling lonely here. Here is an update:

    After we demoted 2 of the DC's the schannel appeared to start working. nltest /sc_verify = nerr success.

    So i figured why not just promote the server back to DC, transfer the fsmo roles, then demote and fix schannel on DC3?

    Initially Once MS1 (member server) was again DC1, the nltest /sc_verify: test fails, no logon servers.

    12 hours later the test passes. Either it fixed itself or nltest isnt a very reliable test.

    After the test passed i tried to reset schannel by running:

    nltest /server:dc3 / | error no logon servers

    I didn't feel safe only running 1 DC so I have left DC1 and DC3 as DC's.

    Same problem persists. I guess i can't fix the schannel issue until i fix the logon server issue.

    Running set logonserver from DC1 says DC3
    Running set logonserver from DC3 says DC3
    Running set logonserver from random workstations give either DC3 or DC1 which is the way it is supposed to work. The server chosen from the same site is random.

    What i dont get is if the server knows where the logonserver is, why does it say there isnt one?


    • #3
      Re: Server 2012Secure channel broken on single DC

      I wonder if the clue is in the fact that the original GPO's were being 'applied by a non-existent server', and which you emphasised.

      I wonder if previous adding/removing servers and upgrading servers has left some detritus in Active Directory and that you need to clean it up.

      I would determine what is leftover from previous setups and AD versions and perform a metadata clean-up removing all traces of DC's that no longer exist. Hopefully you will only need to remove the one that AD claims the GPO's are being applied from.

      Backup your GPO's first and (preferably) make sure that you have a full working backup you can restore to in case the unexpected happens.
      A recent poll suggests that 6 out of 7 dwarfs are not happy