Secure channel lost - ERROR_NO_LOGON_SERVERS

Giorgio Busoni 1 Reputation point
2022-09-11T23:56:42.357+00:00

Hi,
I have a single production server with several VMs running. 2 VMs are DCs, there are other VMs for other services, and one VM acts as a router between the internal network and the external one, with 2 Ethernet connections, running RRAS and a DHCP server.
I have communication problems between this machine and the DCs. One month ago I had to de-join and re-join it to the domain, because it lost the secure channel and DHCP stopped working. To add it back to the domain, I had to disable the external network connection, otherwise it would give an error. After disabling the external connection, it joined, and I re-enabled the external connection. However, it looks like when the external connection is enabled, it is unable to communicate with the DCs.
When I try to run "nltest /query" I get the error "1311 0x51f ERROR_NO_LOGON_SERVERS".

I should mention that some time ago the network had a second site, with 2 DCs there as well, and that this machine was running a site-to-site VPN. Later on we had a machine failure on the other site, and the site was abandoned; I had to remove the 2 DCs with ntdsutil. So it might be that it is trying to connect to those DCs, even if they have been removed from AD, and even though its IP is on the local site?


5 answers

  1. Anonymous
    2022-09-12T01:35:46.343+00:00

    Simplest solution may be to stand up a new one for replacement.


  2. Anonymous
    2022-09-12T13:10:30.423+00:00

    It's a virtual machine, right? Replacing it seems like the simplest / quickest solution. Having a single Windows instance that does VPN, the routing role and DHCP server may be problematic. If you can't stand up a new one (or more) for replacement then I'd suggest starting a case here with product support.
    https://support.microsoft.com/hub/4343728/support-for-business

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Limitless Technology 39,591 Reputation points
    2022-09-13T08:14:03.387+00:00

    Hello there,

    Check the port requirements: Active Directory and Active Directory Domain Services Port Requirements

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    It would be great if you can share the output for ipconfig /all and dcdiag /v.

    This issue could also occur because the Netlogon secure channel is a special case for RPC Endpoint Mapper. It can be used to authenticate RPC Endpoint Mapper itself. In some cases, the Netlogon secure channel is not honored, and this causes a deadlock that takes time to resolve.

    You can look into this article https://support.microsoft.com/en-us/topic/lost-secure-channel-takes-a-long-time-to-be-reestablished-when-rpc-endpoint-mapper-is-secured-on-windows-server-2012-domain-controllers-c0f84698-91a1-aa4f-f211-d7f735e60ee3

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

    -------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


  4. Anonymous
    2022-09-19T12:34:26.867+00:00

    When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing the correct ports) and we cannot change the network location profile.
    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
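The checks suggested in answers 3 and 4 (DC port reachability per the linked port-requirements list, and the firewall profile NLA assigned) can be gathered from the affected VM in one pass. This is an added example, not code from the thread or from Microsoft; the domain name is a placeholder and the script assumes it runs as a local administrator on the dual-homed VM.

```powershell
# Added example (not from the thread): collect DNS, DC reachability and NLA
# profile evidence from the dual-homed router VM. Domain name is a placeholder.
$Domain  = 'corp.example'   # placeholder: your AD DNS domain
# Ports from the AD port-requirements list: DNS, Kerberos, RPC EPM, LDAP,
# SMB, Kerberos password change, LDAPS, Global Catalog
$DcPorts = @(53, 88, 135, 389, 445, 464, 636, 3268)

# 1. DNS client settings per adapter. The external NIC should not point at a
#    resolver that cannot answer the _ldap._tcp.dc._msdcs SRV query.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Which DCs does DNS still advertise? Stale entries here would be the
#    decommissioned DCs from the abandoned site.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object Type -eq 'SRV' |
    Select-Object -ExpandProperty NameTarget -Unique

# 3. TCP reachability to every advertised DC on every required port, and
#    which interface the connection actually went out on.
foreach ($dc in $dcs) {
    foreach ($p in $DcPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC   = $dc
            Port = $p
            Open = $r.TcpTestSucceeded
            Via  = $r.InterfaceAlias
        }
    }
}

# 4. Firewall profile NLA assigned; DomainAuthenticated is expected on the
#    internal NIC, Public on the external one.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# 5. Ask Netlogon which DC it locates and whether the secure channel is healthy.
nltest /dsgetdc:$Domain /force
Test-ComputerSecureChannel -Verbose
```

A DC that is reachable on all ports from the internal NIC but resolved via the external NIC's DNS servers, or an SRV answer that still lists the removed DCs, is the pattern to look for in the output.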


  5. Anonymous
    2022-09-19T12:37:17.807+00:00

    To be able to move the DHCP I will need to rejoin the machine, at least for some time, right?

    You could export / import DHCP scopes via PowerShell.
    https://learn.microsoft.com/en-us/powershell/module/dhcpserver/export-dhcpserver?view=windowsserver2022-ps
    https://learn.microsoft.com/en-us/powershell/module/dhcpserver/import-dhcpserver?view=windowsserver2022-ps

    --please don't forget to upvote and Accept as answer if the reply is helpful--
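The export/import path from the two linked cmdlets, as an added example that is not part of the thread; server names and paths are placeholders, and it assumes the export runs as a local administrator on the old router VM while the replacement server is already domain-joined.

```powershell
# Added example (not from the thread): move DHCP scopes and leases from the
# old router VM to a replacement server. Names and paths are placeholders.
$ExportFile = 'C:\Temp\dhcp-export.xml'   # placeholder: path readable where the script runs
$BackupPath = 'C:\Temp\dhcp-backup'       # placeholder: rollback copy of the new server's DB
$NewServer  = 'dhcp02.corp.example'       # placeholder: replacement DHCP server

# Step 1, on the old server: export every scope plus current leases.
Export-DhcpServer -File $ExportFile -Leases -Force
$before = (Get-DhcpServerv4Scope | Measure-Object).Count

# Step 2: import onto the new server. -BackupPath is mandatory and keeps a
# copy of the target's existing database so the import can be rolled back.
Import-DhcpServer -ComputerName $NewServer -File $ExportFile -Leases `
    -BackupPath $BackupPath -Force

# Step 3: verify the scope count matches before clients are pointed at it.
$after = (Get-DhcpServerv4Scope -ComputerName $NewServer | Measure-Object).Count
if ($after -ne $before) {
    throw "Scope count mismatch: exported $before scope(s), imported $after"
}

# Step 4: authorize the new server in AD (Enterprise Admins rights needed),
# then stop the DHCP service on the old VM so only one server answers.
Add-DhcpServerInDC -DnsName $NewServer
Stop-Service -Name DHCPServer
```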

