Trust Relationship Issues

Eli Yammine 21 Reputation points
2020-11-19T18:46:42.563+00:00

All the computers on my domain have domain trust issues. I am able to log in perfectly into the domain without cached credentials but the following always happens:
What errors do you see?
PS C:\WINDOWS\system32> test-computersecurechannel
False

The secure channel always fails. If I do decide to remove it from the domain and put it back on, it works but only for a short period of time. Sometimes minutes or hours.

What's the environment and are there recent changes?
This happens on any client computer: Windows 10, 7, XP, Vista. There have been no recent changes that could cause this.

What have you tried to troubleshoot this?
I have attempted to check for duplicate computers in Active Directory. Tried to check event logs for anything that I see. I've tried resetting the machine password, checking replication health between servers and everything seems fine. About a month ago, this was happening to every computer minus around 5 but now it happens on every single computer, even a new one that was just purchased brand new.

Tags: Windows 10, Windows Server 2012
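The check the question describes, widened into a member-side triage script. This is an added example and not code from the thread; it assumes it is run in an elevated PowerShell session on the affected domain member, that the RSAT ActiveDirectory module is present for the password-age step, and that `$Domain` is the member's own domain.

```powershell
# Added example (not from the thread): triage a domain member's secure channel.
# Assumptions: elevated session on the affected member; $Domain is its own domain.
$Domain = $env:USERDNSDOMAIN
$Repair = $false   # set to $true to reset the machine account password against a DC

# 1. Which DC the secure channel is bound to, and whether it validates.
nltest "/sc_query:$Domain"
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel valid: $ok"

# 2. Age of the machine account password as AD sees it. A value that keeps
#    jumping after each re-join is consistent with the symptom in the question.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet |
        Select-Object Name, PasswordLastSet
}

# 3. Netlogon failures logged on the member in the last day:
#    3210 = could not authenticate with the DC, 5719 = no secure session with any DC.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 3210, 5719
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap

# 4. Optional repair: resets the machine password and re-establishes the channel
#    without leaving and re-joining the domain. Needs domain credentials.
if ($Repair -and -not $ok) {
    $cred = Get-Credential -UserName "$Domain\admin" -Message 'Domain account allowed to reset the computer password'
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}
```

Running step 3 on the member and the 5827/5829 check on the domain controllers side by side tells you whether the channel is being torn down by the DC (Netlogon enforcement) or never established at all (DNS or replication).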

Accepted answer
  1. Anonymous
    2020-11-19T20:09:42.883+00:00

    I'd read on here about CVE-2020-1472 that was deployed with the August update.
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    I have an Event ID 5827 for a Windows device. I thought you said Windows is not impacted?
    By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If an event ID 5827 is logged in the system event log for a Windows device:
    Confirm that the device is running a supported version of Windows.
    Ensure the device is fully updated from Windows Update.
    Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled in a GPO linked to the OU for all your DCs, such as the default domain controllers GPO.

    --please don't forget to Accept as answer if the reply is helpful--

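A DC-side check for the three points in the accepted answer. This is an added example, not from the thread or from the linked Microsoft article; it assumes an elevated session on a domain controller, and that the GPO setting "Domain member: Digitally encrypt or sign secure channel data (always)" is backed by the `RequireSignOrSeal` value under the Netlogon parameters key, with `FullSecureChannelProtection` being the enforcement switch the linked KB describes.

```powershell
# Added example (not from the thread): on a domain controller, surface the Netlogon
# events introduced by the CVE-2020-1472 update and confirm the signing policy.
$since = (Get-Date).AddDays(-7)

# 5827 = vulnerable connection from a machine account denied
# 5828 = vulnerable connection from a trust account denied
# 5829 = vulnerable connection allowed (only while enforcement is not yet on)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No Netlogon 5827/5828/5829 events since $since on $env:COMPUTERNAME"
} else {
    # How many of each, then the full messages (they name the account and client)
    $events | Group-Object Id | Select-Object Name, Count | Format-Table
    $events | Select-Object TimeCreated, Id, Message | Format-List
}

# The GPO setting the answer asks for maps to this registry value (assumption
# stated in the lead-in): 1 = Enabled.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$seal = (Get-ItemProperty -Path $params -Name RequireSignOrSeal -ErrorAction SilentlyContinue).RequireSignOrSeal
"RequireSignOrSeal         = $(if ($null -eq $seal) { '<not set>' } else { $seal })  (expected 1)"

# Enforcement-mode switch from the linked KB; absent means the OS default applies.
$fscp = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
"FullSecureChannelProtection = $(if ($null -eq $fscp) { '<not set>' } else { $fscp })"
```

Run it on every DC, since each one only logs the connections it handled; a member that shows 5827 on one DC and nothing on another usually just happened to be bound to the first DC when the channel was refused.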

3 additional answers

  1. Anonymous
    2020-11-19T18:49:04.38+00:00

    Please run:

    Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\problemworkstation.txt

    then put unzipped text files up on OneDrive and share a link.


  2. Eli Yammine 21 Reputation points
    2020-11-19T19:37:13.21+00:00

  3. Vicky Wang 2,731 Reputation points
    2020-11-23T05:38:40.783+00:00

    Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Vicky

