secure channel between the local computer and the domain is broken

Question

Hi, I am running into a situation where all endpoints and VMs have run into this issue with the secure channel between the local computer and the domain being broken. Our users are unable to RDP using IP, we are receiving the message that the Windows Domain controller cannot be contacted to perform Network Level Authentication (NLA). We are oddly enough able to RDP using hostname.

Two DC's are currently live. A third DC was decommissioned a few days ago and this is when the issue started. This old DC was the FMSO role master, but all roles were transferred to one of the current DC more than a year ago. The decommissioning was neglected up until today. The old decommissioned DC has been removed from AD.

Getting the following when running Test-ComputerSecureChannel -Verbose:

VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "<computer>".
False
VERBOSE: The secure channel between the local computer and the domain <domain> is broken.

When I switch a device to a test Workgroup, reboot, and then join the domain again, the secure channel is in good condition; however, if the device is rebooted the secure channel gets broken again.

If I however switch a device to a test Workgroup, reboot, go to AD and delete the device and then join the domain, the secure channel remains in good condition.

Clearly it would be not possible to manually remove - delete and join the domain again for each device. I have to believe that there is a better way.

Please help.

Answer 1

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt
ipconfig /all > C:\problemworkstation.txt

then put unzipped text files up on OneDrive and share a link.

Answer 2

Please excuse my ignorance here and thank you for the quick response.

For: Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log --- I substituted %computername% for my DC hostname.

For:

ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt
ipconfig /all > C:\problemworkstation.txt

All generated text files from the above four commands are exactly the same. What am I doing wrong?

Answer 3

Ok, I am not understanding again what you mean by “each of the mentioned.”

Unless I am really missing something you didn’t mention anything and I mentioned two domain controllers and some test workstations.

You want me to run all the six commands on domain controllers and workstations?

Not sure what printing “ipconfig /all” to text files with different names on the same device going to do.

I am just trying to understand the basics, not questioning your troubleshooting approach.

Thanks,

Answer 4

Sorry, should have said;
Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log run on any functional DC
repadmin /showrepl >C:\repl.txt run on any functional DC
ipconfig /all > C:\dc1.txt run on dc1
ipconfig /all > C:\dc2.txt run on dc2
ipconfig /all > C:\dc3.txt run on dc3
ipconfig /all > C:\problemworkstation.txt run on any problem workstation

then put unzipped text files up on OneDrive and share a link.

Answer 5

Hi @Dave Patrick ,

That was my bad entirely. Please find the requested info here.

Sincerely,

I don't believe Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log is generating the output you are looking for. I am getting this:

Command Line: "dcdiag.exe   
/v /c /d /e /s:%computername%"  
  
Directory Server Diagnosis  
  
  
Performing initial setup:  
  
   * Connecting to directory service on server %computername%.  
  
   Ldap search capability attribute search failed on server %computername%,  
  
   return value = 81  
   The host %computername% could not be resolved to an IP address. Check the  
  
   DNS server, DHCP, server name, etc.  
  
   DcDiag: uncaught exception raised, continuing search