secure channel between the local computer and the domain is broken

Muqaddas Bamne 1 Reputation point
2020-11-25T21:02:26.947+00:00

Hi, I am running into a situation where all endpoints and VMs have run into this issue with the secure channel between the local computer and the domain being broken. Our users are unable to RDP using IP, we are receiving the message that the Windows Domain controller cannot be contacted to perform Network Level Authentication (NLA). We are oddly enough able to RDP using hostname.

Two DCs are currently live. A third DC was decommissioned a few days ago, and this is when the issue started. This old DC was the FSMO role master, but all roles were transferred to one of the current DCs more than a year ago. The decommissioning was neglected up until today. The old decommissioned DC has been removed from AD.

Getting the following when running Test-ComputerSecureChannel -Verbose:

VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "<computer>".
False
VERBOSE: The secure channel between the local computer and the domain <domain> is broken.

When I switch a device to a test Workgroup, reboot, and then join the domain again, the secure channel is in good condition; however, if the device is rebooted the secure channel gets broken again.

If I however switch a device to a test Workgroup, reboot, go to AD and delete the device and then join the domain, the secure channel remains in good condition.

Clearly it would not be possible to manually remove, delete, and rejoin the domain for each device. I have to believe that there is a better way.

Please help.

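The poster's workaround (workgroup, reboot, rejoin) works because it resets the machine account password on both sides. The same reset can be done in place with the -Repair parameter of Test-ComputerSecureChannel, which re-establishes the channel without leaving the domain. The script below is an added example, not code from the question or from Microsoft: it tests the channel against a named DC on a list of computers and, with -Repair, fixes the ones that report False. The computer list path and the DC name are placeholders, and the credential is assumed to be an account that may reset computer passwords in AD.

```powershell
# Added example (not from the original post): test the machine account secure channel
# on a list of computers and, when asked, repair it in place instead of disjoining.
# Assumptions: computers.txt and DC01 are placeholders; $cred can reset computer
# account passwords (domain admin or a delegated account).
param(
    [string]$ComputerListPath = '.\computers.txt',   # placeholder: one hostname per line
    [string]$DomainController = 'DC01',              # placeholder: a live DC to test against
    [switch]$Repair
)

$cred      = Get-Credential -Message 'Account allowed to reset computer passwords'
$computers = Get-Content $ComputerListPath | Where-Object { $_ -and -not $_.StartsWith('#') }

$results = foreach ($name in $computers) {
    try {
        Invoke-Command -ComputerName $name -ErrorAction Stop `
            -ArgumentList $DomainController, $cred, [bool]$Repair -ScriptBlock {
            param($dc, $cred, $doRepair)

            # Same check the question shows, pinned to one DC so results are comparable.
            $ok     = Test-ComputerSecureChannel -Server $dc
            $action = 'none'

            if (-not $ok -and $doRepair) {
                # -Repair resets the computer account password on the DC and in the
                # local LSA secret, which is what the workgroup round trip achieves.
                Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred | Out-Null
                $ok     = Test-ComputerSecureChannel -Server $dc
                $action = if ($ok) { 'repaired' } else { 'repair failed' }
            }

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                SecureChannel = $ok
                Action        = $action
                Error         = $null
            }
        }
    } catch {
        # Unreachable host or remoting refused: report it rather than silently skipping.
        [pscustomobject]@{
            Computer      = $name
            SecureChannel = $null
            Action        = 'unreachable'
            Error         = $_.Exception.Message
        }
    }
}

$results | Sort-Object SecureChannel | Format-Table -AutoSize
```

Run it once without -Repair to get an inventory of broken channels, then with -Repair. If remoting to an affected machine fails because its Kerberos tickets can no longer be validated, the same Test-ComputerSecureChannel -Repair call can be run locally on that machine. If channels break again after a reboot, as the question describes, the reset is not the root cause and the DC event logs need to be read.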

11 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-11-27T17:24:55.197+00:00

    I'd check the event logs on both for more details. There are many "DFS Replication service failed" events.

    Plus the others I mentioned. There are many "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. For more information about why this was denied, please visit https://go.microsoft.com/fwlink/?linkid=2133485 "

    --please don't forget to Accept as answer if the reply is helpful--
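The Netlogon message quoted in this answer ("The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account") is logged on the domain controller that refused the connection, so the DCs, not the endpoints, show which machine accounts are affected. The script below is an added example, not code from the answer: it pulls those events from each DC's System log over a time window and counts them per machine account. The DC names are placeholders; the event ID used, 5827, is the Netlogon ID that carries this message, and the message-text match is kept as a guard. The "Machine SamAccountName:" and "Client IP Address:" labels parsed from the message body are assumed from the event's usual layout.

```powershell
# Added example (not from the answer above): summarise Netlogon "denied a vulnerable
# secure channel connection" events per machine account across the DCs.
# Assumptions: DC01/DC02 are placeholders; the caller can read the System log remotely;
# the message body contains "Machine SamAccountName:" and "Client IP Address:" labels.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholders
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

$rows = foreach ($dc in $DomainControllers) {
    try {
        # 5827: Netlogon denied a vulnerable secure channel connection from a machine account.
        $evts = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = 5827; StartTime = $since
        }
    } catch {
        if ($_.Exception.Message -like 'No events were found*') {
            $evts = @()                                  # quiet DC, not an error
        } else {
            Write-Warning "$dc`: $($_.Exception.Message)" # unreachable or access denied
            continue
        }
    }

    foreach ($e in $evts) {
        # Keep only the message the answer quotes, in case the ID is reused.
        if ($e.Message -notlike '*denied a vulnerable Netlogon secure channel connection*') { continue }

        $acct = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        $ip   = if ($e.Message -match 'Client IP Address:\s*(\S+)')      { $Matches[1] } else { '(unparsed)' }

        [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; Account = $acct; ClientIP = $ip }
    }
}

# One line per machine account: how often it was refused and when it was last seen.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account';  e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Accounts that appear here after a successful rejoin are the ones to look at first: the channel being refused rather than merely stale points at the DC-side Netlogon policy, which is the subject of the Microsoft link in the answer, rather than at the machine password itself.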