Hello @Petr Fiser ,
Thank you for posting here.
Do you have the same issue (tried to log on to the DC with the domain Administrator credentials and received the error message above) on both DCs?
We can check on the problematic DC:
1. Run the command to check the secure channel: NETDOM VERIFY computer_name
2. Run the command to reset the secure channel:
Netdom resetpwd /s:<target_server> /ud:mydomain\domain_admin /pd:*
/s:<server> is the name of the domain controller to use for setting the machine account password. It's the server where the KDC is running.
/ud:<domain\User> is the user account that makes the connection with the domain you specified in the /s parameter. It must be in domain\User format. If this parameter is omitted, the current user account is used.
/pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password. For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2.
And replication propagates the change to other domain controllers:
netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
In your case, you have two DCs; I assume one is DC1 (if it is also the PDC) and the other is DC2.
If you run the command on DC1, you can run:
Netdom resetpwd /s:DC2 /ud:mydomain\domain_admin /pd:*
If you run the command on DC2, you can run:
NETDOM VERIFY DC2
Netdom resetpwd /s:DC1 /ud:mydomain\domain_admin /pd:*
After that, check if it helps.
Hope the information above is helpful.
Should you have any questions or concerns, please feel free to let us know.
If the Answer is helpful, please click "Accept Answer" and upvote it.
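The verify-then-reset procedure from the answer above, wrapped in a PowerShell script as an added example (this is not code from the original answer or from Microsoft). It is meant to be run in an elevated prompt on the problematic DC by a domain administrator. It first runs NETDOM VERIFY against the local DC and only runs NETDOM RESETPWD if that check fails, then re-verifies. The parameter names ($AdminUser, $PeerDC, $StopKdcDuringReset) and the function names are my own; the peer DC is discovered with the ActiveDirectory module when it is not given. The optional $StopKdcDuringReset switch stops the local KDC service and purges the Kerberos ticket cache around the reset, which is part of Microsoft's documented netdom procedure for resetting a domain controller's machine account password but is not mentioned in the answer; leave it off to run exactly the commands shown above.

```powershell
# Added example (not from the original answer): run on the problematic DC, elevated,
# as a domain administrator. Checks the secure channel with netdom verify and resets
# it against a peer DC with netdom resetpwd only if the check fails.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Account for /ud:, in DOMAIN\user form (assumed parameter, e.g. mydomain\domain_admin)
    [Parameter(Mandatory)] [string] $AdminUser,
    # Peer DC for /s:; discovered via the ActiveDirectory module when omitted
    [string] $PeerDC,
    # Opt-in: stop the local KDC and purge tickets around the reset (Microsoft's netdom
    # procedure for DC machine-account resets; not part of the answer above)
    [switch] $StopKdcDuringReset
)

$ErrorActionPreference = 'Stop'
$local = $env:COMPUTERNAME

function Test-DCSecureChannel {
    # Step 1 of the answer: NETDOM VERIFY <computer_name>; exit code 0 means the channel is healthy
    netdom verify $local
    return ($LASTEXITCODE -eq 0)
}

function Get-PeerDC {
    # Pick any other DC in the domain to write the new machine password to (assumption:
    # the first peer returned is reachable; pass -PeerDC explicitly to choose one)
    Import-Module ActiveDirectory
    $peer = Get-ADDomainController -Filter * |
        Where-Object { $_.Name -ne $local } |
        Select-Object -First 1
    if (-not $peer) { throw "No peer domain controller found to reset against." }
    return $peer.HostName
}

function Reset-DCSecureChannel([string] $Server) {
    # Step 2 of the answer: Netdom resetpwd /s:<peer> /ud:<domain\user> /pd:*
    # /pd:* prompts for the password so it never lands in the script or shell history.
    if ($StopKdcDuringReset) {
        Stop-Service -Name Kdc
        klist purge | Out-Null
    }
    try {
        netdom resetpwd "/s:$Server" "/ud:$AdminUser" /pd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Always bring the KDC back, even if the reset failed
        if ($StopKdcDuringReset) { Start-Service -Name Kdc }
    }
}

if (Test-DCSecureChannel) {
    Write-Host "Secure channel for $local is healthy; no reset needed."
    return
}

if (-not $PeerDC) { $PeerDC = Get-PeerDC }
Write-Warning "Secure channel check failed on $local; resetting its machine account password via $PeerDC"

if ($PSCmdlet.ShouldProcess($local, "netdom resetpwd /s:$PeerDC /ud:$AdminUser")) {
    Reset-DCSecureChannel -Server $PeerDC
    # "After that, check if it helps": re-run the verify step
    if (Test-DCSecureChannel) {
        Write-Host "Secure channel restored; replication propagates the new password to the other DCs."
    } else {
        Write-Warning "netdom verify still fails on $local; check AD replication and DNS between $local and $PeerDC before retrying."
    }
}
```

Usage on DC2, reproducing the answer's commands: .\Reset-DCChannel.ps1 -AdminUser mydomain\domain_admin -PeerDC DC1 (the script file name is arbitrary). Add -WhatIf to see the netdom resetpwd that would run without executing it. Because the verify step runs first, the script is safe to run on both DCs: it only resets on the one whose secure channel is actually broken.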