This computer was not able to set up a secure session with a domain controller in domain

Andreas 1,296 Reputation points
2022-02-14T13:08:38.88+00:00

Hi,

We have added a third domain controller, and everything seems ok, but I now and then get this message in the system event log

Event ID 5719

This computer was not able to set up a secure session with a domain controller in domain XXX due to the following:
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Don't see this message on the other domain controllers. I don't have any issues logging into the domain controller.
Suggestions?

Thanks for reply

/R
Andy


7 answers

  1. Dave Patrick 426K Reputation points MVP
    2022-02-16T20:30:42.13+00:00

    All looks good, dcdiag is clean. The only issues I see

    On DC1 add server's own static address (192.168.200.15) listed for DNS, then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service

    On DC2 add server's own static address (192.168.200.14) listed for DNS, then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service

    On DC3 add server's own static address (192.168.200.50) listed for DNS, then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon service

    and also confirm from PowerShell

    Test-ComputerSecureChannel
    

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    2 people found this answer helpful.
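
The steps in the answer above, scripted for one domain controller. This is an added example, not code from the thread: the function name is hypothetical, and appending the server's own address after the existing DNS servers is an assumption, since the answer does not say where in the list it goes.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
function Repair-DcDnsRegistration {            # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Statically configured IPv4 addresses on this server
    $static = @(Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual -ErrorAction SilentlyContinue)

    foreach ($addr in $static) {
        $current = @((Get-DnsClientServerAddress -InterfaceIndex $addr.InterfaceIndex `
                        -AddressFamily IPv4).ServerAddresses)
        if ($current -contains $addr.IPAddress) {
            Write-Verbose "$($addr.IPAddress) is already listed for DNS on $($addr.InterfaceAlias)"
            continue
        }
        # Assumption: keep the existing servers and append the server's own address
        $new = $current + $addr.IPAddress
        if ($PSCmdlet.ShouldProcess($addr.InterfaceAlias, "Set DNS servers to $($new -join ', ')")) {
            Set-DnsClientServerAddress -InterfaceIndex $addr.InterfaceIndex -ServerAddresses $new
        }
    }

    # Same order as the answer: flush, re-register, restart Netlogon
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Flush DNS, register DNS, restart Netlogon')) {
        ipconfig /flushdns    | Out-Null
        ipconfig /registerdns | Out-Null
        Restart-Service -Name Netlogon -Force
    }

    # Read-only check; it can throw instead of returning $false, so catch that case
    try   { Test-ComputerSecureChannel -WhatIf:$false -ErrorAction Stop }
    catch { Write-Warning "Secure channel test failed: $($_.Exception.Message)"; $false }
}

# Report what would change without touching anything
Repair-DcDnsRegistration -WhatIf -Verbose
```

Run it without `-WhatIf` to apply the changes; the function's output is the result of the secure channel test.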

  2. Dave Patrick 426K Reputation points MVP
    2022-02-14T13:45:17.297+00:00

    Please run;

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\dc3.txt
    ipconfig /all > C:\problemworkstation.txt

    then put unzipped text files up on OneDrive and share a link.


  3. Andreas 1,296 Reputation points
    2022-02-16T11:10:12.643+00:00

    Hi @Dave Patrick

    Thanks for reply.

    Hope this link works
    https://1drv.ms/u/s!Ambg-la71z4_aaPXauqbcckQ6n8?e=b2cNFc

    /R
    Andy


  4. Andreas 1,296 Reputation points
    2022-02-17T08:06:24.86+00:00

    Hi,

    DNS records registered.

    Thanks, that solved the problem on DC3. I did the Test-ComputerSecureChannel but first it reported Failed. Then I did a repair and it was a success and now NETLOGON service reports ok.

    But one other strange thing, on DC1 that I have not had any issues with, I get the following message when I tried the Test-ComputerSecureChannel command


    PS C:\Temp> Test-ComputerSecureChannel
    Test-ComputerSecureChannel : Cannot verify the secure channel for the local computer. Operation failed with the following exception: The specified domain either does not exist or could not be contacted.
    At line:1 char:1
    + Test-ComputerSecureChannel
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (AAJDC1:String) [Test-ComputerSecureChannel], InvalidOperationException
        + FullyQualifiedErrorId : FailToTestSecureChannel,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand

    But is this correct since DC1 has the FSMO roles?

    /R
    Andy


  5. Andreas 1,296 Reputation points
    2022-02-17T09:17:02.62+00:00

    Hi,

    It seems I was a bit fast... the error is still showing... But I noticed something else... Our domain is called "DOMAIN", but the error message is saying it cannot connect with "DOMAIN-B", I don't know why it is trying another domain?


    This computer was not able to set up a secure session with a domain controller in domain DOMAIN-B due to the following:
    We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.


    /R
    Andy
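
To see which domain names the 5719 events actually name, and how often, the event text can be summarised per domain. This is an added example, not from the thread: the function name and the sample events are constructed, and the pattern assumes the English message text quoted above.

```powershell
# Added example, not from the thread.
function Get-Netlogon5719Summary {             # hypothetical function name
    param(
        # Events to analyse; defaults to Event ID 5719 from the local System log
        [object[]]$Events = (Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719
        } -ErrorAction SilentlyContinue)
    )

    $Events | ForEach-Object {
        # The message names the domain: "... in domain <NAME> due to the following:"
        if ($_.Message -match 'in domain (\S+) due to') {
            [pscustomobject]@{ Domain = $Matches[1]; Time = $_.TimeCreated }
        }
    } | Group-Object Domain | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Domain = $_.Name
            Count  = $_.Count
            First  = $times[0]
            Last   = $times[-1]
        }
    }
}

# Constructed sample events so the function can be tried without a live log
$text   = 'This computer was not able to set up a secure session with a domain controller in domain {0} due to the following:'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2022-02-14T13:00:00'; Message = $text -f 'DOMAIN' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-02-17T08:30:00'; Message = $text -f 'DOMAIN-B' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-02-17T09:10:00'; Message = $text -f 'DOMAIN-B' }
)
Get-Netlogon5719Summary -Events $sample | Format-Table -AutoSize

# On the affected machine, read the live log instead:
# Get-Netlogon5719Summary
# To list the domains this machine has trust relationships with:
# nltest /domain_trusts
```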
