failed to authenticate to DC (event ID 3210)

I'm troubleshooting different workstation slowness scenarios, and one of the concerning event IDs is 3210, which indicates some authorization issues between the client computer and the domain. Also, group policy errors (lack of connectivity to the domain controller) follow this error.

I'm trying to solve this event ID 3210 issue without success; so far I've done:

- Ports are opened between the client and the DC (I ran PortQry tests)
- Computer is patched 100%, KB2958122 included
- Computer account deleted, computer re-joined to the domain


  • Edited by yannara Friday, May 22, 2015 8:06 AM
May 22nd, 2015 8:05am

Hello,

How is your DNS configured on the client machine and on the domain controller? Check that your Sites & Subnets are configured correctly.

If possible enable debug logs for netlogon on client machine.

Enable: nltest /dbflag:0x2080ffff

Disable: nltest /dbflag:0x0

Ref: https://support.microsoft.com/en-us/kb/109626

Enable the debug log, then reboot the computer and ask the user to log in to the machine. Once the user is logged on to the machine, you will see the log file in %systemroot%\Debug. Upload the log file here.

May 22nd, 2015 9:11am
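As an added example (not part of the thread, and not a Microsoft tool), the collection step from the reply above can be scripted so the poster gets the 3210 events, the DC locator view and a summary of netlogon.log in one pass. It assumes an elevated PowerShell session on the affected client, the same nltest flag values the reply gives, the default log path %SystemRoot%\Debug\netlogon.log, and that netlogon.log lines carry a bracketed tag such as [CRITICAL] or [MISC] (an assumption about the log format; the parser only counts those tags).

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on the
# client; $Domain defaults to the machine's DNS domain; log format assumption
# is that each netlogon.log line carries a tag like [CRITICAL] or [MISC].
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [switch]$EnableDebug,
    [switch]$DisableDebug
)

$log = Join-Path $env:SystemRoot 'Debug\netlogon.log'

# 1. Recent NETLOGON 3210 events: when they fired and which DC is named
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Message = ($e.Message -split "`n")[0]   # first line names the DC and domain
    }
}

# 2. Which DC the locator picks and the current secure channel state
nltest /dsgetdc:$Domain
nltest /sc_query:$Domain

# 3. Toggle Netlogon debug logging with the flag values from the reply
if ($EnableDebug)  { nltest /dbflag:0x2080ffff }
if ($DisableDebug) { nltest /dbflag:0x0 }

# 4. Summarize the debug log: how many lines per tag, then the last [CRITICAL] lines
if (Test-Path $log) {
    Select-String -Path $log -Pattern '\[([A-Z]+)\]' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize

    Select-String -Path $log -Pattern '\[CRITICAL\]' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}
```

Run it once with -EnableDebug, reboot and let the user log on as the reply describes, then run it again without switches to read the counts and the [CRITICAL] lines; finish with -DisableDebug so the log stops growing.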


I forgot to mention that our Sites and Services are up to date; every subnet is bound to a site and DC. The client gets DNS settings from the DHCP scope; DNS servers vary depending on site, and the closest DC acts as DNS.

I'll get these logs and get back to this, thanks!

May 22nd, 2015 9:58am

Hi,

Try to take Wireshark and filter whether any NTLM authentication method is coming out. If so, you should add your nearest domain controller IP address to the "Exception list" in the network device. It could be either Riverbed, etc. ... and let me know.

Please share your answers.

May 22nd, 2015 10:46am

Hi,

You are getting event ID 3210 on the machine. This is typically a broken secure channel issue on the client machine.

Try resetting the password for the computer with the command below.

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/02/use-powershell-to-reset-the-secure-channel-on-a-desktop.aspx

May 22nd, 2015 11:25am

As stated in the article,

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

Where server_name is the name of the server that is the PDC Emulator operations master role holder.

Note: This method only works for DCs. If it's a member server, we have to disjoin and rejoin the domain.

So, should I still try this command on a client machine?

May 22nd, 2015 1:11pm

For a client machine you can do it directly from ADUC.

Go to the Active Directory Users and Computers MMC (DSA), right-click the computer object in the Computers or appropriate container, and then click Reset Account. Reboot the client machine.

May 22nd, 2015 1:20pm

I did this test; after reboot I cannot log on (the trust relationship between this workstation and the primary DC failed). I also wonder what this would help, if a brand new, fresh domain computer account does the same thing (3210). As I wrote in the first post, I already tried with a fresh account. But thanks for your help, and share more thoughts :)
May 22nd, 2015 1:31pm
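The outcome reported above is what Reset Account in ADUC produces on its own: it changes the computer account's password on the AD side only, so the secret the client still holds no longer matches and the secure channel fails until the client rejoins or resets from its side. The script below is an added example (not from the thread or either linked article) of doing that reset from the client, where both sides are updated, and of verifying before and after without changing anything unless asked. It assumes an elevated PowerShell session on the client, logged on with a local administrator account, a credential permitted to reset the computer object's password in the domain, and the built-in Test-ComputerSecureChannel cmdlet; $Domain and $Server are script parameters.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on the
# client as a local administrator; -Credential is an account allowed to reset
# this computer's password in AD; $Server optionally names a specific DC
# (for example the PDC emulator mentioned earlier in the thread).
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$Server,
    [switch]$Repair
)

# 1. Verify the existing secure channel; this step changes nothing
$healthy = Test-ComputerSecureChannel -Verbose
"Secure channel to ${Domain} healthy: $healthy"

# 2. Only reset the computer password when verification failed AND -Repair was given.
#    -Repair updates the password both on this client and in AD, which is the
#    difference from Reset Account in ADUC (AD side only).
if (-not $healthy -and $Repair) {
    $cred = Get-Credential -Message "Account permitted to reset this computer's password in $Domain"
    $params = @{ Repair = $true; Credential = $cred; Verbose = $true }
    if ($Server) { $params.Server = $Server }
    $healthy = Test-ComputerSecureChannel @params
    "Repair result: $healthy"
}

# 3. Independent confirmation through Netlogon itself
nltest /sc_verify:$Domain

# 4. Show whether a new 3210 has been logged since the check started
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
```

Run it first without -Repair to record the failing state, then with -Repair; if 3210 keeps appearing on a freshly joined account even after a successful repair, the password is not the cause and the Netlogon debug log requested earlier in the thread is the next thing to read.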

How about debug logs from the client machine? Have you collected them? If yes, can you upload them to OneDrive etc. or a common area?
May 22nd, 2015 1:35pm

Hi,

What OS version are you talking about?

Please check the similar thread that has been discussed:

Event ID 3210

https://social.technet.microsoft.com/Forums/windowsserver/en-US/6aa6d977-03d6-4e73-9ff4-51cc2275903b/event-id-3210?forum=winserverDS

Regards.

May 24th, 2015 3:41am
