PCs losing secure channel with Domain

-message: "the trust relationship between this workstation and the primary domain failed"

-Secure Channel Is Breaking

  Using PowerShell, run Test-ComputerSecureChannel

    Working machines return True

    Broken machines return 'Logon failure. Unknown user name or bad password'

    Unjoined machines return the message "the local computer is not joined to a domain or the domain cannot be contacted."

So the machines are still joined, but with no secure channel. I know 'system restore' can cause this on a PC; I've seen it. Startup repair can cause it on a PC; I've seen it. But I don't believe that's always the case. It happens on all our images, all hardware models, Win 7 64-bit and 32-bit, all sites/buildings in our company.

Running the command 'set' returns \\machinename on a broken machine. Of course, working machines return \\domaincontroller...

I'm at a loss. I know joining a workgroup and rejoining the domain fixes it, but I need a long-term solution! Could it be a domain-side, server-side issue?

Thanks in advance!

February 19th, 2015 10:22am
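An added example, not part of the original thread: a PowerShell script that runs the same checks the question describes (LOGONSERVER and Test-ComputerSecureChannel) and, when asked, repairs the secure channel in place with Test-ComputerSecureChannel -Repair instead of dropping to a workgroup. The -Repair/-Server/-Credential parameters of this script are its own; the underlying cmdlet parameters are real.

```powershell
# Added example (not from the thread). Checks the secure channel the way the
# question describes and optionally repairs it without rejoining the domain.
# Run elevated; the credential must be allowed to reset the computer account.
[CmdletBinding()]
param(
    [switch]$Repair,                    # attempt Test-ComputerSecureChannel -Repair
    [string]$Server = $null,            # optional specific DC to target
    [pscredential]$Credential = $null   # account used for the repair
)

# Win32_ComputerSystem works on Windows 7 / PowerShell 2.0 as well.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This computer is not domain-joined (workgroup: $($cs.Workgroup))."
    return
}

# LOGONSERVER is \\<DC> when a DC validated the last logon and \\<machinename>
# when the logon fell back to cached credentials, the symptom in the question.
Write-Host ("Domain      : {0}" -f $cs.Domain)
Write-Host ("LOGONSERVER : {0}" -f $env:LOGONSERVER)
if ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME") {
    Write-Warning "LOGONSERVER is the local machine: the last logon used cached credentials."
}

# Healthy channel -> $true. Broken channel -> error
# 'Logon failure. Unknown user name or bad password' (caught below).
$ok = $false
try {
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}
Write-Host ("Secure channel healthy: {0}" -f $ok)

if ($ok -or -not $Repair) { return }

# -Repair resets the computer account password on both the client and the DC,
# which is the in-place alternative to leaving and rejoining the domain.
$repairArgs = @{ Repair = $true; ErrorAction = 'Stop' }
if ($Server)     { $repairArgs.Server     = $Server }
if ($Credential) { $repairArgs.Credential = $Credential }
try {
    $repaired = Test-ComputerSecureChannel @repairArgs
    Write-Host ("Repair result: {0}" -f $repaired)
} catch {
    Write-Error "Repair failed: $($_.Exception.Message)"
}
```

Running it on a working and a broken machine side by side shows the LOGONSERVER difference the question mentions before any repair is attempted; keep a record of which machines needed repair, since a recurring reset on the same hosts points at a cause (restore/imaging) rather than a one-off.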

If you have reimaged these systems, you may need to perform a Sysprep operation on them.

As a best practice, run Sysprep if you are reimaging the systems.

February 19th, 2015 10:59am

There was a similar issue in my company. We found out that while doing an AD cleanup using an auto-script, the KRBTGT account was deleted. There will be a krbtgt account for each DC and krbtgt_xxxxxx accounts for each RODC. These accounts will be in a disabled state, but these are the accounts which are used to authenticate clients with the domain.

It may not be applicable in your case; it's just FYI.

Thanks,

February 19th, 2015 11:11am

You need to make sure that your reference machines are sysprepped before proceeding to the deployment.

Also, you need to make sure that your AD replication and DC health status are fine. You can achieve that using dcdiag and repadmin commands. You can also refer to my article here: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23

The issue can also be caused by security software you are running on your machines.

February 19th, 2015 11:44am

Hello,

Please see https://support.microsoft.com/kb/976494?wa=wsignin1.0 and ensure that all images you use are prepared with Sysprep, the only option supported by Microsoft when working with images/clones to install computers.

February 20th, 2015 3:05am
