Awinish's Technical Blog

Let's continue the journey of learning & sharing!

Mystery Over Broken Secure Channel

Posted by Awinish on December 24, 2010

A secure channel is used for secure communication between client and server, or vice versa, but when the secure channel is broken, a lot of issues are encountered. If the secure channel of a domain controller is broken, it can be reset using the netdom utility, but if the secure channel is broken for a domain member client/server, the only way to reset it is to disjoin the client/server from the domain and rejoin it.

The question is why the secure channel breaks. There can be various reasons, such as connectivity issues, or a machine that was prepared from an image/clone without the NewSid/Sysprep tool being executed to assign a new SID to the system. Every domain system maintains a unique SID, and if that SID is duplicated or there is any conflict, the result is a broken secure channel. The secure channel can also break if domain systems are not able to refresh their password due to a duplicate SPN or host name.

What’s a Secure Channel

http://www.windowsitpro.com/article/domains2/what-s-a-secure-channel

Like domain users, each domain machine account maintains its own password and authenticates to AD the same way users in the domain do. The machine password refresh is initiated by the machine, not by AD, and there is no password expiry date for a domain machine account as there is for AD users. A machine can be disconnected from the domain for a long time, because when it is connected back to the domain it refreshes its password. The issue arises when a machine that contacts a DC to refresh its password finds that there is already a system running on the domain with the same host name or SID; the password refresh then doesn't happen, and due to the conflict the secure channel is broken.
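The conflict described above can be looked for before it breaks a channel. The following is an added example, not code from the original post: a PowerShell function that flags SPNs and DNS host names claimed by more than one machine account. The function name, account names and domain are constructed for illustration; on a real domain the input would come from Get-ADComputer (ActiveDirectory module), which is an assumption about the environment.

```powershell
# Added example: flag SPNs / DNS host names owned by more than one machine account.
# Find-MachineAccountConflict is a hypothetical helper name, not a built-in cmdlet.
function Find-MachineAccountConflict {
    param([Parameter(Mandatory)][object[]]$Account)

    # Flatten to one row per (account, value) so collisions can be grouped.
    $rows = foreach ($a in $Account) {
        foreach ($spn in $a.servicePrincipalName) {
            [pscustomobject]@{ Type = 'SPN'; Value = $spn; Owner = $a.Name }
        }
        if ($a.dNSHostName) {
            [pscustomobject]@{ Type = 'HostName'; Value = $a.dNSHostName; Owner = $a.Name }
        }
    }

    # Group-Object compares strings case-insensitively by default,
    # so HOST/WKS01 and host/wks01 land in the same group.
    $rows | Group-Object Type, Value | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                Type   = $_.Group[0].Type
                Value  = $_.Group[0].Value
                Owners = $owners -join ', '
            }
        }
    }
}

# Constructed sample data: WKS01-CLONE was deployed from an image of WKS01.
$accounts = @(
    [pscustomobject]@{ Name = 'WKS01'; dNSHostName = 'wks01.corp.example'
        servicePrincipalName = @('HOST/wks01.corp.example', 'HOST/WKS01') }
    [pscustomobject]@{ Name = 'WKS01-CLONE'; dNSHostName = 'wks01.corp.example'
        servicePrincipalName = @('HOST/wks01.corp.example') }
    [pscustomobject]@{ Name = 'SRV02'; dNSHostName = 'srv02.corp.example'
        servicePrincipalName = @('HOST/srv02.corp.example', 'HOST/SRV02') }
)
Find-MachineAccountConflict -Account $accounts | Format-Table -AutoSize

# On a domain (assumes the ActiveDirectory module is installed):
#   $accounts = Get-ADComputer -Filter * -Properties servicePrincipalName, dNSHostName
# On a domain member, Test-ComputerSecureChannel returns $false when its channel is broken.
```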

How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller (article is applicable from 2000 to 2008 R2)

http://support.microsoft.com/kb/260575

Machine Account Password Process

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Password Age for Machine Accounts do not expire

http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx

Windows machine account passwords and VM snapshots

http://blogs.msdn.com/b/sudhakan/archive/2010/01/07/experimenting-with-windows-machine-account-passwords-and-vm-snapshots.aspx

Typical Symptoms when secure channel is broken

http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

Impact of Cloning and Virtualization on Active Directory Domain Services by Dean Wells (AD expert, an ex-MVP, now MS employee)

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM406

 
