Mystery Over Broken Secure Channel
Posted by Awinish on December 24, 2010
The secure channel is used for secure communication between domain members (clients or servers) and the domain controllers, and when it breaks a lot of issues are encountered. If the secure channel of a domain controller is broken, it can be reset using the netdom utility, but if the secure channel is broken for a domain member client or server, the only way to reset it is to disjoin the client/server from the domain and rejoin it.
The question is why the secure channel breaks, and there can be various reasons: connectivity issues, or a machine that was prepared from an image/clone but on which the NewSID/Sysprep tool was never run to assign a new SID to the system. Every domain system maintains a unique SID, and if it is duplicated or there is any conflict, the result is a broken secure channel. The secure channel can also break if domain systems are unable to refresh their password because of a duplicate SPN or host name.
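The following is an added example, not code from the original post: a triage script for a suspected broken secure channel that checks the channel state, shows which DC Netlogon is bound to, and then applies the reset path the post describes (netdom on a DC, disjoin/rejoin on a member, with the cmdlet's in-place repair tried first). It uses only built-in Windows tools; the domain name, the peer DC name and the prompted credential are placeholders you supply.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the affected machine. Placeholders: $DomainFqdn, $PeerDc, and the
# domain admin credential you are prompted for.

$DomainFqdn = 'corp.example.com'       # placeholder: your AD domain
$PeerDc     = 'dc01.corp.example.com'  # placeholder: a healthy DC to reset against

# 1. Is the secure channel to a DC currently good? (Windows 7 / Server 2008 R2 and later)
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

# 2. Which DC Netlogon is bound to, and whether it can re-validate the channel
nltest /sc_query:$DomainFqdn
nltest /sc_verify:$DomainFqdn

# 3. Role check: DomainRole 4 (backup DC) or 5 (primary DC) means this box is a DC
$isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4

if ($channelOk) { return }
$cred = Get-Credential -Message 'Domain admin account (DOMAIN\user)'

if ($isDc) {
    # DC path (the netdom procedure from the KB the post links): stop the KDC so
    # cached Kerberos tickets are not used, reset this DC's machine account
    # password against a healthy peer DC, then restart the KDC and let AD
    # replication carry the new password to the other DCs.
    Stop-Service kdc
    netdom resetpwd /Server:$PeerDc /UserD:$($cred.UserName) /PasswordD:*
    Start-Service kdc
}
else {
    # Member path. -Repair resets the machine account password in place; if that
    # still fails, fall back to the disjoin/rejoin the post describes
    # (Remove-Computer -UnjoinDomainCredential needs PowerShell 3.0 or later).
    if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
        Write-Warning 'In-place repair failed; disjoin and rejoin the domain.'
        # Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
        # ...after the reboot, from the workgroup machine:
        # Add-Computer -DomainName $DomainFqdn -Credential $cred -Restart
    }
}
```

The rejoin lines are left commented because they reboot the machine twice; run them deliberately once the in-place repair has been ruled out. On a DC, use `/PasswordD:*` so the password is prompted rather than left in the shell history.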
What’s a Secure Channel
Like domain users, each domain machine account maintains its own password and authenticates to AD the same way users in the domain do. The machine password refresh is initiated by the machine, not by AD, and there is no password expiry date for a domain machine account as there is for AD users. A machine can be disconnected from the domain for a long time, because when it is connected back to the domain it refreshes its password. The issue arises when a machine contacting the DC to refresh its password finds there is already a system running on the domain with the same host name or SID; then the password refresh doesn't happen and, due to the conflict, the secure channel is broken.
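An added check, not part of the original post, for the refresh failure described above: it reads when AD last recorded a password change for this computer account, compares that with the local Netlogon refresh interval, and lists the Netlogon events that accompany a broken channel. It uses only ADSI and built-in cmdlets (no RSAT); the event IDs are the standard Netlogon ones (3210 and 5719 on the member, 5722 on the DC) and are not values taken from the post.

```powershell
# Added example, not from the original post. Run on a domain-joined machine;
# reading the computer object needs only a domain user context.

$name = $env:COMPUTERNAME

# Local side: how often Netlogon tries to change the machine password
# (default 30 days), and whether the change has been disabled by policy.
$np = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAgeDays = if ($np.MaximumPasswordAge) { $np.MaximumPasswordAge } else { 30 }
$disabled   = [bool]$np.DisablePasswordChange

# AD side: the computer object's pwdLastSet and SID, via ADSI against the
# default naming context of the machine's own domain.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$name`$))"
[void]$searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'objectSid', 'dNSHostName'))
$r = $searcher.FindOne()
if (-not $r) { throw "No computer object named $name found in AD" }

$pwdLastSet = [DateTime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0])
$sidBytes   = $r.Properties['objectsid'][0]
$sid        = New-Object Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
$age        = (Get-Date).ToUniversalTime() - $pwdLastSet

"Computer object : $($r.Properties['dnshostname'][0])"
"Account SID     : $sid"
"Password set    : $pwdLastSet UTC ($([int]$age.TotalDays) days ago)"
"Local policy    : change every $maxAgeDays days, DisablePasswordChange=$disabled"

# A password much older than the refresh interval on a machine that has been
# online means the machine-initiated refresh is failing (the conflict the post
# describes) rather than merely not due yet.
if (-not $disabled -and $age.TotalDays -gt (2 * $maxAgeDays)) {
    Write-Warning 'Machine password is stale; inspect the Netlogon events below.'
}

# Netlogon events that accompany a broken channel: 3210 (could not authenticate
# with the DC) and 5719 (no secure session) on the member; 5722 on the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719, 5722 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

On a cloned machine the pwdLastSet date will predate the clone if the original image was joined before being copied; that, together with 5722 on the DC naming the same account, is the pattern to look for.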
How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller (article is applicable from 2000 to 2008 R2)
Machine Account Password Process
Password Age for Machine Accounts do not expire
Windows machine account passwords and VM snapshots
Typical Symptoms when secure channel is broken
Impact of Cloning and Virtualization on Active Directory Domain Services by Dean Wells (AD expert, former MVP, now a Microsoft employee)