Channel: Directory Services forum

Secure Channel broken - resetpwd not working


Hi all.

Over the past few months we've had cases of secure channel breaking on domain controllers.
Once we had detected this we were able to manually reset the machine password using the netdom resetpwd command.

This has been fine up until now.

For some reason this is no longer fixing the errors we have seen in the past.

When performing a nltest /server:hostname /sc_verify:domainname it comes back with
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED indicating that the password needs resetting.

I run the commands
net stop kdc
klist purge
netdom resetpwd /server:PDCe /userd:adminuser /passwordd:*
net start kdc

Normally this fixes the problem and the nltest is successful within a couple of minutes.
Now it does nothing at all.
I have also attempted the disable kdc, restart, netdom resetpwd, restart, enable kdc but still no luck.

This particular instance is occurring on a Windows 2008 R2 (SP1) RODC.

A little bit of additional history is that just a few days ago the PDCe failed and we had to seize the role.
Everything else seems to be working ok though.
dcdiag shows no faults on the domain.

When I run repadmin /showrepl on the faulty DC, everything looks fine. But on other DCs when I run repadmin /replsummary that faulty DC is not replicating.

When I attempt to force a replication using Sites & Services, it comes back with the message "The target principal name is incorrect"

At this stage I'm not trying to figure out why Secure Channel is breaking because that has been occurring for months. I just want to be able to reset it as a priority. Has anyone experienced the netdom resetpwd not working?

I don't want to dcpromo these servers, because this command has always worked in the past so there must be something that is different.

Is there something related to the FSMO role being seized that is not allowing this to be successful?

I have logged a support case with Microsoft Support as well but so far they are unable to help so hoping for some assistance here as well.

