I'm having problems with secure channels on two of my four domain controllers. The primary DC (DC03) is logging Event ID 5722, indicating that DC01 failed to authenticate. The error seems to be 'Access is denied.'
On the troubled DCs, I see messages indicating they can't authenticate with DC03 and suspect it could be due to a duplicate computer name on the network or an unrecognized password for the computer account. Running `test-computersecurechannel -verbose` returns false, and `nltest /sc_query:domain.local` results in an access denied error.
I managed to repair one of the DCs using the command `netdom resetpwd /server:DC03 /userd:domainadmin /passwordd:*`, but the other one is still having issues, and `test-computersecurechannel -repair` hasn't worked either after multiple reboots. Replication seems fine, but these errors keep popping up in the logs.
5 Answers
Consider rotating your KRBTGT key if it hasn’t been changed in several years. It might be a factor in the authentication issue.
Just out of curiosity, are those two problematic domain controllers running Server 2025?
Are your domain controllers hosted in Azure by any chance?
Try stopping and disabling the KDC service on all but one of your DCs. Make sure each DC's DNS client is set up to communicate with each other as the primary lookup source, using localhost as a fallback. After that, restart the DCs where the KDC service is disabled and run `Test-ComputerSecureChannel` again. It might help get everything back in sync before you turn the KDC services back on again.
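One way to inventory what that answer asks you to check (KDC service state, DNS client ordering, secure channel result) on every DC before disabling anything. This is an added PowerShell example, not something posted in the thread; it assumes the RSAT ActiveDirectory module and PowerShell remoting to each DC from an elevated domain-admin session.

```powershell
# Added example: read-only inventory of every DC's KDC service, DNS client
# configuration and secure-channel status. Nothing here changes state.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # Kerberos Key Distribution Center service (service name "Kdc")
        $kdc = Get-Service -Name Kdc

        # IPv4 DNS servers in the order the resolver will try them
        $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               Select-Object -ExpandProperty ServerAddresses -Unique

        # The answer above wants peer DCs first and localhost only as fallback,
        # so flag DCs whose first DNS entry is a loopback address.
        $selfFirst = ($dns.Count -gt 0) -and ($dns[0] -in @('127.0.0.1','::1'))

        # Same checks the original poster ran; $false / ACCESS_DENIED means broken
        $sc = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
        $domain = (Get-CimInstance Win32_ComputerSystem).Domain
        $nl = nltest /sc_query:$domain 2>&1
        $nlStatus = ($nl | Select-String -Pattern 'Status =' | Select-Object -First 1).Line

        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            KdcStatus     = $kdc.Status
            KdcStartType  = $kdc.StartType
            DnsServers    = ($dns -join ', ')
            LoopbackFirst = $selfFirst
            SecureChannel = $sc
            NltestStatus  = if ($nlStatus) { $nlStatus.Trim() } else { 'no status line' }
        }
    }
}

# Review this table before changing KDC start types; rerun it afterwards
# to confirm SecureChannel flips to True on the repaired DC.
$report | Sort-Object DC | Format-Table -AutoSize
```

Run it before and after the maintenance-window change so you have a record of which DC had the failing secure channel and what its DNS ordering looked like at the time.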
Thanks, I can give that a go during the next maintenance window!

All of my DCs are actually on Server 2019.