Secure channel issue with single DC.


drudgester

I just ran down an interesting issue with member stations not being
able to open a secure channel to a particular DC. I didn't find
anything posted about this elsewhere, so I thought I would post the
information in case someone else runs into this.

Problem DC was authenticating users via Kerberos and was not
showing any errors or warnings in the system, application, directory
service, and file replication service logs. I first noticed the
problem when a netdiag from a member server failed the trust test when
it attempted to open a secure channel to the DC. Further tests
confirmed the issue when an nltest /sc_reset:domain\fqdnDCname returned
I_NetLogonControl Failed: Status = 1062 0x426 ERROR_SERVICE_NOT_ACTIVE.

Network traces showed the DC returning "service paused" responses to a
mailslot request.

The Netlogon service was running, as was RPC.

Setting hklm\currentcontrolset\services\netlogon\parameters\dbflag
to 0x2080FFF and restarting the Netlogon service caused the following
lines to be written to %winroot%\debug\netlogon.log:

05/30 08:46:26 [INIT] Starting RPC server.
05/30 08:46:26 [INIT] Started successfully
05/30 08:46:26 [CRITICAL] NlWaitForService: RPCSS Service start type invalid: 3

Sure enough, RPC on the problem DC was set to manual instead of
automatic, and changing this and restarting Netlogon fixed the issue.

The interesting thing is I would have expected either replication or
directory service errors in the event logs, and there were neither.
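Added example (not from the original poster): a read-only PowerShell check that looks for the condition described above on a suspect DC, namely an RPCSS start type other than Automatic and the matching NlWaitForService line in netlogon.log. It assumes the log lives under $env:windir\debug (the post writes %winroot%) and uses the dbflag value quoted in the post; the -EnableVerboseLog switch is the only part that changes anything.

```powershell
# Checks for the Netlogon secure-channel failure described in the thread:
# Netlogon answers 1062 / ERROR_SERVICE_NOT_ACTIVE because RPCSS is not set
# to start automatically. Run as an administrator on the DC.
# Assumption (not from the thread): netlogon.log is under $env:windir\debug.
param(
    [string]$NetlogonLog = (Join-Path $env:windir 'debug\netlogon.log'),
    [switch]$EnableVerboseLog   # set DBFlag 0x2080FFF and restart Netlogon first
)

# Win32 service start types as netlogon.log prints them ("start type invalid: 3"):
# 0 Boot, 1 System, 2 Auto, 3 Manual (demand start), 4 Disabled.
$startTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
$findings = @()

# 1. Service state and start mode for RPCSS and Netlogon.
foreach ($name in 'RpcSs', 'Netlogon') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    '{0,-9} State={1,-8} StartMode={2}' -f $svc.Name, $svc.State, $svc.StartMode
    if ($name -eq 'RpcSs' -and $svc.StartMode -ne 'Auto') {
        $findings += "RPCSS start mode is '$($svc.StartMode)'; Netlogon's NlWaitForService " +
                     "requires Auto. Fix: Set-Service RpcSs -StartupType Automatic, then " +
                     "Restart-Service Netlogon (as done in the thread)."
    }
}

# 2. Optionally turn on the verbose Netlogon log the thread used, then restart Netlogon.
if ($EnableVerboseLog) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name DBFlag -Value 0x2080FFF -Type DWord
    Restart-Service -Name Netlogon
    Start-Sleep -Seconds 5   # give Netlogon time to write its [INIT]/[CRITICAL] lines
}

# 3. Pull [CRITICAL] lines from netlogon.log and decode the start-type number.
if (Test-Path $NetlogonLog) {
    Select-String -Path $NetlogonLog -Pattern '\[CRITICAL\]' | ForEach-Object {
        if ($_.Line -match 'NlWaitForService: (\S+) Service start type invalid: (\d+)') {
            $code = [int]$Matches[2]
            $findings += "netlogon.log: $($Matches[1]) start type $code " +
                         "($($startTypeNames[$code])) rejected by Netlogon"
        } else {
            $findings += "netlogon.log: $($_.Line)"
        }
    }
} else {
    "netlogon.log not found at $NetlogonLog (use -EnableVerboseLog to create it)"
}

if ($findings.Count -eq 0) { 'No RPCSS start-type problem found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

After remediation, repeat the member-server test from the thread (nltest /sc_reset:domain\fqdnDCname) to confirm the secure channel now opens.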