Windows Server

Secure Channel

Apr 21

Secure Channel is the authenticated Netlogon channel that a machine keeps with a Domain Controller within its domain. The channel is keyed from the machine account password of the machine that is talking to the DC: the machine proves it knows that password, and the session key derived from it signs and, by default, encrypts everything sent over the channel. Domain Controllers maintain secure channels with each other, and every domain member machine maintains one with a Domain Controller.

Every machine that is in the domain (i.e. joined to the domain) has a machine account in Active Directory, and that account has a password (the machine account password). The account name is the machine's NetBIOS name followed by a $ sign (FASVR4$ in the event logs further down). When the account is created or reset from the AD side its password is the lowercase computer name; the machine replaces that with a random password as soon as it joins and rotates it on its own from then on.

The Secure Channel is set up using this machine account password only; no user credential is involved. That is why a machine whose locally stored password no longer matches the one in Active Directory cannot bring the channel up at all.

Secure Channel is used whenever the machine itself needs to talk to the Domain Controller. When a user logs on to the Active Directory domain, the logon data that the member has to validate against the DC (NTLM pass-through authentication, for example) goes through the Secure Channel, and the Domain Controllers use their own Secure Channels with one another in the same way.

 

If the Secure Channel is broken you will get errors: errors while logging in, errors in AD replication, and others.

The errors you will see most are:

·        Target account name is incorrect

·        Target principal name is incorrect

Both are raised on the Kerberos side: a service ticket for the machine was encrypted with a key the machine no longer holds (typically because its account password changed out of step between the machine and AD), so the ticket cannot be decrypted and the caller is told the target's name or account is wrong.

As a result, Active Directory replication (AD replication) may stop functioning; i.e. the AD replication may be broken because of a broken secure channel.

 

By default the machine account password is changed every 30 days (the Netlogon MaximumPasswordAge setting), so a Secure Channel (SC) key is kept for at most 30 days before the member re-keys the channel with its DC.

Kerberos tickets are valid for 10 hours and can be renewed for up to 7 days (the default domain Kerberos policy).

If the cached Kerberos tickets are corrupt or stale (service tickets issued under the target's previous password, for example), the target rejects them and you see the same errors as with a broken Secure Channel.
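The same state read from a live machine: the example below is added here and is not from the original post. It assumes an elevated PowerShell prompt on a domain-joined machine running Windows 7 / Server 2008 R2 or later with the RSAT ActiveDirectory module installed; the domain name comes from the machine itself, and the registry values are the Netlogon parameters that the matching Group Policy settings write.

```powershell
# Added example, not from the original post: inspect the local machine's secure
# channel and the machine account password that keys it.
# Assumptions: elevated PowerShell on a domain member running Windows 7 /
# Server 2008 R2 or later, with the RSAT ActiveDirectory module installed.

$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

# 1. Can Netlogon still use the channel? Returns $true/$false, changes nothing.
$intact = Test-ComputerSecureChannel
"Secure channel with $domain intact: $intact"

# 2. Which DC the channel is with, and the last status Netlogon recorded for it.
nltest /sc_query:$domain

# 3. Age of the machine account password as AD sees it. With the default 30-day
#    rotation an age well past 30 days means the machine stopped changing its
#    password, or the change never replicated to the DC you are asking.
$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$age  = (Get-Date) - $acct.PasswordLastSet
'{0}$ password last set {1:u} ({2:N0} days ago)' -f $acct.Name, $acct.PasswordLastSet, $age.TotalDays

# 4. Local Netlogon policy. A missing value means the default applies:
#    MaximumPasswordAge 30, DisablePasswordChange 0, RequireSignOrSeal 1, SealSecureChannel 1.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    MaximumPasswordAge    = $netlogon.MaximumPasswordAge      # days between rotations
    DisablePasswordChange = $netlogon.DisablePasswordChange   # 1 = never rotate, key never changes
    RequireSignOrSeal     = $netlogon.RequireSignOrSeal       # 1 = refuse an unsigned/unsealed channel
    SealSecureChannel     = $netlogon.SealSecureChannel       # 1 = encrypt, not only sign
}
```

nltest /sc_query prints the trusted DC name and the connection status; if step 1 returns $false the channel has to be reset, which is the procedure the rest of the post walks through. DisablePasswordChange=1 is worth catching here: it stops rotation entirely, so the key protecting the channel never changes.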

 

 

To correct this situation we have to reset the Secure Channel:

First purge the Kerberos tickets with klist or kerbtray, then re-establish the session with the server so that new tickets are issued under the current key.

 

 

To reset the Secure Channel, use either:

a) NETDOM

-->    If you use NETDOM (netdom resetpwd) then a REBOOT is required.

b) NLTEST

-->    If you use NLTEST (nltest /sc_reset) to reset the Secure Channel then you don't need to REBOOT; the channel is torn down and re-established in place.
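The purge-then-reset procedure as one PowerShell script, an added example rather than the post's own commands. It assumes an elevated prompt; $Dc and $AdminUser are placeholders for a healthy DC (a replication partner, or the PDC emulator when the broken machine is itself a DC) and a domain admin account. The DC branch follows the same stop-KDC, purge, resetpwd, reboot order that the cases on this page use; 0x3e7 is the logon ID of the SYSTEM session, which is where the computer account's own tickets are cached.

```powershell
# Added example, not from the original post: purge tickets, then re-key the channel,
# taking the no-reboot path (nltest / Test-ComputerSecureChannel) on a member and the
# netdom resetpwd path (reboot required) on a domain controller.
# Assumptions: elevated prompt; $Dc and $AdminUser are placeholders to edit.
$Dc        = 'DC01'                      # healthy DC / replication partner (placeholder)
$AdminUser = 'EXAMPLE\administrator'     # domain admin (placeholder)
$Domain    = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; anything lower is a member.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Step 1: drop every cached Kerberos ticket, for the current user AND for the
# SYSTEM logon session (0x3e7), which holds the computer account's own tickets.
klist purge           | Out-Null
klist -li 0x3e7 purge | Out-Null

if (-not $isDc) {
    # Step 2a (member): ask Netlogon to tear down and re-establish the channel with $Dc.
    nltest /sc_reset:"$Domain\$Dc"
    if (-not (Test-ComputerSecureChannel)) {
        # The stored machine password itself is wrong: rewrite it in AD and locally.
        # Still no reboot; the credential prompt asks for the admin password.
        $cred = Get-Credential -UserName $AdminUser -Message "Domain admin for $Domain"
        Test-ComputerSecureChannel -Repair -Server $Dc -Credential $cred
    }
    nltest /sc_verify:$Domain
} else {
    # Step 2b (domain controller): stop the KDC first so it cannot hand out tickets
    # under the old key while the password is being replaced.
    Stop-Service -Name kdc
    Set-Service  -Name kdc -StartupType Disabled
    # Reset THIS DC's machine account password against $Dc. The trailing * makes
    # netdom prompt for the password instead of taking it on the command line,
    # where it would be visible in the process list.
    netdom resetpwd /server:$Dc /userd:$AdminUser /passwordd:*
    Write-Warning "Reboot $env:COMPUTERNAME now. After the reboot set the kdc service back to Automatic, start it, and run: nltest /sc_verify:$Domain"
}
```

On the member path the script only falls back to Test-ComputerSecureChannel -Repair when nltest could not bring the channel back, because -Repair rewrites the machine account password on both sides while /sc_reset merely re-negotiates with the password already in place.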

 

 

 

Resetting Domain Member Secure Channel, Article ID 175024 (http://support.microsoft.com/kb/175024), the older netdom syntax for a domain member:

   NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN

 

 

It was on a case we were on, and then:

>> We ran dcdiag and got an error.

>> We tried to open ADUC and AD Sites and Services on TS and got the message "Target principal name is incorrect".

>> We verified from another server that AD replication is not working between TS and TSLS and its secure channel is not intact.

>> We downloaded Klist (download.microsoft.com) and purged all the Kerberos tickets.

>> We stopped and disabled the KDC service on the Terminal Server.

>> We reset the secure channel of TS with itself and the PDC (KB 260575).

>> How to Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller (http://support.microsoft.com/kb/260575).

>> The command is: netdom resetpwd /server:servername /userd:domainname\administrator /passwordd:* (the secure channel reset command).

           Here servername is the replication partner, and the machine account password is reset for the machine on which the command is run.

 

 

In some cases, when you use the net view \\computername to attempt to connect to the domain controller that has the PDC Emulator operations master role from another domain controller, you may receive an "Access denied" error message. However, if you use the Internet protocol (IP) address, the command may succeed.

 

 

SOX070112700002

 

Purge all the Kerberos tickets and reset the trust password from the parent DC by executing the following commands:

1) klist purge

2) netdom trust <child domain> /domain:<parent domain> /userd:<parent domain>\administrator /passwordd:* /usero:<child domain>\administrator /passwordo:* /reset

Type the parent domain's administrator password at the first prompt and the child domain's administrator password at the second prompt.

Syntax for netdom

==============

netdom trust <trusting domain> /domain:<trusted domain> /UserD:<admin of trusted domain> /PasswordD:* /UserO:<admin of trusting domain> /PasswordO:* /reset
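Verify, reset, verify again for a trust, as an added PowerShell example that is not from the original post. Domain names and accounts are placeholders; netdom asks for the /PasswordD password (trusted side) first and the /PasswordO password (trusting side) second, and /kerberos is netdom's switch for checking the Kerberos half of the trust during /verify.

```powershell
# Added example, not from the original post: verify a parent/child trust, reset
# its password only if verification fails, then verify again.
# Placeholders: $Trusting (child), $Trusted (parent) and the two admin accounts.
$Trusting = 'child.example.local'
$Trusted  = 'example.local'
$UserD    = 'EXAMPLE\administrator'       # admin of the trusted (parent) domain
$UserO    = 'CHILD\administrator'         # admin of the trusting (child) domain

# The * makes netdom prompt; the prompts come in this order: trusted, then trusting.
$auth = @("/userd:$UserD", '/passwordd:*', "/usero:$UserO", '/passwordo:*')

# Step 1: purge tickets so nothing issued under the old trust key is reused.
klist purge | Out-Null

# Step 2: how does this machine see the trust right now?
nltest /domain_trusts /v

# Step 3: verify; netdom sets a non-zero exit code when the trust is broken.
netdom trust $Trusting /domain:$Trusted $auth /verify
if ($LASTEXITCODE -ne 0) {
    # Step 4: reset the trust password on both sides.
    netdom trust $Trusting /domain:$Trusted $auth /reset
    # Step 5: re-verify, this time including the Kerberos side of the trust.
    netdom trust $Trusting /domain:$Trusted $auth /verify /kerberos
}
```

Run it on a DC of the trusting (child) domain. Resetting unconditionally is harmless but forces a new trust password, so the verify-first shape keeps the reset for the case the post describes.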

 

 

 

One More Case:

In this case we will reset the secure channel of the PDC and of one other DC with a DC.

Reset the secure channel for PDC Themis w.r.t. Leto in the following steps:

================================================================================

+ Stopped the KDC

+ Purged the tickets with klist

+ netdom resetpwd /server:leto /userd:ciis.edu\rlgadmin /passwordd:* (Article ID: 329721)

+ rebooted the PDC

================================================================================

+ Reset the secure channel for Chronos w.r.t. Leto

================================================================================

+ Stopped the KDC

+ Purged the tickets with klist

+ netdom resetpwd /server:leto /userd:ciis.edu\rlgadmin /passwordd:* (Article ID: 329721)

+ rebooted the PDC

================================================================================

 

 

ANOTHER CASE:

ISSUE:

Server name is not accessible

Logon failure

Target account name is incorrect

netdom query fsmo

netdom query dc

Setup

===============

Domain Functionality Level:

Windows Server 2003

Forest Functionality Level:

Windows 2000

================

Description

=================

When we try to access the ADC (FASVR4) from any computer on the domain, we get the following error message:

--------------------------------

Server name is not accessible

Logon failure

Target account name is incorrect

=================

On PDC

=========

Event Type: Error

Event Source: NETLOGON

Event Category: None

Event ID: 5719

Date:  6/11/2008

Time:  10:34:11

User:  N/A

Computer: FASVR1

Description:

This computer was not able to set up a secure session with a domain controller in domain NYLB due to the following:

The parameter is incorrect.

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 0d 00 00 c0               ...À  

=========

===========

Event Type: Error

Event Source: NETLOGON

Event Category: None

Event ID: 5722

Date:  6/10/2008

Time:  16:40:15

User:  N/A

Computer: FASVR1

Description:

The session setup from the computer FASVR4 failed to authenticate. The name(s) of the account(s) referenced in the security database is FASVR4$.  The following error occurred:

Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 22 00 00 c0               "..À  

=============

=============

Event Type: Warning

Event Source: NTDS KCC

Event Category: Knowledge Consistency Checker

Event ID: 1925

Date:  6/11/2008

Time:  13:35:46

User:  NT AUTHORITY\ANONYMOUS LOGON

Computer: FASVR1

Description:

The attempt to establish a replication link for the following writable directory partition failed.

 

Directory partition:

DC=bklyn,DC=local

Source domain controller:

CN=NTDS Settings,CN=FASVR4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bklyn,DC=local

Source domain controller address:

00969cf4-bc21-4170-a97c-06d2b058ed21._msdcs.bklyn.local

Intersite transport (if any):

 

 

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

 

User Action

Verify if the source domain controller is accessible or network connectivity is available.

 

Additional Data

Error value:

8524 The DSA operation is unable to proceed because of a DNS lookup failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

==============

==============

Event Type: Error

Event Source: NTDS General

Event Category: Global Catalog

Event ID: 1126

Date:  6/11/2008

Time:  13:30:32

User:  NT AUTHORITY\ANONYMOUS LOGON

Computer: FASVR1

Description:

Active Directory was unable to establish a connection with the global catalog.

 

Additional Data

Error value:

1355 The specified domain either does not exist or could not be contacted.

Internal ID:

3200cf3

 

User Action:

Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

===============
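The Data field in those NETLOGON events is the NTSTATUS of the failure, stored as a little-endian DWORD: 0d 00 00 c0 is 0xC000000D, STATUS_INVALID_PARAMETER ("The parameter is incorrect" in the 5719 text), and 22 00 00 c0 is 0xC0000022, STATUS_ACCESS_DENIED (the 5722). The added PowerShell example below (not from the original post) decodes such pasted lines and pulls the same codes out of the live System log with Get-EventLog; the lookup tables are deliberately short and hold only codes I am certain of, and the two sample lines are copied from the events above.

```powershell
# Added example, not from the original post: decode the NTSTATUS that NETLOGON
# stores in the event's Data bytes (little-endian DWORD), and the decimal Win32
# error numbers that the NTDS events print in clear text.
# The tables cover only codes shown on this page plus a few that turn up in
# the same secure-channel failures.

$NtStatusNames = @{
    'C000000D' = 'STATUS_INVALID_PARAMETER (The parameter is incorrect)'
    'C0000022' = 'STATUS_ACCESS_DENIED (Access is denied)'
    'C000005E' = 'STATUS_NO_LOGON_SERVERS (no logon servers available)'
    'C000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT (no computer account for this machine)'
    'C000018D' = 'STATUS_TRUSTED_RELATIONSHIP_FAILURE (trust between workstation and domain failed)'
    'C0000233' = 'STATUS_DOMAIN_CONTROLLER_NOT_FOUND'
}
$Win32ErrorNames = @{
    1355 = 'ERROR_NO_SUCH_DOMAIN (domain does not exist or could not be contacted)'
    1396 = 'ERROR_WRONG_TARGET_NAME (target account name is incorrect)'
    1787 = 'ERROR_NO_TRUST_SAM_ACCOUNT'
    1789 = 'ERROR_TRUSTED_RELATIONSHIP_FAILURE'
    8524 = 'ERROR_DS_DNS_LOOKUP_FAILURE'
}

function ConvertFrom-NetlogonData {
    # Takes a "Data:" line as pasted from Event Viewer, e.g. "0000: 0d 00 00 c0   ...À",
    # and returns the NTSTATUS as 8 hex digits plus its name.
    param([Parameter(Mandatory)][string]$DataLine)
    $hexBytes = @(($DataLine -replace '^\s*[0-9a-fA-F]{4}:', '') -split '\s+' |
                  Where-Object { $_ -match '^[0-9a-fA-F]{2}$' } |
                  Select-Object -First 4)
    if ($hexBytes.Count -lt 4) { throw "No DWORD found in: $DataLine" }
    [array]::Reverse($hexBytes)                    # little-endian bytes -> printed order
    $code = ($hexBytes -join '').ToUpper()
    [pscustomobject]@{ Status = $code; Meaning = $NtStatusNames[$code] }
}

function Get-NetlogonFailures {
    # Live version: the same decode applied to the binary Data of recent NETLOGON errors.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 50)
    Get-EventLog -LogName System -Source NETLOGON -EntryType Error -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.Data.Length -ge 4 } |
        ForEach-Object {
            $code = '{0:X8}' -f [BitConverter]::ToUInt32($_.Data, 0)
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Status  = $code
                Meaning = $NtStatusNames[$code]
            }
        }
}

# Offline check against the two Data lines quoted above (copied from the events).
ConvertFrom-NetlogonData '0000: 0d 00 00 c0               ...À'   # C000000D
ConvertFrom-NetlogonData '0000: 22 00 00 c0               "..À'   # C0000022

# The decimal numbers in the NTDS events are plain Win32 codes:
foreach ($n in 8524, 1355) { '{0} = {1}' -f $n, $Win32ErrorNames[$n] }
```

Get-NetlogonFailures is the one to run on the PDC in a case like this: a run of 5722 events all carrying C0000022 for the same computer account (FASVR4$ above) points at a password mismatch on that one machine, whereas C000005E or C0000233 across many machines points at DC location, i.e. DNS, which is also what the 8524 in the KCC event says.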

 

+ promoted the PDC as a GC

=============

Events that followed on the PDC: NTDS General, Event ID 1110; NTDS General, Event ID 1119.

=================

 

 

// Followed the steps below on the ADC (FASVR4) after the PDC was successfully promoted as a GC

Followed KB Article ID 288167:

To reset the Secure Channel of the ADC (FASVR4) with the PDC:

+ Stopped the KDC service, set the startup type to Disabled, and then restarted the computer ADC (FASVR4).

+ Pinged the PDC by IP 172.22.48.31: successful

+ netdom resetpwd /server:172.22.48.31 /userd:BKLYN.LOCAL\administrator /passwordd:*

+ Restarted the computer ADC (FASVR4).

+ Started the KDC service and set the startup type to Automatic

+ Tried to access the shares on ADC (FASVR4) from the PDC: successful

// Issue resolved

 

 

One more case:

+ Stopped the KDC

+ Purged tickets using Kerbtray

+ Ran Start > Run: \\Winstondc2\c$

+ Tickets reissued

 

 

 

 


 

As noted above, net view by name can fail with "Access denied" while net view by IP address succeeds, so check both:

net view \\192.168.16.16 & net view \\winstondc2

 

 



Author: ebhakt (India)