Just like domain member computers, DCs use a secure channel password that is updated every 30 days to communicate with each other. If your inter-site link has been down for a while (ISP issues, new hardware, etc…) this password can become out of sync and replication will stop. But it’s pretty easy to fix – especially if you can reboot the misbehaving DC.
Some fun errors caused by this being broken include:
- The trust relationship between this workstation and the primary domain failed
- The Target Principal Name is incorrect
- The following error occurred during the attempt to synchronize the domain controllers.
- The naming context is in the process of being removed or is not replicated from the specified server.
- Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”
- “System error 1396 – Logon Failure: The target account name is incorrect.”
All of this info is from this technet article. Also has instruction for a workaround if you can’t reboot your DCs. https://blogs.technet.microsoft.com/reference_point/2012/12/03/secure-channel-broken-continuation-of-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
But here, (and so I can find it quickly) are the distilled steps
-
- Stop KDC service and set to disabled on erroring DC
- Reboot
- Log in, Kerberos ticket will be created by other DC
- Run this to reset computer account on PDC Emulator (NETDOM requires installation of Support Tools for your server OS version here are the 2003 x86 ones)
netdom resetpwd /server:<PDC_emulator_name> /userd:<Domain\admin> /passwordd:<admin_pwd>
- Set KDC back to automatic startup and reboot
If your DCs have been disconnected for more than 60 days, you can force them to resync by adding the “Allow Replication With Divergent and Corrupt Partner” DWORD value to the registry. Read about it here