In my support role, we would get nightly alerts showing disconnection to the PDC from other DCs and Exchange Servers, giving the following events:
DC02
10/31/2018 23:20:28 5719
NETLOGON
This computer was not able to set up a secure session with a domain controller in domain LDLNET due to the following:
The remote procedure call was cancelled.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
DC03
10/31/2018 23:18:58 5783
NETLOGON
The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.LDLNET.ORG for the domain LDLNET is not responsive. The current RPC call from Netlogon on \\DC03 to \\DC01.ldlnet.org has been cancelled.
To validate the secure channel, you normally run the nltest command (or the Test-ComputerSecureChannel PowerShell cmdlet) to verify connectivity to the PDC over the secure channel. In our scenario, though, multiple DCs or Exchange servers were logging these events at about the same time, because a network hiccup had taken the secure channel between each of them and the PDC offline.
Our team at the time was getting a lot of alerts generated and it was taking an inordinate amount of time to validate and test. In an effort to provide an efficient solution for this issue, I compiled a PowerShell ps1 script to first validate the events posted in the past three hours, and then secondly, test all the DCs and Exchange Servers for the Secure Channel Connectivity:
NOTE: This script needs to be run on a server that has the Exchange and Active Directory RSAT tools for PowerShell.
```powershell
#Start Script
#Import Active Directory Module
Write-Host
Write-Host "Importing the Active Directory Module" -ForegroundColor Green
Import-Module ActiveDirectory

#Import Exchange Module
Write-Host "Loading the Exchange Snap-In"
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto -AllowClobber

#Get the list of DCs in the domain
Write-Host
Write-Host "Getting the list of DCs for LDLNET" -ForegroundColor Magenta
$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

#Get the list of Exchange Servers in the domain
Write-Host
Write-Host "Getting the list of Exchange Servers for LDLNET" -ForegroundColor Magenta
$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name

#Run the command against each DC to pull the Events from Event Logging. Adjust StartTime (and add an EndTime to the hashtable if you need one). This gets events for the past three hours.
#Get-WinEvent -ErrorAction Stop throws both when no events match and when the remote Event Log service cannot be reached, so the catch block checks which one it was.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the DCs for the past three hours." -ForegroundColor DarkCyan
foreach ($DC in $DCList) {
    try {
        Write-Output $DC.Name
        $Event = Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName="System";StartTime=((Get-Date).AddHours(-3));Id=5719,5783} -ErrorAction Stop |
            ForEach-Object {[string]$_.TimeCreated + "`t" + [string]$_.Id + "`n" + $_.ProviderName + "`n" + $_.Message + "`n"}
        Write-Host "$Event" -ForegroundColor Red
    }
    Catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Host "No Events Found For This Server" -ForegroundColor Green
        } else {
            Write-Host "Could Not Read The Event Log On This Server: $($_.Exception.Message)" -ForegroundColor Red
        }
        Write-Host
    }
}

#Run the command against each Exchange Server to pull the Events from Event Logging. Same StartTime note as above; this gets events for the past three hours.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the Exchange Servers for the past three hours." -ForegroundColor DarkCyan
foreach ($EX in $EXList) {
    try {
        Write-Output $EX.Name
        $Event = Get-WinEvent -ComputerName $EX.Name -FilterHashtable @{LogName="System";StartTime=((Get-Date).AddHours(-3));Id=5719,5783} -ErrorAction Stop |
            ForEach-Object {[string]$_.TimeCreated + "`t" + [string]$_.Id + "`n" + $_.ProviderName + "`n" + $_.Message + "`n"}
        Write-Host "$Event" -ForegroundColor Red
    }
    Catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Host "No Events Found For This Server" -ForegroundColor Green
        } else {
            Write-Host "Could Not Read The Event Log On This Server: $($_.Exception.Message)" -ForegroundColor Red
        }
        Write-Host
    }
}

#Run the Secure Channel Test for the DCs. Make sure you modify the nltest command for your domain fqdn.
#nltest reports its own failures in its output (shown in yellow); the catch block only fires when the remote session to the server cannot be set up.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the DCs in LDLNET" -ForegroundColor Cyan
foreach ($DC in $DCList) {
    try {
        Write-Output $DC.Name
        $Test = Invoke-Command -ComputerName $DC.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
        Write-Host "$Test" -ForegroundColor Yellow
    }
    Catch {
        Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red
    }
}

#Run the Secure Channel Test for the Exchange Servers. Make sure you modify the nltest command for your domain fqdn.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the Exchange Servers in LDLNET" -ForegroundColor Cyan
foreach ($EX in $EXList) {
    try {
        Write-Output $EX.Name
        $Test = Invoke-Command -ComputerName $EX.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
        Write-Host "$Test" -ForegroundColor Yellow
    }
    Catch {
        Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red
    }
}
#End of Script
```
I can’t really put out the output since it will have customer PII, but you will see where it will list the DC/Exchange Server Name, show the events, then run the test. You can then troubleshoot from there. Also, know that the secure channel test will FAIL when run on the PDC Emulator DC. The PDC Emulator cannot run a secure channel test on itself.
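As an added example (not part of the original post or its script), here is a helper that correlates the 5719/5783 events the script collects: it clusters events that fall within a few minutes of each other and reports whether several servers lost the channel at once, the network-hiccup pattern described above, or only one did. The sample records are constructed from the two events quoted at the top of the post; the function name, the 5-minute gap and the object fields are my assumptions.

```powershell
# Constructed sample records carrying the Get-WinEvent fields the script uses (TimeCreated, Id,
# MachineName, Message); the values mirror the two events quoted at the top of the post.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2018-10-31 23:20:28'; Id = 5719; MachineName = 'DC02'
        Message = 'This computer was not able to set up a secure session with a domain controller in domain LDLNET due to the following: The remote procedure call was cancelled.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2018-10-31 23:18:58'; Id = 5783; MachineName = 'DC03'
        Message = 'The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.LDLNET.ORG for the domain LDLNET is not responsive. The current RPC call from Netlogon on \\DC03 to \\DC01.ldlnet.org has been cancelled.' }
)

function Group-SecureChannelEvents {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $GapMinutes = 5   # a gap longer than this between consecutive events starts a new cluster
    )
    $clusters = @()
    $current  = $null
    $ordered  = $Events | Where-Object { @(5719, 5783) -contains $_.Id } | Sort-Object TimeCreated
    foreach ($e in $ordered) {
        if ($null -eq $current -or ($e.TimeCreated - $current.Last).TotalMinutes -gt $GapMinutes) {
            $current = [pscustomobject]@{ First = $e.TimeCreated; Last = $e.TimeCreated; Items = @() }
            $clusters += $current
        }
        $current.Last   = $e.TimeCreated
        $current.Items += $e
    }
    foreach ($c in $clusters) {
        $sources = @($c.Items | ForEach-Object { $_.MachineName } | Sort-Object -Unique)
        # Only 5783 names the DC that stopped answering (\\DC01.LDLNET.ORG above); 5719 does not.
        $targets = @($c.Items | ForEach-Object {
            if ($_.Message -match '\\\\([^\s\\]+) for the domain') { $Matches[1].ToUpper() }
        } | Sort-Object -Unique)
        [pscustomobject]@{
            WindowStart = $c.First
            WindowEnd   = $c.Last
            Sources     = $sources -join ','
            Targets     = $targets -join ','
            # Several servers failing in one window points at the PDC emulator or the path to it;
            # a single source points at that server's own connectivity.
            Assessment  = if ($sources.Count -ge 2) { 'correlated: check PDC emulator or network path' } else { 'isolated: check this server' }
        }
    }
}

Group-SecureChannelEvents -Events $SampleEvents | Format-Table -AutoSize
```

To use it on live data, pipe the objects returned by the script's Get-WinEvent calls (before they are turned into strings) into -Events; each server's events will carry its own MachineName.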
Please, if you have any questions or comments, please leave some feedback! Happy Troubleshooting!