Just like domain member computers, DCs use a secure channel password that is updated every 30 days to communicate with each other. If your inter-site link has been down for a while (ISP issues, new hardware, etc…) this password can become out of sync and replication will stop. But it’s pretty easy to fix – especially if you can reboot the misbehaving DC.
Some fun errors caused by this being broken include:
- The trust relationship between this workstation and the primary domain failed
- The Target Principal Name is incorrect
- The following error occurred during the attempt to synchronize the domain controllers.
- The naming context is in the process of being removed or is not replicated from the specified server.
- Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.
- System error 1396 – Logon Failure: The target account name is incorrect.
All of this info is from this TechNet article, which also has instructions for a workaround if you can’t reboot your DCs: https://blogs.technet.microsoft.com/reference_point/2012/12/03/secure-channel-broken-continuation-of-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
But here (and so I can find it quickly) are the distilled steps:
- Stop the KDC service on the erroring DC and set it to disabled
- Log in again; the Kerberos ticket will now be issued by another DC
- Run this on the erroring DC to reset its computer account password against the PDC Emulator (NETDOM requires installation of the Support Tools for your server OS version; here are the 2003 x86 ones)
netdom resetpwd /server:<PDC_emulator_name> /userd:<Domain\admin> /passwordd:<admin_pwd>
- Set the KDC service back to automatic startup and reboot
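As an added example (not from the post or the linked TechNet article), here are the distilled steps as a two-phase PowerShell script with the before/after checks I would want; the domain, PDC Emulator and admin account names are placeholders.

```powershell
# Added example: wraps the steps above with checks. Not from the post or TechNet.
# Run 'Prepare' on the erroring DC, log off and back on, then run 'Reset'.
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Reset')][string]$Phase
)
$Domain      = 'CORP'        # placeholder NetBIOS domain name
$PdcEmulator = 'DC1-PDC'     # placeholder: DC whose copy of the account is authoritative
$AdminUser   = 'CORP\admin'  # placeholder domain admin account

if ($Phase -eq 'Prepare') {
    # 1. Confirm the symptom first: the DC-to-DC secure channel state and any
    #    replication errors. A broken channel reports an error instead of Success.
    nltest "/sc_query:$Domain"
    repadmin /showrepl /errorsonly

    # 2. Stop the KDC on this DC and keep it from starting on its own, so the
    #    next logon gets its Kerberos ticket from a healthy DC.
    Stop-Service -Name kdc
    Set-Service  -Name kdc -StartupType Disabled
    if ((Get-Service -Name kdc).Status -ne 'Stopped') {
        throw 'KDC did not stop; do not continue with the password reset.'
    }
    Write-Host 'KDC stopped and disabled. Log off, log back on, then run -Phase Reset.'
}
else {
    # Guard: the reset only makes sense while the local KDC is out of the picture.
    if ((Get-Service -Name kdc).Status -ne 'Stopped') {
        throw 'KDC is running; run -Phase Prepare first.'
    }

    # 3. Reset this DC's computer account password against the PDC Emulator.
    #    '*' makes netdom prompt for the password instead of leaving it in
    #    the command history or this script.
    netdom resetpwd "/server:$PdcEmulator" "/userd:$AdminUser" /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC left disabled."
    }

    # 4. Put the KDC back to automatic startup and reboot. After the reboot,
    #    re-run the step-1 checks and expect nltest to report Success.
    Set-Service -Name kdc -StartupType Automatic
    Restart-Computer -Force
}
```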