Secure Channel Problems Detected

Applies to: Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86); Microsoft Windows Server 2003 R2 Datacenter x64 Edition; Microsoft Windows Server 2003 R2 Datacenter x64 Edition with Service Pack 2


Several symptoms may be seen.

·         You have run the CSS Authentication Diagnostic and it has notified you of secure channel problems.

·         When attempting to log on to a computer, you receive the message “no logon servers available to service the logon request.”  The attempted logon will not be successful.

·         When attempting to access a resource, such as a file or folder, across the network, you receive the message “access denied” or “no logon servers available to service the logon request.”

·         Netlogon source events with IDs 5719, 5722 or 5723 appear in the System event log.

These symptoms may be intermittent or consistent.  They may also be tied to a specific network location or locations.  This condition is known as a “broken secure channel”.

The secure channel for the computer is either interrupted by network difficulties or the computer’s local copy of its password no longer matches the copy of it on the Active Directory domain controller, or both conditions exist.

To resolve this issue if the cause is only network difficulties:

Verify that the network connectivity between the local computer and the domain controller(s) has the required ports open on both client (local computer) and server (domain controller).

Many methods may be used to verify that connectivity is sufficient, since there are many causes of network problems.  A common cause is network ports being inadvertently restricted.  To resolve that common concern, review the ports required for Active Directory in the Knowledge Base article below, and then use the Port Query tool (PortQry.exe) to examine the ports which are in use or available for use on the local computer and the domain controller.

Service overview and network port requirements for Windows 

PortQry.exe is a free download from Microsoft.

Once the network concern is identified, look to the local network interface, firewall software, or network infrastructure to resolve the issue.

To resolve this issue if the cause is a dissimilar computer password:

To resolve this issue if the cause is network difficulties as well as a mismatched computer password, first resolve the network difficulties as above and then follow the steps to resolve the dissimilar password.

On the computer that is seeing the issue, log on locally and use the command below.  NLTest.exe is available in the Remote Server Administration Tools and in the Support Tools downloads from

From an elevated command prompt on the domain member computer seeing the problem, run the command below (where DomainName is the domain the computer is a member of):

Nltest.exe /sc_change_pwd:<DomainName>

After running the command above, restart the computer and attempt to log on to the domain.
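
The following triage script is an added example, not part of the original article. It gathers the evidence described above (Netlogon events, domain controller port reachability, secure channel state) and reports which of the two resolution paths applies. It assumes Windows PowerShell 2.0 or later; the domain name, domain controller name and TCP port list are placeholders or assumptions, and UDP ports are not tested.

```powershell
# Added example, not from the original article. Run in an elevated Windows PowerShell
# prompt on the affected domain member. All names below are placeholders.
$Domain = 'example.local'        # placeholder: domain the computer is a member of
$Dc     = 'dc01.example.local'   # placeholder: a domain controller to test against
# Assumed port subset for illustration; confirm against the port-requirements article.
$TcpPorts = 53, 88, 135, 389, 445, 464

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. Netlogon events named in the symptom list (5719, 5722, 5723).
$events = @(Get-EventLog -LogName System -Source NETLOGON -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { 5719, 5722, 5723 -contains $_.EventID })
$events | Group-Object EventID | ForEach-Object { "Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count }

# 2. TCP reachability of the domain controller (the check PortQry.exe would do per port).
$blocked = @($TcpPorts | Where-Object { -not (Test-TcpPort $Dc $_) })
if ($blocked.Count) { "Unreachable TCP ports on ${Dc}: $($blocked -join ', ')" }

# 3. Secure channel state; an unreachable domain is treated as a failed check.
try { $channelOk = [bool](Test-ComputerSecureChannel) } catch { $channelOk = $false }

# 4. Follow the article's order: network first, then the computer password.
if ($blocked.Count) {
    "Resolve network connectivity first, then re-run this check."
} elseif (-not $channelOk) {
    "Tested ports are open but the secure channel is broken: likely a mismatched computer password."
    "Run: Nltest.exe /sc_change_pwd:$Domain   and restart the computer."
} else {
    "Secure channel verified; $($events.Count) matching Netlogon event(s) may be historical."
}
```

The script only reports; it does not change the computer password itself, so the Nltest.exe step remains a deliberate manual action.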