π ~1 min read
Table of contents
Symptom & Impact
Netlogon on Windows Server 2019 reports a broken secure channel, so domain authentication fails on the member server. Users see trust relationship errors at logon, services running under domain accounts fail to start, and Group Policy stops applying.
Environment & Reproduction
Reproduce after long offline periods, restored snapshots, or password resets on the computer account. Inspect Netlogon.log and System log.
Get-Service -Name netlogon
Get-WinEvent -LogName System -MaxEvents 40
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10Root Cause Analysis
Causes include computer account password drift, time skew beyond the Kerberos tolerance, restored VM snapshots, or stale cached credentials.
Quick Triage
Capture secure channel state and time offset against the PDC emulator before changes.
sc.exe query netlogon
Get-Service -Name netlogon | Select-Object Status,StartType
Get-EventLog -LogName System -Newest 30 | Where-Object {$_.Source -match 'netlogon'}Step-by-Step Diagnosis
Test the secure channel state, check time offset, and read Netlogon events.
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.ProviderName -match 'netlogon'} | Select TimeCreated,Id,LevelDisplayName,Message
sc.exe qfailure netlogon
sfc /verifyonly
Solution β Primary Fix
Reset the computer account password from the affected host using Test-ComputerSecureChannel -Repair and reboot.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Restart-Service -Name netlogon -Force
Get-Service -Name netlogon | Select-Object Status,StartType
Get-WinEvent -LogName System -MaxEvents 20 | Where-Object {$_.ProviderName -match 'netlogon'}
Solution β Alternative Approaches
If reset fails, rejoin the domain with the same name to restore a clean computer account.
sc.exe config netlogon start= auto
sc.exe failure netlogon reset= 86400 actions= restart/60000/restart/60000/run/1000
Restart-Service -Name netlogon -ForceVerification & Acceptance Criteria
Secure channel reports healthy, domain logons succeed, and Group Policy applies without trust errors.
Get-Service -Name netlogon
Get-WinEvent -LogName System -MaxEvents 25 | Where-Object {$_.ProviderName -match 'netlogon' -and $_.LevelDisplayName -eq 'Error'}
Test-NetConnection -ComputerName localhost -Port Rollback Plan
Restore the prior computer account state from backup if the rejoin or reset removes needed permissions.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
wbadmin get versions
# Restore previous configuration export if availablePrevention & Hardening
Avoid restoring DC snapshots, keep time in sync via authoritative NTP, and monitor secure channel health.
Get-Service -Name netlogon | Export-Clixml C:/Temp/netlogon-baseline.xml
Get-WinEvent -LogName System -MaxEvents 50 > C:/Temp/netlogon-events.txt
Get-ScheduledTask | Where-Object {$_.TaskName -match 'netlogon'}Related Errors & Cross-Refs
Related to events 5719, 3210, and Kerberos KRB_AP_ERR_TKT_EXPIRED.
Related tutorial: View the step-by-step tutorial for Windows Server 2019.
View all Windows Server 2019 tutorials on the Tutorials Hub β
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Microsoft Learn references for Netlogon and secure channel troubleshooting on Windows Server 2019.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β we respond within one business day.
