Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Servers fail domain authentication with trust relationship errors after a VM snapshot is reverted. Scheduled tasks and services that run under domain accounts fail along with them.

Environment & Reproduction

Windows Server 2022 build 20348 member servers or DCs restored from stale snapshots.

Test-ComputerSecureChannel -Verbose
nltest /sc_verify:contoso.local
klist sessions

Root Cause Analysis

After a rollback the server holds the machine account password that was current when the snapshot was taken, while the domain controllers hold the newer password set by a secure channel update that happened after the snapshot. The two no longer match, so the secure channel cannot be established.

Quick Triage

Check DC reachability and time sync before reset operations.

w32tm /query /status
Resolve-DnsName _ldap._tcp.dc._msdcs.contoso.local -Type SRV
Test-NetConnection dc01.contoso.local -Port 389

Step-by-Step Diagnosis

Confirm that the trust is actually broken and isolate whether the issue is local to this host or domain-wide.

Get-WinEvent -LogName System -MaxEvents 80 | Where-Object Id -in 5719,5722
Get-EventLog -LogName Security -Newest 40
Test-ComputerSecureChannel
Figure: Secure channel validation commands (illustrative mockup)
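The diagnosis commands above can be folded into one triage function that runs them against every DC and states whether the break is local to this host or domain-wide. This is an added example, not code from the original tutorial; it assumes Windows PowerShell 5.1 on the affected member server (the same requirement as Test-ComputerSecureChannel and Add-Computer), the page's contoso.local placeholder domain, and the default 5-minute Kerberos clock tolerance.

```powershell
# Added triage helper (not part of the original page). Run elevated on the affected server.
# Assumptions: Windows PowerShell 5.1, DnsClient module present, $DomainName is a placeholder.
function Test-TrustAfterSnapshotRollback {
    [CmdletBinding()]
    param(
        [string]$DomainName = 'contoso.local',
        [int]$LookbackHours = 24
    )
    $r = [ordered]@{ Domain = $DomainName }

    # 1. Locate DCs through the SRV record and test LDAP reachability (Quick Triage step).
    $dcs = @(Resolve-DnsName "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
    $r.ReachableDcs = @($dcs | Where-Object {
        Test-NetConnection $_ -Port 389 -WarningAction SilentlyContinue -InformationLevel Quiet })
    if (-not $r.ReachableDcs) { $r.Verdict = 'No DC reachable on 389: fix DNS/network first'; return [pscustomobject]$r }

    # 2. Clock skew against the first reachable DC; Kerberos rejects tickets beyond 300 s by default.
    $lines = @(w32tm /stripchart /computer:$($r.ReachableDcs[0]) /samples:1 /dataonly 2>$null) -match '[+-]\d+\.\d+s'
    $r.SkewSeconds = if ($lines -and $lines[-1] -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { $null }

    # 3. Secure channel per DC. All false: this host's machine secret is stale (local problem).
    #    Mixed: the DCs disagree about the secret, so suspect a rolled-back DC or replication, not this host.
    $r.SecureChannel = @{}
    foreach ($dc in $r.ReachableDcs) {
        $r.SecureChannel[$dc] = [bool](Test-ComputerSecureChannel -Server $dc -ErrorAction SilentlyContinue)
    }

    # 4. Netlogon evidence from the System log: 5719 (no DC reached), 3210 (auth failed), 5722 (DC side).
    $r.NetlogonEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 5719, 3210, 5722; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, ProviderName)

    $ok = @($r.SecureChannel.Values | Where-Object { $_ }).Count
    $r.Verdict = if ($r.SkewSeconds -gt 300) { 'Clock skew over 5 min: fix time sync before any reset' }
        elseif ($ok -eq 0) { 'Machine account secret stale on this host: use the Primary Fix (Test-ComputerSecureChannel -Repair)' }
        elseif ($ok -lt $r.SecureChannel.Count) { 'DCs disagree about this computer account: check AD replication / a rolled-back DC before rejoining' }
        else { 'Secure channel healthy: look at Kerberos pre-auth, stale SPN or DNS alias issues instead' }
    [pscustomobject]$r
}

Test-TrustAfterSnapshotRollback | Format-List
```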

Solution — Primary Fix

Reset the machine's secure channel against a healthy DC.


$cred = Get-Credential
Test-ComputerSecureChannel -Repair -Credential $cred
Reset-ComputerMachinePassword -Server dc01.contoso.local -Credential $cred
Restart-Computer -Force
Figure: Netlogon and Kerberos errors in Event Viewer (illustrative mockup)

Solution — Alternative Approaches

If the repair fails, rejoin the domain during a controlled service outage.

Remove-Computer -UnjoinDomainCredential $cred -PassThru -Verbose -Restart
Add-Computer -DomainName contoso.local -Credential $cred -Restart

Verification & Acceptance Criteria

The secure channel tests must pass and Kerberos ticket acquisition must succeed.

Test-ComputerSecureChannel
nltest /sc_query:contoso.local
klist get krbtgt/contoso.local

Rollback Plan

If the domain rejoin causes application impact, restore the VM from backup and schedule a maintenance window.

wbadmin get versions
wbadmin start recovery -version: -itemType:Volume -items:C: -recoveryTarget:D:

Prevention & Hardening

Avoid snapshot restores for DCs and enforce backup-based recovery patterns.

Get-ADDomainController -Filter * | Select HostName,IsReadOnly
wevtutil qe System /q:'*[System[(EventID=5722)]]' /f:text /c:10

Related Errors & Cross-Refs

Can appear together with Kerberos pre-auth failures, stale SPNs, and DNS alias misuse.


References & Further Reading

Microsoft Learn: secure channel repair, VM-Generation ID, and AD-safe restore practices for Windows Server 2022.
