Affected versions: Windows Server 2019

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Servers report trust relationship failures and cannot authenticate against the domain after snapshot rollback.

Environment & Reproduction

Common on virtualized Windows Server 2019 systems reverted to older checkpoints.

Test-ComputerSecureChannel -Verbose
nltest /sc_verify:contoso.local

Root Cause Analysis

The machine account password stored on the server diverges from the one held in AD because the restored snapshot state is older than the latest secure channel password update.
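
The root cause above can be checked before a revert: a checkpoint created before the machine account's last password change in AD holds a password the domain no longer accepts. The PowerShell below is an added example, not part of the original article; the function name Get-CheckpointTrustRisk and the sample data are constructed, and it assumes each VM name matches its AD computer name.

```powershell
# Added example (not from the original article). Assumes VM name == AD computer name.
function Get-CheckpointTrustRisk {
    [CmdletBinding()]
    param(
        # Objects with VMName, Name, CreationTime (the shape Get-VMSnapshot returns)
        [Parameter(Mandatory)] [object[]] $Checkpoint,
        # Objects with Name, PasswordLastSet (Get-ADComputer -Properties PasswordLastSet)
        [Parameter(Mandatory)] [object[]] $Computer
    )
    # Index AD computer objects by name (PowerShell hashtable keys are case-insensitive)
    $byName = @{}
    foreach ($c in $Computer) { $byName[$c.Name] = $c }

    foreach ($cp in $Checkpoint) {
        $ad = $byName[$cp.VMName]
        # A checkpoint older than the last password change holds a stale secret
        $risk = if (-not $ad) {
            'Unknown: no matching AD computer object'
        } elseif (-not $ad.PasswordLastSet) {
            'Unknown: PasswordLastSet is empty'
        } elseif ($cp.CreationTime -lt $ad.PasswordLastSet) {
            'BreaksTrust'
        } else {
            'Safe'
        }
        [pscustomobject]@{
            VMName          = $cp.VMName
            Checkpoint      = $cp.Name
            CheckpointTime  = $cp.CreationTime
            PasswordLastSet = if ($ad) { $ad.PasswordLastSet } else { $null }
            Risk            = $risk
        }
    }
}

# Constructed sample data. Against a live environment, use instead:
#   $checkpoints = Get-VM | Get-VMSnapshot
#   $computers   = Get-ADComputer -Filter * -Properties PasswordLastSet
$checkpoints = @(
    [pscustomobject]@{ VMName = 'APP01'; Name = 'pre-patch';  CreationTime = [datetime]'2024-03-01' }
    [pscustomobject]@{ VMName = 'APP02'; Name = 'pre-deploy'; CreationTime = [datetime]'2024-04-20' }
    [pscustomobject]@{ VMName = 'LAB07'; Name = 'baseline';   CreationTime = [datetime]'2024-01-15' }
)
$computers = @(
    [pscustomobject]@{ Name = 'app01'; PasswordLastSet = [datetime]'2024-04-10' }
    [pscustomobject]@{ Name = 'app02'; PasswordLastSet = [datetime]'2024-04-02' }
)
Get-CheckpointTrustRisk -Checkpoint $checkpoints -Computer $computers | Format-Table -AutoSize
```

A BreaksTrust row means that reverting to that checkpoint will leave the server needing a secure channel repair afterwards.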

Quick Triage

Confirm DC connectivity, DNS resolution, and time synchronization.

Resolve-DnsName dc01.contoso.local
w32tm /query /status

Step-by-Step Diagnosis

Identify trust errors and validate whether the issue is isolated or fleet-wide.

Get-WinEvent -LogName System -MaxEvents 80 | Where-Object Id -in 5719,5722
Test-ComputerSecureChannel

Solution — Primary Fix

Repair the secure channel using domain credentials and reboot.

$cred = Get-Credential
Test-ComputerSecureChannel -Repair -Credential $cred
Reset-ComputerMachinePassword -Server dc01.contoso.local -Credential $cred
Restart-Computer -Force

Solution — Alternative Approaches

If repair fails, remove and rejoin the domain during approved downtime.

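# The server restarts after each command; sign in as a local administrator in between.
Remove-Computer -UnjoinDomainCredential $cred -Restart
$cred = Get-Credential   # $cred does not survive the restart
Add-Computer -DomainName contoso.local -Credential $cred -Restart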

Verification & Acceptance Criteria

Secure channel tests pass and Kerberos tickets can be issued.

Test-ComputerSecureChannel
klist get krbtgt/contoso.local

Rollback Plan

Revert to backup image if rejoin causes application dependency failures.

wbadmin get versions

Prevention & Hardening

Avoid snapshots for domain controllers and prefer backup-based recovery workflows.

Get-ADDomainController -Filter * | Select HostName,IsReadOnly

Related Errors & Cross-Refs

This error often appears together with Kerberos pre-auth failures and stale SPN records.

References & Further Reading

Microsoft Learn: secure channel repair and AD-safe virtualization restore guidance.
