On Connect Woes & Broken AD Links

I woke up this morning to an email that read: Password Hash Synchronization heartbeat was skipped in last 120 minutes. While this happens for no apparent reason from time to time, I logged in four hours after the email came in and noticed the issue had not been resolved. I went to log into my Entra Connect server… and was rebuffed! Neither my Active Directory nor my Entra ID account would allow me in, with a message about NLA and not being able to reach the domain controller.

I logged in with my local administrator account without issue, and received a message that read “the trust relationship between this workstation and domain failed.” Cr@p. On a workstation this is usually pretty easy to fix, but I was concerned that for a server running a utility that directly required connectivity to the Active Directory domain there might be complications. Before I simply unjoined and then rejoined the domain, I tried some troubleshooting steps.

I ran the Test-ComputerSecureChannel cmdlet in PowerShell. Not surprisingly, it returned False. We knew that was going to happen, right? Okay, I then tried the Reset-ComputerMachinePassword cmdlet, which should have fixed the issue. Unfortunately, that did not solve the issue.

I was going to have to unjoin and then rejoin the domain. No problem, right? Wrong. It blocked me from doing so. I realized I might need to clean up my Active Directory, deleting the previous computer account. That should work, right?

Wrong. This was getting sticky. I did not want to spend any time today on this, let alone the time I would need to build a new server, clean out the cloud side of the connection, and then reestablish the link. Please, don’t make me do that!

Before doing that, I tried one more thing. I renamed the computer. I first tried to rename the computer and join the domain in the same step, but that did not work. As a last resort, I renamed the computer, rebooted, and then tried to join the domain. Success. Phew!
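The sequence above, as an added PowerShell example that is not the author's own script: test the secure channel, attempt the in-place repairs, and only then fall back to the rename, reboot and rejoin. The domain name, domain controller name and new hostname are assumed values to be replaced; it is meant to be run from an elevated session while logged on with a local administrator account, since domain logons fail while the trust is broken.

```powershell
# Added example (not from the original post): check-and-repair sequence for a broken
# machine account secure channel on a domain-joined server, in the order the post describes.
# Assumptions (replace with your own values): domain 'corp.example', DC 'dc01',
# new computer name 'ENTRACONNECT02'.

$Domain           = 'corp.example'          # assumed domain name
$DomainController = "dc01.$Domain"          # assumed DC to target explicitly
$NewName          = 'ENTRACONNECT02'        # assumed new hostname for the last-resort step
$Cred = Get-Credential -Message "Domain account allowed to join computers to $Domain"

# Step 1: confirm the secure channel is actually broken before touching anything.
if (Test-ComputerSecureChannel -Server $DomainController -Verbose) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to repair."
    return
}
Write-Warning "Test-ComputerSecureChannel returned False."

# Step 2: in-place repairs. -Repair rebuilds the channel with the supplied credential;
# Reset-ComputerMachinePassword rotates the machine account password against one DC.
try {
    if (Test-ComputerSecureChannel -Repair -Credential $Cred -Server $DomainController) {
        Write-Host "Secure channel repaired in place."
        return
    }
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Cred
    if (Test-ComputerSecureChannel -Server $DomainController) {
        Write-Host "Machine password reset restored the secure channel."
        return
    }
} catch {
    Write-Warning "In-place repair failed: $($_.Exception.Message)"
}

# Step 3 (the post's last resort): rename the computer, reboot, then join the domain under
# the new name. Rename and join in one call (Add-Computer -NewName) did not work for the
# author, so the rename happens first and the join is left for after the reboot.
Rename-Computer -NewName $NewName -Force
Write-Warning "Renamed to $NewName. Reboot, log on locally, then run:"
Write-Host "  Add-Computer -DomainName '$Domain' -Server '$Domain\dc01' -Credential (Get-Credential) -Restart"
```

Targeting one domain controller with -Server on every call keeps the test, the reset and the join consistent instead of letting each step pick a different DC while replication catches up; the stale computer object for the old name can be removed from Active Directory once the rejoin under the new name has succeeded.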

I went through several troubleshooting steps for the connection, and realized it was synchronizing properly. Double Phew!

(I did take the opportunity to upgrade my Entra Connect Sync to the latest version, but only once I knew that the issue was resolved).

Conclusion

Active Directory has been a rock-solid LDAP-based directory infrastructure tool for over two decades, but occasionally issues can arise that, if you do not know what you are doing, can be quite time consuming to resolve. While I did not really have the time on this particular day to deal with this problem, I knew that if that connection was broken, my infrastructure might be one step closer to crashing completely… and if I did not want to spend thirty minutes dealing with this issue, I certainly did not have the time on this day to spend the eight hours it would take to rebuild my entire home lab from the ground up.

A stitch in time saves nine, as the saying goes. Don’t ignore little problems and wait for them to become major problems.
