
Thursday, August 14, 2025

Windows Server 2025 Domain Join Issue – Fix for “Secure Channel Broken” Error

Microsoft released Windows Server 2025 to the public in November 2024. Following our organization's policy of introducing the latest available operating systems, I was tasked with introducing Windows Server 2025 to our environment.

I started working on automating the installation using Packer, an open-source tool for automating OS image creation. After the OS installation, when I tried to join the server to an Active Directory (AD) domain, I ran into logon and trust issues after the reboot.

As a standard system hardening procedure, we have a set of checks based on the CIS Benchmarks, and according to those checks we modify several OS settings to harden the OS image.

After joining the server to the domain from System Properties, the join shows as successful, but after the reboot, when I try to log in with a domain ID, logon is not allowed and the console shows the following error:

"The Sign-in method you're trying to use isn't allowed"

I got into the server using the local Administrator credentials and launched a Command Prompt as Administrator. I tried to see the local group membership using

net localgroup administrators

No domain IDs or groups are listed as members (Domain Admins should be a member of the group by default).

When I try adding a group manually, it fails with an error that the secure channel is broken or not working properly.

Symptoms of the Problem

After installing Windows Server 2025 and attempting a domain join from System Properties:

  • The join process completes successfully with no errors.
  • After reboot:
    • Cannot log in with any domain account.
    • Only the local Administrator account works.
  • Trying to add a domain group (e.g., Domain Admins) to the local Administrators group fails with:
    • The trust relationship between this workstation and the primary domain failed
    • or The secure channel between this workstation and the domain controller is broken
  • Re-joining the domain does not fix the problem.

 

Why This Happens

The latest CIS Benchmark checks include one that restricts NTLM authentication from happening. In our hardened image this policy was set to Deny all, which I updated to Audit all (allow, but audit the events).

Error Messages You Might See

These are the common errors linked to this problem:

  • The trust relationship between this workstation and the primary domain failed
  • The secure channel between this workstation and the domain controller is broken

Solution – Update Group Policy Settings

The fix is to update a specific Group Policy setting so that Windows Server 2025 can establish a compatible secure channel with your Domain Controllers.

  1. Open the Group Policy Management Console (GPMC) on a Domain Controller.
  2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
  3. Set 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' to Audit all.
  4. Apply the updated Group Policy.
  5. Run gpupdate /force

After this change, new Windows Server 2025 machines should:

  • Join the domain without trust issues.
  • Allow domain logins normally.
  • Maintain a healthy secure channel with the Domain Controllers.

Already-joined machines should show the domain groups within the local Administrators group automatically.
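
The following PowerShell script is an added example, not part of the original post: it checks the three things this post turns on (the effective outgoing-NTLM restriction, secure channel health, and domain membership of local Administrators) on an affected server. It assumes the policy is backed by the registry value RestrictSendingNTLMTraffic (0 = Allow all, 1 = Audit all, 2 = Deny all) and that Audit all produces Event ID 8001 in the NTLM operational log; run it from an elevated PowerShell session as the local Administrator.

```powershell
# Added example (not the post's own code). Run elevated on the affected Windows Server 2025 host.

# 1. Effective value of "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    Assumption: the policy maps to this registry value (0 Allow all, 1 Audit all, 2 Deny all).
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $ntlmKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$label = if ($null -ne $ntlm -and $labels.ContainsKey([int]$ntlm)) { $labels[[int]$ntlm] }
         else { 'Not configured (defaults to Allow all)' }
Write-Host "Outgoing NTLM restriction: $label"

# 2. Secure channel to the domain. $false matches the "secure channel is broken" symptom.
$channelOk = Test-ComputerSecureChannel
Write-Host "Secure channel healthy: $channelOk"

# 3. After a healthy join, local Administrators should contain domain principals (Domain Admins).
#    -ErrorAction handles the cmdlet failing on unresolvable SIDs when the channel is broken.
$domainMembers = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }
if (-not $domainMembers) { Write-Warning 'No domain principals found in the local Administrators group' }
else { $domainMembers | Select-Object Name, ObjectClass | Format-Table -AutoSize }

# 4. With the policy on Audit all, outgoing NTLM that Deny all would have blocked is logged.
#    Assumption: Event ID 8001 in Microsoft-Windows-NTLM/Operational is that audit record.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 5. Once the GPO has been corrected, the channel can be repaired without a full re-join.
#    Needs a domain account allowed to reset this computer's account password.
if (-not $channelOk) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Domain account for secure channel repair')
}
```

Step 4 is also the check to run before tightening the policy back towards Deny all: an empty result over a representative period means nothing on the server still depends on outgoing NTLM.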

Friday, April 5, 2024

A high-severity issue has occurred at the Power-On Self-Test (POST) phase which has resulted in the system BIOS to abruptly stop functioning.

Issue: "A high-severity issue has occurred at the Power-On Self-Test (POST) phase which has resulted in the system BIOS to abruptly stop functioning."

Today I am going to post about a rare error, for my fellow system admins, which I encountered while working on a Dell physical server.

Recently I was working on firmware upgrade of a Dell PowerEdge R750 server.

After the update I initiated a reboot of the system keeping my fingers crossed 😉. 

I was monitoring the server continuously via an active iDRAC session, and then the moment came when I noticed that the system had halted at the POST screen. It stayed like this for more than an hour as I patiently waited, hoping it would progress from there 😎, but nothing happened.

POST Error Code: 0xD2

Screenshot below:

I rushed to the System Event Logs on iDRAC and found a scary error waiting for me, as below 😥

PST0210

A high-severity issue has occurred at the Power-On Self-Test (POST) phase which has resulted in the system BIOS to abruptly stop functioning.


Upon expanding the error it looked something like this:

2024-04-02 08:12:28

PST0210

A high-severity issue has occurred at the Power-On Self-Test (POST) phase which has resulted in the system BIOS to abruptly stop functioning.

Log Sequence Number:

353

Detailed Description:

A high-severity issue has occurred at the Power-On Self-Test (POST) phase which has resulted in the system BIOS to abruptly stop functioning. BIOS is unable to report the issue on the POST screen.

Recommended Action:

Power cycle the system. If the issue persists, collect the Trouble Shooting Report (TSR) and contact technical support. Refer to the product documentation to choose a convenient contact method.

 

Troubleshooting:

At this moment my inner system admin woke up, and I started working through the following troubleshooting steps.

  1. First of all, I started with a normal reboot of the server (did not work).
  2. Tried a cold boot of the server (did not work).
  3. Did a reset of iDRAC, thinking it might clear the error (did not work).
  4. Went to the Job Queue and noticed that a BIOS update job was still waiting to start.
  5. Deleted the BIOS update job from the job queue on iDRAC.
  6. Cold booted the server again (did not work).
  7. Tried an iDRAC restart as well (did not work).
  8. Headed to support.dell.com and entered the Service Tag to find the applicable downloads.
  9. Downloaded the iDRAC with Lifecycle Controller firmware from Dell:
    1. iDRAC-with-Lifecycle-Controller_Firmware_HV310_WN64_7.10.30.00_A00.EXE
  10. Uploaded it from the System Update tab on iDRAC.
  11. Attempted to update the iDRAC Lifecycle Controller and waited for some time.
  12. Lost access to iDRAC as part of the iDRAC update.
  13. Waited patiently until the server came back, and thankfully it progressed past the screen and the server booted normally. (Worked!!!)
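
The steps above were done by hand in the iDRAC web UI; the PowerShell script below is an added example, not from the original post, that runs the same sequence through Dell's remote RACADM so it can be repeated on another server. It assumes racadm.exe is on PATH, that the iDRAC host name and credentials shown are placeholders for your own, and that the DUP file from step 9 is in the current directory.

```powershell
# Added example (not the post's own code): the troubleshooting steps above via remote RACADM.
param(
    [string]$IdracHost = 'idrac.example.invalid',   # placeholder: your iDRAC address
    [string]$IdracUser = 'root',                    # placeholder: your iDRAC user
    [string]$IdracPass = 'CHANGE-ME',               # placeholder: prefer a vault-supplied value
    [string]$DupFile   = 'iDRAC-with-Lifecycle-Controller_Firmware_HV310_WN64_7.10.30.00_A00.EXE'
)

function Invoke-Racadm {
    # Thin wrapper so every step goes through the same remote session parameters.
    param([Parameter(ValueFromRemainingArguments)][string[]]$RacadmArgs)
    & racadm -r $IdracHost -u $IdracUser -p $IdracPass --nocertwarn @RacadmArgs
}

# Confirm we are looking at the same failure the post describes (PST0210 in the SEL).
$sel = Invoke-Racadm getsel
$sel | Select-String -Pattern 'PST0210' | ForEach-Object { Write-Host "SEL: $_" }

# Step 4: inspect the job queue for a BIOS update job that never started.
Invoke-Racadm jobqueue view

# Step 5: clear the stuck job. Use "jobqueue delete -i JID_<id>" to remove a single job instead.
Invoke-Racadm jobqueue delete --all

# Step 6: cold boot, then wait long enough for POST before deciding it did not work.
Invoke-Racadm serveraction powercycle
Start-Sleep -Seconds 300

# Step 7: restart iDRAC itself (remote session drops briefly).
Invoke-Racadm racreset soft
Start-Sleep -Seconds 180

# Steps 9-11: push the iDRAC with Lifecycle Controller DUP; access to iDRAC is lost during the update (step 12).
Invoke-Racadm update -f $DupFile
Write-Host 'Update submitted; wait for iDRAC to return, then check "jobqueue view" and the POST screen.'
```

Each RACADM call above returns output you can log, so the script doubles as a record of exactly what was tried on which server before a support case is opened.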

Happy troubleshooting !!!
 
Stay Tuned for more :)