Microsoft released Windows Server 2025 to the public back in November 2024. Following our organization's policy of introducing the latest available operating systems, I was tasked with bringing Windows Server 2025 into our environment.
I started by automating the installation with Packer, an open source tool for building OS images. After the OS installation, when I tried to join the server to an Active Directory (AD) domain, I ran into logon and trust issues after the reboot.
As part of our standard hardening procedure, we apply a set of checks based on the CIS Benchmarks and modify several OS settings in the image accordingly.
Joining the domain from System Properties reports success, but after the reboot, logging on with a domain account is refused. The console shows the following error:
"The sign-in method you're trying to use isn't allowed"
I logged on with the local Administrator account, opened an elevated Command Prompt, and listed the local group membership with:
net localgroup administrators
No domain accounts or groups were listed as members. (Domain Admins is added to the local Administrators group automatically when a machine joins the domain.)
Trying to add the group manually failed with an error saying that the secure channel is broken or not working properly.
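The same triage in PowerShell, as an added example that is not part of the original post. It checks the secure channel, lists the local Administrators group, reads the effective outgoing-NTLM restriction, and pulls the NTLM audit events. It assumes an elevated session as the local Administrator on the affected server; the cmdlets, registry path and event ID are the standard Windows ones, nothing else is assumed.

```powershell
# Added example (not from the original post): triage a freshly joined Windows Server 2025
# host that rejects domain logons. Run in an elevated PowerShell session as local Administrator.

# 1. Is the secure channel to the domain usable? Returns $false when the trust is broken.
$secureChannelOk = Test-ComputerSecureChannel
"Secure channel healthy: $secureChannelOk"

# 2. Who is in the local Administrators group? A healthy join adds <DOMAIN>\Domain Admins;
#    its absence confirms the join did not complete. Fall back to net.exe if the cmdlet
#    cannot resolve SIDs because the secure channel is down.
try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
} catch {
    net localgroup administrators
}

# 3. Effective client-side NTLM restriction ('Network security: Restrict NTLM: Outgoing NTLM
#    traffic to remote servers'). 0 = Allow all, 1 = Audit all, 2 = Deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($restrict) {
    2       { 'Outgoing NTLM: Deny all  (the CIS-hardened value that blocks the join traffic)' }
    1       { 'Outgoing NTLM: Audit all (allowed, each attempt is logged)' }
    0       { 'Outgoing NTLM: Allow all' }
    default { 'Outgoing NTLM: not configured (behaves as Allow all)' }
}

# 4. With Audit all in effect, every outgoing NTLM authentication writes event 8001 to the
#    NTLM Operational log; that tells you which operation was reaching for NTLM.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'
        Id      = 8001
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 3 reports Deny all while steps 1 and 2 show a broken channel and an empty Administrators group, you are looking at the problem described in this post rather than a DNS, time-skew or computer-account issue.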
Symptoms of the Problem
After installing Windows Server 2025 and attempting a domain join from System Properties:
- The join process completes successfully with no errors.
- After reboot:
  - Cannot log in with any domain account.
  - Only the local Administrator account works.
  - Trying to add a domain group (e.g., Domain Admins) to the local Administrators group fails with:
    - The trust relationship between this workstation and the primary domain failed
    - or The secure channel between this workstation and the domain controller is broken
- Re-joining the domain does not fix the problem.
Why This Happens
The latest CIS Benchmark includes a check that restricts NTLM authentication: the policy 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to Deny all, so the server refuses to send any NTLM authentication to remote servers, including the Domain Controllers. The domain join and the secure-channel operations that rely on NTLM from this machine therefore fail, even though the join wizard reports success. I changed the setting to Audit all, which allows the traffic but writes an audit event for each NTLM authentication.
Error Messages You Might See
These are the common errors linked to this problem:
- The trust relationship between this workstation and the primary domain failed
- The secure channel between this workstation and the domain controller is broken
Solution – Update Group Policy Settings
The fix is to relax the NTLM restriction in Group Policy so that Windows Server 2025 can authenticate to your Domain Controllers and establish a healthy secure channel.
- Open the Group Policy Management Console (GPMC) on a Domain Controller and edit the GPO that applies to the affected servers.
- Navigate to:
  - Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
- Set 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' to Audit all.
- Apply the updated Group Policy.
- Run gpupdate /force on the affected server.
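The same procedure scripted, as an added example that is not part of the original post. The first half runs on a Domain Controller and writes the Audit all value into a GPO with the GroupPolicy module; the second half runs on the affected server, refreshes policy, repairs the secure channel, restores the default Domain Admins membership, and then mines the NTLM audit log so the restriction can later be tightened again with targeted exceptions. The GPO name 'Server Hardening', the domain CONTOSO and the join account are assumptions; the registry key, value name and event ID are the standard Windows ones.

```powershell
# Added example (not from the original post). Assumed names: GPO 'Server Hardening',
# domain CONTOSO, join account CONTOSO\joinadmin. Run part (a) on a DC, part (b) on the server.

# ---------- (a) On a Domain Controller ----------
Import-Module GroupPolicy

# RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
# Set-GPRegistryValue stores this as registry policy (GPMC lists it under "Extra Registry
# Settings" rather than Security Options), but LSA reads the same key either way.
Set-GPRegistryValue -Name 'Server Hardening' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -ValueName 'RestrictSendingNTLMTraffic' -Type DWord -Value 1 | Out-Null

# ---------- (b) On the affected server (elevated, as local Administrator) ----------
gpupdate /force | Out-Null

# With the restriction now at Audit all, re-establish the machine's secure channel.
# -Repair resets the computer account password on the DC and in the local LSA secret.
$cred = Get-Credential -Message 'Account allowed to reset the computer account (e.g. CONTOSO\joinadmin)'
if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
    throw 'Secure channel repair failed; check DC reachability and the NTLM Operational log.'
}

# Restore the membership that a successful join adds by default.
$da = 'CONTOSO\Domain Admins'
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $da -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $da
}

# ---------- Tightening back up later ----------
# Audit all turns the control off. Each outgoing NTLM authentication now writes event 8001
# to the NTLM Operational log; collect the distinct target servers so the policy can return
# to Deny all with those hosts listed under 'Network security: Restrict NTLM: Add remote
# server exceptions for NTLM authentication'. The 'Target server:' label is taken from the
# 8001 message text (assumed wording; adjust the pattern if your build phrases it differently).
$targets = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'
        Id      = 8001
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
    } |
    Sort-Object -Unique
'Servers reached with NTLM since Audit all was enabled:'
$targets
```

Leave the audit running for at least one full patch and backup cycle before deciding on the exception list; the operations that need NTLM are often scheduled rather than interactive.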
After this change, new Windows Server 2025 machines should:
- Join the domain without trust issues.
- Allow domain logons normally.
- Maintain a healthy secure channel with the Domain Controllers.
Machines that were already joined should show the domain groups in the local Administrators group automatically once the updated policy applies.
Keep in mind that Audit all effectively disables the NTLM restriction; the audit events it produces show which operations still need NTLM, so the setting can later be returned to Deny all with exceptions for those servers.