Testing and Resetting the Secure Channel

The following command tests the secure channel for a computer:

> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:

> nltest /server:<ComputerName> /sc_reset:<DomainName>

The following solutions describe how to reset a computer account.

Using a graphical user interface

  • Open the Active Directory Users and Computers snap-in.
  • If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  • In the left pane, right-click on the domain and select Find.
  • Beside Find, select Computers.
  • Type the name of the computer and click Find Now.
  • In the Search Results, right-click on the computer and select Reset Account.
  • Click Yes to verify.
  • Click OK.
  • Rejoin the computer to the domain.

Using a command-line interface

You can use the dsmod.exe utility to reset a computer’s password. You will need to rejoin the computer to the domain after doing this.

> dsmod computer "<ComputerDN>" -reset

Another option is to use the netdom.exe command, which can reset the computer so that you do not need to rejoin it to the domain.

> netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *

Using VBScript

' This code resets an existing computer object's password to the
' initial default. You'll need to rejoin the computer after doing this.
set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.SetPassword "<ComputerName>"

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer’s password is stored locally on the machine in the form of a Local Security Authority (LSA) secret and also in Active Directory with the computer’s account. The NetLogon service on the computer uses this password to establish the secure channel with a domain controller. If for some reason the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query:<DomainName> and nltest /sc_verify:<DomainName> commands can query a computer to verify its secure channel is working. Here is sample output from the nltest /sc_query command when things are working:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success

The command completed successfully

If the secure channel is failing, you'll need to reset the secure channel. If that doesn't work, you'll need to reset the computer account. Here is sample output when things are not working, or when you are logged in with cached credentials:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

To reset the computer, set the computer account password to the name of the computer. This is the default initial password for new computers. Every 30 days Windows 2000 and newer systems automatically change their passwords in the domain. After you’ve set the password, you’ll need to rejoin the computer to the domain since it will no longer be able to communicate with a domain controller due to unsynchronized passwords. However, the netdom reset command will try to reset the password on both the computer and in Active Directory. If successful, you won’t have to manually rejoin the computer to the domain. Unfortunately, the actions executed by netdom reset cannot be done either from the GUI or from VBScript.
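The following PowerShell function is an added example, not code from the original page: it runs the nltest /sc_query check, parses the "Status = <code> 0x<hex> <symbol>" line shown in the sample output above, and only on failure escalates in the order the discussion describes (an nltest /sc_reset first, then a password repair with Test-ComputerSecureChannel -Repair, used here as the cmdlet route to the no-rejoin reset that netdom reset performs). The function name, its parameters and the -CheckOnly switch are this example's own choices.

```powershell
# Added example (not from the original page). Runs the nltest check, parses
# the "Status = <code> 0x<hex> <symbol>" line, and escalates only on failure:
# first nltest /sc_reset, then a local password repair via
# Test-ComputerSecureChannel -Repair (used here as the cmdlet route to what
# netdom reset does; function/parameter names are this example's own).
function Repair-SecureChannelIfBroken {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential,   # account allowed to reset the computer object
        [switch]$CheckOnly           # report, but do not change anything
    )

    # Extract the status line regardless of how nltest wraps its output.
    function Get-ScStatus([string[]]$Output) {
        $m = [regex]::Match(($Output -join "`n"), 'Status = (\d+) 0x[0-9a-fA-F]+ (\w+)')
        if (-not $m.Success) { return [pscustomobject]@{ Code = -1; Symbol = 'UNPARSED' } }
        [pscustomobject]@{ Code = [int]$m.Groups[1].Value; Symbol = $m.Groups[2].Value }
    }
    function Invoke-ScQuery {
        Get-ScStatus (nltest "/server:$ComputerName" "/sc_query:$DomainName" 2>&1)
    }

    $status = Invoke-ScQuery
    if ($status.Code -eq 0) {
        Write-Host "Secure channel from $ComputerName to $DomainName is healthy ($($status.Symbol))."
        return $status
    }
    Write-Warning "Secure channel check failed: $($status.Code) $($status.Symbol)"
    if ($CheckOnly) { return $status }

    # Step 1: have NetLogon tear down and rebuild the channel (nltest /sc_reset).
    nltest "/server:$ComputerName" "/sc_reset:$DomainName" | Out-Null
    $status = Invoke-ScQuery
    if ($status.Code -eq 0) { Write-Host "Recovered with /sc_reset."; return $status }

    # Step 2: reset the computer password on both sides without a rejoin.
    # Test-ComputerSecureChannel -Repair acts on the local machine only.
    if ($ComputerName -ne $env:COMPUTERNAME) {
        throw "Run this on $ComputerName itself (or use netdom reset) to repair the account."
    }
    if (-not $Credential) { $Credential = Get-Credential -Message "Account permitted to reset $ComputerName" }
    Test-ComputerSecureChannel -Repair -Credential $Credential | Out-Null
    Invoke-ScQuery
}

# Usage: Repair-SecureChannelIfBroken -DomainName rallencorp.com -CheckOnly
```

Run it with -CheckOnly first to see the parsed status without changing anything; the repair step must be run on the affected computer itself, as the cmdlet only acts locally.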