Recipe 2.10. Testing and Resetting the Secure Channel

Problem

You want to test the secure channel of a server in a domain.

Solution

The following command tests the secure channel for a computer:

    > nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:

    > nltest /server:<ComputerName> /sc_reset:<DomainName>

The following solutions describe how to reset a computer account.

Using a graphical user interface

Using a command-line interface

You can use the dsmod.exe utility to reset a computer's password. You will need to rejoin the computer to the domain after doing this.

    > dsmod computer "<ComputerDN>" -reset

Another option is to use the netdom.exe command, which can reset the computer so that you do not need to rejoin it to the domain.

    > netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *

Using VBScript

    ' This code resets an existing computer object's password to the
    ' initial default. You'll need to rejoin the computer after doing this.
    set objComputer = GetObject("LDAP://<ComputerDN>")
    objComputer.SetPassword "<ComputerName>"

Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer's password is stored locally on the machine in the form of a Local Security Authority (LSA) secret and also in Active Directory with the computer's account. The NetLogon service on the computer uses this password to establish the secure channel with a domain controller. If for some reason the LSA secret and the computer password in Active Directory become out of sync, the computer will no longer be able to authenticate in the domain.

The nltest /sc_query:<DomainName> and nltest /sc_verify:<DomainName> commands can query a computer to verify that its secure channel is working. Here is sample output from the nltest /sc_query command when things are working:

    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\dc1.rallencorp.com
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

If a computer's secure channel is failing, you'll need to reset the secure channel. If that doesn't work, you'll need to reset the computer account.

Here is sample output when things are not working or when you are logged in with cached credentials:

    Flags: 0
    Trusted DC Name
    Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully

To reset the computer, set the computer account password to the name of the computer. This is the default initial password for new computers. Every 30 days, Windows 2000 and newer systems automatically change their passwords in the domain. After you've set the password, you'll need to rejoin the computer to the domain, since it will no longer be able to communicate with a domain controller due to the unsynchronized passwords. However, the netdom reset command will try to reset the password both on the computer and in Active Directory. If it succeeds, you won't have to manually rejoin the computer to the domain. Unfortunately, the actions executed by netdom reset cannot be done from either the GUI or VBScript.

See Also

Recipe 2.9 for joining a computer to a domain; MS KB 156684 (How to Use NLTEST to Force a New Secure Channel); MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP); and MS KB 325850 (HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller)
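The two-step procedure in the Discussion (query the secure channel, reset it only if the query fails, then re-query) can be scripted around the same nltest commands. The following PowerShell function is an added example, not code from the book; it assumes a domain-joined Windows host with nltest.exe on the PATH, parses the "Status = ..." and "Trusted DC Name" lines shown in the sample output above, and the names Test-SecureChannelState, PC01 and RALLENCORP are illustrative:

```powershell
# Added example (not from the book). Wraps nltest /sc_query and /sc_reset and
# parses their output. Assumes a domain-joined Windows host with nltest.exe on
# the PATH and a caller with local administrator rights.
function Test-SecureChannelState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName,
        [switch]$Reset   # when set, run /sc_reset if the query reports a failure
    )

    # Step 1 of the recipe: query the secure channel and capture the text output.
    $output = & nltest.exe "/server:$ComputerName" "/sc_query:$DomainName" 2>&1
    $text   = ($output | Out-String)

    # nltest prints "Status = 0 0x0 NERR_Success" when the channel is healthy and
    # e.g. "Status = 1311 0x51f ERROR_NO_LOGON_SERVERS" when it is not.
    $status = if ($text -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)') {
                  [pscustomobject]@{ Code = [int]$Matches[1]; Name = $Matches[2] }
              } else {
                  [pscustomobject]@{ Code = -1; Name = 'UNPARSED' }
              }
    # The DC name is blank in the failing sample output, so treat it as optional.
    $dc = if ($text -match 'Trusted DC Name\s+(\\\\\S+)') { $Matches[1] } else { $null }
    $healthy = ($status.Code -eq 0)

    $afterReset = $null
    if (-not $healthy -and $Reset) {
        # Step 2 of the recipe: reset the secure channel, then re-query to confirm.
        & nltest.exe "/server:$ComputerName" "/sc_reset:$DomainName" 2>&1 | Out-Null
        $afterReset = Test-SecureChannelState -ComputerName $ComputerName -DomainName $DomainName
        $healthy = $afterReset.Healthy
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        TrustedDC    = $dc
        StatusCode   = $status.Code
        StatusName   = $status.Name
        Healthy      = $healthy
        AfterReset   = $afterReset   # result of the re-query, or $null if no reset ran
    }
}

# Usage (illustrative names): query PC01 and reset its channel only if the query fails.
Test-SecureChannelState -ComputerName PC01 -DomainName RALLENCORP -Reset
```

If Healthy is still $false after the reset, the channel reset did not fix the mismatch and the next step in the recipe is to reset the computer account itself (dsmod or netdom reset) rather than to retry /sc_reset.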