Recipe 2.10. Testing and Resetting the Secure Channel

Problem

You want to test the secure channel of a server in a domain.

Solution

The following command tests the secure channel for a computer:

> nltest /server:<ComputerName> /sc_query:<DomainName>

The following command resets the secure channel for a computer:

> nltest /server:<ComputerName> /sc_reset:<DomainName>

The following solutions describe how to reset a computer account.

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Beside Find, select Computers.

  5. Type the name of the computer and click Find Now.

  6. In the Search Results, right-click on the computer and select Reset Account.

  7. Click Yes to verify.

  8. Click OK.

  9. Rejoin the computer to the domain as I described in Recipe 2.5.

Using a command-line interface

You can use the dsmod.exe utility to reset a computer's password. You will need to rejoin the computer to the domain after doing this.

> dsmod computer "<ComputerDN>" -reset

Another option is to use the netdom.exe command, which can reset the computer so that you do not need to rejoin it to the domain.

> netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *

Using VBScript

' This code resets an existing computer object's password to the
' initial default. You'll need to rejoin the computer after doing this.
set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.SetPassword "<ComputerName>"

Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer's password is stored locally on the machine in the form of a Local Security Authority (LSA) secret and also in Active Directory with the computer's account. The NetLogon service on the computer uses this password to establish the secure channel with a domain controller. If for some reason the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query:<DomainName> and nltest /sc_verify:<DomainName> commands can query a computer to verify its secure channel is working. Here is sample output from the nltest /sc_query command when things are working:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If its secure channel is failing, you'll need to reset the secure channel. If that doesn't work, you'll need to reset the computer account. Here is sample output when things are not working or if you are logged in with cached credentials:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

To reset the computer, set the computer account password to the name of the computer. This is the default initial password for new computers. Every 30 days Windows 2000 and newer systems automatically change their passwords in the domain. After you've set the password, you'll need to rejoin the computer to the domain since it will no longer be able to communicate with a domain controller due to unsynchronized passwords. However, the netdom reset command will try to reset the password on both the computer and in Active Directory. If successful, you won't have to manually rejoin the computer to the domain. Unfortunately, the actions executed by netdom reset cannot be done either from the GUI or from VBScript.
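As an added example (not from the book), here is a PowerShell wrapper around the nltest commands from this recipe: it parses the "Status = ..." line shown in the sample output above, and only runs /sc_reset when the query reports a failure, leaving the heavier computer account reset to the administrator. It assumes nltest.exe is on the PATH and that real names replace the recipe's <DomainName>/<ComputerName> placeholders.

```powershell
# Added example (not from the book): wraps the nltest commands from this recipe.
# Assumes nltest.exe is on the PATH and that the caller supplies real names in
# place of the <DomainName>/<ComputerName> placeholders used in the recipe.

function Get-SecureChannelStatus {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $output = @(& nltest.exe "/server:$ComputerName" "/sc_query:$DomainName")
    # nltest reports the result on a line such as
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success                (healthy)
    #   Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS (broken)
    $pattern    = 'Status = (\d+) (0x[0-9A-Fa-f]+) (\S+)'
    $statusLine = $output | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $statusLine) {
        throw "Could not find a Status line in nltest output:`n$($output -join "`n")"
    }
    $m      = [regex]::Match($statusLine, $pattern)
    $dcLine = $output | Where-Object { $_ -match 'Trusted DC Name' } | Select-Object -First 1
    [pscustomobject]@{
        ComputerName = $ComputerName
        DomainName   = $DomainName
        TrustedDC    = ($dcLine -replace '^.*Trusted DC Name\s*', '')   # empty when no DC was reached
        StatusCode   = [int]$m.Groups[1].Value
        StatusName   = $m.Groups[3].Value
        Healthy      = ($m.Groups[1].Value -eq '0')
    }
}

function Repair-SecureChannelIfBroken {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $before = Get-SecureChannelStatus -DomainName $DomainName -ComputerName $ComputerName
    if ($before.Healthy) { return $before }   # nothing to do; never reset a working channel
    # First step from the recipe: re-establish the channel without touching the account.
    Write-Warning "Secure channel to $DomainName reports $($before.StatusName); running /sc_reset"
    & nltest.exe "/server:$ComputerName" "/sc_reset:$DomainName" | Out-Null
    $after = Get-SecureChannelStatus -DomainName $DomainName -ComputerName $ComputerName
    if (-not $after.Healthy) {
        # Second step from the recipe (netdom reset / dsmod -reset) is left to the admin, since it may require a rejoin.
        Write-Warning "sc_reset did not help (still $($after.StatusName)); the computer account likely needs netdom reset"
    }
    return $after
}
```

On Windows 7 / Server 2008 R2 and later, the built-in Test-ComputerSecureChannel cmdlet performs the same local check, and its -Repair switch resets the channel in one step.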

See Also

Recipe 2.9 for joining a computer to a domain, MS KB 156684 (How to Use NLTEST to Force a New Secure Channel), MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP), and MS KB 325850 (HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen