Recipe 16.20. Resetting a Computer Account

Problem

You want to test the secure channel of a computer and reset the computer account if it is failing.

Solution

Use the following command to test a secure channel for a computer:

> nltest /server:<ComputerName> /sc_query:<DomainName>

If this command returns an error such as ERROR_NO_LOGON_SERVERS, try resetting the secure channel using the following command:

> nltest /server:<ComputerName> /sc_reset:<DomainName>

If that doesn't help, you'll need to reset the computer account as described next.

Using a graphical user interface
Using a command-line interface

You can use the dsmod utility to reset a computer's password. You will need to rejoin the computer to the domain after doing this:

> dsmod computer "<ComputerDN>" -reset
> dsmod computer "cn=rallen-wxp,cn=computers,dc=rallencorp,dc=com" -reset

Another option is to use the netdom command, which resets the password on the computer and in Active Directory at the same time, so that you do not need to rejoin it to the domain:

> netdom reset <ComputerName> /Domain:<DomainName> /UserO:<UserUPN> /PasswordO:*
> netdom reset rallen-wxp /Domain:rallencorp.com /UserO:rallen@rallencorp.com /PasswordO:*

Using VBScript

' This resets an existing computer object's password to the initial default
' (the computer name in lowercase, without the trailing $).
' You'll need to rejoin the computer to the domain after doing this.
set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.SetPassword LCase("<ComputerName>")

Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer's password is stored locally as an LSA secret and in Active Directory on the computer object. The NetLogon service uses this password to establish the secure channel with a domain controller. If the LSA secret and the password stored in Active Directory get out of sync, the computer can no longer authenticate to the domain, and domain logons to it fail with a trust relationship error.

The nltest /sc_query command queries a computer to verify that its secure channel is working. Here is sample output from the command when things are working:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Here is sample output when things are not working:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

Note that nltest prints "The command completed successfully" in both cases; the line to check is the Status value. When you've identified that a computer's secure channel has failed, you'll need to reset the computer account, which consists of setting the computer object's password to the lowercase name of the computer. This is the default initial password for new computers. By default, Windows 2000 and later systems automatically change their computer password in the domain every 30 days. After you've reset the password, rejoin the computer to the domain: the computer still holds the old password in its LSA secret (the domain controller doesn't know the computer's copy has not changed), so it cannot communicate with a domain controller until it is rejoined. Rejoin promptly, because until then the account's password is a predictable value that anyone who knows the computer name could use to authenticate as that computer. If you use the netdom reset command instead, it resets the password on both the computer and in Active Directory, which if successful means you do not need to rejoin the computer; this requires a domain account with rights to reset the computer object's password (/UserO) and administrative access to the member itself.

See Also

Recipe 16.18; MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP); MS KB 325850 (HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller)
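The procedure above (query the secure channel with nltest, try /sc_reset, and fall back to a machine-password reset that updates both the member and Active Directory), as an added PowerShell example that is not part of the original recipe. It assumes the Windows PowerShell cmdlets Test-ComputerSecureChannel and Reset-ComputerMachinePassword from Microsoft.PowerShell.Management (PowerShell 3.0 or later for the -Credential parameter), an elevated prompt, and that the repair function is run on the affected member itself while logged on as a local administrator. The function and variable names are this example's own; the computer and domain names are placeholders, and the two nltest outputs embedded for the parser are the recipe's sample outputs reproduced as constructed strings.

```powershell
# Added example, not code from the Active Directory Cookbook. It automates the
# recipe's procedure: parse "nltest /sc_query" output, check a member's secure
# channel, and repair it, falling back to a machine-password reset that updates
# both the member and AD (the same effect as "netdom reset").
# Assumed cmdlets: Test-ComputerSecureChannel and Reset-ComputerMachinePassword
# from Microsoft.PowerShell.Management (PowerShell 3.0+ for -Credential).

function ConvertFrom-NltestOutput {
    # Reduce nltest's text to an object. The line that matters is
    # "... Status = <decimal> 0x<hex> <symbol>"; nltest prints
    # "The command completed successfully" even when the channel is broken.
    param([Parameter(Mandatory)][string[]]$Lines)
    $code = $null; $name = $null; $dc = $null
    foreach ($line in $Lines) {
        if ($line -match 'Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s*(\S*)') {
            $code = [int]$Matches[1]
            $name = $Matches[2]
        }
        elseif ($line -match 'Trusted DC Name\s*(\\\\\S+)?') {
            $dc = $Matches[1]    # $null when no DC is listed (failing case)
        }
    }
    [pscustomobject]@{
        Healthy    = ($code -eq 0)
        StatusCode = $code
        StatusName = $name
        TrustedDC  = $dc
    }
}

function Get-SecureChannelStatus {
    # Remote check, as in the recipe: nltest /server:<member> /sc_query:<domain>.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName
    )
    $raw = & nltest.exe "/server:$ComputerName" "/sc_query:$DomainName" 2>&1 |
        ForEach-Object { $_.ToString() }
    ConvertFrom-NltestOutput -Lines $raw
}

function Repair-LocalSecureChannel {
    # Run this ON the affected member, elevated, logged on with a LOCAL
    # administrator account (domain logons fail while the channel is broken).
    # $Credential is a domain account allowed to reset this computer's password.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    if (Test-ComputerSecureChannel) {
        return 'Secure channel is healthy; nothing to do.'
    }
    # Step 1 (the recipe's nltest /sc_reset): try to re-establish the channel
    # with the password the member already has.
    & nltest.exe "/sc_reset:$DomainName" | Out-Null
    if (Test-ComputerSecureChannel) {
        return 'Secure channel re-established with the existing password.'
    }
    # Step 2 (the recipe's netdom reset): set a new machine password on the
    # member and in Active Directory in one operation. Unlike dsmod -reset, the
    # account never sits at the predictable default (the computer name) and
    # no rejoin is needed.
    Reset-ComputerMachinePassword -Credential $Credential
    if (Test-ComputerSecureChannel) {
        return 'Machine account password reset; secure channel restored.'
    }
    throw "Secure channel to $DomainName still failing; rejoin the computer to the domain."
}

# Constructed samples: the recipe's two nltest outputs, healthy and failing.
$healthySample = @'
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@ -split "`r?`n"

$failingSample = @'
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
'@ -split "`r?`n"

ConvertFrom-NltestOutput -Lines $healthySample
ConvertFrom-NltestOutput -Lines $failingSample

# Live use (placeholders): query a member remotely, then repair on the member.
# Get-SecureChannelStatus -ComputerName 'rallen-wxp' -DomainName 'rallencorp.com'
# Repair-LocalSecureChannel -DomainName 'rallencorp.com' -Credential (Get-Credential)
```

The parser keys on the Status value rather than on nltest's exit message, because the recipe's failing sample still ends with "The command completed successfully". The repair function must be run locally and under a local administrator account: with the secure channel down, the member cannot validate domain credentials, so a remote session authenticated with a domain account will usually not get in.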