Campus Active Directory - Reset Secure Channel

Problems with a host's secure channel can be responsible for a number of authentication issues.

Each host that is joined to Active Directory maintains a local secret, or password, that is created by the client and stored in Active Directory. The client will initiate a password change every 30 days by default. Active Directory will store the current password as well as the previous password in the computer object for the joined host. Each time the client creates a new password, it creates the new password locally and stores it in the registry and then attempts to update the password in Active Directory. If the Active Directory password update is unsuccessful, the client keeps the newly created password and continues to attempt updating the Active Directory password.

If the client attempts to authenticate and Active Directory does not have the most recent password it will utilize the previous password. If the password used by the client to authenticate to Active Directory is newer than both passwords stored in the computer object, or the computer object is deleted, the authentication request will fail and the client will show the following error: "The trust relationship between this workstation and the primary domain failed."

It is possible to reset the computer password using the nltest.exe, dsmod.exe, netdom.exe, or the PowerShell cmdlets Test-ComputerSecureChannel and Reset-MachineAccountPassword. The netdom command and the PowerShell cmdlets will be covered in this document.

Netdom

In order to use the netdom tool you must have Remote Server Administration Tools (RSAT) installed.

To reset the computer's password:

PowerShell v2 - Test-ComputerSecureChannel

PowerShell v3 or higher - Reset-MachineAccountPassword

References