"The trust relationship between this workstation and the primary Domain Controller has failed. That’s the primary symptom of your Secure Channel Password has failed.
If a user has logged onto this machine before, they’ll be able to log on to this machine with their cached credentials. In this case the only person that’s logged into this machine is the Administrator Account.
A couple of things I want to show you is the way we can verify it was the Secure Channel Password that causes our problem.
I’m going to bring up the Event Viewer.
What we specifically want to look at is our Systems Log.
Notice I got a Winlogon event. It says, "Your notification was unable to login,” in other words it wouldn’t logon.
If I scroll down, I will see that there was a Group Policy error, "The process Group Policy failed due to the lack of network connectivity of the Domain Controller.”
If I scroll on down further, my DNS Client failed to connect.
The other big one I’m looking for is the NETLOGON service. (This would have been when the machine restarted during this last restart).
Notice it states, "This computer cannot authenticate with the Windows domain.” and therefore this computer might be denied log on requests. This is a pure symptom of the Secure Channel Password.
One of the things that a lot of users will do in their environments, is go into Active Directory and one of the first things they would do inside Active Directory user Computers, (which is actually a bad thing) and delete the computer account. Then they would go out to the computer, un-join the computer from the Domain, re-join the computer to the Domain, and they would get a new Computer Account.
The result of doing that would be the actual computer now gets a new SID.
So if that computer was in any group, giving it permission, a privilege, a right, anywhere inside your organization, it just now lost it.
Let me show you the proper way for resetting this computers password.
Go into Active Directory users and Computers. This can be accomplished through the graphical Active Directory users or Computer or through the Active Directory Administer Center.
We could also use the Netdom.exe utility out at the machine if the Active Directory Tools have been installed.
We can also use PowerShell out at the machine if the Active Directory Tools have been installed and the Nltest utility.
Anyone of these utilities will help us reset that computer password.
I’m going to do it through the graphical interface. This would be the quickest way. This would allow the user then to be out at the machine and be able to reset their password.
Go into Active Directory Users and Computers.
The computer I used earlier is a Windows 7 box. It doesn’t matter if it’s a Windows XP, Vista, Windows 7, Windows 8 or Windows 8.1 box. All of them would be done exactly the same way as I’m doing here.
Here’s my Windows 7 box.
I’m going to secondary click on it, and I’m going to choose the option to Reset the Account.
What this does is it tells Active Directory that this computer and Active Directory have lost the Secure Channel Negotiation of the Secure Channel Password.
I click reset the account and then select yes.
Next it says that it was successfully reset.
I’ll come back to my Windows 7 box.
Now instead of un-joining and re-joining it to the Domain, I’m going to bring up My Computer Properties.
Specifically the Computer Name Tab. I’m going to come down to Change settings.
Notice the computer thinks it’s already remembered the Domain. I’m not going to actually take it out of the Domain.
I’m going to use this option, Network ID.
Instead of using Change, I’m going to use Network ID. So I click Network ID. This computer is part of a business network, not a home network.
It is part of a Domain.
Notice it says that I must have a user name and password inside the Domain.
I also might want to know what this computer name is and what my Domain Name is.
I do not need to be an administrator in the Domain. What I do need to be is a Local Administrator of this box. It says I’m logged in as an Administrator.
I’ll then get a prompt that says, "This computer account already exists in Active Directory. Would you like to go ahead and continue using this account?”
If I say, "Yes,” my SID will not change, my GUID will not change, and everything will go back to the way it was before we reset our computer.
I’ll click Yes.
It’s now telling Active Directory that this computer has lost its Secure Channel Password. I’ll get asked if I want to add the user that I’m logged in with to my local administrators group. I’m not going to do that, because this account happens to be a member of the Domains admin group.
I hit finish > OK and then I’ll restart the computer.
Now when this computer restarts and comes back up, Active Directory on this computer will negotiate a new password. That password will be good for 30 days, just like all computers have been since Windows 2000.
I’ll log back in as Rick T to show you that the password has been negotiated.
I’ll come back to the Domain Controller.
Next I’ll show you the Nltest utility and the Netdom.exe utility in PowerShell. If you do a [Netdom /?], you’ll see there’s an option to VERIFY the TRUST relationship. Then there’s also the RESET.
The reset password is what resets the computer password.
So I’ll use [netdom resetpwd /?]
It says "What’s the name of the Domain Controller, user ID and password?” Then that will send off the password.
If I’m out at the actual Domain Controller and I run netdom it’s going to ask me what the name of the computer is that I want to reset the password on. So I want to do this out at the actual client machine. This will only require one restart.
If I go into PowerShell and import-module activedirectory.
Then I run [get-help channel]
Notice I’ve got the option to Test my computer Secure Channel, get the Secure Channel Data, Update Secure Channel… This is the one we want to use: Update-SubMultichannelConnection. This will let us reset our Secure Channel Connection. The test Secure Channel will also allow us to test it and reset it if it’s broken.
I’ll login to my Windows7 box, I can actually log in as Rick T from the Domain.