EPFL > VPSI > IT > EXAPP - Information site: WinAD (Windows Active Directory)
Rejoining a machine that has lost its trust relationship with the domain
 


Your machine has not been connected to the intranet domain for more than 90 days?

No problem, your local administrator (ADSCIPER) can fix that for you!

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Open "CMD" as Administrator, then:

  1. netdom.exe resetpwd /s:ad2 /ud:intranet\adsciper /pd:*
  2. Reboot the computer


http://blogs.technet.com/b/reference_point/archive/2012/12/03/secure-channel-broken-continuation-of-quot-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed-quot.aspx
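The same check and in-place repair done from PowerShell on the client, as an added example that is not the page's own script: it lists the recent NETLOGON errors that signal a broken secure channel, verifies the channel with Test-ComputerSecureChannel, and repairs it with -Repair, which resets the computer account password just like the netdom command above. The DC name ad2 and the account intranet\adsciper are taken from the page; run it elevated as a local administrator.

```powershell
# Added example, not the page's own script. Run from an elevated PowerShell
# on the affected client, as a local administrator (the page's ADSCIPER case).
# $Server and $Account reuse the values from the page's netdom command;
# adjust them for your own domain.
param(
    [string]$Server  = 'ad2',
    [string]$Account = 'intranet\adsciper'
)

# 1. Symptoms: NETLOGON errors in the System log from the last day.
#    3210 = "This computer could not authenticate with ... a domain controller",
#    5719 = "could not set up a secure session with a domain controller".
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
              LogName      = 'System'
              ProviderName = 'NETLOGON'
              StartTime    = $since
          } -ErrorAction SilentlyContinue |
          Where-Object { @(3210, 5719) -contains $_.Id }
if ($events) {
    Write-Host "NETLOGON secure-channel errors since ${since}:"
    $events | Select-Object TimeCreated, Id, Message | Format-List
}

# 2. Verify the channel; $true means it is healthy and nothing needs resetting.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel to $Server is OK; no repair needed."
    return
}

# 3. Repair in place: resets the computer account password on the DC without
#    deleting the account, so the machine keeps its SID and group memberships.
#    Equivalent to: netdom.exe resetpwd /s:ad2 /ud:intranet\adsciper /pd:*
$cred = Get-Credential $Account
if (Test-ComputerSecureChannel -Server $Server -Credential $cred -Repair) {
    Write-Host "Secure channel repaired. Reboot to complete the fix."
} else {
    Write-Warning "Repair failed; try 'netdom resetpwd' or ADUC > Reset Account."
}
```

Test-ComputerSecureChannel and Get-Credential are built into Windows PowerShell, so the Active Directory module is not required on the client.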

____________________


Or by hand:


[Screenshot 001: Resetting a Windows client Secure Channel password]

"The trust relationship between this workstation and the primary Domain Controller has failed." That's the primary symptom that your Secure Channel Password has failed.

If a user has logged onto this machine before, they’ll be able to log on to this machine with their cached credentials. In this case the only person that’s logged into this machine is the Administrator Account.

A couple of things I want to show you is the way we can verify it was the Secure Channel Password that causes our problem.

I’m going to bring up the Event Viewer.

[Screenshot 002: Event Viewer]

What we specifically want to look at is our Systems Log.

[Screenshot 003: System log in Event Viewer]

Notice I got a Winlogon event. It says, "Your notification was unable to login," in other words it wouldn't log on.

If I scroll down, I will see that there was a Group Policy error, "The process Group Policy failed due to the lack of network connectivity of the Domain Controller.”

[Screenshot 004: Group Policy error in Event Viewer]

If I scroll on down further, my DNS Client failed to connect.

[Screenshot 005: Event Viewer]

The other big one I’m looking for is the NETLOGON service. (This would have been when the machine restarted during this last restart).

[Screenshot 006: NETLOGON event in Event Viewer]

Notice it states, "This computer cannot authenticate with the Windows domain.” and therefore this computer might be denied log on requests. This is a pure symptom of the Secure Channel Password.

One of the things that a lot of users will do in their environments is go into Active Directory Users and Computers and, as one of the first things they do (which is actually a bad thing), delete the computer account. Then they would go out to the computer, un-join the computer from the Domain, re-join the computer to the Domain, and they would get a new Computer Account.

The result of doing that is that the computer now gets a new SID.

So if that computer was in any group, giving it permission, a privilege, a right, anywhere inside your organization, it just now lost it.

Let me show you the proper way of resetting this computer's password.

Go into Active Directory Users and Computers. This can be accomplished through the graphical Active Directory Users and Computers or through the Active Directory Administrative Center.

We could also use the Netdom.exe utility out at the machine if the Active Directory Tools have been installed.

We can also use PowerShell out at the machine if the Active Directory Tools have been installed and the Nltest utility.

Any one of these utilities will help us reset that computer password.

I’m going to do it through the graphical interface. This would be the quickest way. This would allow the user then to be out at the machine and be able to reset their password.

Go into Active Directory Users and Computers.

[Screenshot 007: Active Directory Users and Computers]

The computer I used earlier is a Windows 7 box. It doesn’t matter if it’s a Windows XP, Vista, Windows 7, Windows 8 or Windows 8.1 box. All of them would be done exactly the same way as I’m doing here.

Here’s my Windows 7 box.

[Screenshot 008]

I’m going to secondary click on it, and I’m going to choose the option to Reset the Account.

[Screenshot 009]

What this does is it tells Active Directory that this computer and Active Directory have lost the Secure Channel Negotiation of the Secure Channel Password.

I click reset the account and then select yes.

Next it says that it was successfully reset.

[Screenshot 010]

I’ll come back to my Windows 7 box.

Now instead of un-joining and re-joining it to the Domain, I’m going to bring up My Computer Properties.

[Screenshot 011]

Specifically the Computer Name Tab. I’m going to come down to Change settings.

[Screenshot 012: Change settings]

Notice the computer thinks it’s already remembered the Domain. I’m not going to actually take it out of the Domain.

I’m going to use this option, Network ID.

[Screenshot 013: Network ID]

Instead of using Change, I’m going to use Network ID. So I click Network ID. This computer is part of a business network, not a home network.

[Screenshot 014: Network ID]

It is part of a Domain.

[Screenshot 015: Network ID]

Notice it says that I must have a user name and password inside the Domain.

[Screenshot 016: Network ID]

I also might want to know what this computer name is and what my Domain Name is.

I do not need to be an administrator in the Domain. What I do need to be is a Local Administrator of this box. It says I’m logged in as an Administrator.

[Screenshot 017]

I'll then get a prompt that says, "This computer account already exists in Active Directory. Would you like to go ahead and continue using this account?"

[Screenshot 018]

If I say "Yes," my SID will not change, my GUID will not change, and everything will go back to the way it was before we reset our computer.

I’ll click Yes.

It's now telling Active Directory that this computer has lost its Secure Channel Password. I'll get asked if I want to add the user that I'm logged in with to my local administrators group. I'm not going to do that, because this account happens to be a member of the Domain Admins group.

[Screenshot 019]

I hit finish > OK and then I’ll restart the computer.

Now when this computer restarts and comes back up, Active Directory on this computer will negotiate a new password. That password will be good for 30 days, just like all computers have been since Windows 2000.

I’ll log back in as Rick T to show you that the password has been negotiated.

I’ll come back to the Domain Controller.

[Screenshot 020]

Next I’ll show you the Nltest utility and the Netdom.exe utility in PowerShell. If you do a [Netdom /?], you’ll see there’s an option to VERIFY the TRUST relationship. Then there’s also the RESET.

[Screenshot 021: PowerShell]

The reset password is what resets the computer password.

So I’ll use [netdom resetpwd /?]

[Screenshot 022: PowerShell]

It says "What's the name of the Domain Controller, user ID and password?" Then that will send off the password.

If I’m out at the actual Domain Controller and I run netdom it’s going to ask me what the name of the computer is that I want to reset the password on. So I want to do this out at the actual client machine. This will only require one restart.

If I go into PowerShell and import-module activedirectory.

[Screenshot 023: PowerShell]

Then I run [get-help channel]

[Screenshot 024: PowerShell]

Notice I’ve got the option to Test my computer Secure Channel, get the Secure Channel Data, Update Secure Channel… This is the one we want to use: Update-SubMultichannelConnection. This will let us reset our Secure Channel Connection. The test Secure Channel will also allow us to test it and reset it if it’s broken.

I'll log in to my Windows 7 box; I can actually log in as Rick T from the Domain.

Article No. 214, 19.03.2015, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=214

© 2017 VPSI - EXAPP - TC