fortypoundhead.com

Repairing the Secure Channel

Posted On 2017-07-26 by dwirch
Tags: Tip Tutorial Windows Windows 7


This seems to be a recurring problem in some environments. In my experience, it usually happens when a machine has been offline for more than 30 days.

The error in question reads like this:

The Security Database on the server does not have a computer account for this workstation trust relationship

So what happens is, a user or users will request some workstations for a remote site. My team does a great job of imaging the new machines, and shipping them off. The users receive them, and promptly put them in a closet for four months.

When a workstation has been offline, and has not checked in with the domain for more than 30 days, the secure channel between it and the domain gets severed. Basically, the Kerberos secrets no longer match, and need to be reset.

The easiest fix is to rejoin the machine to the domain, usually by using the NetBIOS name of the domain rather than the fully qualified domain name. Instead of mydomain.com, you'd use mydomain.

Assuming you have access to the machine, you can check the secure channel between it and the domain in a couple of different ways.

First, with PowerShell, it's simply a cmdlet:

Test-ComputerSecureChannel

The output of this will be a simple True or False. If you are averse to PowerShell, you can also use the NLTest command:

C:\>nltest /sc_verify:MyDomain
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\domaincontroller.domain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

NLTest is a bit more verbose, showing you not only the trust verification status but also the trusted DC name and the DC connection status.

If either of these methods shows you a bad trust relationship, you can reset the secure channel with PowerShell or NetDom:

PowerShell:

if(!(Test-ComputerSecureChannel)) {Test-ComputerSecureChannel -Repair}

NetDom:

netdom reset /d:<domain>
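
The check-then-repair sequence above, wrapped so the result is re-verified and reported instead of assumed. This is an added example, not code from the original post. The function name Repair-SecureChannelIfBroken and the shape of the report object are assumptions made for illustration; Get-WmiObject is used so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: test the secure channel, repair only if broken, then re-test.
function Repair-SecureChannelIfBroken {
    param(
        # Domain account permitted to reset this computer's account password.
        [System.Management.Automation.PSCredential]$Credential
    )

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $report = New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        Domain          = $cs.Domain
        HealthyBefore   = $false
        RepairAttempted = $false
        HealthyAfter    = $false
        Error           = $null
    }

    if (-not $cs.PartOfDomain) {
        $report.Error = 'Computer is not joined to a domain.'
        return $report
    }

    try {
        $report.HealthyBefore = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        # A broken trust or unreachable DC can surface as an error instead of False.
        $report.Error = $_.Exception.Message
    }

    if ($report.HealthyBefore) {
        $report.HealthyAfter = $true
        return $report
    }

    $report.RepairAttempted = $true
    try {
        $repairArgs = @{ Repair = $true; ErrorAction = 'Stop' }
        if ($Credential) { $repairArgs.Credential = $Credential }
        Test-ComputerSecureChannel @repairArgs | Out-Null
        # Re-test without -Repair so the report reflects the channel's real state.
        $report.HealthyAfter = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
        $report.Error = $null
    } catch {
        $report.Error = $_.Exception.Message
    }
    return $report
}

Repair-SecureChannelIfBroken -Credential (Get-Credential)
```

Run it from an elevated prompt on the affected workstation. If HealthyAfter is still False, the Error field holds the message to check before falling back to a domain rejoin.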

Hope this helps someone.

Any questions on this, leave them in the comments below, or you can make a post in the forums.

NetDom is pretty powerful, by the way. More information on NetDom can be found here.


About the Author

dwirch has posted a total of 185 articles.

You can find more information from dwirch by visiting http://www.derekwirch.com.

