Microsoft Knowledge Base Email Alertz

Microsoft Knowledge Base Article

This article's contents are Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved.

Article ID: 216393 - Last Review: January 2, 2008 - Revision: 6.2

Resetting computer accounts in Windows

This article was previously published under Q216393

SUMMARY

For each Windows 2000 or Windows XP workstation or server that is a member of a domain, there is a discrete communication channel, known as the security channel, with a domain controller.

The security channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following error messages:
NETLOGON Event ID 5723:
The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$.
The following error occurred:
Access is denied.
NETLOGON Event ID 3210:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
The Netlogon service on the domain controller logs the following error message when the password is not synchronized:
NETLOGON Event ID 5722:
The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied.
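The three Netlogon events above are the detection signal for a computer account whose password is out of sync. The following PowerShell script is an added example, not part of KB 216393: it pulls events 5722, 5723 and 3210 from the System log, extracts the account (or domain controller) named in the message using the message texts quoted above, and groups the results so an administrator can see which accounts need attention before resetting anything. It assumes PowerShell 3.0 or later and read access to the System log on the host being queried; the sample messages at the bottom are constructed from the article's text so the parser can be checked without an event log.

```powershell
# Added example (not part of KB 216393): collect the Netlogon secure channel
# failures the article lists (event IDs 5722, 5723 and 3210) from the System
# log and group them by the account named in the message.
# Assumes PowerShell 3.0 or later and read access to the System log.

# Pull the account (or domain controller) name out of a Netlogon message.
# The patterns come from the message texts quoted in the article.
function Get-NetlogonAccountFromMessage {
    param([Parameter(Mandatory = $true)][string]$Message)

    # 5722 / 5723: "...referenced in the security database is NAME$."
    if ($Message -match 'referenced in the security database is (?<acct>[^\s.]+\$)') {
        return $Matches['acct']
    }
    # 3210: "Failed to authenticate with \\DCNAME, a Windows NT domain controller..."
    if ($Message -match 'Failed to authenticate with \\\\(?<dc>[^,\s]+)') {
        return $Matches['dc']
    }
    return $null
}

# Query the System log for the three event IDs within the last $Days days.
function Get-SecureChannelFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5722, 5723, 3210
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Account     = Get-NetlogonAccountFromMessage -Message $_.Message
                LoggedOn    = $_.MachineName
            }
        }
}

# Offline check of the parser against the message texts quoted in the article
# (constructed sample; no event log needed).
$sampleMessages = @(
    'The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.'
    'Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.'
)
$sampleMessages | ForEach-Object { Get-NetlogonAccountFromMessage -Message $_ }

# Live use: one line per affected account, most frequent first.
Get-SecureChannelFailure -Days 30 |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it on a domain controller to see which members are failing (5722 names the member account), or on a member to see its own 5723/3210 entries; a single account that keeps reappearing after a reset usually means the machine was rebuilt or restored from an image and needs to rejoin the domain.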
This article describes four ways of resetting computer accounts in Windows 2000 or Windows XP. These methods are as follows:
  • Using the Netdom.exe command-line tool
  • Using the Nltest.exe command-line tool

    Note The Netdom.exe and Nltest.exe tools are located on the Windows Server CD-ROM in the Support\Tools folder. To install these tools, run Setup.exe or extract the files from the Support.cab file.
  • Using the Active Directory Users and Computers Microsoft Management Console (MMC)
  • Using a Microsoft Visual Basic script
These tools allow for remote and non-remote administration. Netdom.exe and Nltest.exe are command-line tools that reset a successfully established security channel. You cannot use these tools when the security channel is broken, and communication is not working correctly.

MORE INFORMATION

Netdom.exe

For each member, there is a discrete communication channel (the security channel) with a domain controller. The security channel is used by the Netlogon service on the member and on the domain controller to communicate. Netdom makes it possible to reset the security channel of the member. You can reset the member security channel by using the following command:
netdom reset 'machinename' /domain:'domainname'
where 'machinename' = the local computer name and 'domainname' = the domain where the computer/machine account is stored.

Suppose you have a domain member named DOMAINMEMBER in a domain called MYDOMAIN. You can reset the member security channel by using the following command:
netdom reset domainmember /domain:mydomain
You can run this command on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.

Nltest.exe

Nltest.exe can be used to test the trust relationship between a computer running Windows 2000 or Windows XP that is a member of a domain and a domain controller on which its machine account resides.
Excerpt from the tool's usage text:

C:\Ntreskit\Nltest.exe

Usage: nltest [/OPTIONS]

/SC_QUERY:DomainName - Query security channel for domain on ServerName
/SERVER:ServerName
/SC_VERIFY:DomainName - Verifies the security channel in the specified domain for a local or remote workstation, server, or domain controller.

Sample output for a healthy secure channel:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server.windows2000.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
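The Netdom and Nltest sections together describe a check-then-reset procedure. The following PowerShell script is an added example, not part of KB 216393, that drives the same two tools: it parses the nltest /sc_query output (line formats taken from the sample output above), runs the netdom reset shown in the Netdom section, and records the channel state before and after so the change is verified rather than assumed. It assumes PowerShell 3.0 or later, nltest.exe and netdom.exe on the PATH (the Support Tools on Windows 2000/XP), and, as the article requires, an account with administrator access to the member. The sample output array at the bottom is constructed from the article's text so the parser can be checked offline.

```powershell
# Added example (not part of KB 216393): wrap nltest /sc_query and
# netdom reset in PowerShell and verify the secure channel before and
# after the reset. Assumes PowerShell 3.0+, nltest.exe and netdom.exe on
# the PATH, and administrator access to the member.

# Turn nltest /sc_query output into an object. The line formats are taken
# from the sample output shown in the article.
function ConvertFrom-NltestScQuery {
    param([Parameter(Mandatory = $true)][string[]]$Output)

    $state = [ordered]@{ TrustedDc = $null; StatusCode = $null; StatusName = $null; Healthy = $false }
    foreach ($line in $Output) {
        if ($line -match 'Trusted DC Name\s+\\\\(?<dc>\S+)') {
            $state.TrustedDc = $Matches['dc']
        }
        elseif ($line -match 'Connection Status\s+Status = (?<code>\d+) 0x[0-9A-Fa-f]+ (?<name>\S+)') {
            $state.StatusCode = [int]$Matches['code']
            $state.StatusName = $Matches['name']
            $state.Healthy    = ($state.StatusCode -eq 0)   # 0 / NERR_Success = channel OK
        }
    }
    [pscustomobject]$state
}

# Query the secure channel of $Server to $Domain (nltest /server:... /sc_query:...).
function Test-MemberSecureChannel {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Server = $env:COMPUTERNAME
    )
    $raw = & nltest.exe "/server:$Server" "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-NltestScQuery -Output $raw
}

# Reset the member's secure channel with netdom, as in the article's
# "netdom reset domainmember /domain:mydomain" example, and report the
# state before and after. -WhatIf and -Confirm work via SupportsShouldProcess.
function Reset-MemberSecureChannel {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Member,
        [Parameter(Mandatory = $true)][string]$Domain
    )
    $before = Test-MemberSecureChannel -Domain $Domain -Server $Member
    if ($PSCmdlet.ShouldProcess($Member, "netdom reset /domain:$Domain")) {
        & netdom.exe reset $Member "/domain:$Domain" | Out-Null
        $after = Test-MemberSecureChannel -Domain $Domain -Server $Member
    }
    else {
        $after = $before
    }
    [pscustomobject]@{
        Member       = $Member
        BeforeStatus = $before.StatusName
        AfterStatus  = $after.StatusName
        TrustedDc    = $after.TrustedDc
        Repaired     = (-not $before.Healthy) -and $after.Healthy
    }
}

# Offline check of the parser against the article's own sample output
# (constructed array; no domain needed).
$sampleOutput = @(
    'Flags: 30 HAS_IP HAS_TIMESERV'
    'Trusted DC Name \\server.windows2000.com'
    'Trusted DC Connection Status Status = 0 0x0 NERR_Success'
    'The command completed successfully'
)
ConvertFrom-NltestScQuery -Output $sampleOutput

# Live use, mirroring the article's example names (remove -WhatIf to apply):
# Reset-MemberSecureChannel -Member DOMAINMEMBER -Domain MYDOMAIN -WhatIf
```

Because the article notes that Netdom and Nltest need working communication with a domain controller, a reset whose "after" status is still non-zero is the cue to fall back to the Active Directory Users and Computers or script reset and rejoin the computer to the domain.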

Active Directory Users and Computers (DSA)

With Windows 2000 or Windows XP, you can also reset the machine account from within the graphical user interface (GUI). In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in the Computers or appropriate container and then click Reset Account. This resets the machine account. Resetting the password for domain controllers using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.

Note This will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.

Microsoft Visual Basic script

You can use a script to reset the machine account. You need to connect to the computer account using the IADsUser interface. You can then use the SetPassword method to set the password to an initial value. The initial password of a computer is always "computername$".

The following sample scripts may not work in all environments and should be tested before implementation. The first example is for Windows NT 4.0 computer accounts and the second is for Windows 2000 or Windows XP computer accounts.

Sample 1

' Sample 1: reset a Windows NT 4.0 computer account through the WinNT ADSI provider.
' Replace WINDOWS2000 with the domain name and computername with the computer name.
Dim objComputer

' Bind to the computer account; computer account names end in "$"
Set objComputer = GetObject("WinNT://WINDOWS2000/computername$")
' Set the password back to the initial value, which is always "computername$"
objComputer.SetPassword "computername$"

Wscript.Quit

Sample 2

' Sample 2: reset a Windows 2000 or Windows XP computer account through the LDAP ADSI provider.
' Replace computername and the DC= components with the computer name and the domain's DN.
Dim objComputer

' Bind to the computer object by its distinguished name
Set objComputer = GetObject("LDAP://CN=computername,DC=WINDOWS2000,DC=COM")
' Set the password back to the initial value, which is always "computername$"
objComputer.SetPassword "computername$"

Wscript.Quit
For more information about how to determine whether the date and the time of event 5722 match the decoded date and time, click the following article numbers to view the articles in the Microsoft Knowledge Base:
175024  (http://kbalertz.com/Feedback.aspx?kbNumber=175024/ ) Resetting Domain Member Secure Channel
810977  (http://kbalertz.com/Feedback.aspx?kbNumber=810977/ ) Event ID 5722 is logged on your Windows 2000 Server-based domain controller

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
Keywords: 
kbenv kbhowto KB216393


Hussain - hussain NOSPAM-AT-NOSPAM gatech.edu
Written: 8/25/2008 11:43 AM
I have a Win XP build that has the switch user option disabled. A user locked the machine and forgot their password. Their password was reset in the AD, but they had to reboot the workstation for the new password to take effect. Is there a way to have the password reset and not require the user to reboot, as there might be some unsaved work on their workstation? Any help on this would be greatly appreciated. Thanks.
