Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Issues with domain membership after a system restore
Article ID: 295049 - View products that this article applies to.
This article was previously published under Q295049
You may experience the following behaviors:
When you join a computer to a domain, a computername$ account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days (MaximumPasswordAge).
The behavior that is described in the "Symptoms" section occurs because System Restore only rolls back the local computer state. Part of the information about joining domains resides in the Active Directory directory service, and System Restore does not roll back Active Directory.
For the first symptom, the delayed password change occurs because System Restore rewrites the LSA secret with the password with the same values. This rewrite updates the time stamp on the secret that the Netlogon service uses to decide about the password change time stamp. For the second symptom, there is no locally stored password that matches the machine account password in Active Directory.
To resolve the first symptom, wait for the computer to change the password, or force the comoputer to change the password immediately. To force a password change, run the nltest /sc_change_pwd:domain command. The nltest command is part of the Windows Support Tools.
To resolve the second symptom, use one of the following methods:
The passwords for a particular computer account are valid for its particular join. For each computer that is a member of a domain, there is a discrete communication channel with a domain controller. This discrete communication channel is also known as the secure channel. The password for the secure channel is stored with the computer account on all domain controllers. For Microsoft Windows 2000 or Microsoft Windows XP, the default computer account password change period is every 30 days. If the computer account's password and the Local Security Authority (LSA) secret are not synchronized, the Net Logon service logs error messages.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/216393/ )Resetting computer accounts in Windows 2000
(http://support.microsoft.com/kb/251335/ )Domain users cannot join workstation or server to a domain
(http://support.microsoft.com/kb/260575/ )How to use Netdom.exe to reset machine account passwords
(http://support.microsoft.com/kb/175468/ )Effects of machine account replication on a domain