
Resetting Domain Member Secure Channel

This article was previously published under Q175024
SYMPTOMS
The Netlogon service on the domain member may log event 3210 or 5721, while the Netlogon service on the domain controller logs event 5722 in its system event log.

You may also receive the following message when you attempt to log on to your Windows NT domain from a computer running Windows NT Workstation or Windows NT Server that is a member of the domain:

   The system cannot log you on to this domain because the system's
   computer account in its primary domain is missing or the password on
   that account is incorrect.


These problems may occur if any of the following conditions is true:

  • The name of the domain member was recently changed.
  • The Emergency Repair Disk was used, but it contained old information.
  • The domain member computer account was removed.

The procedure described in this article resets the member secure channel with a single command line instead of many operations within Server Manager. It requires the NETDOM utility that is provided with Windows NT 4.0 Resource Kit Supplement 2.
RESOLUTION
CAUTION: The solution included in this article has not been extensively tested in large installations. Microsoft cannot guarantee that modification of domains as recommended herein will accomplish the objective described in this article under all circumstances and in all configurations.

For each member there is a discrete communication channel (the secure channel) to a domain controller, which the Netlogon service on the member and on the domain controller use to communicate with each other. The NETDOM command-line utility makes it possible to reset the secure channel of the member.

Suppose you have a domain member named DOMAINMEMBER. You can reset the member secure channel by using the following command:

   NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN

You can run the command above on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER. Because the command also changes the computer account's password on the PDC, that account must also be allowed to modify the computer account in the domain.

The output received from the command should be similar to the following:

   Searching PDC for domain DOMAIN ...
   Found PDC \\DOMAINPDC
   Querying domain information on PDC \\DOMAINPDC ...
   Querying domain information on computer \\DOMAINMEMBER ...
   Computer \\DOMAINMEMBER is already a member of domain DOMAIN.
   Verifying secure channel on \\DOMAINMEMBER ...
   Verifying the computer account on the PDC \\DOMAINPDC ...
   Resetting secure channel ...
   Changing computer account on PDC \\DOMAINPDC ...
   Stopping service NETLOGON on \\DOMAINMEMBER .... stopped.
   Starting service NETLOGON on \\DOMAINMEMBER .... started.
   Querying user groups of \\DOMAINMEMBER ...
   Adding DOMAIN domain groups on \\DOMAINMEMBER ...
   The computer \\DOMAINMEMBER joined the domain DOMAIN successfully.
   Logoff/Logon \\DOMAINMEMBER to take modifications into effect.
MORE INFORMATION

Assume you have the following configuration:

   Domain = DOMAIN
   DC     = DOMAINDC (domain controller)
   Member = DOMAINMEMBER (domain member)

When a member server joins a domain, a computer account is created (you can use Server Manager to see the computer account). A default password is given to the computer account, and the member stores the password in the Local Security Authority (LSA) secret storage $MACHINE.ACC. By default, the password is changed every seven days (on Windows 2000 and later the default interval is 30 days). The secret is the computer's credential for the domain: it is readable only by SYSTEM and local administrators on the member, and anyone who obtains it can authenticate to the domain as that computer.

Each member maintains such an LSA secret, which is used by the Netlogon service to establish a secure channel. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs the following error:

   NETLOGON Event ID 3210:
   Failed to authenticate with \\DOMAINDC, a Windows NT domain controller
   for domain DOMAIN.

If the computer account has been deleted, the following error is logged by the member Netlogon service:

   NETLOGON Event ID 5721:
   The session setup to the Windows NT Domain Controller <Unknown> for the
   domain DOMAIN failed because the Windows NT Domain Controller does not
   have an account for the computer DOMAINMEMBER.

Similarly, the Netlogon service on the domain controller logs the following error when the password is not synchronized:

   NETLOGON Event 5722
   The session setup from the computer DOMAINMEMBER failed to authenticate.
   The name of the account referenced in the security database is
   DOMAINMEMBER$. The following error occurred: Access is denied.

In all cases, the event data contains the NTSTATUS code of the failure. For example, error 0xC0000022 (STATUS_ACCESS_DENIED) means that the computer account's password is invalid; error 0xC000018B (STATUS_NO_TRUST_SAM_ACCOUNT) means that the computer account has been deleted, and so on. Reading this code tells you whether a secure channel reset is enough (password mismatch) or the computer account has to be re-created first (account missing).
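The following script is an added example, not part of the original KB article or of the NETDOM tool. It ties the two halves of the article together: it decodes the NTSTATUS code from the event data of Netlogon events 3210, 5721 and 5722 to tell a password mismatch from a deleted account, and it performs the repair with the modern equivalent of NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN. It assumes a Windows 7 / Server 2008 R2 or later member (Test-ComputerSecureChannel does not exist on NT 4.0), assumes that the NTSTATUS is the first little-endian DWORD of the event's binary data as Event Viewer shows it, and adds status codes other than the two the article names; the sample events are constructed, not real log output.

```powershell
# Added example (not from the KB article): triage and repair of a broken
# member secure channel. Run in an elevated PowerShell session on the member.
# Assumption: the NTSTATUS is the first DWORD of the event data, little-endian,
# e.g. bytes 22 00 00 C0 for 0xC0000022.

# NTSTATUS values Netlogon records in the event data. The article names the first
# two; the others are added here as the other common causes of this failure.
$SecureChannelStatus = @{
    '0xC0000022' = 'STATUS_ACCESS_DENIED: the computer account password on the DC and the member''s LSA secret ($MACHINE.ACC) do not match'
    '0xC000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT: the DC has no computer account for this member (deleted or renamed)'
    '0xC000018A' = 'STATUS_NO_TRUST_LSA_SECRET: the member has no $MACHINE.ACC secret (not joined, or the secret was lost)'
    '0xC000005E' = 'STATUS_NO_LOGON_SERVERS: no domain controller could be reached'
}

function ConvertFrom-NetlogonBinary {
    # Decodes the NTSTATUS from the event's binary data, given as the hex string
    # found in the event XML <Binary> element (e.g. '220000C0' -> '0xC0000022').
    param([string]$HexBytes)
    if (-not $HexBytes -or $HexBytes.Length -lt 8) { return $null }
    $bytes = for ($i = 0; $i -lt 8; $i += 2) { [Convert]::ToByte($HexBytes.Substring($i, 2), 16) }
    # BitConverter is little-endian on every Windows platform.
    $status = [BitConverter]::ToUInt32([byte[]]$bytes, 0)
    return ('0x{0:X8}' -f $status)
}

function Get-SecureChannelDiagnosis {
    # Accepts objects with Id and Binary properties (constructed sample below, or
    # the output of Get-NetlogonEvents) and explains each failure.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $status  = ConvertFrom-NetlogonBinary $Event.Binary
        $meaning = if ($status -and $SecureChannelStatus.ContainsKey($status)) { $SecureChannelStatus[$status] }
                   else { 'unrecognised status; look it up in ntstatus.h' }
        # A password reset cannot succeed when the account itself is gone.
        $action  = if ($status -eq '0xC000018B') { 'Re-create the computer account (or rejoin with Add-Computer) before resetting the channel' }
                   else { 'Repair-MemberSecureChannel: reset the computer account password on a DC and in the local LSA secret' }
        [pscustomobject]@{ EventId = $Event.Id; Computer = $Event.Computer; Status = $status; Meaning = $meaning; Action = $action }
    }
}

function Get-NetlogonEvents {
    # Pulls the live events (3210 and 5721 on a member, 5722 on a DC) from the
    # System log; the <Binary> element of the event XML carries the NTSTATUS.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5721, 5722
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{ Id = $_.Id; Computer = $_.MachineName; Time = $_.TimeCreated; Binary = $xml.Event.EventData.Binary }
    }
}

function Repair-MemberSecureChannel {
    # Modern equivalent of NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN: verifies the
    # channel and, if it is broken, resets the computer account password on a DC
    # and in the local LSA secret, then re-establishes the channel. The credential
    # must be allowed to reset this computer account in the domain.
    param([Parameter(Mandatory)][pscredential]$Credential)
    if (Test-ComputerSecureChannel) { return 'Secure channel is healthy; nothing to do.' }
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        return 'Secure channel reset; log off and on for group changes to take effect.'
    }
    throw 'Repair failed: confirm the computer account exists on the DC (event 5721 / 0xC000018B) and that a DC is reachable.'
}

# Constructed sample events (not real log output): the two member-side errors
# the article describes, with the byte order Event Viewer shows.
$SampleEvents = @(
    [pscustomobject]@{ Id = 3210; Computer = 'DOMAINMEMBER'; Binary = '220000C0' }   # 0xC0000022
    [pscustomobject]@{ Id = 5721; Computer = 'DOMAINMEMBER'; Binary = '8B0100C0' }   # 0xC000018B
)
$SampleEvents | Get-SecureChannelDiagnosis | Format-List

# On a real member, feed live events instead and repair only when diagnosis says so:
#   Get-NetlogonEvents | Get-SecureChannelDiagnosis | Format-List
#   Repair-MemberSecureChannel -Credential (Get-Credential 'DOMAIN\Administrator')
```

The decode step matters because the article's two symptoms need different fixes: 0xC0000022 is cured by a password reset, while 0xC000018B means there is no account to reset and the repair will fail until the account is re-created. On the command line, nltest /sc_verify:DOMAIN and nltest /sc_reset:DOMAIN (from KB 158148) give the same verify and reset steps without PowerShell.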

For more information about secure channels, see the following articles in the Microsoft Knowledge Base:

ARTICLE-ID: 131366
TITLE: Event Error 5712 with Status Access Denied

ARTICLE-ID: 142869
TITLE: Event ID 3210 and 5722 Appear When Synchronizing Entire Domain

ARTICLE-ID: 149664
TITLE: Verifying Domain Netlogon Synchronization

ARTICLE-ID: 158148
TITLE: Domain Secure Channel Utility -- Nltest.exe
Properties

Article ID: 175024 - Last Review: 10/31/2006 19:02:48 - Revision: 1.1

  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition