8.6. Testing the Secure Channel for a Computer
Problem
You want to test the secure channel of a computer.
Solution
Using a command-line interface
> nltest /server:<ComputerName
> /sc_query:<DomainName
>
Discussion
Every member computer in an
Active Directory domain establishes a secure channel with a domain
controller. The computer’s password is stored
locally in the form of an LSA secret and in Active Directory. This
password is used by the NetLogon service to establish the secure
channel with a domain controller. If, for some reason, the LSA secret
and computer password become out of sync, the computer will no longer
be able to authenticate in the domain. The nltest /sc_query
command can query a computer to verify its secure
channel is working. Here is sample output from the command when
things are working:
Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \\dc1.rallencorp.com Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully
If a secure channel is failing, you’ll need to reset the computer as described in Recipe 8.7. Here is sample output when things are not working:
Flags: 0 Trusted DC Name Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS The command completed successfully
See Also
Recipe 8.7 for resetting a computer and MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP)
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.