Article ID: 216393 - View products that this article applies to.
This article was previously published under Q216393
For each Windows 2000 or Windows XP workstation or server that is a member of a domain, there is a discrete communication channel, known as the security channel, with a domain controller.
The security channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following error messages:
NETLOGON Event ID 5723:
The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$.
The following error occurred:
Access is denied.
The Netlogon service on the domain controller logs the following error message when the password is not synchronized:
NETLOGON Event ID 3210:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
This article describes four ways of resetting computer accounts in Windows 2000 or Windows XP. These methods are as follows:
NETLOGON Event ID 5722:
The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied.
Netdom.exeFor each member, there is a discrete communication channel (the security channel) with a domain controller. The security channel is used by the Netlogon service on the member and on the domain controller to communicate. Netdom makes it possible to reset the security channel of the member. You can reset the member security channel by using the following command:
netdom reset 'machinename' /domain:'domainnamewhere 'machinename' = the local computer name and 'domainname' = the domain where the computer/machine account is stored.
Suppose you have a domain member named DOMAINMEMBER in a domain called MYDOMAIN. You can reset the member security channel by using the following command:
netdom reset domainmember /domain:mydomainYou can run this command on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.
Nltest.exeNltest.exe can be used to test the trust relationship between a computer running Windows 2000 or Windows XP that is a member of a domain and a domain controller on which its machine account resides.
Usage: nltest [/OPTIONS]
/SC_QUERY:DomainName - Query security channel for domain on ServerName
/SC_VERIFY:DomainName - Verifies the security channel in the specified domain for a local or remote workstation, server, or domain controller.
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server.windows2000.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Active Directory Users and Computers (DSA)With Windows 2000 or Windows XP, you can also reset the machine account from within the graphical user interface (GUI). In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in the Computers or appropriate container and then click Reset Account. This resets the machine account. Resetting the password for domain controllers using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.
Note This will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.
Microsoft Visual Basic scriptYou can use a script to reset the machine account. You need to connect to the computer account using the IADsUser interface. You can then use the SetPassword method to set the password to an initial value. The initial password of a computer is always "computername$".
The following sample scripts may not work in all environments and should be tested before implementation. The first example is for Windows NT 4.0 computer accounts and the second is for Windows 2000 or Windows XP computer accounts.
For more information about how to determine whether the date and the time of event 5722 match the decoded date and time, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/175024/ )Resetting Domain Member Secure Channel
(http://support.microsoft.com/kb/810977/ )Event ID 5722 is logged on your Windows 2000 Server-based domain controller
Article ID: 216393 - Last Review: January 2, 2008 - Revision: 6.2