I have run across the situation a few times where I needed to reset the secure channel for the computer account of a domain controller. Before I get into how to do this, let me present a few of the symptoms that would require resetting the secure channel.
- You receive an access denied error when accessing the DNS management console on the problem domain controller.
- You run nltest /sc_query:domain.local and receive access denied.
- You run nltest /sc_verify:domain.local and receive access denied.
Here is how you reset secure channel on a domain controller:
- Open an administrative command line
- Run the following commands*:
- net stop kdc
- klist purge
- netdom resetpwd /server:<DCName> /userD:<domain\username> /passwordD:*
- net start kdc
- net stop DNS & net start DNS
*In the netdom resetpwd command replace <DCName> with the name of a reachable peer DC, or in the case of a single domain controller, the server itself. Run the whole sequence on the affected domain controller from an elevated prompt using a domain admin account; the KDC is stopped first so the local DC does not keep issuing tickets based on the old computer account password. When the commands complete, run nltest /sc_verify:domain.local again: it should now succeed instead of returning access denied.
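Here is the same procedure as one PowerShell script, added as an example and not part of the original post. It assumes it is run in an elevated PowerShell session on the affected DC, as a domain admin, with the ActiveDirectory module, netdom and nltest available (they are on a DC with the AD DS tools installed). The optional -PeerDC parameter is my own addition for when the AD cmdlets themselves fail on the broken DC; if it is omitted the script picks a peer DC, falling back to the local server only when it is the sole DC.

```powershell
# Added example (not from the original post): reset the secure channel of the DC
# this script runs on, using the post's net stop kdc / klist purge /
# netdom resetpwd / net start kdc / restart DNS sequence, then verify it.
# Assumptions: elevated session on the affected DC, domain admin credentials,
# ActiveDirectory module + netdom + nltest present.
#Requires -RunAsAdministrator
param(
    [string]$PeerDC   # hypothetical parameter: FQDN of a peer DC to use for /server
)

$self   = $env:COMPUTERNAME
$domain = $env:USERDNSDOMAIN    # e.g. domain.local

if (-not $PeerDC) {
    # Pick a peer DC; fall back to this server only in a single-DC domain,
    # which is the rule given in the post's footnote.
    Import-Module ActiveDirectory -ErrorAction Stop
    $PeerDC = Get-ADDomainController -Filter * |
        Where-Object { $_.Name -ne $self } |
        Select-Object -First 1 -ExpandProperty HostName
    if (-not $PeerDC) {
        Write-Warning "No peer DC found; using $self itself (single-DC domain)."
        $PeerDC = $self
    }
}
Write-Host "Resetting secure channel for $self against $PeerDC"

$user = Read-Host "Domain admin account (DOMAIN\user)"

# Stop the local KDC so it cannot issue tickets based on the old password.
Stop-Service -Name KDC -Force
# Drop cached Kerberos tickets for this session.
klist purge | Out-Null
# Reset the computer account password; /passwordD:* prompts for the password.
netdom resetpwd /server:$PeerDC /userD:$user /passwordD:*
$rc = $LASTEXITCODE
Start-Service -Name KDC
# DNS on a DC is AD-integrated, so bounce it after the reset (net stop/start DNS).
Restart-Service -Name DNS -Force

if ($rc -ne 0) { throw "netdom resetpwd failed with exit code $rc" }

# Verification: the symptom check from the post should now succeed.
nltest /sc_verify:$domain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "nltest /sc_verify still fails; check connectivity to $PeerDC and replication, then retry."
}
```

Because netdom prompts for the password when given /passwordD:*, the script stays interactive rather than placing the password on the command line where it would show up in process listings.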