[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Secure channel Broken Recovery

Published on
11,869 Points
3 Endorsements
Last Modified:
There were some Jr engineers who always used to come up to me with an error stating they are unable to login and getting some trust relationship error. First I used to suggest them either use sysprep to the machines if they are created using Image, or, let me know further if they faced the same issue again after sysprep. So after dedicated haunting of 1Hr I got the resolution relating to Secure channel state.

When Secure Channel between A worksation/Member Server /DC /PDC is broken you may experience an error in login. The most comman error is "Eror (Login): The security Database on the server does not have a computer account for this workstation Trust relationship"

Please use the command below to verify the secure channel state
C:\>nltest /server:DC1 /sc_query:Domain.com

Open in new window

Note:- Replace DC1 with the computer name in question and domain.com with the domain name

Output should come as "success"

For More examples and error messages I would recommend you to see http://support.microsoft.com/kb/158148

If not "Success", then you need to come up to recover the Secure Channels

When You find secure channel between DC is in broken State follow below procedures to recover:

1) Stop the KDC service you can achieve the same using "net stop KDC"
2) Download the windows resouce kit tool and run kerbtray.exe this exe will start as a green icon near by the clock in taskbar
3) Right click on this icon and click "Purge Tickets" and then click OK for confirmation
4) Now reset the DC A/C password using below command (Modify according to your naming convections) "netdom /resetpwd /server:DC /userd:domain.com\administrator /password:password" and hit Enter with full Confidence and make sure you are not breaking the enter Key
5) Now run command repadmin /syncall /ADeP
6) Now start the KDC service using "net start KDC"

And Bingo...you are done

Comments and Feedback are welcome
Remember to Mark as Helpful if it works for you
  • 2
LVL 10

Expert Comment

When you run nltest /server:DC1 /sc_query:Domain.com on PDCe role holder you'll see this error "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN". It is a known error, you can ignore it. For more info check this link. http://support.microsoft.com/kb/253096
LVL 18

Author Comment

That applies to windows 2000 ...I would edit this soon to applicable OS's
LVL 10

Expert Comment

KB article is just for reference, but it applies to all the OS up to 2008. You can try that.
LVL 21

Expert Comment

If you get a broken secure channel message isn't this usually a sign the computers password in AD and its local cache are out of sync. Since the workstation / computer initiate the password reset I usually reset the AD computer account then the workstation reboot the workstation and I am good to go

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Join & Write a Comment

This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Other articles by this author

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month