Secure channel Broken Recovery

Sarang TinguriaTechnical Lead
There were some Jr engineers who always used to come up to me with an error stating they are unable to login and getting some trust relationship error. First I used to suggest them either use sysprep to the machines if they are created using Image, or, let me know further if they faced the same issue again after sysprep. So after dedicated haunting of 1Hr I got the resolution relating to Secure channel state.

When Secure Channel between A worksation/Member Server /DC /PDC is broken you may experience an error in login. The most comman error is "Eror (Login): The security Database on the server does not have a computer account for this workstation Trust relationship"

Please use the command below to verify the secure channel state
C:\>nltest /server:DC1 /

Open in new window

Note:- Replace DC1 with the computer name in question and with the domain name

Output should come as "success"

For More examples and error messages I would recommend you to see

If not "Success", then you need to come up to recover the Secure Channels

When You find secure channel between DC is in broken State follow below procedures to recover:

1) Stop the KDC service you can achieve the same using "net stop KDC"
2) Download the windows resouce kit tool and run kerbtray.exe this exe will start as a green icon near by the clock in taskbar
3) Right click on this icon and click "Purge Tickets" and then click OK for confirmation
4) Now reset the DC A/C password using below command (Modify according to your naming convections) "netdom /resetpwd /server:DC /\administrator /password:password" and hit Enter with full Confidence and make sure you are not breaking the enter Key
5) Now run command repadmin /syncall /ADeP
6) Now start the KDC service using "net start KDC"

And are done

Comments and Feedback are welcome
Remember to Mark as Helpful if it works for you
Sarang TinguriaTechnical Lead

Comments (4)

Venkat SureshArchitect

When you run nltest /server:DC1 / on PDCe role holder you'll see this error "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN". It is a known error, you can ignore it. For more info check this link.
Sarang TinguriaTechnical Lead
Top Expert 2012


That applies to windows 2000 ...I would edit this soon to applicable OS's
Venkat SureshArchitect

KB article is just for reference, but it applies to all the OS up to 2008. You can try that.
If you get a broken secure channel message isn't this usually a sign the computers password in AD and its local cache are out of sync. Since the workstation / computer initiate the password reset I usually reset the AD computer account then the workstation reboot the workstation and I am good to go

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.