Secure channel Broken Recovery

Sarang Tinguria
9+ years of experience, Sr Engineer working full time for an MNC, designated AD Specialist. Email me at sarangtinguria@gmail.com before starting live.
Some junior engineers used to come to me with an error saying they were unable to log in and were getting a trust relationship error. At first I would suggest that they sysprep the machines if they had been created from an image, and let me know if they hit the same issue again after sysprep. After an hour of dedicated hunting I found the resolution, which relates to the secure channel state.

When the secure channel between a workstation, member server, DC or PDC is broken, you may experience an error at login. The most common error is "Error (Login): The security database on the server does not have a computer account for this workstation trust relationship".

Use the command below to verify the secure channel state:
C:\>nltest /server:DC1 /sc_query:Domain.com


Note: Replace DC1 with the computer name in question and Domain.com with the domain name.

The output should report "Success".

For more examples and error messages, see http://support.microsoft.com/kb/158148

If the output is not "Success", you need to recover the secure channel.

When you find the secure channel on a DC in a broken state, follow the procedure below to recover it:

1) Stop the KDC service; you can do this with "net stop KDC"
2) Download the Windows Resource Kit tools and run kerbtray.exe; it starts as a green icon near the clock in the taskbar
3) Right-click this icon, click "Purge Tickets", then click OK to confirm
4) Now reset the DC account password using the command below (modify it according to your naming conventions): "netdom resetpwd /server:DC /userd:domain.com\administrator /passwordd:password" and hit Enter with full confidence, making sure you are not breaking the Enter key
5) Now run the command "repadmin /syncall /ADeP"
6) Now start the KDC service using "net start KDC"
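The check and the recovery steps above as one PowerShell script (an added example, not part of the original article). It assumes it is run in an elevated session on the DC in question, that DC1, Domain.com and the peer DC name are placeholders, that the built-in "klist purge" stands in for kerbtray's "Purge Tickets" (Windows 7 / Server 2008 R2 and later), and that netdom prompts for the password via "*" instead of taking it on the command line.

```powershell
# Added example: verify the secure channel the way the article does (nltest /sc_query)
# and, only when asked, run the article's six recovery steps on this DC.
param(
    [Parameter(Mandatory)][string]$DomainController,   # DC whose channel is broken (placeholder, e.g. DC1)
    [Parameter(Mandatory)][string]$Domain,             # domain name (placeholder, e.g. Domain.com)
    [string]$PeerDomainController,                     # a healthy DC for netdom /server (assumption: differs from this DC)
    [switch]$Repair
)

function Test-SecureChannelState {
    param([string]$Server, [string]$DomainName)
    # nltest prints NERR_Success when the channel is healthy; any other status
    # or a non-zero exit code means the channel needs recovery.
    $output = & nltest.exe "/server:$Server" "/sc_query:$DomainName" 2>&1
    $output | ForEach-Object { Write-Verbose $_ }
    return [bool]($LASTEXITCODE -eq 0 -and ($output -match 'NERR_Success'))
}

if (Test-SecureChannelState -Server $DomainController -DomainName $Domain) {
    Write-Host "Secure channel for $Domain on ${DomainController}: Success"
    return
}
Write-Warning "Secure channel for $Domain on $DomainController is broken."
if (-not $Repair) {
    Write-Host 'Re-run with -Repair (and -PeerDomainController) to apply the recovery steps.'
    return
}
if (-not $PeerDomainController) { throw 'A healthy peer DC is required for netdom resetpwd.' }

# Recovery steps from the article, in order.
& net.exe stop kdc                                  # 1) stop the Kerberos Key Distribution Center
& klist.exe purge                                   # 2-3) purge cached Kerberos tickets (kerbtray substitute)
& netdom.exe resetpwd "/server:$PeerDomainController" `
    "/userd:$Domain\administrator" '/passwordd:*'   # 4) reset this DC's machine account password; * prompts
& repadmin.exe /syncall /AdeP                       # 5) push the new password to all partitions/partners
& net.exe start kdc                                 # 6) restart the KDC

if (Test-SecureChannelState -Server $DomainController -DomainName $Domain) {
    Write-Host 'Secure channel recovered.'
} else {
    Write-Warning 'Secure channel is still broken; check the NetLogon events and KB 158148.'
}
```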

And Bingo...you are done

Comments and Feedback are welcome
Remember to Mark as Helpful if it works for you
Expert Comment

When you run nltest /server:DC1 /sc_query:Domain.com on the PDCe role holder you'll see this error: "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN". It is a known error; you can ignore it. For more info check this link: http://support.microsoft.com/kb/253096
Author Comment

by:Sarang Tinguria
That applies to Windows 2000... I will edit this soon to cover the applicable OSes.
Expert Comment

The KB article is just for reference, but it applies to all OS versions up to 2008. You can try that.
Expert Comment

If you get a broken secure channel message, isn't this usually a sign that the computer's password in AD and its local cache are out of sync? Since the workstation/computer initiates the password reset, I usually reset the AD computer account, then reboot the workstation, and I am good to go.
