Windows 2003 AD broken trust / wrong password??

Posted on 2011-05-10
Last Modified: 2012-06-27
Hi all Windows AD experts

I ran into a problem which I thought was easy to fix... but it is not. Hence my brief posting below.

1. Running MS AD; all servers (PDC, BDC, members) are 2003. All servers are in a VMware environment. One forest, one domain.

2. I had to restore one of the BDCs from a 6-week-old backup. As expected, I am getting the Event 3210 NETLOGON error.

I have attempted to fix the problem by taking the following steps.

What I got:

    The secure channel from MYBDC to MYDOMAIN was not reset
    Access is denied

Went back and ran the NETDOM RESETPWD command, which completed successfully.

Ran NETDOM RESET again; same result as above, Access is denied.

I think I am doing something wrong... can someone point me in the right direction?



Question by: Bibecu
    LVL 7

    Expert Comment

    If all the server was doing was BDC, why restore it from a backup? If you did a system state restore you may have broken its links in Active Directory and NTDS.

    It would be better to do a demote, remove all references to it being a DC and promote it back in again.

    Author Comment

    Thanks, let me try and get back.

    LVL 59

    Accepted Solution

    Actually, there is no reason to restore Active Directory; you just need to run a metadata cleanup to remove lingering objects from the failed DC. Once you have done that you can promote the server again. No reason to restore AD.
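The check-then-cleanup sequence the accepted solution describes, written out as an added example. This is not the expert's own text or a Microsoft script; it assumes a Windows Server 2003 domain (SP1 or later for the DN form of `remove selected server`) with the Support Tools installed, it is run as a Domain Admin on a healthy DC, and every name in it (`MYDOMAIN`, `MYPDC`, `MYBDC`, the site and DN strings) is a placeholder to be replaced.

```powershell
# Added example: verify the broken secure channel, clean up the stale DC's
# metadata from a healthy DC, then re-promote the restored server.
# Run as Domain Admin / Enterprise Admin on a DC that was NOT restored.
# All names are placeholders (assumptions, not values from the thread).
$Domain    = "MYDOMAIN"              # NetBIOS domain name used in the question
$HealthyDc = "MYPDC"                 # a DC with current AD data
$StaleDc   = "MYBDC"                 # the DC restored from the 6-week-old backup
$RootDn    = "DC=mydomain,DC=local"  # placeholder forest root DN
# Placeholder DN of the stale DC's server object under Sites and Services.
$StaleDcDn = "CN=$StaleDc,CN=Servers,CN=Default-First-Site-Name," +
             "CN=Sites,CN=Configuration,$RootDn"

# 1. Confirm the symptom before changing anything. Run on the stale DC:
#    a failed secure channel here is what NETLOGON logs as Event 3210.
nltest /sc_query:$Domain
#    And from the healthy side, replication status for the whole domain:
repadmin /showrepl $HealthyDc

# 2. Make sure the stale DC holds no FSMO roles; if it does, seize them
#    (ntdsutil "roles") before removing its metadata.
netdom query fsmo

# 3. Take the stale DC off the network (disconnect the VM's NIC) so it
#    cannot replicate six-week-old data back in while you clean up.

# 4. Metadata cleanup on the healthy DC. ntdsutil accepts its menu commands
#    as quoted arguments, so the interactive session from Microsoft's
#    metadata cleanup procedure can be issued from a script.
#    First list the sites and servers so the DN above can be confirmed
#    (adjust "select site 0" to the index of the site that contains $StaleDc):
ntdsutil "metadata cleanup" "connections" "connect to server $HealthyDc" quit `
         "select operation target" "list sites" "select site 0" `
         "list servers in site" quit quit quit

#    Then remove the stale DC's NTDS Settings and server objects by DN
#    (SP1+ syntax; on pre-SP1 use "select server N" from the list above
#    followed by "remove selected server" in the same session):
ntdsutil "metadata cleanup" "remove selected server $StaleDcDn on $HealthyDc" quit quit

# 5. Remove what ntdsutil does not: the computer account in the
#    Domain Controllers OU (Active Directory Users and Computers), any
#    leftover server object in AD Sites and Services, and the stale DC's
#    A, CNAME (_msdcs) and SRV records in DNS. Verify the DNS side with:
dnscmd $HealthyDc /EnumRecords "_msdcs.$Domain" "@" /Type SRV

# 6. On the restored server (still disconnected), strip the DC role without
#    contacting the domain, reboot, reconnect, then promote it again:
#       dcpromo /forceremoval
#       dcpromo
#    Promotion creates a fresh machine account and secure channel, which is
#    what the NETDOM RESET attempts in the question could not do with the
#    old credentials.

# 7. Re-check from the re-promoted DC; both should now report success.
nltest /sc_query:$Domain
repadmin /showrepl $StaleDc
```

Steps 1 and 7 are the before/after evidence worth keeping in the change record: `nltest /sc_query` on the restored server is the direct test of the condition behind Event 3210, and `repadmin /showrepl` confirms the new DC object replicates without the old lingering-object errors.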
    LVL 9

    Expert Comment

    I also agree with D3ath5tar; it makes no sense to restore it. Just rebuilding it from scratch is going to be more precise and up to date.
    LVL 8

    Expert Comment

    Yeah, I agree with both Experts. You will save more time if you clean up Active Directory and then promote the server to a DC again. Doing that will restore/recreate the secure channel.

    Author Closing Comment

    This worked, thanks.
