If a secure channel gets out of synch, NETDOM ( netdom.exe ) can reset it automatically. Prior to Windows NT SP4, to check a secure channel remotely, NETDOM established a connection with the PDC using the computer account and the password found in the LSA secret $MACHINE.ACC. With SP 4, LSA secret values are no longer returned to clients over the network and it prevented NETDOM from working.
Microsoft has released a new version that is compatible with Windows NT SP4 and later. Secure channels are no longer checked by comparing passwords on both sides of the secure channel. The new release of NETDOM relies on the NETLOGON service to query secure channels status.
When the secure channel fails, you will only be able to logon using local accounts since the NETLOGON service has stopped itself. The NETDOM utility which shipped with Windows NT Resource Kit is version 1.7 and will fix the secure channel failure. When run against a Windows NT SP4 or later, you get the error message:
The newer Windows NT Resource Kit supplements should have the fixed version of NETDOM. My tip Resource Kit Support Tools Updates has links to the updated supplement and to the download site where you can get updated executables. Click to download the new netdom.exe .
The new NETDOM adds the ability to force partial synchronization from a BDC to a PDC:
NETDOM BDC \\BDCNAME /PARTIALSYNC a ability to force full synchronization from a BDC to a PDC
NETDOM BDC \\BDCNAME /FULLSYNC For related information:
Resource Kit Support Tools Updates
How to Join a Domain From the Command Line
Resetting Domain Member Secure Channel
NetLogon Service Fails when Secure Channel Not Functioning
How to Build and Reset a Trust Relationship from a Command Line