NETDOM Reports Access Denied with Windows NT 4.0 SP4

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT Netlogon services uses a secret LSA account and password to communicate with Windows NT domain controllers using secure channels. For each member in the domain, there is a secure communication channel with a domain controller which I think of as a special form of VPN. The secure channel is used by the Netlogon service on the member and on the domain controller to communicate. The password of the secure channel is stored on the member itself under an LSA secret entry and on the PDC in the SAM.

If a secure channel gets out of synch, NETDOM ( netdom.exe ) can reset it automatically. Prior to Windows NT SP4, to check a secure channel remotely, NETDOM established a connection with the PDC using the computer account and the password found in the LSA secret $MACHINE.ACC. With SP 4, LSA secret values are no longer returned to clients over the network and it prevented NETDOM from working.

Microsoft has released a new version that is compatible with Windows NT SP4 and later. Secure channels are no longer checked by comparing passwords on both sides of the secure channel. The new release of NETDOM relies on the NETLOGON service to query secure channels status.

When the secure channel fails, you will only be able to logon using local accounts since the NETLOGON service has stopped itself. The NETDOM utility which shipped with Windows NT Resource Kit is version 1.7 and will fix the secure channel failure. When run against a Windows NT SP4 or later, you get the error message:

Access Denied

The newer Windows NT Resource Kit supplements should have the fixed version of NETDOM. My tip Resource Kit Support Tools Updates has links to the updated supplement and to the download site where you can get updated executables. Click to download the new netdom.exe .

The new NETDOM adds the ability to force partial synchronization from a BDC to a PDC:

NETDOM BDC \\BDCNAME /PARTIALSYNC

a ability to force full synchronization from a BDC to a PDC

NETDOM BDC \\BDCNAME /FULLSYNC

For related information:

Resource Kit Support Tools Updates
How to Join a Domain From the Command Line
Resetting Domain Member Secure Channel
NetLogon Service Fails when Secure Channel Not Functioning
How to Build and Reset a Trust Relationship from a Command Line

Featured Links