Recipe 8.6 Testing the Secure Channel for a Computer

8.6.1 Problem

You want to test the secure channel of a computer.

8.6.2 Solution

8.6.2.1 Using a command-line interface

> nltest /server:<ComputerName> /sc_query:<DomainName>

8.6.3 Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer's password is stored locally in the form of an LSA secret and in Active Directory. This password is used by the NetLogon service to establish the secure channel with a domain controller. If, for some reason, the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query command can query a computer to verify its secure channel is working. Here is sample output from the command when things are working:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If a secure channel is failing, you'll need to reset the computer as described in Recipe 8.7. Here is sample output when things are not working:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

8.6.4 See Also

Recipe 8.7 for resetting a computer and MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP)