Using Windows PowerShell to fix a broken Secure Channel and reset the computer account

2012/10/24 | 1 Reply

When a computer joins a domain, a computer account is created in AD. The computer account gets its own password that will expire after 30 days (default). When the password expires, the computer itself will initiate a password change with a DC in its domain.

When the computer starts up, it uses this password to establish a secure channel (SC) with a DC. The computer requests that all traffic passing over the SC be signed; once the DC says “go ahead”, signed traffic flows through this channel.

Traffic such as NTLM pass-through authentication is typically signed traffic.

So what happens if the computer account password stored locally no longer matches the one held in AD? The computer tries to authenticate, but the DC rejects the password as incorrect.

The SC is down.

To reset the SC between a computer and a DC:

Open PowerShell on the local computer with the broken SC and run the cmdlet:

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0 or later (pre-installed on Windows 7 / Server 2008 R2).
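As an added example (not part of the original post), the following script checks the secure channel first, repairs it only when the test fails, and then re-verifies. A repair resets the computer account password on both sides and keeps the existing computer account, unlike leaving and rejoining the domain. It assumes an elevated PowerShell session on the affected computer; the account name CONTOSO\domainAdmin is a placeholder for an account allowed to reset the computer account password.

```powershell
# Added example, not from the original post.
# Assumption: run in an elevated PowerShell on the computer with the broken SC.
# CONTOSO\domainAdmin is a constructed placeholder; use an account that may
# reset the computer account password in your domain.
$cred = Get-Credential -Credential "CONTOSO\domainAdmin"

# Without -Repair the cmdlet only tests: $true = healthy, $false = broken.
if (Test-ComputerSecureChannel) {
    Write-Output "Secure channel is healthy; nothing to repair."
    return
}

# -Repair resets the machine account password locally and on the DC so the
# two secrets match again. -Credential supplies the account used for the reset.
try {
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction Stop
}
catch {
    Write-Error "Repair failed: $($_.Exception.Message)"
    return
}

# Re-test after the repair rather than trusting the repair result alone.
if ($repaired -and (Test-ComputerSecureChannel)) {
    Write-Output "Secure channel repaired and verified."
}
else {
    Write-Warning "Repair returned '$repaired' but the channel still fails; check DC reachability and the System event log."
}
```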

Category: Server 2012, Server 2008 R2
