Every computer joined to an Active Directory domain has its own special account in AD, meaning each computer actually has a “username” and a password of its own. The username is the computer name followed by a dollar sign ($). The password is automatically negotiated between the computer and the domain controller when you join the computer to AD and is renegotiated on a periodic basis thereafter. This password is called the machine password.
For this or another reason, sometimes one needs to revert a member computer (or AD itself) to a previous state in time. If the computer and AD changed the machine password in the meantime, and you restored only one of them to the state before that change, the passwords are out of sync. Users can no longer log in on that computer.
If you manage to open a command prompt on the computer somehow, you should see an access denied error when running:
nltest /sc_verify:<yourdomain>
A usual remedy is to log in using a local administrator account, un-join the computer from the domain, and re-join it. This is not very elegant: it involves at least two restarts, possible removal and reinstallation of all deployed applications, and so on. Fortunately, it can be done with a bit less fuss.
I have tried the Reset-ComputerMachinePassword PowerShell cmdlet to no avail. When run in an elevated PowerShell console it produces no output, as expected by the documentation. Unfortunately, the nltest /sc_verify... test still returns access denied.
netdom missing on Windows workstations
The netdom utility comes to the rescue. Unfortunately, this utility is available on Windows Server computers only. Fortunately, you can copy netdom.exe from the Windows Server’s System32 folder, along with its en-US\netdom.exe.mui localization file, and it should work just fine on your Windows workstation.
Interference from existing network connections to the domain controller
netdom resetpwd will refuse to work if there are existing connections to the domain controller made with any account other than the domain administrative account you are going to use to restore trust.
On the computer with the broken AD trust, start an elevated command prompt (Run as Administrator) and use the net use command to delete all existing connections to the server.
Restore trust
Still in the elevated command prompt, type:
netdom resetpwd /server:<domain controller> /UserD:<domain\admin user> /PasswordD:<admin user password>
The operation takes a few seconds. Once it is done, verify that the trust between the computer and AD has been re-established by running:
nltest /sc_verify:<yourdomain>
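The whole procedure above (verify, drop existing connections, reset the machine password, verify again) can be scripted. The following is an added example, not the original author's script; the parameter names and the Test-NltestTrust helper are hypothetical, and it assumes nltest reports a healthy channel with a "Trust Verification Status = 0 0x0 NERR_Success" line. It passes /PasswordD:* so that netdom prompts for the password instead of taking it on the command line.

```powershell
# Added example: run from an elevated PowerShell console on the computer with
# the broken trust. netdom.exe (and its .mui file) must already be on the PATH.
param(
    [Parameter(Mandatory=$true)] [string] $Domain,            # <yourdomain>
    [Parameter(Mandatory=$true)] [string] $DomainController,  # <domain controller>
    [Parameter(Mandatory=$true)] [string] $AdminUser          # <domain\admin user>
)

# Hypothetical helper: runs nltest /sc_verify and returns $true only when the
# output contains the success line. Anything else (for example an access denied
# status) is treated as a broken trust. The matched wording is an assumption
# about nltest's output on current Windows versions.
function Test-NltestTrust {
    param([string] $Domain)
    $out = & nltest.exe "/sc_verify:$Domain" 2>&1 | Out-String
    Write-Host $out
    return ($out -match 'Trust Verification Status\s*=\s*0\s+0x0\s+NERR_Success')
}

if (Test-NltestTrust $Domain) {
    Write-Host 'Secure channel is healthy; nothing to do.'
    return
}

# netdom resetpwd refuses to run while other connections to the domain
# controller exist. Note that this drops ALL connections, mapped drives included.
& net.exe use * /delete /y | Out-Null

# '*' makes netdom prompt for the password, keeping it out of the command line
# and the console history.
& netdom.exe resetpwd "/server:$DomainController" "/UserD:$AdminUser" '/PasswordD:*'
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed with exit code $LASTEXITCODE"
}

# Confirm the result the same way the manual procedure does.
if (-not (Test-NltestTrust $Domain)) {
    throw 'nltest still does not report a verified trust after the reset.'
}
Write-Host 'Trust between computer and AD has been re-established.'
```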
Very nice, there is an easier way if the machine has Windows PowerShell 3.0.
I give this one-liner to “simple” system admins to enter in an elevated PowerShell console:
try { Reset-ComputerMachinePassword -Server <domain controller> -Credential (Get-Credential) -ErrorAction Stop; Restart-Computer } catch { Write-Error $_ }
It prompts for credentials and restarts the machine if the command is successful.