Question

ScottGao-0030 asked:

netdom reset: how to use it

Hello

I have a Microsoft MCSE AD book beside me. I have also read "netdom help reset" and done a lot of Googling.
But I still have questions about it. Would you please help me?
Thank you very much.

NETDOM RESET machine [/Domain:domain] [/Server:server]
[/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]

I have a PC1 that lost trust with dc1.domain.com. I tried "Reset Account" in "AD Users and Computers", but it did not help.
q1: Where should I run netdom reset?
q2: For domain, should I enter /Domain:domain.com?
q3: For server, should I enter /Server:dc1.domain.com?
q4: For user, should I use a domain admin, the PC1 local admin, or something else?
q5: I will ignore the option /SecurePasswordPrompt. Am I right?

Thanks for your time.


HannahXiong-MSFT answered:

Hello,

Thank you so much for posting here.

As mentioned, PC1 has lost trust with dc1.domain.com. We will then encounter the error message "The trust relationship between this workstation and the primary domain failed" when logging on to PC1.

If so, to resolve the error message, we can run the command Netdom resetpwd /s:target_server /ud:mydomain\domain_admin /pd:* on PC1.

/s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
/ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
/pd: specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

For example, my domain name is a.local:
[Screenshot 1.jpg: netdom resetpwd run against the a.local domain]

Or we could choose to reset the secure connection between a workstation and a domain controller using Netdom reset. Syntax is

NETDOM RESET machine [/Domain:domain] [/Server:server] [/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]

Say the user account name is X, the computer name is PC1, the domain name is domain.com and the server name is dc1.

so

netdom reset PC1 /d:domain.com /S:dc1 /U:X /P:*

(and run it on the DC)

As for user, specifies the user account to use to make the secure connection with the computer that you want to reset. If you do not specify this parameter, then netdom reset uses the current user account. We could choose to use domain admin.

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc788073(v=ws.11)

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thanks for your great help and valuable time.


Hi,

You are welcome.

Thank you for sharing your experience and solution here. It will be very beneficial for other community members who have similar questions. Your support is greatly appreciated.

Thanks so much and have a nice day.

Best regards,
Hannah Xiong

ScottGao-0030 answered:

Dear Hannah

Thanks for your great help.
I still have questions.

  1. q1. For the option name, is /ud: the same as /UserD:? How did you know?

  2. q2. What is the difference between reset and resetpwd?
    Is "reset machine account password" different from "reset the secure connection between workstation and DC"?

  3. q3. Continuing with my environment problem: I fixed one backup server that had lost trust with the command
    netdom resetpwd /s:dc1.domain.com /ud:admin /pd:*
    I can now log in to the backup server with a domain account properly. But the backup software still says "a trust relationship was not established between the remote agent and the media server".
    The backup server is the media server, so the remote agent should be the backup target.
    But I ran Test-ComputerSecureChannel on both servers (backup and target), and both return True.
    Do you have any idea how to double-check the trust and fix it?

Before I used netdom resetpwd to fix the backup server, I also got True when testing with Test-ComputerSecureChannel. I mean this trust test tool cannot be trusted.

Thanks for your time.


ScottGao-0030 answered:

Dear Hannah

It's a Symantec Backup Exec error. I fixed it in Symantec.

But do you know the answers to q1, q2 and the question about Test-ComputerSecureChannel always returning True?
Thank you.


HannahXiong-MSFT answered:

Dear @ScottGao-0030,

You are welcome. Thank you so much for your kind reply.

1, Yes, they are the same.

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc785478(v=ws.11)

2, Netdom resetpwd is to reset the computer account password for workstation or domain controller.
Netdom reset is to reset the secure connection between a workstation and a domain controller.

As per my understanding, they have the same function, which is to resolve the secure channel issue. Netdom resetpwd could be used when it is needed to reset the computer account password for a domain controller.

Usually we use the command Netdom resetpwd /s:target_server /ud:mydomain\domain_admin /pd:*

3, Test-ComputerSecureChannel returns $True if the channel is working correctly and $False if it is not. If the output is true, there is no secure channel issue anymore. As mentioned, we have run the command to fix the issue and then we could login by domain account properly.

I understand that the issue has been solved. If we still have some doubts, we could run the below commands to double check.

(1) Run this command on the client:
nltest /sc_verify:domain.com

[Screenshot 8.png: output of nltest /sc_verify]

(2) Run this command on the client:
netdom verify /d:domain.com client name

[Screenshot 9.png: output of netdom verify]

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

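An added example (my own script, not from the thread or the Microsoft docs) that ties Hannah's two checks together: it runs Test-ComputerSecureChannel and nltest /sc_verify on the member computer and, only if one of them fails, resets the machine account password with Reset-ComputerMachinePassword, the PowerShell equivalent of the netdom resetpwd command above. The domain and DC names are the thread's placeholders; it assumes an elevated PowerShell on the affected member.

```powershell
# Added example: verify the local computer's secure channel to the domain and
# repair it only when a check fails. Run in an elevated PowerShell on the member
# (PC1 in the thread). Domain and DC names are assumed placeholders.
param(
    [string]$Domain = 'domain.com',      # assumed domain name
    [string]$Dc     = 'dc1.domain.com'   # assumed DC to contact
)

function Test-SecureChannelState {
    param([string]$Domain, [string]$Dc)
    # Test-ComputerSecureChannel asks the DC to validate the stored machine
    # account password; nltest /sc_verify re-establishes the channel and
    # reports the DC that answered, so the two results cross-check each other.
    $psResult = Test-ComputerSecureChannel -Server $Dc -Verbose -ErrorAction SilentlyContinue
    $nlOut    = & nltest.exe "/sc_verify:$Domain" 2>&1
    $nlOk     = ($LASTEXITCODE -eq 0) -and (($nlOut -join "`n") -match 'Trust Verification Status = 0')
    [pscustomobject]@{
        TestComputerSecureChannel = [bool]$psResult
        NltestVerify              = $nlOk
        NltestOutput              = ($nlOut -join "`n")
    }
}

$state = Test-SecureChannelState -Domain $Domain -Dc $Dc
$state | Format-List

if ($state.TestComputerSecureChannel -and $state.NltestVerify) {
    Write-Host "Secure channel to $Domain is healthy; nothing to reset."
    return
}

# At least one check failed. Reset-ComputerMachinePassword does what the
# thread's "netdom resetpwd /s:dc1 /ud:domain\admin /pd:*" does: it sets a
# new machine account password both locally and on the named DC, using the
# prompted domain account (a domain admin, as the answer suggests).
$cred = Get-Credential -Message "Domain account allowed to reset $env:COMPUTERNAME"
Reset-ComputerMachinePassword -Server $Dc -Credential $cred

# Re-run both checks so the outcome is visible before any reboot.
Test-SecureChannelState -Domain $Domain -Dc $Dc | Format-List
```

If both checks pass but an application still reports a trust error (as with the Backup Exec message in the thread), the problem is in that application's own agent trust, not in the AD secure channel these commands verify.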

Hello @ScottGao-0030 ,

I am checking how the issue is going, if you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

ScottGao-0030 answered:

Dear Hannah

Thanks for your great support and time.
Last question: do you know how to manually break the secure channel, so that I can do more tests and learn?
Thank you.

Best Regards.
Scott Gao


HannahXiong-MSFT answered:

Dear Scott,

You are welcome. Thank you so much for your kind reply.

I understand that we would like to do more tests. But as far as I know, the secure channel cannot be broken manually. Besides, I would not recommend manually breaking the secure channel. We might have a try if it is in a test environment, but I have no idea how to do this manually. Below are some reasons for secure channel problems. Maybe we could get some inspiration from them.

There are many reasons for the problem of Secure Channel. For example,

-Trying to add a computer with the same name to the domain. According to the feedback we have received from customers, this factor has caused the most problems. When we join the computer to the domain, if there is a computer account with the same name in the current domain, the account password is reset. This process will cause problems for the previous system that uses the computer account.

-Synchronization problems between DCs. For example, after the client saves the password to DC1, the client may use DC2 the next time it starts, but the replication between DC1 and DC2 is not completed in time (or cannot). This may cause Secure Channel errors. This is the second most common situation.

-The password of the local LSA is changed or rolled back. This situation is not very common. It usually occurs when the system is restored or the snapshot of the virtual machine is rolled back. Of course, it may also happen to the hard disk. Or in the case of a file system error. For example, the disk cache did not write back normally after a power failure.

-Non-persistent network connection problem. This situation is relatively rare.

Thank you so much for your support.

Best regards,
Hannah Xiong


Dear Hannah,
When I try to use netdom to resetpwd for a DC, I get an error:
netdom resetpwd /server:MAILSERVER /UserD:mutovn\administrator /PasswordD:*
The machine account password for the local machine could not be reset.

Logon failure: unknown user name or bad password.

I'm sure the password and user are correct, because when I replace MAILSERVER with 10.0.0.1, it is OK:
C:\Users\Administrator.MUTOVN>netdom resetpwd /s:10.0.0.1 /ud:mutovn\administrator /pd:*
Type the password associated with the domain user:

The machine account password for the local machine has been successfully reset.

The command completed successfully.
This command is OK, but nothing changes. My DC does not replicate to the SDC. The error is "The target principal name is incorrect".
I don't know how to proceed. Please help me.
Thank you very much.


Hello Huong,

You mean your mail server lost trust? Where did you run this command?
Thank you.

Scott Gao