reset computer account

Windows 2000 / Windows XP

The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.

Cause:
The password for the computer account and the local security authority (LSA) secret are not synchronized.

For Windows 2000 or Windows XP, the default computer account password change period is every 30 days.

* The secure channel is used by the Netlogon service.
* Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.

Test:

nltest.exe

/SC_QUERY:DomainName
Queries the secure channel for the domain on ServerName.

/SC_VERIFY:DomainName
Verifies the security channel in the specified domain for a local or remote workstation, server, or domain controller.

Solution:
Reset the secure channel between the Windows XP-based client computer and the domain controller.

Method 1

You can run 'netdom verify machinename' to see if that is in fact what happened.

The easiest way to fix is to disjoin from domain, say no to the reboot prompt (it saves time), rejoin to domain, and then reboot. And no, you won't have to migrate user profiles or anything like that. Everything will just work, and the machine account will even stay in the same OU in AD.

P.S.

netdom is included in the Support Tools.

netdom usage:

NetDom add
===========

NetDom add machinename /d:domain /s:controller

NetDom verify
==============

netdom verify machinename

Verifies the secure connection between a workstation and a domain controller.

Failure:

C:\>netdom verify winsrv01
Access is denied.

The command failed to complete successfully.

Success:

C:\>netdom verify winsrv02
The secure channel from WINSRV02 to the domain test has been verified.  
The connection is with the machine \\ad01.test.local.

The command completed successfully.
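
To run the 'netdom verify' check above against several machines at once, the batch file below (an added example, not part of the original note) reads computer names from a list file and reports which ones do not return the "has been verified" line shown in the success output. The script name scverify.cmd and the list file are assumptions; the match relies on the English output text shown above.

```bat
@echo off
rem Added example, not from the original note.
rem Usage: scverify.cmd machines.txt
rem machines.txt is a hypothetical file: one computer name per line,
rem lines starting with # are ignored.
setlocal

if "%~1"=="" (
  echo Usage: %~n0 machine-list-file
  exit /b 2
)
if not exist "%~1" (
  echo List file not found: %~1
  exit /b 2
)

set BROKEN=0
for /f "usebackq eol=# delims=" %%m in ("%~1") do call :check %%m

echo.
echo Machines failing verification: %BROKEN%
if %BROKEN% GTR 0 exit /b 1
exit /b 0

:check
rem netdom prints "has been verified" only when the check succeeds;
rem any other output (for example "Access is denied.") counts as a failure.
netdom verify %1 2>&1 | find /i "has been verified" >nul
if errorlevel 1 (
  echo %1: FAILED - secure channel not verified
  set /a BROKEN+=1
) else (
  echo %1: OK
)
goto :eof
```

The script exits with 1 if any machine failed, so it can be called from a scheduled job that alerts on a non-zero exit code.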