netdom reset how to use

Scott Gao 291 Reputation points
2020-11-26T04:30:00.433+00:00

Hello

I have the Microsoft MCSE AD book at hand. I have also read "netdom help reset" and done many Google searches.
But I still have question about it. Would you please help me?
Thank you very much.

NETDOM RESET machine [/Domain:domain] [/Server:server]
[/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]

I have a PC1 that lost trust with dc1.domain.com. I tried "reset account" in "AD Users and Computers", but it did not help.
q1: Where should I run netdom reset?
q2: For domain, should I input /Domain:domain.com?
q3: For server, should I input /Server:dc1.domain.com?
q4: For user, should I use a domain admin, the PC1 local admin, or something else?
q5: I will ignore the option /SecurePasswordPrompt, am I right?

Thanks for your time.


Accepted answer
  1. Hannah Xiong 6,226 Reputation points
    2020-11-26T06:19:03.527+00:00

    Hello,

    Thank you so much for posting here.

    As mentioned, we have PC1 lost trust with dc1.domain.com. Then we will encounter the error message "The trust relationship between this workstation and the primary domain failed" when logging on PC1.

    If so, to resolve the error message, we can run the command **Netdom resetpwd /s:target_server /ud:mydomain\domain_admin /pd:\*** on the PC1.

    /s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running. /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used. /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

    For example, my domain name is a.local: [image: 42885-1.jpg]

    Or we could choose to reset the secure connection between a workstation and a domain controller using Netdom reset. Syntax is

    **NETDOM RESET machine [/Domain:domain] [/Server:server] [/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]**

    Say the user account name is X, the computer name is PC1, the domain name is domain.com, and the server name is dc1.

    so

    netdom reset PC1 /d:domain.com /S:dc1 /U:X /P:*

    (and run it on the DC)

    As for user, it specifies the user account to use to make the secure connection with the computer that you want to reset. If you do not specify this parameter, then netdom reset uses the current user account. We could choose to use domain admin.

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc788073(v=ws.11)

    For any question, please feel free to contact us.

    Best regards, Hannah Xiong

    ============================================ If the Answer is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

5 additional answers

  1. Scott Gao 291 Reputation points
    2020-11-26T10:09:56.517+00:00

    Dear Hannah

    Thanks for your great help.
    I still have question.

    1. q1. For the option name, is /ud: the same as /UserD:? How did you know?
    2. q2. What is the difference between reset and resetpwd?
      Is "reset machine account password" different from "reset the secure connection between workstation and DC"?
    3. q3. Going on to my environment problem: I fixed one backup server that had lost trust with the command
      netdom resetpwd /s:dc1.domain.com /ud:admin /pd:*
      I can log in to the backup server with a domain account properly. But the backup software still says "a trust relationship was not established between the remote agent and the media server".
      The backup server is the media server, so the remote agent should be the backup target.
      But I ran test-computersecurechannel on both servers (backup and target), and both returned True.
      Do you have any idea how to double-check the trust and fix it?

    Before I used netdom resetpwd to fix the backup server, I also got True when testing with test-computersecurechannel. I mean this trust test tool cannot be trusted.

    Thanks for your time.


  2. Scott Gao 291 Reputation points
    2020-11-27T02:10:11.707+00:00

    Dear Hannah

    It's a Symantec Backup Exec error. I fixed it in Symantec.

    But do you know the answers to q1, q2 and the question about test-computersecurechannel always returning True?
    Thank you.


  3. Hannah Xiong 6,226 Reputation points
    2020-11-27T07:11:42.313+00:00

    Dear @Scott Gao ,

    You are welcome. Thank you so much for your kind reply.

    1, Yes, they are the same.

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc785478(v=ws.11)

    2, Netdom resetpwd is to reset the computer account password for workstation or domain controller.
    Netdom reset is to reset the secure connection between a workstation and a domain controller.

    As per my understanding, they have the same function, which is to resolve the secure channel issue. Netdom resetpwd could be used when it is needed to reset the computer account password for a domain controller.

    Usually we use the command Netdom resetpwd /s:target_server /ud:mydomain\domain_admin /pd:*

    3, Test-ComputerSecureChannel returns $True if the channel is working correctly and $False if it is not. If the output is true, there is no secure channel issue anymore. As mentioned, we have run the command to fix the issue and then we could login by domain account properly.

    I understand that the issue has been solved. If we still have some doubts, we could run the below commands to double check.

    (1) Run this command on the client:
    nltest /sc_verify:domain.com

    [image: 43176-8.png]

    (2) Run this command on the client:
    netdom verify client_name /d:domain.com

    [image: 43192-9.png]

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

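The verification and repair steps from this thread combined into one script, as an added example that is not part of any poster's answer. It assumes an elevated console on the domain-joined client, netdom.exe available there (for example via RSAT), and English-language nltest output; `domain.com`, `dc1.domain.com` and `mydomain\domain_admin` are the thread's sample names, and the function and parameter names are hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated console on the client.
# Default values are the thread's sample names; replace them with your own.
param(
    [string]$Domain = 'domain.com',
    [string]$DomainController = 'dc1.domain.com',
    [string]$AdminUser = 'mydomain\domain_admin',
    [switch]$Repair
)

function Get-SecureChannelStatus {
    param([string]$Domain, [string]$DomainController)

    # Check 1: the cmdlet returns $true/$false; treat a thrown error as a failure.
    try   { $cmdletOk = [bool](Test-ComputerSecureChannel -Server $DomainController -ErrorAction Stop) }
    catch { $cmdletOk = $false }

    # Check 2: nltest prints a status line; matching it assumes English output.
    $nltestOut = & nltest.exe "/sc_verify:$Domain" 2>&1 | Out-String
    $nltestOk  = $nltestOut -match 'Trust Verification Status\s*=\s*0\s+0x0\s+NERR_Success'

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        TestComputerSecureChannel = $cmdletOk
        NltestScVerify            = $nltestOk
        Healthy                   = ($cmdletOk -and $nltestOk)
    }
}

$status = Get-SecureChannelStatus -Domain $Domain -DomainController $DomainController
$status | Format-List

if (-not $status.Healthy -and $Repair) {
    # /pd:* makes netdom prompt for the password, so it never appears in the
    # command line, shell history or process-creation audit logs.
    & netdom.exe resetpwd "/s:$DomainController" "/ud:$AdminUser" '/pd:*'
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }

    # Re-run both checks after the machine account password reset.
    Get-SecureChannelStatus -Domain $Domain -DomainController $DomainController | Format-List
}
elseif (-not $status.Healthy) {
    Write-Warning 'Secure channel check failed. Re-run with -Repair to reset the machine account password.'
}
```

Without `-Repair` the script only reports, so it can be run on both machines involved in a trust complaint before anything is changed.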


  4. Scott Gao 291 Reputation points
    2020-12-01T04:47:25.34+00:00

    Dear Hannah

    Thanks for your great support and time.
    Last question: do you know how to manually break the secure channel so that I can test and learn more?
    Thank you.

    Best Regards.
    Scott Gao
