How to Reset Active Directory Secure Channel If Broken

Solution 1:

I've had some instances where a machine will decide to use an off-site domain controller (elsewhere on our WAN) as its logon server and map off-site network drives instead of local ones; that can be resolved by resetting the secure channel directly:

nltest /sc_reset:<domain>\<domain controller>

Solution 2:

nltest.exe can be used to check the channel and attempt to reset it.

nltest.exe /sc_verify:<fully.qualified.domain.name.here>

If that does not do it, you can restart the netlogon service (I mainly use PowerShell, so I'll give an example of that).

Get-Service Netlogon | Restart-Service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

I ran the nltest command after restarting the service to validate that the secure channel was back in operation.

If you've made some network changes (IP addresses, changing hardware, virtualizing, etc.) you might want to flush your DNS cache and clear your ARP table before running the above commands.

ipconfig /flushdns
arp -d *
Get-Service Netlogon | Restart-Service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>
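The two answers above are steps of one procedure (reset the channel onto a chosen DC, verify, bounce Netlogon, verify again). The script below is an added example that strings them together; it is not code from either answer. The domain `corp.example.com`, the DC name `DC01`, and the `Invoke-Nltest` / `Get-SecureChannelDc` helper names are assumptions for illustration. Run it from an elevated PowerShell session on the affected member machine, since both `nltest /sc_reset` and `Test-ComputerSecureChannel -Repair` need local admin rights.

```powershell
# Added example, not from the original answers. Replace the placeholder
# domain and DC names with your own and run from an elevated prompt.
[CmdletBinding()]
param(
    [string]$Domain           = 'corp.example.com',   # assumption: your AD domain FQDN
    [string]$DomainController = 'DC01',               # assumption: the local DC you want
    [switch]$FlushNetworkCaches                       # use after IP/hardware/virtualization changes
)

function Invoke-Nltest {
    # Runs nltest.exe with one argument and returns its exit status plus text output.
    param([string]$Argument)
    $out = & nltest.exe $Argument 2>&1
    [pscustomobject]@{
        Ok     = ($LASTEXITCODE -eq 0)
        Output = (($out | ForEach-Object { "$_" }) -join "`n")
    }
}

function Get-SecureChannelDc {
    # Which DC currently holds this machine's secure channel. $env:LOGONSERVER only
    # tells you who authenticated your interactive session, which can differ.
    param([string]$Domain)
    $q = Invoke-Nltest "/sc_query:$Domain"
    if ($q.Output -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    return $null
}

function Test-SecureChannel {
    param([string]$Domain)
    (Invoke-Nltest "/sc_verify:$Domain").Ok
}

if ($FlushNetworkCaches) {
    # Stale DNS/ARP entries can make the machine keep finding the old (remote) DC.
    ipconfig /flushdns | Out-Null
    arp -d * 2>$null
}

Write-Host "Secure channel currently on: $(Get-SecureChannelDc $Domain)"

# Step 1 (Solution 1): point the secure channel at the DC we want.
$reset = Invoke-Nltest "/sc_reset:${Domain}\${DomainController}"
if (-not $reset.Ok) { Write-Warning "sc_reset failed:`n$($reset.Output)" }

# Step 2 (Solution 2): verify; if still broken, restart Netlogon and verify again.
if (-not (Test-SecureChannel $Domain)) {
    Write-Host 'sc_verify failed; restarting Netlogon'
    Get-Service Netlogon | Restart-Service
    Start-Sleep -Seconds 5
}

# Step 3, last resort: -Repair resets the computer account password in AD as well
# as the channel, so it is a bigger hammer than sc_reset. Use it only when verify
# still fails (typically a password mismatch, e.g. a VM restored from an old
# snapshot). Pass -Credential if your current account cannot reset the
# computer object's password.
if (-not (Test-SecureChannel $Domain)) {
    Write-Host 'Still broken; running Test-ComputerSecureChannel -Repair'
    Test-ComputerSecureChannel -Repair -Server $DomainController | Out-Null
}

$ok = Test-SecureChannel $Domain
$dc = Get-SecureChannelDc $Domain
Write-Host ("Result: verify={0} dc={1}" -f $ok, $dc)
if (-not $ok) { exit 1 }
```

The script escalates deliberately: `/sc_reset` only re-establishes the existing channel against a named DC and is safe to run at any time, whereas `Test-ComputerSecureChannel -Repair` changes the machine account password, so it is held back until the cheaper fixes have failed. Checking `/sc_query` before and after shows whether the channel actually moved to the intended DC rather than just verifying somewhere.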