How to Reset a Computer Account Without Rebooting or Rejoining It to the Domain

Posted in Tips & Tricks, Windows, Windows Server, on January 18, 2017

When the secure channel fails, you must reset it. Many administrators do so by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice because it has the potential to delete the computer account altogether, which loses the computer’s SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.

Note: Do not remove a computer from the domain and rejoin it
If the trust with the domain is lost, do not remove a computer from the domain and rejoin it. Instead, reset the secure channel.

To reset the secure channel between a domain member and the domain, use the Active Directory Users And Computers snap-in, Dsmod.exe, Netdom.exe, or Nltest.exe. If you reset the account, the computer’s SID remains the same and it maintains its group memberships.

To reset the secure channel using the Active Directory Users And Computers snap-in:

1.     Right-click a computer, and then click Reset Account.
2.     Click Yes to confirm your choice.
3.     Re-join the computer to the domain, and then restart the computer.

To reset the secure channel using DSMod:

1.     Type the following command:
dsmod computer "Computer DN" -reset
2.     Re-join the computer to the domain, and then restart the computer.

To reset the secure channel using NetDom, type the following command:

netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password | *}

where the account with the credentials provided as UserName and Password is a member of the local Administrators group of the computer.

This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or restarting.

To reset the secure channel using NLTest, on the computer that has lost its trust, type the command:

nltest /Server:ServerName /SC_Reset:DOMAIN\DomainController
For example:
nltest /server:SERVER02 /sc_reset:CONTOSO\SERVER01

This command, like NetDom, attempts to reset the secure channel by resetting the password on both the computer and in the domain, so it does not require rejoining or rebooting. Because NLTest and NetDom reset the secure channel without requiring a reboot, you should try those commands first. Only if those are not successful should you use the Reset Account command or DSMod to reset the computer account.
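
The order recommended above (NLTest first, then NetDom, and the account reset only as a last resort) can be scripted. The following is an added example, not part of the original post; the domain, domain controller and account names are placeholders, and it assumes an elevated PowerShell session on the affected computer with nltest.exe and netdom.exe available.

```powershell
# Added example. Domain, DC and account names are placeholders; replace them before use.
param(
    [string]$Domain    = 'CONTOSO',            # NetBIOS domain name
    [string]$DC        = 'SERVER01',           # domain controller to reset against
    [string]$AdminUser = 'CONTOSO\AdminUser'   # assumed account; must be a local Administrator
)

$Computer = $env:COMPUTERNAME

function Test-SecureChannel {
    # nltest /sc_verify prints "Trust Verification Status = 0 0x0 NERR_Success" when the channel is healthy.
    $out = (& nltest.exe "/server:$Computer" "/sc_verify:$Domain" 2>&1) | Out-String
    return [bool]($out -match 'Trust Verification Status\s*=\s*0\s')
}

function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    Write-Host "Trying: $Name"
    & $Action | Out-Host            # show tool output without polluting the return value
    if (Test-SecureChannel) {
        Write-Host "Secure channel verified after: $Name"
        return $true
    }
    Write-Warning "$Name did not restore the secure channel."
    return $false
}

if (Test-SecureChannel) {
    Write-Host "Secure channel to $Domain is healthy; nothing to reset."
    return
}

# 1) NLTest: resets the channel in place, no rejoin or reboot.
$fixed = Invoke-Step 'nltest /sc_reset' { nltest.exe "/server:$Computer" "/sc_reset:$Domain\$DC" }

# 2) NetDom: '/PasswordO:*' prompts for the password so it never appears on the command line.
if (-not $fixed) {
    $fixed = Invoke-Step 'netdom reset' {
        netdom.exe reset $Computer "/domain:$Domain" "/UserO:$AdminUser" '/PasswordO:*'
    }
}

# 3) Last resort is manual: Reset Account or DSMod, which requires a rejoin and restart.
if (-not $fixed) {
    Write-Warning 'Both in-place resets failed. Use Reset Account or DSMod, then rejoin and restart.'
    exit 1
}
```

Verifying the channel after each step, rather than trusting the tool's own success message, confirms that the computer can actually authenticate to the domain before you stop.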