Network logon error caused by the secure channel in an NT environment

Source: Internet
Author: User

Fault symptom
There are about 350 computers in our company, five of which are: one PDC, two BDCs, and three other independent servers. The PDC and BDCs all run the English version of NT 4.0; the PDC is on Service Pack 5 and the BDCs are on Service Pack 6a. Several days ago, a Windows 2000 workstation encountered the following strange error when logging on to the domain:

The system cannot log you on to this Domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.

In fact, the network settings of this computer are completely correct. A computer account has been set up for this computer on the PDC, and the user name and password are correct when the user logs on.

After checking the Event Viewer on the PDC and BDCs, I found the following event on a BDC:

Netlogon Event 5722:
The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

At the same time, the event's data word shows "0xC0000022", which indicates that the password is incorrect.
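As an added example (not part of the original article), the following Python code triages event 5722 records like the one above across several domain controllers and lists the members whose machine account was rejected. The pipe-delimited export format, the SAMPLE_EVENTS records and the controller names BDC1 and BDC2 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# NTSTATUS STATUS_ACCESS_DENIED: the value shown in the event data on this page.
ACCESS_DENIED = 0xC0000022

# Message layout of Netlogon event 5722 as quoted above.
MSG_RE = re.compile(
    r"session setup from the computer (?P<computer>\S+) failed to authenticate\. "
    r"The name of the account referenced in the security database is "
    r"(?P<account>\S+?)\. ", re.IGNORECASE)

# Constructed sample records in an assumed export format:
# domain controller|source|event ID|message|data word
SAMPLE_EVENTS = [
    "BDC1|NETLOGON|5722|The session setup from the computer DOMAINMEMBER failed "
    "to authenticate. The name of the account referenced in the security database "
    "is DOMAINMEMBER$. The following error occurred: Access is denied.|0xC0000022",
    "BDC2|NETLOGON|5722|The session setup from the computer domainmember failed "
    "to authenticate. The name of the account referenced in the security database "
    "is DOMAINMEMBER$. The following error occurred: Access is denied.|0xC0000022",
    "BDC1|Srv|2013|The C: disk is at or near capacity.|",
    "BDC2|NETLOGON|5722|truncated record",
]

def parse_record(line):
    """Return the fields of one event 5722 record, or None for anything else."""
    parts = line.split("|", 4)
    if len(parts) != 5 or parts[1].upper() != "NETLOGON" or parts[2] != "5722":
        return None
    match = MSG_RE.search(parts[3])
    if match is None or not re.fullmatch(r"0x[0-9A-Fa-f]+", parts[4]):
        return None
    return {"dc": parts[0], "computer": match["computer"].upper(),
            "account": match["account"].upper(), "status": int(parts[4], 16)}

def broken_channels(lines):
    """Map each member to the domain controllers that rejected its machine account."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        # A machine account is the computer name plus "$"; only that pairing
        # with ACCESS_DENIED matches the fault described in this article.
        if rec["status"] == ACCESS_DENIED and rec["account"] == rec["computer"] + "$":
            hits[rec["computer"]].add(rec["dc"])
    return dict(hits)

if __name__ == "__main__":
    for member, dcs in sorted(broken_channels(SAMPLE_EVENTS).items()):
        print(f"{member}: secure channel rejected by {', '.join(sorted(dcs))}")
```

A member that appears against more than one controller points at the member's own secure channel rather than at a single controller.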

Solution Process

First, I deleted this computer's account on the PDC and re-created it, but the fault persisted when I logged on again.

After checking some references, I learned that the above symptoms occur under the following conditions:

1. The domain member's name has recently changed.
2. An Emergency Repair Disk was used, but the repair disk contains old information.
3. The computer account of the domain member was deleted.

At this point, I recalled that I had restarted all the servers because of an equipment adjustment in the data room. So I first wondered whether there was a problem with the synchronization of the PDC and BDCs after the servers were restarted, and I immediately synchronized the PDC and BDCs, but it didn't work.

Next, I used the Netdom tool provided by the NT Resource Kit to reset the secure channel of the above BDC in the NT domain:

C:\WINNT> Netdom BDC \\BDCMember /Reset

After the command is executed, the following output is displayed:

NetDom 1.2 @ 1997
Querying domain information on computer \\MYBDC...
The computer \\MYBDC is a domain controller of THEDOMAIN.
Searching PDC for domain THEDOMAIN...
Found PDC \\THEPDC
Verifying secure channel on \\MYBDC...
Verifying the computer account on the PDC \\THEPDC...
Secure channel checked successfully.

The preceding output indicates that the BDC's secure channel has been successfully established and reset. I then logged on from the workstation again, but the fault persisted.

From other references, we know that every member of the domain has its own discrete communication channel to a domain controller, known as the secure channel; domain members use this secure channel to communicate with the domain controller at logon. Domain controllers also establish secure channels with one another, and use them to exchange trust-relationship traffic and legitimate requests from users in different domains. Therefore, the problem should lie in the secure channel between the workstation that cannot log on and the domain controller.

Therefore, we decided to re-add the workstation to the domain in order to re-establish the secure channel, using the following command:

C:\WINNT> Netdom /DOMAIN:DomainName MEMBER \\Domainmember /JoinDomain

The following result is displayed:

Searching PDC for domain DOMAIN...
Found PDC \\DOMAINPDC
Querying domain information on PDC \\DOMAINPDC...
Querying domain information on computer \\DOMAINMEMBER...
The RPC Server is unavailable.

If the RPC server is reported as unavailable and the permissions are incorrect, administrator privileges on Domainmember (the failing workstation) must be obtained first. Run the following command:

C:\WINNT> net use \\DOMAINMEMBER\IPC$ /USER:DOMAINMEMBER\ADMINISTRATOR password

Once the password is confirmed, the session has the equivalent of local administrator permission on the workstation. Re-run the above command to add the workstation to the domain. The following output is displayed:

Searching PDC for domain DOMAIN...
Found PDC \\DOMAINPDC
Querying domain information on PDC \\DOMAINPDC...
Querying domain information on computer \\DOMAINMEMBER...
Computer \\DOMAINMEMBER is already a member of domain DOMAIN.
Verifying secure channel on \\DOMAINMEMBER...
Verifying the computer account on the PDC \\DOMAINPDC...
Resetting secure channel...
Changing computer account on PDC \\DOMAINPDC...
Stopping service NETLOGON \\DOMAINMEMBER .... Stopped.
Starting service NETLOGON \\DOMAINMEMBER .... Started.
Querying user groups of \\DOMAINMEMBER...
Adding DOMAIN domain groups on \\DOMAINMEMBER...
The computer \\DOMAINMEMBER joined the domain DOMAIN successfully.
Logoff/Logon \\DOMAINMEMBER to take modifications into effect.

In Server Manager, the properties of DOMAINMEMBER (the failing workstation) can now be seen, and the workstation logs on to the domain successfully again.

Other references describe further solutions, such as:
1. Use nltest.exe from the NT Resource Kit;
2. Use the MMC (for Windows 2000 domain servers with Active Directory);
3. Use a VB script.

