When a PC joins a Windows NT domain, a password is created for the PC to
authenicate itself to the domain. The password and communication is called a
secure channel. This password is changed every 7 days
for NT and every 30 days for NT2000. We have had occasional problems with
Windows NT member servers losing their secure channel. The PDC will disable the
secure channel if the PC misses the change period twice.
When a trust is set up between Windows NT domains, a trust
password is setup with the Trusting domain using a password and the
Trusted domain has the trust password in its SAM. Both trust passwords and
secure channel passwords can and do get out of synch. When this happens for
trusts, the ability to authenication trusted users fails. When this happens to
member servers, the domain netlogon service gets disabled and one can only login
with a local account and access to resources fail due to failed authenication
channel. These secret password problems can be resolved by Netdom .
If these problems become frequent due to network instabilities, you can make
the passwords static, that is disable the periodic changes. To disable password
changes apply to domain controller ( trusted ):
You can also extend the number of days between changes by
applying to domain controllers and workstations (sounds like a LOT of work):
up to 1,000,000
IF you do a search on Microsoft, there are many articles on secure channels
and trust passwords.