NETDOM Reports Access Denied with Windows NT 4.0 SP4

Windows NT Netlogon services uses a secret LSA account and password to
communicate with Windows NT domain controllers using secure channels. For each
member in the domain, there is a secure communication channel with a domain
controller which I think of as a special form of VPN. The secure channel is used
by the Netlogon service on the member and on the domain controller to
communicate. The password of the secure channel is stored on the member itself
under an LSA secret entry and on the PDC in the SAM.

If a secure channel gets out of synch, NETDOM (
netdom.exe ) can reset it automatically. Prior to Windows NT SP4, to check a
secure channel remotely, NETDOM established a connection
with the PDC using the computer account and the password found in the LSA secret
$MACHINE.ACC. With SP 4, LSA secret values are no
longer returned to clients over the network and it prevented NETDOM from working.

Microsoft has released a new version that is compatible with Windows NT SP4
and later. Secure channels are no longer checked by comparing passwords on both
sides of the secure channel. The new release of NETDOM
relies on the NETLOGON service to query secure channels status.

When the secure channel fails, you will only be able to logon using local
accounts since the NETLOGON service has stopped itself. The NETDOM utility which shipped with Windows NT Resource Kit is
version 1.7 and will fix the secure channel failure. When run against a Windows
NT SP4 or later, you get the error message:

Access Denied

The newer Windows NT Resource Kit supplements should have the fixed version
of NETDOM. My tip Resource Kit Support Tools Updates has links
to the updated supplement and to the download site where you can get updated
executables. Click to download the new netdom.exe .

The new NETDOM adds the ability to force partial synchronization from a BDC
to a PDC:


a ability to force full synchronization from a BDC to a PDC


For related information:

Resource Kit Support Tools Updates

How to
Join a Domain From the Command Line

Domain Member Secure Channel

Service Fails when Secure Channel Not Functioning

How to
Build and Reset a Trust Relationship from a Command Line

Leave a Comment

Your email address will not be published.

Scroll to Top