Recently I had to restore a number of virtual machine servers from a previous snapshot. Unfortunately the domain controller snapshot was taken at a different time to the other machines.
All seemed well as I logged on to each machine remotely with the domain administrator account. That was until one of them returned with the following error:
An authentication error has occurred.
The Local Security Authority cannot be contacted.
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.
The error suggests that the password could have expired on the account. From Googling around it is apparently possible to log in with the local administrator account and reset the password. In my case I couldn’t log in to the local account remotely and still got the same error above.
It was possible however to log in from the VMWare console and get access to the box. I was a bit reluctant to reset the domain administrator password considering I could log on to the other boxes. When logging on locally with the domain administrator account I got this error:
The trust relationship between this workstation and the primary domain failed.
So what causes this problem? Well every 30 days the machine’s private secret which is shared with the domain controller changes. Unfortunately for me that private secret changed between the dates the snapshots were taken on the two machines.
The fix from Microsoft for this is to remove the computer from the domain controller and rejoin it but this isn’t always possible and is a bit heavy handed.
To fix this you need to log on locally as the local administrator and run the following in PowerShell.
$credential = Get-Credential
You will be prompted for account credentials at this point. You should use the domain administrator account for this. Then run the following:
Reset-ComputerMachinePassword -Credential $credential -Server dc.dev.local
The server should be the host name of the domain controller.
If this errors it might be because you are using PowerShell 2 instead of 3 which doesn’t support the credential parameter. In this case just run this and you should be prompted for credentials.
Reset-ComputerMachinePassword -Server dc.dev.local
You should now be able to logon as the domain administrator again.
I haven’t tried it myself but others have also had success with the following command:
Test-ComputerSecureChannel -Repair -Credential $credential
If this gets you out of a tight spot please leave a comment below.