When a computer joins a domain, a computer account is created in AD. The computer account gets its own password that will expire after 30 days (default). When the password expire, the computer itself will initiate a password change with a DC in its domain.
When the computer starts up, it uses this password to create a secure channel (SC) with a DC. The computer will request to sign all traffic that passes the SC. If a DC says “go ahead”, all traffic that is signed passes through this channel.
Traffic like NTLM pass through authentication is typically signed traffic.
So what will happen if there is a mismatch between the computer account password? The computer tries to authenticate, but the DC says this is not the correct password.
The SC is down.
Tools like “netdom” could be used to reset the password, but this only worked to reset the SC between two DCs. It was not possible to reset the SC on a domain member. The computer had to rejoin the domain.
netdom resetpwd /server:<Name of a DC> /userd:domain\administrator /passwordd:admin_password
Netdom was written back in the NT4 days, and a new tool has taken over. Not just taken over for Netdom, but also for tools like Nltest. Windows PowerShell.
To reset the SC between a computer and a DC:
Open PowerShell on the computer and run the *cmdlet:
*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.
In Win8 there are thousands of new cmdlets, so if you have not began to look at PS. Now is a good time.
PowerShell 2.0 for XP, 2003, Vista, 2008: http://support.microsoft.com/kb/968929
Test-ComputerSecureChannel cmdlet: http://technet.microsoft.com/en-us/library/dd367893.aspx