Fixing “Windows cannot connect to the domain” Errors

Sometimes, after extended periods of time when a computer which is a member of an Active Directory domain was taken offline and then brought online, or when some sort of cloning or imaging method or even a virtualization software snapshot mechanism was used on a domain member, you may get an error similar to this:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

secure channel error 1
No matter what you do, you will not be able to log on to the computer by using a domain account. The only possible solution for logging on could be to use a local user account.

Note: In most cases, unless this has been specifically disabled by the administrator, you may be able to log on using a domain user account if you disconnect the network cable from the computer. This will only work if you’re using a user account that has successfully logged on to that computer in the past, and again, unless it has been specifically disabled by the administrator.
Note: If you’ve used a cloning software and cloned a computer that was a member of a domain you should know 2 things:

  1. Never clone a domain member. You now know why.
  2. Never clone a Windows-based computer that is supposed to operate in an Active Directory domain and/or on any type of network, without properly using SYSPREP on the computer PRIOR to cloning it.

After logging on you may see some or all of the following events in the Event Viewer.

NETLOGON 3210
This computer could not authenticate with \\WIN2003-SRV1.petrilabs.local, a Windows domain controller for domain PETRILABS, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

secure channel error 2

LSASRV 40961
The Security System could not establish a secured connection with the server cifs/WIN2003-SRV1.petrilabs.local.  No authentication protocol was available.

secure channel error 3

W32Time 18
The time provider NtpClient failed to establish a trust relationship between this computer and the petrilabs.local domain in order to securely synchronize time. NtpClient will try again in 15 minutes. The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)

secure channel error 4
And possibly others.
So why does this error happen?
The short story is that somehow there is a computer account password mismatch. The Windows-based domain member thinks that its machine account password is something X, while the domain controller believes it to be something Y. Because of this, the computer cannot authenticate itself to the domain controller(s), and thus you get this error. Read my Working with Domain Member Virtual Machines and Snapshots article for one possible reason for this to happen.
How do I fix this error?
Well, there are basically 2 methods of fixing it.
Method #1 – Using the GUI
This method may be the easiest one to perform, and it requires a double reboot of the client computer.
Note that the following screenshots are taken on a Windows XP Pro machine, but other Microsoft-based operating systems are pretty much similar.
1. Right-click My Computer (or simply Computer in the Start menu, depending on your version of OS), select Properties.
re join domain 1
2. In the Computer Name tab, click on the Change button. Then change the Member of option from the AD domain to a Workgroup.
re join domain 2
3. Enter a workgroup name. Any name. Press Ok.
re join domain 3
4. You’ll be prompted to enter the credentials of a user with administrative rights.
re join domain 4
5. You’ll get a confirmation message.
re join domain 5
6. You’ll need to reboot the computer.
re join domain 6
After rebooting, you need to login locally to the computer, and join it to the domain. Basically, same procedure as above, but if you feel you don’t remember the exact steps please read my Joining a Domain in Windows XP Pro and/or Joining a Domain in Windows 7 articles.
re join domain 7
Method #2 – Using the Command Line
You can use the netdom.exe tool from support tools.
Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
Note: In Windows Server 2008/Windows 7, netdom is already available on the system, no need to download anything.


Open a Command Prompt window and type:

netdom.exe remove winxp-cl1 /Domain:petrilabs.local /userd:petrilabs\administrator /passwordd:***************

At this moment, the computer account will show with a red X in Active Directory Users and Computers.
re join domain 8
BTW, it seems that using netdom.exe will save you one reboot…
Next type:

netdom.exe join winxp-cl1 /Domain:petrilabs.local /userd:petrilabs\administrator /passwordd:***************

re join domain 9
Reboot the computer.
Now all will work well.