
Computer Account Secure Channel

Joe Workman edited this page Sep 16, 2021 · 13 revisions

When a computer is bound to AD, it forms a Secure Channel between the system and the domain controller. Once this channel has been established, it renews automatically. By default, this Secure Channel is renegotiated every 30 days and is renewed before the expiration date. AD systems with a Secure Channel to the domain controller can securely execute Active Directory tasks, jobs and queries. If the Secure Channel is not renewed, the relationship between the system and the domain controller may be left in a broken state.

The current state of the secure channel is shown in the GUI tool under 'System Information > Domain Name'.

If the Secure Channel of a system is broken, accounts will be listed as security identifiers (SIDs) instead of account names, because the system can no longer resolve domain SIDs against the domain controller. The ADMU does not require a repaired Secure Channel, as it does not rely on AD.

[Image: gui_secure_channel]

If the system's Secure Channel is in a broken state, it can likely be restored. In order to restore the Secure Channel, the system must be able to connect to the domain controller.

A PowerShell command can be run on the target system to repair the Secure Channel:

Option 1:

```powershell
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

The command should return True if successful.

If the following PowerShell command is run:

```powershell
Test-ComputerSecureChannel -Verbose
```

The command should return "The Secure Channel between the local computer and the domain is in good condition."

Option 2:

```powershell
# <DomainControllerName> is a placeholder: supply a reachable domain controller
Reset-ComputerMachinePassword -Server <DomainControllerName> -Credential (Get-Credential)
```
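The two options above can be combined into a single check-repair-verify script. The following is an added example and is not code from the ADMU project or this wiki page; it assumes an elevated PowerShell session on the domain-joined system, and `$DomainController` is a placeholder you must replace with a reachable domain controller. The `Test-DomainNameResolution` helper is an assumed illustration of the SID-instead-of-name symptom described above: it asks the domain to translate a well-known group name, which fails when the Secure Channel is broken.

```powershell
# Added example, not part of the ADMU wiki page.
# Checks the computer account's Secure Channel, repairs it when broken
# (Option 1), falls back to resetting the machine password (Option 2),
# and re-verifies the result.
param(
    # Assumption: replace with a domain controller the system can reach.
    [string]$DomainController = "<DomainControllerName>"
)

function Test-DomainNameResolution {
    # Symptom check (illustrative): with a broken Secure Channel, domain
    # account lookups fail and accounts appear as raw SIDs. Translating a
    # well-known domain group name to a SID exercises that lookup path.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    try {
        $acct = New-Object System.Security.Principal.NTAccount("$domain\Domain Users")
        [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Repair-DomainSecureChannel {
    param(
        [pscredential]$Credential,
        [string]$Server
    )

    # Step 1: inspect the current state without changing anything.
    # Test-ComputerSecureChannel returns $true/$false; -Verbose prints the
    # "good condition" message quoted on this page.
    if (Test-ComputerSecureChannel -Verbose) {
        Write-Host "Secure Channel is healthy; nothing to do."
        return $true
    }

    # Step 2 (Option 1): in-place repair using domain credentials.
    Write-Warning "Secure Channel is broken; attempting repair."
    try {
        if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
            Write-Host "Repair succeeded."
            return (Test-ComputerSecureChannel -Verbose)
        }
    } catch {
        # The repair needs a reachable DC; fall through to Option 2.
        Write-Warning "Repair attempt failed: $($_.Exception.Message)"
    }

    # Step 3 (Option 2): reset the computer account password against a DC.
    Write-Warning "Resetting the machine account password via $Server."
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    return (Test-ComputerSecureChannel -Verbose)
}

$cred = Get-Credential -Message "Domain account allowed to reset this computer object"
$healthy = Repair-DomainSecureChannel -Credential $cred -Server $DomainController

if ($healthy) {
    $namesResolve = Test-DomainNameResolution
    Write-Host "Secure Channel verified. Domain name resolution working: $namesResolve"
} else {
    Write-Error "Secure Channel still broken; confirm the DC is reachable and the account has rights to the computer object."
}
```

Run it as `.\Repair-SecureChannel.ps1 -DomainController dc01.example.local` (file name and DC name are illustrative). The script only resets the machine password after the cheaper in-place repair has been tried, which keeps the change to the computer object to the minimum needed.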

Additional information about Secure Channel can be found on Microsoft's TechNet site.