Friday, November 20, 2015

Active Directory Domains and Trusts Snap-in May Display Secure Channel Error Message

Trust relationships between Windows domains operate over a secure channel (SC). The Active Directory Domains and Trusts snap-in (Domain.msc) and the Nltest.exe command-line utility both issue Query and Reset commands to validate or reset the integrity of trust relationships.

An SC query operation in the Active Directory Domains and Trusts snap-in or Nltest.exe does not initialize the SC. The query merely determines whether or not the SC is set up. An SC initializes on the first attempt to use it, or when Domain.msc or Nltest.exe issues the Reset command.

If you use the Verify command in the Active Directory Domains and Trusts snap-in while the SC is not yet initialized, the following error message may appear:
The Secure Channel (SC) query on domain controller <Domain Controller Name> of domain <Domain Name> to domain <Domain Name> failed. An SC reset is attempted.
This error occurs (by default) if you have just restarted the computer. It also occurs if you create a trust and do not initialize an SC.

If the trust is valid, the SC initializes after the Reset command, and verification of the trust is correctly reported as healthy.
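
The query-then-reset sequence described above, written as a trust health check that does not report a failure merely because the SC has not been initialized yet. This is an added example, not part of the original article. The function names are hypothetical, and the `Status = <code> 0x<hex> <name>` line parsed from Nltest.exe output is an assumption about its text format.

```powershell
# Added example. Run in an elevated session on a domain controller of the
# trusting domain (a reset requires administrative rights).

function Get-ScStatus {
    # Extract the first status triple from nltest output, for example
    # "Trusted DC Connection Status Status = 0 0x0 NERR_Success" (assumed format).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)') {
            return [pscustomobject]@{ Code = [int]$Matches[1]; Name = $Matches[2] }
        }
    }
    return $null   # no status line found
}

function Test-TrustSecureChannel {
    param([Parameter(Mandatory)][string]$TrustedDomain)

    # Step 1: Query. This only reports whether the SC is set up; it does not
    # initialize it, so a non-zero status here is not yet proof of a broken trust.
    $out   = & nltest.exe "/sc_query:$TrustedDomain" 2>&1 | ForEach-Object { "$_" }
    $query = Get-ScStatus $out
    if ($query -and $query.Code -eq 0) {
        return [pscustomobject]@{
            Domain = $TrustedDomain; Healthy = $true
            Detail = 'Query succeeded; SC already initialized'
        }
    }

    # Step 2: Reset. This initializes the SC if the trust is valid.
    $out   = & nltest.exe "/sc_reset:$TrustedDomain" 2>&1 | ForEach-Object { "$_" }
    $reset = Get-ScStatus $out
    if ($reset -and $reset.Code -eq 0) {
        return [pscustomobject]@{
            Domain = $TrustedDomain; Healthy = $true
            Detail = "Query returned $($query.Name); SC initialized by reset"
        }
    }

    # Both the query and the reset failed: this is the case worth alerting on.
    [pscustomobject]@{
        Domain = $TrustedDomain; Healthy = $false
        Detail = "Reset failed: $($reset.Name)"
    }
}

# Usage (constructed domain name): Test-TrustSecureChannel -TrustedDomain 'partner.example'
```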

