Friday, November 29, 2013

Resetting a computer account when the trust with the domain is lost

If the trust with the domain is lost, do not remove a computer from the domain and rejoin it. Instead, reset the secure channel. Removing and rejoining is not a good practice because it has the potential to delete the computer account altogether, which loses the computer’s SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.

Four ways to reset a computer account:

1. Active Directory Users And Computers snap-in
2. dsmod computer "Computer DN" -reset

Methods #1 and #2 reset only the account in the directory, so the computer must then be rejoined to the domain and restarted.

3. netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}
4. nltest /Server:ServerName /SC_Reset:DOMAIN\DomainController

Methods #3 and #4 are recommended because they reset the secure channel by resetting the machine password on both the computer and the domain controller, so neither rejoining nor restarting is required.
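As an added example (not part of the original post), the same in-place repair done from Windows PowerShell: check the secure channel first, reset the machine password on both sides only when it is broken, and verify without a restart. CONTOSO and DC01 are placeholders; run it in an elevated session on the affected member.

```powershell
# Added example, not from the original post. Checks the secure channel with the
# domain and repairs it in place, which keeps the existing computer object, its
# SID and its group memberships. Placeholders: CONTOSO (NetBIOS domain), DC01 (a DC).
param(
    [string]$Domain = 'CONTOSO',
    [string]$Server = 'DC01',
    [pscredential]$Credential = (Get-Credential -Message "Domain account allowed to reset this computer's password")
)

# $true when the machine password held locally still matches the one stored on
# the computer account in AD; $false when the trust relationship is lost.
$healthy = Test-ComputerSecureChannel -Server $Server
if ($healthy) {
    Write-Output "Secure channel with $Server is intact; nothing to reset."
    return
}

Write-Warning 'Trust relationship lost. Resetting the machine password in place (no unjoin/rejoin).'

# -Repair does what netdom reset and nltest /SC_Reset do: it negotiates a new
# machine password with the DC and writes it on both the local computer and the
# existing AD computer object, so no new account (and no new SID) is created.
$repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential

if (-not $repaired) {
    # Fall back to the nltest route from the post, against the same DC.
    nltest /SC_Reset:$Domain\$Server | Write-Output
}

# Re-verify the channel; a restart is not needed after either method.
nltest /SC_Query:$Domain | Write-Output
```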
