A secure communication channel can be established between a recovery console and a recovery agent during an Active Directory disaster recovery. This secure channel can be established without employing the Kerberos or NT LAN Manager (NTLM) authentication protocols. Therefore, the recovery console and recovery agent will be able to establish a secure channel even when the domain controller is in Directory Services Restore Mode (DSRM) and NTLM is disabled. A secure channel can be established between the recovery console and the recovery agent based on the Microsoft Secure Channel (Schanel) Security Support Provider (SSP). The Schannel implementation can be modified in a manner that allows the client to be authenticated within the Schannel architecture.