Have you ever seen a message saying “The trust relationship between this workstation and the primary domain failed’’. Usually happens after a restore operation, after restoring an older VM and the windows VM can’t authenticate with the domain because the trust relationship between workstation and domain fails. The other reason for this could be after you restore from an old backup, which you have done on a physical system. Those backup are done using imaging solutions like Acronis (True image) or Symantec (Norton Ghost). The fault domain value is 30 days. After the period is over, each workstation does a reset of their computer account password in AD.
The fast way to fix this problem is to disjoint the workstation from the domain> reboot > and join the domain back again. Sometimes this may not work and you need to have another way to do this. The next metod may be the best, according to me. You can use a single command to reset the computer account. You have to log into the computer under account which has local admin rights. Here is the command:
netdom resetpwd /Server:DC /UserD:Administrator /
PasswordD:mysuperpassword
Explanations:
- Server:DC is my domain controller
- UserD:Administrator – is the user with domain admin rights
- PasswordD:mysuperpassword – is the administrator’s password
It works for server systems but also for client systems. It does not work for windows xp. It is because the Netdom command does not work because the netdom.exe is not installed. But if you use one, you can copy it from the Windows server CD or iso image.
The Netdom.exe and Nltest.exe tools are located on the Windows Server CD-ROM in the SupportTools folder. To install these tools, run Setup.exe or extract the files from the Support.cab file
You can test if the secured channel has been reestablished. Try on any domain connected workstation or server using this command:
nltest /sc_verify:lab.local
where lab.local is our lab domain.
There is a GPO who manages the default value of computer passwords , so for my lab environments. I disabled the machine password change frequency.
It’s maximum machine password age and its located at:
GPO_nameComputer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
The policy name is:
Domain Member: Disable machine account password change = Disabled
It’s possible to turn it off here.
