Trust Relationship between Workstation and Domain Fails – fix without double reboot

July 11, 2013

Table of Contents

Trust Relationship

Have you ever seen a message saying “The trust relationship between this workstation and the primary domain failed’’. Usually happens after a restore operation, after restoring an older VM and the windows VM can’t authenticate with the domain because the trust relationship between workstation and domain fails. The other reason for this could be after you restore from an old backup, which you have done on a physical system. Those backup are done using imaging solutions like Acronis (True image) or Symantec (Norton Ghost). The fault domain value is 30 days. After the period is over, each workstation does a reset of their computer account password in AD.

The fast way to fix this problem is to disjoint the workstation from the domain> reboot > and join the domain back again. Sometimes this may not work and you need to have another way to do this. The next metod may be  the best, according to me. You can use a single command to reset the computer account. You have to log into the computer under account which has local admin rights. Here is the command:

 

netdom resetpwd /Server:DC /UserD:Administrator /

PasswordD:mysuperpassword

Explanations:

  • Server:DC is my domain controller
  • UserD:Administrator – is the user with domain admin rights
  • PasswordD:mysuperpassword – is the administrator’s password

It works for server systems but also for client systems. It does not work for windows xp. It is because the Netdom command does not work because the netdom.exe is not installed. But if you use one, you can copy it from the Windows server CD or iso image.

The Netdom.exe and Nltest.exe tools are located on the Windows Server CD-ROM in the SupportTools folder. To install these tools, run Setup.exe or extract the files from the Support.cab file

You can test if the secured channel has been reestablished. Try on any domain connected workstation or server using this command:

nltest /sc_verify:lab.local

where lab.local is our lab domain.

There is a GPO who manages the default value of computer passwords , so for my lab environments. I disabled the machine password change frequency.

It’s maximum machine password age and its located at:

GPO_nameComputer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options

 The policy name is:

Domain Member: Disable machine account password change = Disabled

It’s possible to turn it off here.

Home

Share on
Facebook
Twitter
LinkedIn
Pinterest
More posts

Dedicated Servers Quick Guide

What is a Dedicated Servers? Why bother using a dedicated server over a VPS or Shared Hosting?A dedicated server is a server 100% dedicated to your website/project or business needs.

vSphere 5.1 New Storage Features

VMFS File Sharing Limits In previous versions of vSphere, the maximum number of hosts which could share a read-only file on a VMFS volume was 8. The primary use case

Windows Update Cleanup Plugin

Here is some good news for windows 7 SP1 users and maybe for VDI admins running windows 7 desktops in their VDI environments. Windows update cleanup plugin allows to uninstall

Live Help

Get 90% Discount

First 3 People gets the Bonus!
Don't Miss Out Our Big Sale

Get 0-90% On All
247Rack Services

247Rack

The Sale Is Until The End Of March