Trust Relationship between Workstation and Domain Fails – fix without double reboot

July 11, 2013

Table of Contents

Trust Relationship

Have you ever seen a message saying “The trust relationship between this workstation and the primary domain failed’’. Usually happens after a restore operation, after restoring an older VM and the windows VM can’t authenticate with the domain because the trust relationship between workstation and domain fails. The other reason for this could be after you restore from an old backup, which you have done on a physical system. Those backup are done using imaging solutions like Acronis (True image) or Symantec (Norton Ghost). The fault domain value is 30 days. After the period is over, each workstation does a reset of their computer account password in AD.

The fast way to fix this problem is to disjoint the workstation from the domain> reboot > and join the domain back again. Sometimes this may not work and you need to have another way to do this. The next metod may be  the best, according to me. You can use a single command to reset the computer account. You have to log into the computer under account which has local admin rights. Here is the command:

 

netdom resetpwd /Server:DC /UserD:Administrator /

PasswordD:mysuperpassword

Explanations:

  • Server:DC is my domain controller
  • UserD:Administrator – is the user with domain admin rights
  • PasswordD:mysuperpassword – is the administrator’s password

It works for server systems but also for client systems. It does not work for windows xp. It is because the Netdom command does not work because the netdom.exe is not installed. But if you use one, you can copy it from the Windows server CD or iso image.

The Netdom.exe and Nltest.exe tools are located on the Windows Server CD-ROM in the SupportTools folder. To install these tools, run Setup.exe or extract the files from the Support.cab file

You can test if the secured channel has been reestablished. Try on any domain connected workstation or server using this command:

nltest /sc_verify:lab.local

where lab.local is our lab domain.

There is a GPO who manages the default value of computer passwords , so for my lab environments. I disabled the machine password change frequency.

It’s maximum machine password age and its located at:

GPO_nameComputer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options

 The policy name is:

Domain Member: Disable machine account password change = Disabled

It’s possible to turn it off here.

Home

Share on
Facebook
Twitter
LinkedIn
Pinterest
More posts

Dedicated Servers Quick Guide

What is a Dedicated Servers? Why bother using a dedicated server over a VPS or Shared Hosting?A dedicated server is a server 100% dedicated to your website/project or business needs.

Emailing vCloud Organization Users

Due to a lot of requests I found necessary to show you guys who might be having a problem using the “notify users” function in the vCloud Director web UI

Veeam Launches Backup & Replication v7

When it comes to data protection, data replication and data recovery, these are very challenging tasks. Consolidation through virtualization has forced customers to retool automated protection and recovery methodologies in

Easy File & Code Manager

Easy File Manager FileZilla Best Server Manager Tools Download FileZilla Client You can use FileZilla to manage websites and servers and edit code in real-time or for simple backup methods

vSphere 5.1 New Storage Features

VMFS File Sharing Limits In previous versions of vSphere, the maximum number of hosts which could share a read-only file on a VMFS volume was 8. The primary use case

Get 90% Discount

First 3 People gets the Bonus!
Don't Miss Out Our Big Sale

Get 0-90% On All
247Rack Services

247Rack

The Sale Is Until The End Of March