Sunday, June 21, 2015

The Trust Relationship between this workstation and the primary domain failed...here is the fix

Today, after reverting a virtual machine to a previously taken snapshot, I tried to log in to the VM and ended up with this domain/workstation trust relationship error.
This usually happens after restore operations: you revert to a snapshot or restore a VM from an old backup, and the Windows VM can't authenticate with the domain because the trust relationship between the workstation and the domain has failed.
The problem is caused by a "password mismatch." Passwords are typically thought of as something that is assigned to a user account. However, in Active Directory environments each computer account also has an internal password. If the copy of the computer account password that is stored locally on the machine gets out of sync with the copy that is stored on the domain controller, the trust relationship is broken as a result.

The default domain value is 30 days; after that, each workstation resets its computer account password in AD.

You can fix this issue by removing the system from the domain and then re-joining it.

But here is a better way, where you don't need to re-join the domain or reboot your system:

Log in to your DC and simply reset the affected computer's computer account.

or

Log in to the affected system using a local admin account and run this command:

netdom resetpwd /Server:DomainName /UserD:Administrator /PasswordD:AdministratorPWD

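Here you need credentials that have the required domain access. Specifying /PasswordD:* makes netdom prompt for the password instead of leaving it on the command line.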

This will fix the Domain/Workstation trust relationship issue.

If this is a lab environment, you can prevent the issue from recurring by turning off machine account password changes with the group policy setting "Disable machine account password change", located here:
\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

or increase the number of days by modifying the GPO setting "Maximum machine account password age".
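The same check and repair can be done from PowerShell, which also shows what the two policy settings above currently resolve to on the machine. This is an added example, not from the original post or the referenced blogs; it assumes an elevated Windows PowerShell 5.1 session under a local admin account, and DC01.lab.example is a placeholder domain controller name.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session on the
# affected machine, logged in with a local admin account.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Effective values behind the two Security Options named above.
    # A missing value means the default: changes enabled, 30 days.
    $p = Get-ItemProperty -Path $NetlogonKey
    $age = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
    [pscustomobject]@{
        PasswordChangeDisabled = ($p.DisablePasswordChange -eq 1)
        MaximumPasswordAgeDays = $age
    }
}

function Repair-WorkstationTrust {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # placeholder value is passed below
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Returns $true when the secure channel to the domain is working.
    if (Test-ComputerSecureChannel -Server $DomainController) {
        return 'Secure channel OK, no repair needed'
    }
    # -Repair rebuilds the Netlogon secure channel in place, without a rejoin.
    $fixed = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential
    if ($fixed) { 'Secure channel repaired' }
    else { 'Repair failed, check credentials and DC reachability' }
}

Get-MachinePasswordPolicy | Format-List

# Get-Credential prompts for the password, so it never appears on the command line.
$cred = Get-Credential -Message 'Domain account allowed to reset computer accounts'
Repair-WorkstationTrust -DomainController 'DC01.lab.example' -Credential $cred
```

On a production domain member, PasswordChangeDisabled reporting True is worth flagging, since it means the machine account password is never rotated.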

Ref: Vladan Seget and Brien Posey's blog. 

That's it........... :)


