Troubleshooting “The trust relation between this workstation and primary domain failed” error without domain rejoin

Hi Friends

Hope this post finds you in good health and spirit. Today we will discuss a very common error and its troubleshooting. You must have got the “The trust relation between this workstation and primary domain failed” error multiple times. How do you solve the problem ? Rejoin client computer to domain ? This is not a good idea. For answer keep reading.

Why we get this error ?

Every client in domain has an domain account and  its own password just like user account. This account is created by default in Computer container. Client computer uses his account and password to authenticate himself into domain. Computer accounts also reset their password for security reason. By default they reset their password every 30 days.

Note: Computer account password changes are driven by the client computer account, and not by domain controller.

There can be multiple circumstances when password reset between client computer and domain controller becomes out of sync for example:

  1. When computer is out of network for more than 30 days ( default password age).
  2. You restored your machine from old backup.
  3. You did reset of computer account from domain controller.
  4. You reverted to old checkpoint.

Due to any of the reason you get the above mentioned error.

12

Solution

To solve this problem, many admins rejoin client computer to domain.This works but its not a good idea because its time consuming affair. Single machine can take excess of 10 mins so what if we need to do same on multiple computers ? Whole day activity. Duh ! Here are two solution which can solve the problem without rejoining domain.

Using PowerShell – If you are using PowerShell 2.0 and above then login to your client computer using local admin account and run this command:

Reset-ComputerMachinePassword -Server -Credential  

Credential should be the of user account with permission. Your local admin account should work.

Server will be domain controller account.

12.png

It will prompt for password of account so provide the same

You may also use Test-ComputerSecureChannel command. This command checks trust relation between local computer and domain. Ideally its result should be True but unfortunately in event of error you will get False as result. To solve the issue run this command:

Test-ComputerSecureChannel [-Repair]

This command resets the secure channel between the local computer and its domain.

That’s it. It will reset your computer account. There is no need to restart your client machine either.

Using Netdom: This is another method for resetting account for legacy machine. If you don’t have support for PowerShell 2.0 then you can use Netdom. This method is beautifully described here:

http://www.cievo.sk/2012/02/21/reset-computer-accounts-in-active-directory-domain/

Ok, so our job is done. But what to do if in case company have lot of roaming users and they seldom come to office? When they come help desk will be getting call with same error.

They will get this error as discussed earlier in post. Won’t it be better to disable password reset or at least increase the duration? This will be helpful as we won’t get the error at all. If you also think so here is the solution.

You can configure password reset duration or settings by registry or by GPO policy.

Registry

HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

DisablePasswordChange (default off) prevents the client computer from changing its computer account password. To disable, give it a value of 1.

MaximumPasswordAge (default 30 days) determines when the computer password needs to be changed. Change it to whatever number of days you think may be enough.

12

GPO Policy

Computer Configuration\windows Settings\Security settings\Local Policies\Security Options

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age

12.png

You should input the value which best suits your environment.

Ok. So we have solved the problem, congratulation 🙂

I will see you soon with some other technical post. Till then take good care of yourself. Bye.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s