Your company has an Active Directory domain.
A user attempts to log on to a computer that was turned off for twelve weeks.
The administrator receives an error message that authentication has failed.
You need to ensure that the user is able to log on to the computer.
What should you do?
A.
Run the netsh command with the set and machine options.
B.
Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the
domain.
C.
Run the netdom TRUST /reset command.
D.
Run the Active Directory Users and Computers console to disable, and then enable the computer account.
Explanation:
Answer: Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed
What are the common causes that generate this message on client systems?
There might be multiple reasons for this kind of behaviour. A few of them are listed below:
1. Single SID has been assigned to multiple computers.
2. The secure channel between the domain controller and the workstation is broken.
3. No SPN or DNS host name is present in the computer account attributes.
4. Outdated NIC Drivers.
How to Troubleshoot this behaviour?
..
2. The secure channel between the domain controller and the workstation is broken
When a computer account is joined to the domain, the secure channel password is stored with the computer account
on the domain controller. By default this password changes every 30 days (this is an automatic process; no
manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the
domain in which its machine account exists. After locating the appropriate DC, the machine account password
from the workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, secure channel’s password
between Workstation and DCs may not synchronize with each other.
A common cause of a broken secure channel (machine account password) is that the secure channel password
held by the domain member does not match the one held by AD. Often this is caused by performing a
Windows System Restore (or reverting to a previous backup or snapshot) on the member machine, causing an
old (previous) machine account password to be presented to AD.
Resolution:
The simplest resolution is to unjoin/disjoin the computer from the domain and then rejoin the computer
account to the domain.
(This is a somewhat similar principle to performing a password reset for a user account.)
Or
You can reset the computer account using the netdom.exe tool:
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is
available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if
you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools
(RSAT).
You can use netdom to:
Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server
2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
Manage computer accounts for domain member workstations and member servers. Management
operations include:
Establish one-way or two-way trust relationships between domains, including the following kinds of trust
relationships:
Verify or reset the secure channel for the following configurations:
* Member workstations and servers.
* Backup domain controllers (BDCs) in a Windows NT4.0 domain.
* Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000
replicas.
Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]
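The verify-then-reset flow described above, as an added PowerShell example that is not part of the TechNet article or the exam answer; the domain name contoso.com and the domain controller DC01 are assumed values, and the script is run in an elevated session on the affected workstation.

```powershell
# Added example: diagnose and repair a broken secure channel in place,
# without disjoining and rejoining the workstation.
# Assumptions: domain contoso.com, reachable DC named DC01, elevated session
# on the affected workstation (logged on with a local or cached account).

$Domain = 'contoso.com'   # assumed domain name
$DC     = 'DC01'          # assumed domain controller

# 1. Show how this member rotates its machine account password.
#    MaximumPasswordAge is in days (default 30). DisablePasswordChange = 1
#    means the client never rotates it, which avoids drift on VMs that get
#    reverted to snapshots but weakens the account over time.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
    Select-Object MaximumPasswordAge, DisablePasswordChange

# 2. Verify the secure channel. $true means the locally held machine account
#    password matches the one stored in AD for this computer object.
$healthy = Test-ComputerSecureChannel -Server $DC -Verbose
nltest /sc_query:$Domain   # the same check from Netlogon's side; Status = 0 is healthy

# 3. If it is broken, set a new machine account password on both sides.
#    A domain account permitted to reset this computer object is required,
#    because the workstation itself can no longer authenticate to the DC.
if (-not $healthy) {
    $cred = Get-Credential -Message "Account allowed to reset this computer object in $Domain"
    Test-ComputerSecureChannel -Repair -Server $DC -Credential $cred
    # Equivalent to the netdom form quoted above:
    #   netdom reset $env:COMPUTERNAME /domain:$Domain /server:$DC /usero:CONTOSO\admin /passwordo:*
}

# 4. Confirm the channel before asking the user to log on again.
Test-ComputerSecureChannel -Server $DC
```

If the repair succeeds there is no need for the disjoin/rejoin, and the computer keeps its existing SID, group memberships and GPO links.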
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]