You are the administrator of an organization with a single Active Directory domain.
A user who left the company returns after 16 weeks.
The user tries to log onto their old computer and receives an error stating that authentication
has failed.
The user’s account has been enabled.
You need to ensure that the user is able to log onto the domain using that computer.
What do you do?
A.
Reset the computer account in Active Directory. Disjoin the computer from the domain
and then rejoin the computer to the domain.
B.
Run the ADadd command to rejoin the computer account.
C.
Run the MMC utility on the user’s computer and add the Domain Computers snap-in.
D.
Re-create the user account and reconnect the user account to the computer account.
Explanation:
Basically the same as A/Q10: reset the computer account and rejoin the computer to the domain.
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-betweenworkstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed
What are the common causes that generate this message on client systems?
There may be multiple reasons for this behaviour. A few of them are listed below:
1. The same SID has been assigned to multiple computers (for example, a cloned image that was not sysprepped).
2. The secure channel between the domain controller and the workstation is broken.
3. No SPN or dNSHostName is set in the computer account's attributes.
4. Outdated NIC drivers.
How to Troubleshoot this behaviour?
..
2. The secure channel between the domain controller and the workstation is broken
When a computer is joined to the domain, a secure channel (machine account) password is stored
with the computer account on the domain controller. By default the computer changes this password
every 30 days (this is automatic; no manual intervention is required). On start-up, Netlogon
attempts to locate a DC for the domain in which its machine account exists. After locating a
suitable DC, the machine account password held by the workstation is authenticated against the
password held by the DC.
If there are problems with system time, DNS configuration or other settings, the secure channel
password on the workstation and the one on the DCs may fall out of sync.
A common cause of a broken secure channel is that the machine account password held by the domain
member does not match the one held by AD. Often this is caused by performing a Windows System
Restore (or reverting to a previous backup or snapshot) on the member machine, so that an old
(previous) machine account password is presented to AD.
Resolution:
The simplest resolution is to unjoin/disjoin the computer from the domain and then rejoin it
(this is a similar principle to performing a password reset for a user account).
Or
You can reset the computer account's secure channel in place using the netdom.exe tool, which
avoids the disjoin/rejoin (and the local log-on and reboots that go with it).
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows
Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role
installed. It is also available if you install the Active Directory Domain Services Tools that are
part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or
Windows NT 4.0 domain.
* Manage computer accounts for domain member workstations and member servers.
Management operations include:
* Establish one-way or two-way trust relationships between domains, including the following
kinds of trust relationships:
* Verify or reset the secure channel for the following configurations:
  * Member workstations and servers.
  * Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or
  Windows 2000 replicas.
* Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]
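The check-then-repair procedure from the troubleshooting section and the netdom reset syntax above, as an added PowerShell example (not from the question, the TechNet article or Microsoft's own documentation). It is run on the affected workstation, logged on with a local administrator account, and uses the built-in Test-ComputerSecureChannel cmdlet as the in-place equivalent of netdom reset. The domain name corp.example.com, the DC name DC01 and the admin account CORP\Administrator are assumptions; Resolve-DnsName needs Windows 8 / Server 2012 or later and Get-ADComputer needs the RSAT ActiveDirectory module.

```powershell
# Added example: diagnose and repair a broken secure channel on a domain member
# without disjoining it. Run in an elevated PowerShell session on the workstation,
# logged on as a LOCAL administrator (domain log-on is what is failing).
# Assumed names (not from the page): corp.example.com, DC01, CORP\Administrator.

$Domain = 'corp.example.com'   # assumption
$Server = 'DC01'               # assumption: a writable DC; pinning one avoids locator surprises
$cred   = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain admin account'

# 1. Confirm the symptom: the machine cannot validate its secure channel with the DC.
$healthy = Test-ComputerSecureChannel -Server $Server -Verbose
"Secure channel healthy: $healthy"

# 2. Rule out the other causes the article lists before resetting anything.
#    Kerberos tolerates 5 minutes of clock skew by default; larger skew fails authentication.
w32tm /stripchart "/computer:$Server" /samples:3 /dataonly
#    The client must be able to find a DC for its domain through DNS SRV records.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Port

# 3. Inspect the computer account on the DC: is it enabled, does it carry dNSHostName and
#    SPNs, and how old is its password (30 days is the default rotation interval)?
#    Explicit credentials are required because the machine's own channel is what is broken.
$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server -Credential $cred `
            -Properties Enabled, dNSHostName, servicePrincipalName, PasswordLastSet
$acct | Select-Object Name, Enabled, dNSHostName, PasswordLastSet,
    @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }
$acct.servicePrincipalName

# 4. Repair: set a new machine account password on both the workstation and the DC in one
#    step. This is the PowerShell equivalent of the netdom reset shown on the page; the
#    netdom form, using the page's syntax, is kept here as a comment for comparison:
#    netdom reset $env:COMPUTERNAME /domain:corp.example.com /server:DC01 /usero:CORP\Administrator /passwordo:*
if (-not $healthy) {
    Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred
}

# 5. Verify, then have the user log on with the domain account again. If this still fails,
#    fall back to answer A: disjoin, reset the computer account in AD, and rejoin.
Test-ComputerSecureChannel -Server $Server
```

Test-ComputerSecureChannel -Repair only rewrites the machine account password; it does not touch the computer object's SID, SPNs or dNSHostName, so cause 1 and cause 3 from the list still need the attribute check in step 3 (and, for a duplicated SID, a sysprep and rejoin).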
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]
Hi, I prefer…
A.
Reset the computer account in Active Directory. Disjoin the computer from the domain
and then rejoin the computer to the domain.
As you say in the explanation:
Resolution:
Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the
computer account back to the domain. (this is a somewhat similar principle to performing a
password reset for a user account)
Or
You can go ahead and reset the computer account using netdom.exe tool
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt.