How to prevent "The Trust relationship between this workstation and the primary domain failed"

Posted on 2009-04-03
Last Modified: 2012-06-21
I got a call from a user who is not able to login to Domain. The error message was " The Trust relationship between this workstation and the primary domain failed".
I tried local Administrator and other domain users and got the following message" Account is disabled". I then login as Domain administrator and I was able to login and I noticed that the local administrator account is indeed was disabled. I then enabled it  and before I remove this Laptop from Domain and rejoint to domain I was woundering if this is the solution and if someone knows why this had happened.

Thank you AsgharE
Question by:AsgharE
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24062307
That error message indicates a problem with the computer's domain account. It's hard to say positively, but I don't think that disabling the local admin account would cause that problem, at least I have never heard of that being the case.  I would guess that the reason you were able to get in with the domain admin account is that that account was the only other account that had admin privileges on the local workstation.
LVL 18

Assisted Solution

Americom earned 100 total points
ID: 24062327
Simply having the local Administrator account of the machine disabled should not affect other local or domain account from logon on the the machine or logon to the domain from the machine.
The message probably was due to other thing also disabled such as the computer account.

As far as why the local Administrator account was disabled it could be from someone manually disabled it or from GPO policy. If from GPO, then you could have more machine with the local Administrator disabled. Whcih you can verify from other workstations.

btw, If you rejoin the domain the computer account in the Active will be active again. But again, if there is a GPO still active to disable the Administrator account, you would see thisAdministrator account gets disabled again on next GPO refresh.

Author Comment

ID: 24062656
There was another local user with administrator privilage that I could not login as that user either with the same issue as local admininstratoe (was disabled).
I also noticed that when I checked the property of local administrators group "Member of" it shows bounch of numbers rather domain\administrator as a member, usually in the past I remove the computer from domain and re jointed to resolve the issue but never had seen local administrator and local users account to be disabled. btw, there is no GPO therefore it was not impacted by GPO. But at the domain event viewer there has been alot of login failiur regarding this workstation last several days but users had no problem login till today..
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 38

Accepted Solution

Hypercat (Deb) earned 400 total points
ID: 24063130
At this point, you really need to remove that workstation from the domain, delete the AD computer account, and then rejoin the domain.  That should resolve these issues.  The reason you see that "bunch of numbers" instead of the name of the account is that you are seeing the local SID of the domain administrator account.  Because of the problem with the computer account, it cannot properly read the attributes of the domain admin account and therefore is just displaying the local SID.  Once you rejoin it to the domain properly, you will one again see the domain administrator account name there.

Author Comment

ID: 24063400
hypercat, I almost did what you have recommended except did not delete the computer account from AD before re joining the computer to Domain. (I just got your comment).
Surprisingly to my expectation when I added the domain user to local administrator group and login as the user to domain,  all the privious profile was accessible, I mean that I did not even had to recreate Outlook profile.
I lunch outlook icon and the user got to the inbox, where in the past the windows xp recreate another profile like user01.domain.
I will whatch this laptop and logs on the Domain and DNS next week to see if I have to repeat the process and take your complete and clean steps.
Thank you.
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24063589
Glad to help - I hope it works consistently for you.  I recommended deleting the computer account because I've found in some cases that just unjoining and rejoining the domain with the same AD account does not quite do the trick.  However, it sounds like it worked in your case, so that's even better.

Expert Comment

ID: 27294811

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question