Solved

How to prevent "The Trust relationship between this workstation and the primary domain failed"

Posted on 2009-04-03
Last Modified: 2012-06-21
I got a call from a user who is not able to log in to the domain. The error message was "The trust relationship between this workstation and the primary domain failed".
I tried the local Administrator and other domain users and got the following message: "Account is disabled". I then logged in as Domain administrator and was able to log in, and I noticed that the local administrator account was indeed disabled. I then enabled it, and before I remove this laptop from the domain and rejoin it to the domain I was wondering if this is the solution and if someone knows why this had happened.

Thank you AsgharE
Question by:AsgharE
7 Comments
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24062307
That error message indicates a problem with the computer's domain account. It's hard to say positively, but I don't think that disabling the local admin account would cause that problem, at least I have never heard of that being the case.  I would guess that the reason you were able to get in with the domain admin account is that that account was the only other account that had admin privileges on the local workstation.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24062327
Simply having the local Administrator account of the machine disabled should not affect other local or domain accounts logging on to the machine or logging on to the domain from the machine.
The message was probably due to something else also being disabled, such as the computer account.

As for why the local Administrator account was disabled, it could be that someone manually disabled it, or it could be from a GPO policy. If from a GPO, then you could have more machines with the local Administrator disabled, which you can verify from other workstations.

btw, if you rejoin the domain, the computer account in the Active will be active again. But again, if there is a GPO still active to disable the Administrator account, you would see this Administrator account get disabled again on the next GPO refresh.
0
 

Author Comment

by:AsgharE
ID: 24062656
There was another local user with administrator privilege, and I could not log in as that user either, with the same issue as the local administrator (was disabled).
I also noticed that when I checked the properties of the local Administrators group, "Member of" shows a bunch of numbers rather than domain\administrator as a member. Usually in the past I removed the computer from the domain and rejoined it to resolve the issue, but I had never seen the local administrator and local user accounts disabled. btw, there is no GPO, therefore it was not impacted by a GPO. But in the domain event viewer there have been a lot of login failures regarding this workstation over the last several days, but users had no problem logging in till today.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 400 total points
ID: 24063130
At this point, you really need to remove that workstation from the domain, delete the AD computer account, and then rejoin the domain. That should resolve these issues. The reason you see that "bunch of numbers" instead of the name of the account is that you are seeing the local SID of the domain administrator account. Because of the problem with the computer account, it cannot properly read the attributes of the domain admin account and therefore is just displaying the local SID. Once you rejoin it to the domain properly, you will once again see the domain administrator account name there.
0
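
A pre-check to run before the unjoin, delete and rejoin sequence recommended above, as an added example that is not part of the original thread: it tests the workstation's secure channel, reads the computer account's state in AD, and lists which local Administrators entries appear only as SIDs. It assumes Windows PowerShell 3.0 or later, the RSAT ActiveDirectory module for step 2, and a placeholder domain name `contoso.example`.

```powershell
# Added example, not from the thread. Run elevated on the affected workstation.
# Assumptions: Windows PowerShell 3.0+, RSAT ActiveDirectory module for step 2,
# 'contoso.example' is a placeholder domain name.
param(
    [string]$DomainName = 'contoso.example',
    [switch]$Unjoin     # only when set does the script change anything
)
$cred = Get-Credential -Message "Domain account allowed to manage $env:COMPUTERNAME"

# 1. Is the secure channel between this machine and the domain intact?
$channelOk = Test-ComputerSecureChannel
"Secure channel healthy: $channelOk"

# 2. Is the computer account disabled, and when was its password last set?
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADComputer -Identity $env:COMPUTERNAME -Server $DomainName -Credential $cred `
        -Properties Enabled, PasswordLastSet |
        Select-Object Name, Enabled, PasswordLastSet
}

# 3. List local Administrators members; entries that no longer resolve to a
#    name are the "bunch of numbers" (raw SIDs) seen in the group dialog.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
foreach ($member in $group.Invoke('Members')) {
    $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    '{0,-50} {1}' -f $sid.Value, $name
}

# 4. The procedure from the accepted answer, started only on request and
#    only when the secure channel test failed.
if ($Unjoin -and -not $channelOk) {
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
    # After the restart:
    #   on an admin host:  Remove-ADComputer -Identity <this computer's name>
    #   on this machine:   Add-Computer -DomainName <domain> -Credential (Get-Credential) -Restart
}
```

Keeping the output of steps 1 to 3 from before the rejoin gives a record to compare against if the trust fails again on the same machine.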
 

Author Comment

by:AsgharE
ID: 24063400
hypercat, I almost did what you recommended, except I did not delete the computer account from AD before rejoining the computer to the domain. (I just got your comment.)
To my surprise, when I added the domain user to the local administrators group and logged in as the user to the domain, all of the previous profile was accessible; I mean that I did not even have to recreate the Outlook profile.
I launched the Outlook icon and the user got to the inbox, whereas in the past Windows XP would recreate another profile like user01.domain.
I will watch this laptop and the logs on the domain and DNS next week to see if I have to repeat the process and take your complete and clean steps.
Thank you.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24063589
Glad to help - I hope it works consistently for you.  I recommended deleting the computer account because I've found in some cases that just unjoining and rejoining the domain with the same AD account does not quite do the trick.  However, it sounds like it worked in your case, so that's even better.
0
 

Expert Comment

by:rkelly32
ID: 27294811
0
