Solved

How to prevent "The Trust relationship between this workstation and the primary domain failed"

Posted on 2009-04-03
Last Modified: 2012-06-21
I got a call from a user who is not able to log in to the domain. The error message was "The Trust relationship between this workstation and the primary domain failed".
I tried the local Administrator and other domain users and got the following message: "Account is disabled". I then logged in as Domain administrator and was able to log in, and I noticed that the local administrator account was indeed disabled. I then enabled it, and before I remove this laptop from the domain and rejoin it to the domain, I was wondering if this is the solution and if someone knows why this happened.

Thank you AsgharE
Question by:AsgharE
7 Comments
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24062307
That error message indicates a problem with the computer's domain account. It's hard to say positively, but I don't think that disabling the local admin account would cause that problem, at least I have never heard of that being the case.  I would guess that the reason you were able to get in with the domain admin account is that that account was the only other account that had admin privileges on the local workstation.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24062327
Simply having the local Administrator account of the machine disabled should not affect other local or domain accounts logging on to the machine or logging on to the domain from the machine.
The message was probably due to something else also being disabled, such as the computer account.

As for why the local Administrator account was disabled, it could be that someone manually disabled it, or it could be from a GPO policy. If from a GPO, then you could have more machines with the local Administrator disabled, which you can verify from other workstations.

btw, if you rejoin the domain, the computer account in Active Directory will be active again. But again, if there is a GPO still active to disable the Administrator account, you would see this Administrator account get disabled again on the next GPO refresh.
0
 

Author Comment

by:AsgharE
ID: 24062656
There was another local user with administrator privilege, and I could not log in as that user either, with the same issue as the local administrator (was disabled).
I also noticed that when I checked the properties of the local administrators group, "Member of" shows a bunch of numbers rather than domain\administrator as a member. Usually in the past I removed the computer from the domain and rejoined it to resolve the issue, but I had never seen the local administrator and local user accounts disabled. btw, there is no GPO, therefore it was not impacted by GPO. But in the domain event viewer there have been a lot of login failures regarding this workstation over the last several days, but users had no problem logging in till today.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 400 total points
ID: 24063130
At this point, you really need to remove that workstation from the domain, delete the AD computer account, and then rejoin the domain.  That should resolve these issues.  The reason you see that "bunch of numbers" instead of the name of the account is that you are seeing the local SID of the domain administrator account.  Because of the problem with the computer account, it cannot properly read the attributes of the domain admin account and therefore is just displaying the local SID.  Once you rejoin it to the domain properly, you will once again see the domain administrator account name there.
0
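
A read-only check for the symptoms discussed in this thread (broken secure channel, unresolved SIDs in the local Administrators group, disabled local accounts), added here as an example and not part of the original posts. The function name `Get-DomainTrustSymptom` is hypothetical, and the script assumes Windows PowerShell 3.0 or later in an elevated session on the affected workstation.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected workstation. Get-DomainTrustSymptom is a hypothetical name.
function Get-DomainTrustSymptom {
    $report = [ordered]@{
        Computer           = $env:COMPUTERNAME
        SecureChannelOk    = $false
        UnresolvedAdminSid = @()
        DisabledLocalUser  = @()
    }

    # 1. The machine account's secure channel to the domain, i.e. the
    #    "trust relationship" named in the logon error.
    try {
        $report.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        $report.SecureChannelOk = $false   # not joined, or no DC reachable
    }

    # 2. Members of the local Administrators group (well-known SID
    #    S-1-5-32-544) whose SID cannot be translated to a name. These are
    #    the entries the GUI shows as a "bunch of numbers".
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier ($bytes, 0)
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } catch {
            $report.UnresolvedAdminSid += $sid.Value
        }
    }

    # 3. Local accounts that are currently disabled, as the asker found
    #    for the local Administrator and one other local admin user.
    $report.DisabledLocalUser = @(
        Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Disabled=True" |
            Select-Object -ExpandProperty Name
    )

    [pscustomobject]$report
}

Get-DomainTrustSymptom | Format-List
```

Running it before and after the unjoin/rejoin shows whether `SecureChannelOk` returns to `True` and the unresolved SIDs disappear.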
 

Author Comment

by:AsgharE
ID: 24063400
hypercat, I almost did what you have recommended, except I did not delete the computer account from AD before rejoining the computer to the domain. (I just got your comment.)
Contrary to my expectation, when I added the domain user to the local administrators group and logged in as the user to the domain, all of the previous profile was accessible; I mean that I did not even have to recreate the Outlook profile.
I launched the Outlook icon and the user got to the inbox, whereas in the past Windows XP recreated another profile like user01.domain.
I will watch this laptop and the logs on the domain and DNS next week to see if I have to repeat the process and take your complete and clean steps.
Thank you.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 24063589
Glad to help - I hope it works consistently for you.  I recommended deleting the computer account because I've found in some cases that just unjoining and rejoining the domain with the same AD account does not quite do the trick.  However, it sounds like it worked in your case, so that's even better.
0
 

Expert Comment

by:rkelly32
ID: 27294811
0
