Solved

The trust relationship is lost between this workstation

Posted on 2009-05-11
Last Modified: 2012-05-06
I have several computers that after being off the network for a period greater than 6 months, I cannot log back into them on the network as a Domain Admin. I get an error message that states "The trust relationship between the workstation and the primary domain failed".
I have read that to correct this problem, you would need to remove the computer from the domain by changing from the domain to a workgroup, and then changing it back.
Here lies the problem. The Administrators account on the machines has been disabled by group policy. I cannot get logged into any of these machines.
How do I rejoin these computers to the domain? How do I log in locally when the Administrator account has been disabled? If I change the GP so that the Admin account is not disabled, does it return to an enabled state? Also, I read somewhere that if you log in using Safe Mode, the Administrators account is automatically enabled, but it still shows disabled when I tried it.
Please help.
0
Question by:separris
12 Comments
 
LVL 6

Expert Comment

by:bcoyxp
ID: 24357548
Try using this one to reset your local admin password.

http://home.eunet.no/pnordahl/ntpasswd/

regards,
0
 

Author Comment

by:separris
ID: 24357863
bcoyxp, I attempted to reset the password using your utility, but it did not work. I am getting a message that states "Your account has been disabled". I guess this would make sense because this account was disabled using GP when the machine was last on the network.

Any other ideas?
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359082
From AD Users and Computers on the DC, have you tried to right-click the computer and reset the computer account?
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359114
See any of these events in your event viewer on the local machine or DC?

http://support.microsoft.com/kb/216393

Can you remotely access the client PCs in question through Computer Management with domain admin credentials?
0
 

Author Comment

by:separris
ID: 24359129
The computer name no longer exists in AD. When the computer was being used 6 months ago, obviously it was in AD. Since then, some cleanup of old inactive accounts and computers were removed from AD. This computer name was one of them. Could this be causing the problem? I attempted to re-add the name as it used to be manually, but nothing changed. I also reactivated the user account and used the same password that the old user had, but still no go.
0
 
LVL 2

Accepted Solution

by:
techxperts earned 500 total points
ID: 24359159
If the computer no longer exists in AD, that's definitely the problem... deleting from the AD destroyed the trust relationship between that computer and the domain controllers. You may be able to restore the deleted computer account.

http://www.petri.co.il/recovering-deleted-items-active-directory.htm

0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359164
Try the adrestore link in that article for that free utility.
0
 
LVL 2

Expert Comment

by:iamshaked
ID: 24360400
Check your DNS settings thoroughly. I had an issue with this on another client's network. This fixed my issue after an hour of hair pulling.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 24389570
If your PC isn't in the domain, a reboot should get rid of any GPO setting that was applied, as the GPO is applied when Windows is contacting the domain.

I was pretty sure http://home.eunet.no/pnordahl/ntpasswd/ had an option to re-enable an account if it was disabled.
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24391402
stoner, the problem is, I think the client caches the GPO settings even if no DC is available. Think of a corporate laptop user who's on the road: no DC to contact, but all the policies are in effect.
0
 

Author Comment

by:separris
ID: 24580776
Thanks for all of the input. To gain access to these machines, which were de-installed, I formatted the HDD and started over. I have changed an internal policy to move items in AD and not delete them. This should solve the problem in the future.
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24581866
separris: it's OK to delete objects from AD if you are wiping machines and reloading an image or the OS. Let it regenerate the SID (a clean XP install does this also) and rejoin the domain, and you'll be fine. We have a stock image we reapply to broken machines, or when someone leaves, with std apps etc. installed. Part of the imaging process (using sysprep) generates a new SID for the computer and joins it to the domain. Look into that option, then delete stale computer accts at will.
0
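
The policy the asker settled on (move stale computer objects rather than delete them) can be scripted. The following is an added example, not code from anyone in this thread; it assumes the ActiveDirectory PowerShell module is installed, and the OU path and the 180-day threshold are placeholders to adjust.

```powershell
#Requires -Modules ActiveDirectory
# Added example: quarantine stale computer accounts instead of deleting them,
# so a machine that comes back later still has an account to authenticate with.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Roughly the 6 months of inactivity described in the thread.
    [int]$StaleDays = 180,
    # Placeholder OU; it must already exist in your domain.
    [string]$QuarantineOU = 'OU=Stale Computers,DC=example,DC=com'
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is replicated but can lag by up to about 14 days,
# so treat the cutoff as approximate. Accounts created after the cutoff are
# skipped so that freshly pre-staged machines are not quarantined.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        $_.DistinguishedName -notlike "*,$QuarantineOU" -and
        $_.whenCreated -lt $cutoff -and
        [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp) -lt $cutoff
    }

foreach ($c in $stale) {
    $lastSeen = [DateTime]::FromFileTime([int64]$c.lastLogonTimestamp)
    # Record where the object came from so it can be moved back by hand.
    $note = "Quarantined $(Get-Date -Format yyyy-MM-dd); " +
            "last logon $($lastSeen.ToString('yyyy-MM-dd')); " +
            "was in $($c.DistinguishedName)"

    if ($PSCmdlet.ShouldProcess($c.Name, 'Disable and move to quarantine OU')) {
        Set-ADComputer -Identity $c -Description $note
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Summary of what was (or, with -WhatIf, would have been) quarantined.
$stale | Select-Object Name, DistinguishedName
```

Run it with `-WhatIf` first to review the list. Because the object and its SID are kept, a returning machine's account can be re-enabled and moved back rather than recreated.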
