The trust relationship is lost between this workstation

Posted on 2009-05-11
Last Modified: 2012-05-06
I have several computers that after being off the network for a period greater than 6 months, I cannot log back into them on the network as a Domain Admin. I get an error message that states "The trust relationship between the workstation and the primary domain failed".
I have read that to correct this problem, you would need to remove the computer from the domain by changing from the domain to a workgroup, and then changing it back.
Here lies the problem. The Administrators account on the machines has been disabled by group policy. I cannot get logged into any of these machines.
How do I rejoin these computers to the domain? How do I log in locally when the Administrator account has been disabled? If I change the GP so that the Admin account is not disabled, does it return to an enabled state? Also, I read somewhere that if you log in using Safe Mode that the Administrators account is automatically enabled, but it still shows disabled when I tried it.
Please help.
Question by:separris
12 Comments
 
LVL 6

Expert Comment

by:bcoyxp
ID: 24357548
Try using this one to reset your local admin password.

http://home.eunet.no/pnordahl/ntpasswd/

Regards,
0
 

Author Comment

by:separris
ID: 24357863
bcoyxp, I attempted to reset the password using your utility, but it did not work. I am getting a message that states "Your account has been disabled". I guess this would make sense because this account was disabled using GP when the machine was last on the network.

Any other ideas?
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359082
From AD Users and Computers on the DC, have you tried to right-click the computer and reset the computer account?
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359114
See any of these events in your Event Viewer on the local machine or DC?

http://support.microsoft.com/kb/216393

Can you remotely access the client PCs in question through Computer Management with domain admin credentials?
0
 

Author Comment

by:separris
ID: 24359129
The computer name no longer exists in AD. When the computer was being used 6 months ago, obviously it was in AD. Since then, some cleanup of old inactive accounts and computers were removed from AD. This computer name was one of them. Could this be causing the problem? I attempted to re-add the name as it used to be manually, but nothing changed. I also reactivated the user account and used the same password that the old user had, but still no go.
0
 
LVL 2

Accepted Solution

by:
techxperts earned 2000 total points
ID: 24359159
If the computer no longer exists in AD, that's definitely the problem... deleting from the AD destroyed the trust relationship between that computer and the domain controllers. You may be able to restore the deleted computer account:

http://www.petri.co.il/recovering-deleted-items-active-directory.htm

0
 
LVL 2

Expert Comment

by:techxperts
ID: 24359164
Try the adrestore link in that article for that free utility.
0
 
LVL 2

Expert Comment

by:iamshaked
ID: 24360400
Check your DNS settings thoroughly. I had an issue with this on another client's network. This fixed my issue after an hour of hair pulling.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 24389570
If your PC isn't in the domain, a reboot should get rid of any GPO setting that was applied, as the GPO is applied when Windows is contacting the domain.

I was pretty sure http://home.eunet.no/pnordahl/ntpasswd/ had an option to re-enable an account if it was disabled.
0
 
LVL 2

Expert Comment

by:techxperts
ID: 24391402
stoner, problem is I think the client caches the GPO settings even if no DC is available. Think corporate laptop user who's on the road. No DC to contact, but all the policies are in effect.
0
 

Author Comment

by:separris
ID: 24580776
Thanks for all of the input. To gain access to these machines, which were de-installed, I formatted the HDD and started over. I have changed an internal policy to move items in AD and not delete them. This should solve the problem in the future.
0
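An added example (not part of the original thread) of the move-instead-of-delete policy described in the comment above: it disables computer accounts that have not logged on recently, records where they came from, and moves them to a quarantine OU. The OU paths, the 180-day threshold and the parameter names are assumptions for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: quarantine stale computer accounts instead of deleting them.
# The OU distinguished names below are placeholders, not values from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleDays = 180,                                            # assumed threshold
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local',     # placeholder
    [string]$QuarantineOU = 'OU=Stale Computers,DC=example,DC=local' # placeholder
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is the replicated lastLogonTimestamp, which can lag real
# logons by up to about two weeks, so keep the threshold well above that.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated |
    Where-Object {
        # Accounts that never logged on are judged by their creation date.
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $lastSeen -lt $cutoff
    }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable and move to quarantine OU')) {
        # Record the date and original location so the account can be put back.
        $note = "Quarantined $(Get-Date -Format 'yyyy-MM-dd'); was $($c.DistinguishedName)"
        Set-ADComputer -Identity $c -Description $note
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Report what was selected, whether or not changes were applied.
$stale | Select-Object Name, LastLogonDate, whenCreated
```

Run it with `-WhatIf` first to list the accounts that would be touched. A quarantined account keeps its object and SID, so it can be re-enabled with `Enable-ADAccount` and moved back when the machine returns.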
 
LVL 2

Expert Comment

by:techxperts
ID: 24581866
separris: it's OK to delete objects from AD if you are wiping machines and reloading an image or the OS. Let it regenerate the SID (a clean XP install does this also) and rejoin the domain and you'll be fine. We have a stock image we reapply to broken machines or when someone leaves, with std apps etc. installed. Part of the imaging process (using sysprep) generates a new SID for the computer and joins it to the domain. Look into that option, then delete stale computer accts at will.
0
