How To Fix Domain Trust Issues in Active Directory

Posted on 2014-08-14
Medium Priority
Last Modified: 2014-08-22
How To Fix Domain Trust Issues in Active Directory. I tried the steps below with no luck. I also need to know the reason for the trust relationship error.

1. Try to reset the computer account and check.
2. Try to run this PS command on the client machine: Test-ComputerSecureChannel -Server DC -Verbose and make sure the output returns True.
   - If the command output returns False, proceed with the next step.
   - Repair the trust relationship of the client machine using the PS command.
   - Run Test-ComputerSecureChannel -Server DC -Repair -Verbose
3. Last option is to disjoin and rejoin the machine manually to ad.domain.com

Question by:sureshkumarit

Assisted Solution

by:Sekar Chinnakannu
Sekar Chinnakannu earned 1200 total points
ID: 40262465
Try to reset the computer account using the netdom.exe command:

netdom resetpwd /s:DOMAINCONTROLLER /ud:domain\USERID /pd:PASSWORD

Assisted Solution

Sandeshdubey earned 400 total points
ID: 40265829
It seems to be a DNS name resolution issue. The error message "The trust relationship between this workstation and the primary domain failed or secure channel is broken" indicates that the secure channel between the client server and the DC is broken. This could be due to multiple reasons.

(1) Check the DNS & WINS entries.
DNS configuration on clients and member servers:
1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
2. Do not set a public DNS server in the TCP/IP settings of the workstation.

(2) Check whether the Firewall service is ON or OFF.
Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

(3) Check the status of the Browser service.
It should be started.

(4) Check the status of the machine account in AD (it may be disabled).
If the machine account is disabled, enable it.

(5) Try using the netdom utility to reset the secure channel between the client & the domain controller.

(6) Else remove the client from the domain & re-add it to the domain.

(7) Also check the DNS console for duplicate records for the host machine and remove them.
Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Take a look at the hotfix below too. A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer: http://support.microsoft.com/kb/979495

Hope this helps

Author Comment

ID: 40266857
C:\windows\system32>netdom resetpwd /s: DOMAIN CONTROLLER /ud: DOMAIL\USERID /pd:*
Type the password associated with the domain user:

The machine account password for the local machine could not be reset.

Logon failure: unknown user name or bad password.

The command failed to complete successfully.

I am sure I am typing the correct password. I am getting this output, can you please help? Do I need to use a domain admin account to reset the computer account from the client machine?

Accepted Solution

David Johnson, CD, MVP earned 400 total points
ID: 40278339
Yes, you should use a domain admin.

Author Comment

ID: 40278349
Excellent, working.
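The following script is an added example and not code posted by anyone in this thread. It strings together the checks and fixes discussed above: the asker's Test-ComputerSecureChannel / -Repair sequence, Sekar's netdom-style machine password reset (done here with the PowerShell equivalent Reset-ComputerMachinePassword), Sandeshdubey's DNS and machine-account checks, and the accepted answer's point that the reset must run under a domain admin (or an account delegated the reset-password right on the computer object), which is why the asker's earlier attempt failed with "Logon failure". It assumes an elevated PowerShell session on the affected member machine, logged on with a local account, Windows 8 / Server 2012 or later for the DNS client cmdlets, and placeholder values for $DomainController and $DomainName that you replace with your own.

```powershell
<#
  Added example, not code from the thread: diagnose and repair a broken secure
  channel ("The trust relationship between this workstation and the primary
  domain failed"). Assumptions: run elevated on the affected member machine while
  logged on with a LOCAL account (domain logon is what is broken); Windows 8 /
  Server 2012 or later. $DomainController and $DomainName are placeholders.
#>
param(
    [string]$DomainController = 'DC01.ad.domain.com',  # placeholder, replace
    [string]$DomainName       = 'ad.domain.com'        # placeholder, replace
)

# --- 1. Name resolution ------------------------------------------------------
# A client pointed at a public or remote DNS server cannot locate a DC; that is
# the most common root cause behind a "broken" secure channel.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses }
Write-Output "Configured IPv4 DNS servers: $($dnsServers -join ', ')"

try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
    Write-Output "DC locator SRV records for $DomainName resolve to: $targets"
} catch {
    Write-Warning "Cannot resolve DC SRV records for $DomainName. Fix the client's DNS settings before resetting anything."
    return
}

# --- 2. Test the secure channel against a specific DC ------------------------
# Returns $true when the machine account password held locally still matches
# the one stored in AD for this computer object.
$healthy = Test-ComputerSecureChannel -Server $DomainController -Verbose
if ($healthy) {
    Write-Output "Secure channel to $DomainController is healthy; nothing to repair."
    return
}

# --- 3. Repair with an explicit domain admin credential ----------------------
# Resetting the machine account password needs rights on the computer object,
# so prompt for a domain admin (or a delegated account). Passing -Credential
# means the repair does not rely on the broken channel itself.
$cred = Get-Credential -Message "Domain admin account (DOMAIN\user) to reset this machine's account password"

# Optional: confirm the computer object is not disabled (Sandeshdubey's step 4),
# only if the RSAT ActiveDirectory module happens to be installed locally.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $DomainController -Credential $cred
    if (-not $acct.Enabled) {
        Write-Warning "Computer object $($acct.DistinguishedName) is disabled in AD; enable it first."
        return
    }
}

$repaired = Test-ComputerSecureChannel -Server $DomainController -Credential $cred -Repair -Verbose
if (-not $repaired) {
    # Fallback equivalent to: netdom resetpwd /s:DC /ud:DOMAIN\user /pd:*
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
    $repaired = Test-ComputerSecureChannel -Server $DomainController
}

if ($repaired) {
    Write-Output "Secure channel repaired. Log off and back on (or reboot) so domain logon picks up the new machine password."
} else {
    Write-Warning "Repair failed. Check the DNS console for a duplicate record for this host and, as a last resort, disjoin and rejoin the domain."
}
```

Save it as, for example, Repair-SecureChannel.ps1 and run `.\Repair-SecureChannel.ps1 -DomainController DC01.ad.domain.com -DomainName ad.domain.com` from an elevated prompt. The script exits early when DNS cannot find a DC, because a reset attempted in that state fails the same way regardless of the account used; the credential prompt only appears once the channel is confirmed broken, so a healthy machine is never touched.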
