columbiaG

How to fix domain trust issues with a user on Active Directory

User receives an error when logging in that "the trust relationship between the workstation and the primary domain has failed"
Chris Staunton

You can simply remove that machine from the domain and rejoin, but what is causing the issue? Is there a time difference between the two? Check the settings on the machine before re-joining it to the domain, and make sure that there is little to no time drift. Check to make sure all TCP/IP DNS settings are correct on the workstation, and make sure it's pointing to the correct DNS.
VB ITS
The simplest fix is to remove the computer from the domain then re-add it.

If you have logon cache enabled you can just pull out the network cable from the back of the machine and then log in. Once you've logged in, remove the computer from the domain via the System Properties window (Control Panel > System).

Remember to reset the computer account in Active Directory Users and Computers before rejoining the computer to the domain. If you have multiple DCs then either wait for replication to occur or force replication manually.
columbiaG

ASKER

I have had this happen once before. I had to delete and recreate the user profile in Active Directory, but that also caused the entire profile on the PC to be removed. I had to log into the PC using non-domain admin credentials and recreate it, which required completely rebuilding her desktop and profile on the PC... Can I just reset her PC on the server which is providing domain control?
If I remove her from the domain, then add her back in, it completely removes her profile. The last time this happened I did that and it was a lot of work to bring the info back.
Not sure why this happened but this specific problem has nothing to do with user accounts and more to do with the computer itself. Try logging in with any other user account on your domain and you will get the same error message.

When you join a computer to the domain, a computer object is created inside Active Directory. This computer object has its own internal password that it uses to establish a trust with your domain controllers. Sometimes these passwords get out of sync with the password copy that is stored on the domain controller, so the trust relationship becomes broken as a result.

The only way to fix this is to reset the internal machine password. There are several methods to do this but the simplest method is to remove the computer from the domain then re-add it. Make sure you have access to a local account that has Administrator rights on this machine by either creating one or resetting the password on the default local Administrator account.

Once you rejoin the computer to the domain, you should be able to log back in as the user and everything will still be there. Do not delete and recreate the user's account.
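
One way to reset the machine account password in place, without removing the computer from the domain, shown as an added example that is not from any poster in this thread. It assumes Windows PowerShell 5.1 run elevated from a local Administrator session on the affected workstation, and a domain account permitted to reset the computer account; it also covers the DNS and time checks mentioned earlier in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: repair the workstation's secure channel in place.
# Run from a local Administrator session on the affected workstation.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'This computer is not joined to a domain.' }
$domain = $cs.Domain

# 1. DNS: the workstation must be able to locate a domain controller.
$dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget } | Select-Object -First 1 -ExpandProperty NameTarget
if (-not $dc) { throw "No domain controller found in DNS for $domain; check the DNS server settings." }

# 2. Time: measure the clock offset against that DC (Kerberos allows 5 minutes by default).
#    The pattern assumes w32tm prints the offset with a '.' decimal separator.
$line = w32tm /stripchart /computer:$dc /samples:1 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -First 1
if ($line) {
    $offset = [math]::Abs([double]$line.Matches[0].Groups[1].Value)
    if ($offset -gt 300) { throw "Clock is off by $offset seconds; correct the time before repairing." }
} else {
    Write-Warning "Could not read a time sample from $dc; verify the clock manually."
}

# 3. Secure channel: test it, and reset the machine account password only if it is broken.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Output "Secure channel to $dc is healthy; no reset needed."
    return
}
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
if (Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred) {
    Write-Output 'Secure channel repaired. Log off, then log on with the domain account.'
} else {
    Write-Error 'Repair failed. Reset the computer account in ADUC and rejoin the domain.'
}
```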
OK, but removing it from the domain, then restarting and then adding it back to the domain, causes you to create a completely new desktop profile, which requires everything to be set up again... Could I not just go into the server controlling the domain, to the domain admin, computers, to the PC in question and reset its connection?
What is the easiest and fastest way to remove someone from the domain: Control Panel/System/Change settings?
ASKER CERTIFIED SOLUTION
VB ITS

This solution is only available to members.
Thanks, will give it a try as you described.