Solved

how to fix domain trust issues with a user on active directory

Posted on 2014-12-30
Last Modified: 2015-08-06
User receives an error when logging in that "the trust relationship between the workstation and the primary domain has failed".
Question by:columbiaG
9 Comments
 
LVL 12

Expert Comment

by:Chris Staunton
ID: 40524511
You can simply remove that machine from the domain and rejoin, but what is causing the issue?  Is there a time difference between the two?  Check the settings on the machine before re-joining it to the domain, make sure that there is little to no time drift.  Check to make sure all TCP/IP DNS settings are correct on the workstation, make sure it's pointing to the correct DNS.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40524512
The simplest fix is to remove the computer from the domain then re-add it.

If you have logon cache enabled you can just pull out the network cable from the back of the machine and then log in. Once you've logged in, remove the computer from the domain via the System Properties window (Control Panel > System).

Remember to reset the computer account in Active Directory Users and Computers before rejoining the computer to the domain. If you have multiple DCs then either wait for replication to occur or force replication manually.
0
 

Author Comment

by:columbiaG
ID: 40524514
I have had this happen once before, had to delete and recreate the user profile in Active Directory, but that also caused the entire profile on the PC to be removed. Had to log into the PC using non-domain admin credentials and recreate, which required completely rebuilding her desktop and profile on the PC... Can I just reset her PC on the server which is providing domain control?
0

Author Comment

by:columbiaG
ID: 40524518
If I remove her from the domain, then add her back in, it completely removes her profile. The last time this happened I did that and it was a lot of work to bring the info back.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40524539
> If I remove her from the domain, then add her back in, it completely removes her profile. The last time this happened I did that and it was a lot of work to bring the info back.

Not sure why this happened but this specific problem has nothing to do with user accounts and more to do with the computer itself. Try logging in with any other user account on your domain and you will get the same error message.

When you join a computer to the domain, a computer object is created inside Active Directory. This computer object has its own internal password that it uses to establish a trust with your domain controllers. Sometimes these passwords get out of sync with the password copy that is stored on the domain controller, so the trust relationship becomes broken as a result.

The only way to fix this is to reset the internal machine password. There are several methods to do this but the simplest method is to remove the computer from the domain then re-add it. Make sure you have access to a local account that has Administrator rights on this machine by either creating one or resetting the password on the default local Administrator account.

Once you rejoin the computer to the domain, you should be able to log back in as the user and everything will still be there. Do not delete and recreate the user's account.
0
 

Author Comment

by:columbiaG
ID: 40524568
OK, but removing it from the domain, then restarting and then adding it back to the domain, causes you to create a completely new desktop profile, which requires all to be set up again... Could I not just go into the server controlling the domain, to the domain admin, computers, to the PC in question and reset its connection?
0
 

Author Comment

by:columbiaG
ID: 40524577
What is the easiest and fastest way to remove someone from the domain, Control Panel/System/Change settings?
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40524591
> OK, but removing it from the domain, then restarting and then adding it back to the domain, causes you to create a completely new desktop profile, which requires all to be set up again...

No it doesn't. I have literally rejoined computers to the domain 100 times and I've never had a problem with user profiles. Just make sure you are following this process:
1. Make sure you have access to a local account that has Administrator rights. This is very important, otherwise you will not be able to do any administrative tasks on the computer once you remove it from the domain.
2. Once you have confirmed the above, remove the computer from the domain by going to Control Panel > System > note down the Computer name here > click Change settings > click the Change button in the Computer Name tab > choose Workgroup at the bottom > type in WORKGROUP or whatever else you want as it's just temporary > OK > you may be prompted for admin credentials so type these in > OK your way out > restart when prompted.
3. Log on to your Domain Controller > open up the Active Directory Users and Computers console from Start > Administrative Tools > locate the computer account then right click on it > Reset Account > click Yes when prompted. If you have multiple Domain Controllers in your environment then you'll need to wait for replication to occur or you can force it manually before proceeding to the next step.
4. Log back into the problem computer > re-add it to the domain by using the same steps as earlier > restart the machine when prompted.
5. Once the machine comes back up, the user should be able to log in and all of their files and settings should still be there.
0
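
The checks and steps from this thread in scripted form, as an added example that is not part of the original answers: the `Check` stage verifies the local administrator prerequisite, DNS, time offset and the machine's secure channel, and the `Unjoin` and `Rejoin` stages are the command-line equivalents of the Control Panel steps. The script name `Repair-DomainJoin.ps1` and the domain `corp.example.com` are placeholders, and it assumes Windows PowerShell 3.0 or later on Windows 8 / Server 2012 or newer.

```powershell
# Added example (hypothetical script name: Repair-DomainJoin.ps1).
# Run in elevated Windows PowerShell on the affected workstation.
# 'corp.example.com' is a placeholder domain name.
param(
    [string]$DomainName = 'corp.example.com',
    [ValidateSet('Check', 'Unjoin', 'Rejoin')]
    [string]$Stage = 'Check'
)

function Test-LocalAdminSession {
    # True only when the current logon is a local (non-domain) account running elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    return ($elevated -and $id.Name -like "$env:COMPUTERNAME\*")
}

function Get-TimeOffsetSeconds([string]$Server) {
    # One NTP sample; the sample line looks like "10:00:00, +00.0123456s".
    $out = w32tm /stripchart /computer:$Server /samples:1 /dataonly
    if (($out -join "`n") -match ',\s*([+-]\d+\.\d+)s') {
        return [math]::Abs([double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture))
    }
    throw "No time sample from ${Server}: $($out -join ' ')"
}

# Prerequisite from the answer: without a local administrator you are locked out after the unjoin.
if (-not (Test-LocalAdminSession)) { throw 'Log on with a local administrator account and run elevated.' }

switch ($Stage) {
    'Check' {
        # DNS check: the workstation must find a domain controller through its configured DNS server.
        $dc = (Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$DomainName" -ErrorAction Stop |
               Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            DomainController  = $dc
            TimeOffsetSeconds = Get-TimeOffsetSeconds $dc      # Kerberos default tolerance is 300 s
            SecureChannelOk   = Test-ComputerSecureChannel     # False when the trust is broken
        }
    }
    'Unjoin' {
        # The answer's unjoin step: move to a temporary workgroup, then reboot.
        Remove-Computer -UnjoinDomainCredential (Get-Credential) -WorkgroupName 'WORKGROUP' -Force -Restart
    }
    'Rejoin' {
        # Run after the computer account was reset in Active Directory Users and Computers.
        Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
    }
}
```

Run the `Check` stage first and again after the rejoin; `SecureChannelOk` should read `True` once the machine password is back in sync.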
 

Author Comment

by:columbiaG
ID: 40524621
Thanks, will give it a try as you described.
0
