Solved

Windows 10 client lost trust relationship with 2012r2 domain

Posted on 2016-10-05
Last Modified: 2016-10-28
One of the PCs we upgraded to windows 10 will not login to the domain because the machine has lost the trust relationship.
If you enter a bogus password it knows it is incorrect.
A correct password will produce the issue.

No longer have the local machine user credentials.  When trying to log into the local machine with user "administrator" and a bogus password it responds with a "this account has been disabled" message.

Thought I would ask if there is a resolution before rebuilding the machine from scratch.
Thanks
Karl
0
Question by:kbettencourt
8 Comments
 
LVL 31

Expert Comment

by:Scott C
ID: 41830124
Dis-join the machine from the domain by joining it to a workgroup.  Make sure the machine account has been deleted from AD, then join it back in again.

You may need to power down the machine and unplug it from the wall to make sure no junk information is left in the NIC.

Ooopps...never mind...just read you don't have the local PC creds.

At this point your only option is to rebuild the machine from scratch as you said.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41830166
Make sure the computer isn't attempting to log you in using the local administrator. That may be the account that is disabled. When you type in "Administrator" as your username, since Windows Vista came out and changed the login system, the login screen will default to the local administrator account if you just enter "Administrator" as your user name. You need to type in the domain if you want to log in as the domain admin. Use domain\administrator or administrator@domain.local.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41830244
You can try resetting the machine account for that Windows 10 computer.  From a server logged in as an administrator:  "dsmod computer <ComputerDN> -reset"

Option 2:
I don't know if Windows 10 has the equivalent to safe mode.  Booting in safe mode in older OS would re-enable the disabled local administrator account.  (Possibly old knowledge though, I don't know for certain that it applies in Windows 10.)
1
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 41830257
Here's more on the 'Reset Computer account' option.  (Why, and a GUI option to accomplish.  Hint: you can do it in ADUC, right on the computer object.)  ;-))
1
 
LVL 55

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 41830652
The computer account pw is something the client and the DCs both know and synchronize. So if you reset it at the server, the client side is unchanged. I don't see how this should help.

Download the pogostick bootdisk (google it) and reset the password of the local administrator (blank it) and make the account usable (=enable it). Then logon with it and trigger a sync with the DC like this:
from an elevated powershell prompt, launch:
Reset-ComputerMachinePassword -Credential yourdom\yourdomadmin
(you'll be asked for the domain admin password).
Afterwards, you can login with a domain account again.
0
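An added example, not posted by anyone in this thread: once you can log on locally, this checks whether the machine's secure channel to the domain is actually broken before touching anything, and repairs it in place using the same Microsoft.PowerShell.Management cmdlets the accepted answer relies on. The domain name and account are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the affected Windows 10 client after logging on with a local account.
# Requires PowerShell 3.0 or later (Test-ComputerSecureChannel,
# Reset-ComputerMachinePassword live in Microsoft.PowerShell.Management).

# Test-ComputerSecureChannel returns $true when the machine account password
# held locally still matches the one stored on the DCs, $false when the
# "trust relationship" between this workstation and the domain has failed.
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host 'Secure channel is healthy; no reset needed. Check the account/UPN you are typing instead.'
    return
}

# Ask for a domain account that may reset this computer object's password:
# a domain admin, or any account delegated "Reset password" on the object.
# 'CONTOSO\domadmin' below is only a placeholder hint for the prompt.
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account (e.g. CONTOSO\domadmin)'

# -Repair re-establishes the secure channel without leaving and rejoining the
# domain, so the computer object's SID, group memberships and GPO links survive.
$repaired = Test-ComputerSecureChannel -Repair -Credential $cred
if ($repaired) {
    Write-Host 'Secure channel repaired. Reconnect the network and sign in with a domain account.'
} else {
    # Fallback: push a brand-new machine account password to the DC directly,
    # which is exactly the step the accepted answer performs by hand.
    Reset-ComputerMachinePassword -Credential $cred
    Write-Host 'Machine password reset submitted; re-run Test-ComputerSecureChannel to confirm it now returns True.'
}
```

Because the client and the DCs each hold a copy of the machine password, running this on the client (rather than only resetting the object in ADUC or with dsmod) is what brings the two copies back into agreement.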
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41830711
If you know a domain account that was an administrator on the local box, that administrator has logged into the system, and you haven't disabled credential caching -- disconnect the NIC, and login using the domain administrator.
0
 

Author Comment

by:kbettencourt
ID: 41830884
Thanks all for the replies.  Will give it a try in the morning.
0
 

Author Comment

by:kbettencourt
ID: 41834490
Thanks.  I was able to contact the person that installed the OS and have the local machine password now.
Also was able to get in with my domain admin account after disconnecting the NIC and booting.  That one was a simple intuitive and logical method.
Also liked the pogostick bootdisk.  It works.
0
