Workstations lose their trust relationship

My workstations often receive the message "The trust relationship between this workstation and the primary domain failed" when users try to log in. I can fix this by rejoining the machine to the domain. My question is -- why does this happen? I have 500 workstations on a flat one-VLAN network. I have two domain controllers and they are running Windows Server 2012 and 2016. Any thoughts on how to keep this from happening more than it should be would be greatly appreciated.

David Imbrogno asked:

Hello There (System Administrator) commented:
Why this occurs:

A) If the Machine account password expires and it doesn't renew.
B) If you join a new machine to the domain with the same name as the affected computer while the affected computer is offline.
C) AD policy that would disable a computer after x number of days of not authenticating.
D) Computer object in AD is deleted.
E) Using an image or performing a system restore.

There are many ways to get it.

To solve this just kick the computer off the domain and rejoin.

How to recognize that computer (from another discussion):

   First, the computer starts to seem distant. It doesn't talk to the domain like it used to. The computer begins to act funny, like working late more, paying more attention to its appearance, and getting snappy when the domain asks about it. Then, one of the other computers in the domain sees the computer hanging out in a different LAN or subnet. The domain tries to reach it, but can't. Finally, the domain catches the computer in a lie. And then, the trust relationship is broken.

Also some info from Microsoft TechNet on why this happens:

1. The secure link between the PC and the Directory is broken due to a disruption in the presentation of credentials. If the PC presents the wrong password, the authentication is denied. Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).
2. The client machine presents the right password, but the wrong machine account. If the images that are being used are cloned without properly being SysPrepped, the scenario arises where two machines are presenting the same SIDs, while the passwords are out of sync.
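The answer above resolves the error by leaving and rejoining the domain. As an added example, not code from the thread or from Microsoft, the PowerShell below checks the state the TechNet excerpt describes (secure channel, machine account password rotation, the AD computer object) and repairs the secure channel in place, which keeps the computer's group memberships and user profiles intact. It assumes an elevated session on the affected workstation and a credential that is delegated to reset the computer object's password; the RSAT ActiveDirectory module is optional.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run in an elevated PowerShell on the
# workstation that shows the trust error. The repair step assumes an account
# permitted to reset the computer object's password (e.g. a helpdesk account).

# 1. Is the secure channel to a DC still valid? $false is the state behind
#    "The trust relationship between this workstation and the primary domain failed".
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

# 2. Local Netlogon settings that govern machine account password rotation.
#    MaximumPasswordAge defaults to 30 days when the value is absent;
#    DisablePasswordChange = 1 stops rotation entirely (cause A above).
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
"MaximumPasswordAge   : $(if ($nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { '30 (default)' })"
"DisablePasswordChange: $(if ($nl.DisablePasswordChange) { $nl.DisablePasswordChange } else { '0 (default)' })"

# 3. AD-side view, only where the RSAT ActiveDirectory module is installed.
#    A missing or disabled object, or a PasswordLastSet far older than
#    MaximumPasswordAge, points at causes A, C or D above.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, LastLogonDate -ErrorAction Stop |
            Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
    } catch {
        "No computer object named $env:COMPUTERNAME found in AD (cause D above)."
    }
}

# 4. In-place repair: resets the machine account password both in AD and
#    locally, then rebuilds the secure channel. No leave/rejoin required.
if (-not $channelOk) {
    $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$"
    if (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose) {
        "Secure channel repaired; no rejoin needed."
    } else {
        "Repair failed: confirm the computer object exists and is enabled, and that no other machine was joined under the name $env:COMPUTERNAME (cause B above)."
    }
}
```

If the repair fails for a machine whose object exists and is enabled, compare `PasswordLastSet` in AD with the time the image was captured: a clone restored from an image older than the password history (two rotations) will never match either stored password, which is the first TechNet scenario above.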
Mahesh (Architect) commented:

One of the reasons could be incorrectly configured network card DNS settings on workstations.
You need to ensure that the TCP/IP network card settings \ DNS properties are as below:

[screenshot: Correct DNS settings]

Also, there should not be a public DNS server entered directly in the client DNS settings; the client should point to AD\DNS only.
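A way to audit the DNS rule Mahesh describes across a workstation, as an added example that is not part of the thread: the script resolves the domain controllers advertised in the domain's `_ldap._tcp.dc._msdcs` SRV record and compares them with every IPv4 DNS server configured on the local adapters, flagging any entry that is not a DC (a public resolver would show up here). `$DomainName` and the remoting note are assumptions; replace the domain with your own AD DNS name.

```powershell
# Added example, not from the thread. Checks the local DNS client configuration
# against the domain's DCs. $DomainName is an assumption; set it to your AD domain.
$DomainName = 'corp.example'

function Get-DomainControllerAddress {
    param([string]$Domain)
    # The SRV record lists every DC; resolve each target host to IPv4.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        (Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue).IPAddress
    }
}

function Test-ClientDnsConfig {
    param([string[]]$DcAddresses)
    # One row per (adapter, configured DNS server); IsDomainController is the verdict.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($server in $_.ServerAddresses) {
                [pscustomobject]@{
                    Interface          = $alias
                    DnsServer          = $server
                    IsDomainController = ($DcAddresses -contains $server)
                }
            }
        }
}

try {
    $dcs = Get-DomainControllerAddress -Domain $DomainName | Sort-Object -Unique
} catch {
    # If even the SRV lookup fails, the client is not using AD-integrated DNS at all.
    "SRV lookup for ${DomainName} failed: this client does not resolve through AD DNS."
    return
}
"Domain controllers for ${DomainName}: $($dcs -join ', ')"

$report = Test-ClientDnsConfig -DcAddresses $dcs
$report | Format-Table -AutoSize
$wrong = $report | Where-Object { -not $_.IsDomainController }
if ($wrong) {
    "Non-DC resolvers configured on: $(($wrong.Interface | Sort-Object -Unique) -join ', ')"
}

# Remediation for statically addressed NICs. DHCP clients inherit their DNS list
# from scope option 006, so fix that on the DHCP server instead. Uncomment to apply.
# foreach ($iface in ($wrong.Interface | Sort-Object -Unique)) {
#     Set-DnsClientServerAddress -InterfaceAlias $iface -ServerAddresses $dcs
# }
```

With PowerShell remoting enabled, the same two functions can be pushed to all 500 workstations with `Invoke-Command -ComputerName` to produce one fleet-wide table of adapters that point at something other than a domain controller.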
David Imbrogno (Author) commented:
After reading the solutions and reasons proposed for my issue, I have one more question for clarification.  Do you think that the cause of my machines getting this message is due to us using a cloning program when we image our machines?  Of course we rename them all and join them to the network with a unique name, but is the cloning process what is making our machines lose their network identity so often or is it still something else?
Hello There (System Administrator) commented:
Simply, yes. You might experience some kind of SID issue. HERE
E) Using an image or performing a system restore.
Cloning can be a problem if the image used for cloning is not sysprepped; in that case the cloned image's SID is identical to the previously live system's, and the new system's identity gets invalidated.
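The two replies above attribute the problem to clones that share a SID with the machine they were imaged from (the TechNet excerpt's second scenario, same SID with passwords out of sync). As an added example, not code from the thread, the script below derives each host's local machine SID (the domain part of any local account's SID, so it needs neither RSAT nor a working domain connection) and reports hosts that share one. The computer names are constructed placeholders, and PowerShell remoting to the workstations is assumed.

```powershell
# Added example, not from the thread. Finds workstations that were deployed
# from an image without Sysprep /generalize by looking for duplicate machine SIDs.
# Host names are constructed placeholders; WinRM to each host is assumed.

function Get-LocalMachineSid {
    # Every local account SID is <machine SID>-<RID>; AccountDomainSid drops the RID,
    # leaving the S-1-5-21-... identifier that Sysprep regenerates.
    $anyLocal = Get-LocalUser | Select-Object -First 1
    return $anyLocal.SID.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    param([pscustomobject[]]$Inventory)   # rows with ComputerName and MachineSid
    $Inventory |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.ComputerName -join ', ')
            }
        }
}

"This host's machine SID: $(Get-LocalMachineSid)"

# Collect from the fleet. Invoke-Command tags each result with PSComputerName.
$hosts = 'WS-001', 'WS-002', 'WS-003'      # constructed placeholders
$inventory = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-LocalMachineSid} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ ComputerName = $_.PSComputerName; MachineSid = [string]$_ }
    }

$dupes = Find-DuplicateMachineSid -Inventory $inventory
if ($dupes) {
    "Machines sharing a SID (image not generalized before cloning):"
    $dupes | Format-Table -AutoSize
} else {
    "No duplicate machine SIDs found among $($inventory.Count) hosts."
}
```

Any group the report lists was cloned without `sysprep /generalize`; rebuilding those hosts from a generalized image removes the shared identity, whereas renaming and rejoining them, as the question describes, only changes the computer account and leaves the SID in place.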
David ImbrognoAuthor Commented:
Thank you to "Mahesh" and "Hello There" for all your responses.  I would like to give you both "equal credit" for answering my question but am not sure how to do that here since I am new to Experts Exchange.  Can you tell me how to give both of you equal "credit" for helping me?
You can select the best solution (primary), whichever you like, and also select another solution or solutions as an assisted solution (secondary).