Workstations lose their trust relationship

My workstations often receive the message "The trust relationship between this workstation and the primary domain failed" when users try to log in. I can fix this by rejoining the machine to the domain. My question is: why does this happen? I have 500 workstations on a flat, single-VLAN network. I have two domain controllers, and they are running Windows Server 2012 and 2016. Any thoughts on how to keep this from happening more than it should would be greatly appreciated.

David Imbrogno asked:

Hello There (System Administrator) commented:
Why this occurs:

A) If the Machine account password expires and it doesn't renew.
B) If you join a new machine to the domain with the same name as the affected computer while the affected computer is offline.
C) AD policy that would disable a computer after x number of days of not authenticating.
D) Computer object in AD is deleted.
E) Using an image or performing a system restore.

There are many ways to get it.

To solve this, just kick the computer off the domain and rejoin.

How to recognize that computer (from another discussion):

First, the computer starts to seem distant. It doesn't talk to the domain like it used to. The computer begins to act funny, like working late more, paying more attention to its appearance, and getting snappy when the domain asks about it. Then, one of the other computers in the domain sees the computer hanging out in a different LAN or subnet. The domain tries to reach it, but can't. Finally, the domain catches the computer in a lie. And then, the trust relationship is broken.

Also some info from Microsoft TechNet on why this happens:

1. The secure link between the PC and the Directory is broken due to a disruption in the presentation of credentials. If the PC presents the wrong password, the authentication is denied. Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).
2. The client machine presents the right password, but the wrong machine account. If the images that are being used are cloned without properly being Sysprepped, the scenario arises where two machines are presenting the same SIDs, while the passwords are out of sync.
0
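The in-place check and repair for causes A, D and E above, as an added PowerShell example (not code from the original thread). It assumes an elevated session on the affected workstation, a domain account with rights to reset that computer object, and a DC name DC01 and a 30-day machine-account password age, all of which are placeholders; the DC-side query at the end assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original thread.
# Part 1: run on the affected workstation in an elevated session.

function Repair-DomainTrust {
    param([string]$Server = 'DC01')   # placeholder DC name

    # Test-ComputerSecureChannel returns $false when the machine account
    # password the workstation holds no longer matches what AD holds
    # (expired and not renewed, restored from an older image/snapshot).
    if (Test-ComputerSecureChannel -Server $Server -Verbose) {
        return 'Secure channel OK, nothing to do.'
    }

    $cred = Get-Credential -Message 'Domain account allowed to reset this computer object'

    # -Repair resets the machine account password on both the client and AD
    # without an unjoin/rejoin, so the local profiles and GPO state survive.
    # This only works while the computer object still exists in AD (cause D,
    # a deleted object, still needs a full rejoin).
    if (Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred -Verbose) {
        return 'Secure channel repaired.'
    }

    # Fallback when -Repair cannot renegotiate: force a fresh machine password.
    Reset-ComputerMachinePassword -Server $Server -Credential $cred
    return 'Machine password reset; reboot and re-test.'
}

Repair-DomainTrust

# Part 2: run on a DC (or any host with RSAT) to find accounts that stopped
# rotating their password. Clients renew it themselves every 30 days by
# default, so anything older than that is a workstation that is either off,
# cloned from a stale image, or about to produce this error.
$cutoff = (Get-Date).AddDays(-30)   # assumed default password age
Get-ADComputer -Filter 'PasswordLastSet -lt $cutoff' -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet
```

Running Part 2 on a schedule and comparing the list against the help-desk tickets is the quickest way to tell whether the problem follows particular images or particular machines that spend weeks powered off.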

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mahesh (Architect) commented:
One of the reasons could be incorrectly configured network card DNS settings on workstations.
You need to ensure that the TCP/IP network card settings \ DNS properties are as below:

[Screenshot: Correct DNS settings]
Also, there should not be a public DNS server entered directly in the client DNS; the client should point to AD\DNS only.
0
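A way to audit and enforce the DNS rule from the comment above across workstations, as an added PowerShell example (not the commenter's code). It assumes the only permitted resolvers are the two DCs at 10.0.0.10 and 10.0.0.11 and the host names WS-001 to WS-003; all of those are placeholders.

```powershell
# Added example, not from the original thread. Requires the DnsClient module
# (Windows 8 / Server 2012 and later) on the target workstations.

$allowedDns = @('10.0.0.10', '10.0.0.11')   # placeholder DC addresses

function Get-DnsMisconfiguration {
    # Returns one object per IPv4 interface that lists a resolver other than
    # the AD DNS servers (e.g. a public resolver typed in by hand).
    param([string[]]$AllowedServers)

    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $bad = @($_.ServerAddresses | Where-Object { $_ -notin $AllowedServers })
            if ($bad.Count -gt 0) {
                [pscustomobject]@{
                    Interface  = $_.InterfaceAlias
                    Configured = ($_.ServerAddresses -join ', ')
                    NotAllowed = ($bad -join ', ')
                }
            }
        }
}

function Repair-DnsConfiguration {
    # Points every misconfigured interface back at the AD DNS servers only,
    # then checks the machine can still locate a DC via the _msdcs SRV record.
    param([string[]]$AllowedServers)

    $problems = @(Get-DnsMisconfiguration -AllowedServers $AllowedServers)
    foreach ($p in $problems) {
        Set-DnsClientServerAddress -InterfaceAlias $p.Interface -ServerAddresses $AllowedServers
    }
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Fixed      = $problems.Count
        DcFound    = [bool]$srv
        DcTargets  = (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')
    }
}

# Audit only, on the local machine:
Get-DnsMisconfiguration -AllowedServers $allowedDns | Format-Table -AutoSize

# Audit and fix the fleet from an admin host (placeholder names):
$workstations = 'WS-001', 'WS-002', 'WS-003'
Invoke-Command -ComputerName $workstations -ScriptBlock ${function:Repair-DnsConfiguration} -ArgumentList (,$allowedDns) |
    Select-Object PSComputerName, Fixed, DcFound, DcTargets
```

A workstation that resolves the domain through a public resolver cannot find the `_msdcs` SRV records, so it fails to reach a DC to renew its machine password and eventually shows the trust error; the `DcFound` column is the quick check that the fix actually restored DC discovery.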
David Imbrogno (Author) commented:
After reading the solutions and reasons proposed for my issue, I have one more question for clarification. Do you think that the cause of my machines getting this message is due to us using a cloning program when we image our machines? Of course we rename them all and join them to the network with a unique name, but is the cloning process what is making our machines lose their network identity so often, or is it still something else?
0

Hello There (System Administrator) commented:
Simply, yes. You might experience some kind of SID issue. [link]
E) Using an image or performing a system restore.
0
Mahesh (Architect) commented:
Cloning can be a problem if the image used for cloning is not Sysprepped; in that case the cloned image's SID is identical to the previously live system's, and the new system's identity gets invalidated.
0
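A way to confirm whether the cloned workstations actually share a machine SID, as an added PowerShell example (not the commenter's code). It assumes the workstations have the LocalAccounts module (Windows 10 / Server 2016 and later) and that the names WS-001 to WS-003 are reachable over WinRM; the names are placeholders.

```powershell
# Added example, not from the original thread.

function Get-MachineSid {
    # Every local account's SID is the machine SID (S-1-5-21-x-y-z) plus a
    # RID, so the domain part of the built-in Administrator (RID 500, which
    # exists even if renamed or disabled) is the machine SID. Sysprep
    # regenerates it; a raw clone keeps the source image's value.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $admin.SID.AccountDomainSid.Value
}

# Local check:
Get-MachineSid

# Fleet check: collect the SID from each workstation and report any value
# that appears on more than one host, i.e. machines cloned from the same
# un-Sysprepped image.
$workstations = 'WS-001', 'WS-002', 'WS-003'   # placeholder names
Invoke-Command -ComputerName $workstations -ScriptBlock ${function:Get-MachineSid} |
    Group-Object |
    Where-Object Count -gt 1 |
    ForEach-Object {
        "Duplicate machine SID $($_.Name) on: $($_.Group.PSComputerName -join ', ')"
    }
```

If this reports duplicates, the image should be generalised with `sysprep /generalize /oobe` before capture; a unique computer name alone does not give a clone a new machine SID.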
David ImbrognoAuthor Commented:
Thank you to "Mahesh" and "Hello There" for all your responses.  I would like to give you both "equal credit" for answering my question but am not sure how to do that here since I am new to Experts Exchange.  Can you tell me how to give both of you equal "credit" for helping me?
0
Mahesh (Architect) commented:
You can select the best solution (primary), whichever you like, and can also select other solution(s) as assisted solutions (secondary).
0