David Kallweit asked:
PCs randomly losing trust relationship with DC

I have a mixed network with Windows 7 and Windows 10 PCs. I have two DCs that are 2008R2 and 2016. All of a sudden back in Oct random computers will get the message that the trust relationship has been broken with the DC. If we wait 15-30 mins and try to log in again it will work.
I have cleaned up AD with regards to an old DC and cleaned up a few old IPs in DNS etc. That didn't seem to work. I have the logs for an offending PC. One event that stuck out was an event ID 3210. Just wanted to see if anyone had any ideas as to this error? I have also verified DHCP DNS settings and they are pointing to the correct DC etc.
(attachment: trusterror.png)
Philip Elder

Verify replication between the two DCs. That sounds like a replication issue between them as the machine password may be changed on one but not the other.

Verify DNS is set up correctly. On the DCs DNS0 on the NIC should point to itself and only itself. No other IPs in DNS1.
Verify DHCP has just those two DCs preferably with the 2016 DC first in line.

Please don't have a public DNS server anywhere in the above setup.
What happens if you remove them from the domain then re add them?
ASKER CERTIFIED SOLUTION
Frank DiPiazza

On Win10 and Server 2016 and up the reset can be done without a disjoin rejoin. Log on with a local admin and:
# Domain name and a domain admin account used to authorize the reset
$Domain = "DomainName"
$DomainAdmin = "UserName"
# Resets this computer's machine account password against the domain; prompts for the admin's password
Reset-ComputerMachinePassword -Credential "$($Domain)\$($DomainAdmin)"
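The checks Philip and Frank describe (replication state, secure channel health, and an in-place reset), gathered into one diagnostic script. This is an added example, not code from either answer; it assumes the ActiveDirectory RSAT module is installed on the PC, that it runs in an elevated session as a local administrator, and it uses Test-ComputerSecureChannel -Repair in place of the Reset-ComputerMachinePassword call above. DomainName and UserName are placeholders.

```powershell
# Added example (not from the thread): collect the facts the answers above ask
# for before touching the machine account. Assumes the ActiveDirectory RSAT
# module is present and the session is elevated under a local admin account.
$Domain      = "DomainName"   # placeholder, as in the answer above
$DomainAdmin = "UserName"     # placeholder
$cred = Get-Credential -UserName "$Domain\$DomainAdmin" -Message "Domain admin"

# 1. NETLOGON 3210 (the event ID from the question) names the DC that refused
#    the machine account; its timestamps show how often the channel breaks.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -AutoSize -Wrap

# 2. Is the secure channel to the domain currently healthy?
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $channelOk"

# 3. Philip's replication point: if the machine password was changed on one DC
#    but has not replicated, the two DCs will show different PasswordLastSet
#    values for this computer object. Query each DC directly, not via DNS.
$dcs = Get-ADDomainController -Filter * -Server $Domain -Credential $cred
foreach ($dc in $dcs) {
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $dc.HostName -Credential $cred -Properties PasswordLastSet
    "{0,-30} PasswordLastSet = {1:u}" -f $dc.HostName, $acct.PasswordLastSet
}

# 4. Replication summary between the DCs (repadmin ships with RSAT).
repadmin /replsummary

# 5. Only when the channel is broken, reset the machine account password in
#    place (no disjoin/rejoin). Test-ComputerSecureChannel -Repair does the
#    same job as the Reset-ComputerMachinePassword call in the answer above.
if (-not $channelOk) {
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}
```

If step 3 shows different PasswordLastSet values on the two DCs, the replication problem Philip describes is the cause and should be fixed before any further resets.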

David Kallweit (Asker)
Thanks for the input guys. To answer the questions:
Computers have been removed and rejoined to the domain and the issue still persists.
DHCP has the 2016 DC first and the other DC second.
DNS on the servers is pointing to themselves first and then pointing to the other DNS server second. No public IPs except in forwarders.
Please remove the pointer to the other DC/DNS. Active Directory integrated zones take care of finding each DC/DNS for the zones.

What is the forest and domain level?
Get-ADForest | Format-List Name,ForestMode
Get-ADDomain | Format-List Name,DomainMode
