Repair broken trust relationship between domain controller and client machine
Trust, as the word indicates, means “allow without fear”: the domain controller and the client machine trust each other through a bond (the secure channel). The client accepts the security settings, policies, authentication mechanisms and so on deployed by the domain controller, and the domain controller accepts and allows communication from the client machine. If that trust is broken, communication between the domain controller and the client machine fails.
There are several conditions under which the security bond between a client and the domain controller breaks; I would like to share the method I use to fix the issue.
Below are better ways to fix Windows trust relationship failure issues. I cannot claim this is a complete solution, but I would like to share the knowledge and effort.
- Disjoin the client machine with the broken trust from the domain.
- Search Active Directory Users and Computers for the computer account and delete it. The computer account is not removed immediately; it takes some time. If we rejoin the client machine too soon, it will pick up the existing computer account (and its SID) when creating the bond.
- Add the client computer back to the domain.
- Ensure the client machine's clock is synchronized with the domain controller's time; otherwise the trust relationship will have issues. The clock cannot be slow, and I don't think more than 5 minutes of skew is allowed.
- Search for the computer account in Active Directory and reset its password; the computer account password changes automatically on a set period (30 days by default).
- Never have duplicate machine names on the same network, and apply proper SID changes if the machine was cloned.
Fifth: Command Line Method
1) Find out which domain controller the client machine uses.
netdom query dc
2) Test the trust relationship of the machine using the PowerShell command:
Test-ComputerSecureChannel -Server <dc name> -Verbose
- If the command output returns False, proceed to step 3.
3) Repair the trust relationship of the client machine using the PowerShell command:
Test-ComputerSecureChannel -Server <dc name> -Repair -Verbose
- If the command returns the error message “Cannot find the computer account for the local computer from the domain controller”, go to Active Directory, create a new computer account for the client machine, and rerun the PowerShell command.
- If the repair succeeds, the command output shows “True”.
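The steps above, combined into one script as an added example (not part of the original post). It assumes it is run elevated on the affected client, that the caller passes the domain controller name found with netdom, and that a domain account allowed to reset the computer object is entered at the prompt; the clock-skew check and the Reset-ComputerMachinePassword fallback go beyond the steps listed above.

```powershell
# Added example, not from the original post: check clock skew, test the secure
# channel, and repair it, handling the "computer account not found" case.
param(
    [Parameter(Mandatory)][string]$DomainController,   # e.g. from 'netdom query dc'
    [int]$MaxSkewSeconds = 300                         # Kerberos default tolerance (5 min)
)

# 1. Clock skew: a skewed clock breaks Kerberos before the channel is even tested.
#    With /dataonly, w32tm prints one "time, +00.1234567s" line per sample.
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1 |
          Select-Object -Last 1
if ("$sample" -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt $MaxSkewSeconds) {
        Write-Warning "Clock is $skew s off from $DomainController; run 'w32tm /resync' first."
    }
}

# 2. Test the secure channel (step 2 above). $true means nothing needs repairing.
$ok = Test-ComputerSecureChannel -Server $DomainController -Verbose
if ($ok) {
    Write-Host "Secure channel with $DomainController is healthy."
    return
}

# 3. Repair (step 3 above). The repair resets the computer account password in AD,
#    so it needs a credential permitted to do that on the computer object.
$cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME's AD computer account"
try {
    $repaired = Test-ComputerSecureChannel -Server $DomainController -Repair `
                    -Credential $cred -Verbose -ErrorAction Stop
}
catch {
    # The error case from step 3: the computer object is missing in AD.
    if ($_.Exception.Message -like '*Cannot find the computer account*') {
        Write-Warning "No computer account for $env:COMPUTERNAME on $DomainController; create it in AD and rerun."
        return
    }
    throw
}

if ($repaired) {
    Write-Host "Secure channel repaired (True). Re-run Test-ComputerSecureChannel to confirm."
}
else {
    # Fallback beyond the post's steps: force a machine password reset against the same DC.
    Write-Warning "Repair returned False; trying Reset-ComputerMachinePassword."
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
}
```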