Repair broken Windows trust relationship between domain controller and client machine

By | November 28, 2013

Repair broken trust relationship between domain controller and client machine

The "trust" here is the secure channel between a domain member and its domain controller. Every domain-joined computer has a computer account in Active Directory with its own password; the client keeps a copy locally and uses it to authenticate to the domain controller, and in return accepts the security settings, policies and authentication mechanisms deployed by the domain controller. When the password the client holds no longer matches the one stored in Active Directory (for example after the machine was restored from a backup or snapshot taken before a scheduled password change), the secure channel cannot be established and domain logons on that machine fail with "The trust relationship between this workstation and the primary domain failed".

There are several conditions under which this bond between client and domain controller breaks. The methods below are the ones I use to fix it. I cannot claim they are a complete solution, but I would like to share the knowledge and effort.

First Method

  1. Disjoin the client machine with the broken trust from the domain (join it to a workgroup).
  2. Find the computer account in Active Directory Users and Computers and delete it. The deletion does not take effect everywhere at once: it has to replicate to every domain controller, so wait for replication before rejoining. If the machine is rejoined too soon, the join may find the old account on another domain controller and reuse it, with the same broken password, instead of creating a fresh one. Note that the recreated computer account gets a new SID, so any group memberships or permissions granted to the old account have to be added again.
  3. Join the client computer back to the domain and reboot.

Second Method

  1. Ensure the client machine's clock is synchronized with the domain controller; otherwise the trust relationship will have issues. Kerberos rejects authentication from a clock that differs from the domain controller's by more than the configured tolerance, which is 5 minutes by default, in either direction (fast or slow).

Third Method

  1. Find the computer account in Active Directory Users and Computers and reset it (right-click the account, Reset Account). The computer account password is normally changed automatically by the client on a schedule (every 30 days by default), and a client that was offline, restored from a backup or rolled back to a snapshot across that change is the usual reason the two sides disagree. Resetting the account in Active Directory only changes the domain controller's side, so the client must still be rejoined afterwards (or have its password reset from the client side, as in the command line method below) before the two sides match again.

Fourth Method

  1. Never have two machines with the same computer name in the same domain, and generalize cloned machines (sysprep) before joining them so that each clone gets a fresh SID and identity and joins as its own computer account. Two machines sharing one computer account keep invalidating each other's password, so one of them will always end up with a broken trust.

Fifth Command Line Method

1)      List the domain controllers of the domain and pick the one the client should be tested against.

        netdom query dc

2)      Test the secure channel of the machine with PowerShell, from an elevated prompt.

        Test-ComputerSecureChannel -Server <dc name> -Verbose

  • If the command returns False, proceed to step 3.

3)      Repair the secure channel of the client machine with PowerShell. This resets the computer account password on both the client and the domain controller.

        Test-ComputerSecureChannel -Server <dc name> -Repair -Verbose

  • If you are logged on with a local account rather than a domain account, supply a domain account that is allowed to reset the computer account password with -Credential (Get-Credential). That parameter exists from PowerShell 3.0 onwards; PowerShell 2.0 on Windows 7 does not have it.
  • If the command fails with the error “Cannot find the computer account for the local computer from the domain controller”, create a new computer account for the client machine in Active Directory and rerun the PowerShell command.
  • If the repair succeeded, the command returns True. Unlike the remove/rejoin method, no reboot is required.
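The command line method above, with the clock check from the second method folded in, as an added example that is not part of the original post: the script finds the domain controller this client is actually using with nltest, compares clocks with w32tm, tests the secure channel and, when asked, repairs it. It assumes PowerShell 3.0 or later (Test-ComputerSecureChannel and Reset-ComputerMachinePassword only accept -Credential from 3.0), an elevated prompt, and a domain account permitted to reset the computer account password; the function name Repair-DomainSecureChannel and its parameters are this example's own.

```powershell
# Added example (not from the original post): automate the command line method.
# Assumes PowerShell 3.0+, an elevated prompt and a domain account that may reset
# this computer's account password. Function and parameter names are this example's own.
function Repair-DomainSecureChannel {
    [CmdletBinding()]
    param(
        [switch]$Repair,                                   # only test unless set
        [int]$MaxSkewSeconds = 300,                        # Kerberos default clock tolerance
        [System.Management.Automation.PSCredential]$Credential
    )

    # 1. Which DC is this machine using? 'netdom query dc' lists every DC in the
    #    domain; 'nltest /dsgetdc:' reports the one the DC locator actually selected.
    $domain  = (Get-WmiObject Win32_ComputerSystem).Domain
    $locator = nltest "/dsgetdc:$domain" 2>&1
    $dcMatch = $locator | Select-String -Pattern '^\s*DC:\s+\\\\(\S+)' | Select-Object -First 1
    if (-not $dcMatch) { throw "nltest could not locate a domain controller for '$domain': $locator" }
    $dc = $dcMatch.Matches[0].Groups[1].Value
    Write-Verbose "Using domain controller $dc"

    # 2. Clock skew. w32tm prints one sample line such as '10:00:00, +00.0123456s'.
    #    Skew beyond the Kerberos tolerance breaks authentication before the secure
    #    channel is even tried, so it is fixed first.
    $chart  = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1
    $sample = $chart | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if ($sample) {
        $offset = [double]$sample.Matches[0].Groups[1].Value
        if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            Write-Warning ("Clock differs from {0} by {1:N1}s (limit {2}s); resyncing" -f $dc, $offset, $MaxSkewSeconds)
            w32tm /resync | Out-Null
        } else {
            Write-Verbose ("Clock offset from {0}: {1:N3}s" -f $dc, $offset)
        }
    } else {
        Write-Warning "Could not read the time offset from $dc; check the clocks manually"
    }

    # 3. Test the secure channel against that DC.
    $common = @{ Server = $dc; ErrorAction = 'Stop' }
    if ($Credential) { $common.Credential = $Credential }
    if (Test-ComputerSecureChannel @common) {
        Write-Verbose "Secure channel to $dc is healthy"
        return $true
    }
    if (-not $Repair) {
        Write-Warning "Secure channel to $dc is broken; rerun with -Repair"
        return $false
    }

    # 4. Repair: resets the computer account password on both the client and the DC.
    try {
        if (Test-ComputerSecureChannel -Repair @common) {
            Write-Verbose "Secure channel to $dc repaired; no reboot required"
            return $true
        }
        # Repair reported failure without throwing: reset the machine password directly.
        Reset-ComputerMachinePassword @common
        return (Test-ComputerSecureChannel @common)
    } catch {
        if ($_.Exception.Message -match 'Cannot find the computer account') {
            # The account is missing on this DC: create one for this computer name in
            # Active Directory (or wait for replication if it was just created) and rerun.
            Write-Warning "No computer account for $env:COMPUTERNAME on $dc; create it in AD and rerun"
        } else {
            Write-Warning "Repair failed: $($_.Exception.Message)"
        }
        return $false
    }
}

# Usage: test only, or repair with explicit credentials for a domain account.
# Repair-DomainSecureChannel -Verbose
# Repair-DomainSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\admin') -Verbose
```

On Windows 7 with PowerShell 2.0 neither cmdlet accepts -Credential, so run the function from a session that is already logged on with a suitable domain account (cached credentials still allow an interactive logon while the trust is broken), or fall back to netdom resetpwd /Server:<dc name> /UserD:<domain\user> /PasswordD:*, which takes the credentials on the command line and likewise needs no reboot.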


Melbin Mathew

I am Melbin Mathew, Systems Engineer from Kerala, India. I live with my parents, daughter and my wonderful wife. I graduated in 2004 with a bachelor’s degree in Electronics and Hardware from Mahatma Gandhi University, Kottayam and completed certification in MCITP, RHCE, CCNA, VCP ...
Category: Scripts Windows


  • Rainabba

    Was looking good and then I got the “Cannot find the computer account for the local computer..” error. I tried resetting the account, then deleting and creating a new one. Each time the error was the same and I had to delete account and remove/rejoin the machine from/to the domain which is the same approach I’ve been taking since the days of NT 4.0 for such problems.

  • ImL8

    Instead of the remove/rejoin, just run the network ID Wizard (button labeled ‘network ID’ in the system properties window under the Computer Name tab). Usually you will be prompted that there already is a computer with this name on the domain, and you do want to use that. I skip adding a network user to the computer. You do have to have credentials for an account that can join the domain. Reboot and you are done.

    • KERR

      Network ID Wizard is available on my Win7 PC but not on my Win2012R2 server.

    • fatboy1271

      You ROCK!!! This is so much better than the remove/rejoin method I’d been using…

      • Melbin Mathew

        thank you.

  • KERR

    Thanks, this was useful

    • Melbin Mathew

      thank you.

  • Kelly Bancroft

    How do you script this command to run on a Windows 7 workstation? Credentials for an account that has access to the domain controller need to be passed to the command, but Windows 7 has PowerShell 2, which does not support the “-Credential” parameter.