Wednesday, September 18, 2013

Failed trust relationship between workstation and primary domain

Hi,

This morning I restored a snapshot on my virtual machine which I took about six weeks ago. When I tried
to log on using my user account which is in the company domain, Windows confronted me with the following
login error:

"The trust relationship between this workstation and the primary domain failed".

Using the local administrator's account I was able to log on. So let's break down what actually happened
here.

The machine has a default setting in the registry which determines how often your machine will try to change its machine account password. This password is being used to secure a safe communication channel between the domain member and domain controller. In this channel information about authentication and authorization decisions are being transmitted, thus must be handled carefully.

So, what happened here is that after I took the snapshot, the machine account password was changed (this is done by the Netlogon service) and the new password had also been updated in the domain controller so everything was in synch. By restoring the snapshot, I got back the old password and this caused a mismatch between the domain member and the domain controller.

NOTE: This can be solved by removing the computer (or VM in this case) from the domain and then re-adding it.

Now, to prevent this from happening again, do the following:

1. Press Windows Logo Key + R
2. Type 'gpedit.msc' in the textbox and press Enter
3. Expand 'Computer Configuration' -> 'Windows Settings' -> 'Security Settings' -> 'Local Policies' -> 'Security Options'
4. Search for the policy called: 'Domain member: Disable machine account password changes'
5. Double-click it, change the setting to 'Enabled' and click 'OK'

This is obviously not the safest option to choose security-wise, however, in my case I'm dealing with a development machine so
I am cool with this.

Alternatively you can also choose to keep this option disabled and rather change the 'Domain member: Maximum machine account password age' and set it to a value of which you think is more suitable.

Hope this helps.

Later.

No comments:

Post a Comment