Hello and welcome to a new article on fixing things that shouldn’t break at all!
This time, we’ll look at a very old problem that has arisen since the days of sysadmins as we know them: the problem where our member server or domain computer loses trust with the domain.
Yes, yes, the awful words that pop up on the login screen when you try to log into one of your servers on a very sunny and rather hot Monday after a nice and quiet weekend.
The trust relationship between this workstation and the primary domain failed.
Well, many of us will just log in with a local administrator account and simply join the machine to the domain. But there are other alternatives, including what to do if we do not remember the local administrator password and we only have a domain login. Fortunately, there is a way around this annoying problem.
First, we never need to rejoin a machine to the domain if we have this problem. Run the following command from an administrator command prompt or a PowerShell command prompt:
netdom resetpwd /Server:<DomainController> /UserD:<DOMAIN\Administrator> /PasswordD:*
Now, to analyze the command: we invoke the netdom command with the resetpwd (password reset) switch, provide the domain controller that we will authenticate with (the values in angle brackets are placeholders you replace), and pass the credentials of the domain administrator account; the asterisk after PasswordD makes netdom prompt for the password instead of leaving it in the command history. That's it. A little later I'll also explain why this problem occurs at all.
We can also use PowerShell to accomplish the same goal.
Reset-ComputerMachinePassword -Server <DomainController> -Credential (Get-Credential)
So easy! After these commands, we don’t even need to restart the computer!
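As an added example (not part of the original article), here is the same repair wrapped in a small PowerShell script that first checks whether the secure channel is actually broken, repairs it only in that case, and then verifies the result. The domain controller name is a placeholder you replace, and the final AD lookup assumes the RSAT ActiveDirectory module is installed; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Placeholder values are marked.
$DomainController = 'DC01.corp.example'   # placeholder: your domain controller
$Credential = Get-Credential -Message 'Domain account allowed to reset this computer account'

# 1. Is the trust really broken? $false means the local machine password no
#    longer matches the password stored on the computer account in AD.
$healthy = Test-ComputerSecureChannel -Server $DomainController -Verbose
Write-Host "Secure channel healthy before repair: $healthy"

if (-not $healthy) {
    # 2. Repair without rejoining the domain: this resets the machine account
    #    password, the same effect as 'netdom resetpwd'. No reboot is needed.
    Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential -Verbose

    # Equivalent alternative:
    # Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
}

# 3. Verify, and record when AD last saw this machine's password change and when
#    the account was created. A PasswordLastSet far in the past points to the
#    "machine was off for a long time" cause; a very recent creation date hints
#    that the computer account was deleted and recreated.
$healthy  = Test-ComputerSecureChannel -Server $DomainController
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Server $DomainController `
                -Properties PasswordLastSet, whenCreated
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    SecureChannelOK = $healthy
    PasswordLastSet = $computer.PasswordLastSet
    AccountCreated  = $computer.whenCreated
}
```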
Forgot your local admin password
What should we do if we do not remember the local administrator password?
Again, the solution is simple. We just unplug the network cable, then reboot the server or computer with the network cable disconnected and then log in using our domain account that we used to log in earlier.
Since the operating system will “see” that there is no network connection, it will use its cache to authenticate you, which means it won’t even try to query the domain controllers.
Once logged in, just plug the network cable back in and you can try the commands we talked about above.
Why does this error happen
Now I have promised to explain why this problem actually occurs. Well, since I promised, let’s go.
Each computer account when joining a domain initially has a password, a machine password that is used by the schannel (secure channel) to authenticate the machine to the domain.
This password also has an expiration date, just like your regular user account where you are asked to change the password; when it expires, the machine negotiates a new password with the domain and the new password is updated in both places (on the machine and on the computer account in AD).
So, if you ever get this error, one of two things has happened. Either the server or computer has been shut down for a very long time, the machine's password expired and the computer was not online to update it, so the domain no longer trusts this computer.
Or someone accidentally, or even you (yes, you), deleted the computer account in AD, recreated it, and did not run the commands we talked about earlier after recreating the computer account.
Well, that's enough from me. I hope you enjoyed this article and I look forward to seeing you back for the next one. Until then, rm -rf /! (No, don't try this.)