17 September 2010

The trust relationship between this workstation and the primary domain failed

One of the best things about virtual machines is being able to turn them off and park them until you need them again. This is usually done for lab testing or proof-of-concept work. The catch is the machine account. A domain member changes its own machine account password on a schedule (every 30 days by default), and the domain controller only honours the current and the previous password. Inactivity on its own does not break the trust; what breaks it is a mismatch between the machine account password the workstation holds and the one the domain holds, which happens when a VM is restored from a snapshot or image taken before the workstation last rotated its password, or when the computer account was reset or deleted in the meantime. So when you pull a VM out of mothballs for testing you can run into a few snags.

When you attempt to log in you get the following error message:

"The trust relationship between this workstation and the primary domain failed"

That is a pain, but fortunately all you have to do is remove the machine from the domain and add it again. No reboot is required in between: remove, apply, join, then restart once. Removing and rejoining creates a fresh machine account secret on both sides, which is why it works.

This does, however, require you to be logged into the machine, which can be done in one of two ways.

Using Cached Credentials
Disconnect the network
Log in with an account whose credentials were cached on this machine, using the password from back then.
Reconnect the network and do the domain remove and join.

This is awkward in the VM space if your hypervisor does not let you unplug the virtual network adapter while the machine is running. The point of the exercise is that the workstation must not be able to reach a domain controller when you log on, so that Winlogon falls back to the cached credentials instead of failing the secure-channel check; disconnecting the virtual NIC from the VM's settings achieves the same thing as pulling a cable.

Using the local administrator account
You can also elect to log in with the local admin password.

Now I normally build machines with a standard password, but I had a problem where both my cached credentials and my local admin gave me a

"The username or password is incorrect"

The only thing left to do was to attempt to reset the local admin password. This of course could not be done by the normal means, because nothing on the domain trusts the machine any more.

There are a few password reset tools available for Windows, but the one I ended up using was the Offline NT Password & Registry Editor. It is a small 4MB bootable ISO that works nicely within VM environments. It is recommended to clear (blank) the password rather than set a new one. Just follow the prompts and before you know it you can log in without a password; set a real password on that account straight away, because a blank local administrator password is a standing risk once the network is reconnected. What is also handy is that it lists all the local accounts and asks which password to change, so if you renamed the local administrator account and can't remember what you called it, this helps with that too. Bear in mind that anyone with access to the VM's disk or console can do exactly the same thing, so treat console access to a domain-joined VM as equivalent to local administrator rights.
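The whole procedure above, from "I can finally log on" to "the domain trusts the machine again", as an added example that is not part of the original post. It is meant to be run from an elevated PowerShell session once you are logged on locally by any of the routes described (cached domain credentials, the local administrator, or the local administrator after an offline password reset). It assumes PowerShell 3.0 or later, because the -Credential, -WorkgroupName and -Restart parameters it uses were added in that version, and it assumes a domain controller is reachable. The domain name is a placeholder. It tries the cheaper fix first, a machine account password reset, and only falls back to the remove-and-rejoin the post describes if that fails.

```powershell
# Added example (not from the original post). Run elevated, after logging on
# locally. Assumes PowerShell 3.0+ and a reachable domain controller.
# 'corp.example.com' is a placeholder; replace it with your domain's DNS name.

$Domain = 'corp.example.com'
$Creds  = Get-Credential -Message "Account that may reset or join computer objects in $Domain"

# 0. If you blanked the local Administrator password with the offline editor,
#    give it a real one again before anything else ('net user' prompts twice):
#    net user Administrator *

# 1. Confirm the machine still thinks it is domain-joined and that the secure
#    channel to the domain is what is broken.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Computer: $($cs.Name)  PartOfDomain: $($cs.PartOfDomain)  Domain: $($cs.Domain)"
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

if (-not $channelOk) {
    # 2. Cheapest fix first: reset the machine account password on both the
    #    workstation and the domain controller. This keeps the computer object,
    #    its SID and its group memberships, and needs no reboot.
    #    RSAT equivalent: netdom resetpwd /Server:<DC> /UserD:<user> /PasswordD:*
    $repaired = Test-ComputerSecureChannel -Repair -Credential $Creds
    "Repair succeeded: $repaired"

    if (-not $repaired) {
        # 3. Fall back to what the post describes: leave the domain for a
        #    workgroup, rejoin, and reboot once at the end. No reboot between
        #    the two steps.
        Remove-Computer -UnjoinDomainCredential $Creds -WorkgroupName 'WORKGROUP' -Force
        Add-Computer -DomainName $Domain -Credential $Creds -Force -Restart
    }
}
```

Step 2 is worth trying before the rejoin because it does not touch the computer object in Active Directory, so anything that depends on the object's SID (group memberships, delegation settings, GPO security filtering) survives; the rejoin in step 3 only becomes necessary if the computer account was deleted or the reset is refused.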


Matt said...

I know this is really old... but something you can try... set the network connection to disabled so it doesn't find the network link. Then log on with the last account used (like Administrator@domain.com). Usually it will keep the last set of credentials cached and will let you in as long as the network connection is disabled, so it forces it to try a cached copy over a live copy.

I use this trick when people have laptops they don't use forever and then they power them back up hoping they work.

Etienne Liebetrau said...

Thanks for the update Matt - I will give this a try next time I run into this.

Anonymous said...

You can prevent the error: "The trust relationship between this..." with a domain GPO.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age
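Those two policies land in the Netlogon service's registry parameters on each member. The following added example, which is not part of the comment above, reads the values they set so you can audit whether machine account password rotation has been switched off on a host. The registry path and value names are Microsoft's; treating a missing value as the documented default (rotation enabled, 30 days) is an assumption of this script. Note the trade-off before using the policy as a fix: with rotation disabled, a machine account secret that leaks from a parked VM image stays valid until someone resets the account, which is why Microsoft's guidance is to leave rotation on. The policy also does nothing for a machine whose trust is already broken; it only prevents future divergence.

```powershell
# Added example (not from the comment above). Reports the Netlogon settings
# that "Domain member: Disable machine account password changes" and
# "Domain member: Maximum machine account password age" write on a member.
# Assumption: a value that is absent from the registry means the default.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p   = Get-ItemProperty -Path $key

# DisablePasswordChange: 1 = password changes disabled (policy enabled)
# MaximumPasswordAge:    days between rotations, default 30
$disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
$maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }

$note = if ($disabled -ne 0) {
    'Machine password never rotates: a captured machine secret stays valid until the account is reset'
} elseif ($maxAge -gt 30) {
    "Rotation every $maxAge days, slower than the 30-day default"
} else {
    'Default rotation'
}

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    PasswordChangeDisabled = ($disabled -ne 0)
    MaxPasswordAgeDays     = $maxAge
    Note                   = $note
}
```

Run it through Invoke-Command against a list of hosts to get a table of which machines have had rotation disabled, and compare it against the GPO's intended scope; stray entries usually mean someone set the value by hand while fixing exactly this error.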


