Hello Readers, today we are going to learn how to Fix trust relationship issue between the workstation and the domain. But before jumping into the solution, we need to learn the concept of Secure channel.
What is a Secure Channel ?
Before understanding the trust relationship issue, you will need to know what is a Secure channel.
- Whenever you add a computer or client machine to an Active Directory domain, your computer account gets created in Active Directory.
- Secure Channel helps to make the communication between the client machine and DC (Domain Controller), Example : Replicating Group Policies.
- Always remember in a Secure channel the computer authentication takes place and not the User Authentication
- So for this Authentication Password is required. Once computer is joined to the domain a password for authentication is proposed to the Active Directory
- By Default, Computer account password change is initiated by the client computer in every 30 days. This can be modified in Group Policy settings.
- NETLOGON Service is responsible for establishing the secure channel.
Why Trust Relationship issues occurs ?
Trust relationship issue occurs when the secure channel is not getting established between the Client computer and the Domain Controller. This can happen if the last recorded password in Active Directory doesn't match with the Local client computer password.
By default there is no way to know what is the password. Only thing in your hand is to reset or re-establish the secure channel.
Examples when this can occur :
1. You have reset your computer recently
2. You are trying to build new server from an OS Image which was joined to a domain previously
3. Rebuilding VM Files (.avhdx)
4. NetLogon service is not working properly
Ways to Fix Trust Relationship issue without doing reboot ?
Usually the below step also fixes this issue but only disadvantage is it requires system reboot.
Computer Properties > Add the computer to Workgroup > Reboot the system > and then Join the the computer back to the domain.
So the question arises how to fix this issue without doing System Reboot?
Step 1 ) Using Reset-ComputerMachinePassword
Reset-ComputerMachinePassword -Server "DC01" -Credential "<DomainAdminCreds>"
This command will only work on PowerShell 4.0 and 5.0
Step 2 ) Using Test-ComputerSecureChannel
Test-ComputerSecureChannel -Repair -Credential "<DomainAdminCreds>"
- Login to Domain Controller
- Open Active Directory Users and Computers (dsa.msc)
- Search for the ComputerName and then Right click on it and then Reset.
Post a Comment