Every once in a while, I get a client PC that won't be able to log into the domain. This morning it was telling us that the trust relationship between the PC and the domain failed. I checked the event logs on the primary domain controller and I see this for 2 PCs (the one that had the problem and one that can log in today).
The session setup from the computer failed to authenticate. The name(s) of the account(s) referenced in the security database is . The following error occurred: Access is denied.
I know how to fix this, by rejoining the PC to the domain... But why does this happen and how can I prevent it so I don't have to keep rejoining PCs to the domain?
Computers joined to a domain manage their membership by use of a shared secret. Basically, all computers on the domain have their very own account password, just like all your user accounts.
The difference is that the computers maintain this themselves, without any involvement from you and without you ever seeing what that password is. The machine periodically goes through a password change where a new password is generated and updated on both the computer and the AD computer account object.
What you're seeing is a situation where the password stored on the domain and the password the computer believes is valid are not the same. This could happen for a multitude of reasons but the most common ones are:
So to fix it, watch for issues similar to the above. Any cases where either the domain or the workstation could be ending up with a stale or corrupted account password will bring you this issue.
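The following PowerShell is an added example, not part of the answer above or of any Microsoft documentation. It shows how to check, from the workstation side, whether the secure channel built on that shared machine-account secret still validates, how to see when each side last rotated the password, how to find the Netlogon failure from the question on the domain controller, and how to reset the password in place rather than leaving and rejoining the domain. It assumes it is run as a local administrator on the affected workstation, that the ActiveDirectory RSAT module is available for the AD-side query, and that `DC01.example.local` is a placeholder for your domain controller.

```powershell
# Added example (not from the original post): diagnose and, if required, repair
# a broken machine-account secure channel without a domain leave/rejoin.
# Assumptions: run elevated on the affected workstation; ActiveDirectory module
# present for the Get-ADComputer call. The DC name below is a placeholder.

$DomainController = 'DC01.example.local'   # placeholder, replace with a real DC
$Computer         = $env:COMPUTERNAME

# 1. Does the workstation's secure channel to the domain still validate?
$channelOk = Test-ComputerSecureChannel -Server $DomainController -Verbose
Write-Host "Secure channel valid   : $channelOk"

# 2. Workstation-side password rotation settings (Netlogon service parameters).
#    DisablePasswordChange = 1 means the machine never rotates its password;
#    MaximumPasswordAge is the rotation interval in days (default 30).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon
Write-Host "DisablePasswordChange  : $($params.DisablePasswordChange)"
Write-Host "MaximumPasswordAge     : $($params.MaximumPasswordAge)"

# 3. Domain-side view of the same account: when AD last saw a password set.
#    A PasswordLastSet newer than the workstation's last known change (or far
#    older than MaximumPasswordAge) is the mismatch the answer describes.
$adComputer = Get-ADComputer -Identity $Computer -Server $DomainController `
                             -Properties PasswordLastSet
Write-Host "AD PasswordLastSet     : $($adComputer.PasswordLastSet)"

# 4. Pull the Netlogon "session setup ... failed to authenticate" events for this
#    host from the DC's System log for the last 7 days. Filtering on message
#    text avoids hard-coding an event ID.
$failures = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Message -like '*session setup from the computer*failed to authenticate*' -and
    $_.Message -like "*$Computer*"
}
$failures | Select-Object TimeCreated, Id, Message | Format-List

# 5. Repair in place. This generates a new machine-account password and writes
#    it to both the workstation and the AD computer object, which is the part
#    of a rejoin that actually fixes the trust, without recreating the object.
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Domain account permitted to reset this computer account'
    Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred
    # Equivalent alternative:
    # Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
}
```

Run steps 1 to 4 first on a machine that still works to get a baseline; a fleet where `DisablePasswordChange` is set, or where `PasswordLastSet` on the AD object is much newer than the workstation has any reason to expect, points at the stale-password situation the answer describes before it turns into a failed logon. Step 5 only runs when the channel check fails, and it leaves group memberships and the computer object's SID untouched, unlike a full leave and rejoin.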