I have two computers in the same domain that I use. Recently I changed the domain password on one of them.
When I tried to log in with the same account on the other machine I got:
The trust relationship between this workstation and the primary domain failed.
I knew that I could log in with that account and the old password if I just disabled the network connection. So I logged in with the network disabled and the old password, and it worked. If I try to refresh the trust by locking and unlocking, this time with the network enabled, I get the same:
The trust relationship between this workstation and the primary domain failed.
If I disable the network again I can log in with the old password. If I enable the network connection afterwards I am able to see the domain DNS, etc.
How can I establish the trust relationship from this situation without having access to the domain control server?
If your user has administrative rights, I would create a local user and log in with this user to reestablish the domain trust with valid domain credentials.
As long as the client has access to the DC for authentication, the easiest ways are:
Reset-ComputerMachinePassword (run cmdlet in PowerShell with admin rights)
netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
You will not be able to reestablish trust with the domain with the connection disabled.
You can, however, reset the computer password (trust password) on the Domain Controller if you can get access.
If you have no possible network access to the DC you are out of luck. If your network still has access do the below.
Open PowerShell as an administrator
Reconnect the network cable
Run
Test-ComputerSecureChannel -Credential Domain\Username -Repair
at the PowerShell command prompt.
Additional Note: The Domain\Username needs to have enough AD permissions to reset the computer account password.
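The check, repair and verify sequence from the answers above, as an added example that is not part of the original posts. It assumes an elevated Windows PowerShell 5.1 session with network access to a domain controller; the function name Repair-DomainTrust and the order of the fallback are choices of this example.

```powershell
#Requires -Version 5.1
# Added example, not from the original answers. Repair-DomainTrust is a
# hypothetical name chosen for this sketch.
function Repair-DomainTrust {
    [CmdletBinding()]
    param(
        # Domain account with AD permissions to reset this computer's password.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )
    # Resetting the machine account secret requires local administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "$($cs.Name) is not joined to a domain."
    }
    # Check first: a healthy secure channel needs no reset.
    if (Test-ComputerSecureChannel) {
        Write-Output "Secure channel to $($cs.Domain) is already healthy."
        return
    }
    Write-Output "Secure channel to $($cs.Domain) is broken; attempting repair."
    $repaired = $false
    try {
        # Returns $true when the channel was re-established.
        $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
    }
    if (-not $repaired) {
        # Fallback: the other cmdlet named in the answers.
        Reset-ComputerMachinePassword -Credential $Credential -ErrorAction Stop
    }
    # Verify rather than trusting the repair call's own result.
    if (-not (Test-ComputerSecureChannel)) {
        throw 'Secure channel is still broken; reset the computer account on the domain controller.'
    }
    Write-Output 'Secure channel verified.'
}

# Prompts for the Domain\Username credential, then runs the sequence.
Repair-DomainTrust -Credential (Get-Credential)
```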
The easiest way to fix this problem without PowerShell is:
This is how I have guys fix it who aren't familiar (or not trusted) with PowerShell. Basically it just tells the DC to delete the Computer account, then recreate it again.
This can happen for a few other reasons, but the common ones I've seen are another PC has been given the same name, or the computer hasn't been logged in to for quite a long time.