


How To Repair Domain Trust Relationship

Windows Server How-To

How To Fix Domain Trust Issues in Active Directory

Earlier this week I saw a situation in which someone with a small, single-domain controller network performed a restoration of their domain controller. This restoration effectively reverted the Active Directory to a previous version. In doing so, they accomplished basically the same thing that they would have if they had performed an authoritative restoration on a domain controller in a larger organization.

Although the restore operation succeeded, it had some unforeseen consequences. After the restoration, all of the other servers in the domain displayed an error message at log in. This error message stated that the trust relationship between the workstation and the primary domain failed. You can see the actual error message in Figure 1.

Figure 1. An administrative domain controller restoration can trigger this error on workstations and member servers.

The reason why this problem happens is because of a "password mismatch." Passwords are typically thought of as something that is assigned to a user account. However, in Active Directory environments each computer account also has an internal password. If the copy of the computer account password that is stored within the member server gets out of sync with the password copy that is stored on the domain controller, then the trust relationship will be broken as a result.

So how can you fix this error? Unfortunately, the simplest fix isn't always the best option. The easy fix is to blow away the computer account within the Active Directory Users and Computers console and then rejoin the computer to the domain. Doing so reestablishes the broken-trust relationship. This approach works really well for workstations, but it can do more harm than good if you try it on a member server.

The reason for this has to do with the way that some applications use the Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration information that is stored in the Active Directory.

The reason why I mention this particular example is that the Exchange Server configuration data is stored within the computer object for that server. So with that in mind, imagine that a trust relationship was accidentally broken and you decided to fix the problem by deleting the Exchange Server's computer account and rejoining the computer to the domain. By doing so, you would lose all of the configuration information for that server. Worse yet, there would still be orphaned references to the computer account scattered elsewhere in the Active Directory (you can see these references by using the ADSIEdit tool). In other words, getting rid of a computer account can cause some pretty serious problems for your applications.

A better approach is to simply reset the computer account. To do so, open the Active Directory Users and Computers console and select the Computers container. Right-click on the computer that you are having trouble with. Select the Reset Account command from the shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you are sure that you want to reset the computer account. Click Yes and the computer account will be reset.

Figure 2. You can reset the computer account through the Active Directory Users and Computers console.

In case you are wondering, computer accounts can also be reset through PowerShell (version 2 or higher). The cmdlet used for doing so is Reset-ComputerMachinePassword.
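As an added example (not code from the original article), the function below checks the secure channel first and calls Reset-ComputerMachinePassword only when the machine password is out of sync, then re-tests. It assumes Windows PowerShell 3.0 or later, an elevated session on the affected member server, and a reachable domain controller; the function name, its parameter names and `DC01` are hypothetical.

```powershell
#Requires -Version 3.0
# Added example (not from the original article). Run from an elevated Windows
# PowerShell session on the affected member server, logged on as a local admin.
function Repair-MachineTrust {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical parameter names; pass a reachable DC and a domain account
        # that is allowed to reset this computer's account password.
        [Parameter(Mandatory = $true)][string]$DomainController,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )

    # $true means the machine password stored locally still matches the copy
    # that the domain controller holds for this computer account.
    $before = $false
    try {
        $before = Test-ComputerSecureChannel -Server $DomainController -ErrorAction Stop
    } catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    }

    $after = $before
    if (-not $before -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset machine account password')) {
        # Sets a new machine password locally and on the DC in one step, so the
        # computer object (and anything stored under it) is left in place.
        Reset-ComputerMachinePassword -Server $DomainController `
            -Credential $Credential -ErrorAction Stop
        $after = Test-ComputerSecureChannel -Server $DomainController
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        HealthyBefore = $before
        HealthyAfter  = $after
    }
}

# Usage (placeholder DC name); add -WhatIf to preview without changing anything:
# Repair-MachineTrust -DomainController 'DC01' -Credential (Get-Credential)
```

Reset-ComputerMachinePassword runs on the affected computer itself, which is why the function is executed there rather than on the domain controller.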

In my experience, broken trust relationships probably aren't something that you will have to worry about on a day-to-day basis, but they can happen as a result of using backup software or imaging software to revert a server to a previous state. When this happens, the best course of action is to reset the computer account.


About the Author

Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance author, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in training to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight preparation on his Web site.


Source: https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

Posted by: millerwastfultaint.blogspot.com
