Windows Server Domain Controller Out of Sync Unable to Verify Workstations Again Domain
Windows Server How-To
How To Fix Domain Trust Issues in Active Directory
Earlier this week I saw a situation in which someone with a small, single-domain controller network performed a restoration of their domain controller. This restoration effectively reverted the Active Directory to a previous version. In doing so, they accomplished basically the same thing that they would have if they had performed an administrative restoration on a domain controller in a larger organization.
Although the restore operation succeeded, it had some unforeseen consequences. After the restoration, all of the other servers in the domain displayed an error message at log in. This error message stated that the trust relationship between the workstation and the primary domain failed. You can see the actual error message in Figure 1.
The reason why this problem happens is because of a "password mismatch." Passwords are typically thought of as something that is assigned to a user account. However, in Active Directory environments each computer account also has an internal password. If the copy of the computer account password that is stored within the member server gets out of sync with the password copy that is stored on the domain controller, then the trust relationship will be broken as a result.
So how can you fix this error? Unfortunately, the simplest fix isn't always the best option. The easy fix is to blow away the computer account within the Active Directory Users and Computers console and then rejoin the computer to the domain. Doing so reestablishes the broken trust relationship. This approach works really well for workstations, but it can do more harm than good if you try it on a member server.
The reason for this has to do with the way that some applications use the Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration data that is stored in the Active Directory.
The reason why I mention this particular example is that the Exchange Server configuration data is stored within the computer object for that server. So with that in mind, imagine that a trust relationship was accidentally broken and you decided to fix the problem by deleting the Exchange Server's computer account and rejoining the computer to the domain. By doing so, you would lose all of the configuration data for that server. Worse yet, there would still be orphaned references to the computer account scattered elsewhere in the Active Directory (you can see these references by using the ADSIEdit tool). In other words, getting rid of a computer account can cause some pretty serious problems for your applications.
A better approach is to simply reset the computer account. To do so, open the Active Directory Users and Computers console and select the Computers container. Right click on the computer that you are having trouble with. Select the Reset Account command from the shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you are sure that you want to reset the computer account. Click Yes and the computer account will be reset.
In case you are wondering, computer accounts can also be reset through PowerShell (version 2 or higher). The cmdlet used for doing so is Reset-ComputerMachinePassword.
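
Added example (not from the original article): a script to run in an elevated PowerShell session on the affected member server that checks the secure channel with Test-ComputerSecureChannel and calls Reset-ComputerMachinePassword only if the channel is broken, leaving the computer object in place. The domain controller name DC01 and the function name Repair-MachineTrust are placeholders, and the -Credential parameter assumes PowerShell 3.0 or later.

```powershell
# Added example: run elevated on the member server that reports the broken trust.
# 'DC01' is a placeholder domain controller name, not taken from the article.
param(
    [string]$DomainController = 'DC01'
)

function Repair-MachineTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Server,
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # Returns $true when the locally stored computer account password
    # still matches the copy held by the domain.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Host "Secure channel to $Server is healthy; nothing to reset."
        return $true
    }

    Write-Warning "Secure channel is broken; resetting the machine account password."
    try {
        # Sets a new computer account password locally and on the domain
        # controller without deleting the computer object, so data stored
        # in that object (the Exchange Server case above) is untouched.
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop
    }
    catch {
        Write-Warning "Reset failed: $($_.Exception.Message)"
        return $false
    }

    # Confirm that both password copies agree again.
    return (Test-ComputerSecureChannel -Server $Server)
}

# Prompt for a domain account that is allowed to reset this computer account.
$cred = Get-Credential
if (Repair-MachineTrust -Server $DomainController -Credential $cred) {
    Write-Host "Trust relationship verified."
}
else {
    Write-Warning "Trust is still broken; reset the account from Active Directory Users and Computers."
}
```
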
In my experience, broken trust relationships probably aren't something that you will have to worry about on a day-to-day basis, but they can happen as a result of using backup software or imaging software to revert a server to a previous state. When this happens, the best course of action is to reset the computer account.
About the Author
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
Source: https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx