
I have two computers in the same domain that I use, recently I changed the domain password on one of them.

When I tried to login with the same account on the other machine I get:

The trust relationship between this workstation and the primary domain failed.

I knew that I can log in with that account and the old password if I just disable the network connection. So I logged in with the network disabled and the old password, and it worked. If I try to refresh the trust by locking and unlocking, this time with the network enabled, I get the same:

The trust relationship between this workstation and the primary domain failed. 

If I disable the network again I can log in with the old password. If I enable the network connection afterwards I am able to see the domain DNS, etc.

How do I re-establish the trust relationship in this situation without having access to the domain controller?

Eduard Florinescu

5 Answers

If your user has administrative rights, I would create a local user and log in with this user to re-establish the domain trust with valid domain credentials.

chewbakka

As long as the client has access to the DC for authentication, the easiest ways are:

  • Reset-ComputerMachinePassword (run the cmdlet in PowerShell with admin rights)
  • netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  • Remove the client from the domain and rejoin it.

colealtdelete

You will not be able to re-establish trust with the domain with the connection disabled.

You can, however, reset the computer password (trust password) on the Domain Controller if you can get access.


If you have no possible network access to the DC you are out of luck. If your network still has access, do the below.

Open PowerShell as an administrator.

Reconnect the network cable.

Run Test-ComputerSecureChannel -Credential Domain\Username -Repair at the PowerShell command prompt.

Additional note: the Domain\Username needs to have enough AD permissions to reset the computer account password.

Rhys
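The PowerShell route described in the two answers above, as an added example that is not from any of the answers: it checks the preconditions the answers mention (a local admin fallback, a reachable DC, a secure channel that is actually broken) before running the repair, then shows the recent NETLOGON events so you can confirm the result. The domain name CORP and the DC name dc01.corp.example are placeholders.

```powershell
# Added example (not from the answers above): guarded secure-channel repair.
# Placeholders: 'CORP' (NetBIOS domain) and 'dc01.corp.example' (a DC).
#Requires -RunAsAdministrator
param(
    [string]$Server = 'dc01.corp.example',   # placeholder domain controller
    [string]$Domain = 'CORP'                  # placeholder NetBIOS domain name
)

# 1. Refuse to continue without a local administrator account: if the repair
#    fails, cached domain credentials may be the only other way back in.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }
if (-not $localAdmins) {
    Write-Warning 'No local admin user exists; create one before repairing the trust.'
    return
}

# 2. The repair talks to the DC, so it cannot work with the network disabled.
if (-not (Test-NetConnection -ComputerName $Server -Port 389 -InformationLevel Quiet)) {
    Write-Warning "Cannot reach $Server on LDAP/389; reconnect the network first."
    return
}

# 3. Only touch the machine account password if the channel is really broken.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Output 'Secure channel is healthy; nothing to repair.'
    return
}

# 4. Repair with an account that may reset this computer's AD password
#    (same effect as Reset-ComputerMachinePassword or netdom resetpwd).
$cred = Get-Credential -Message "Account in $Domain allowed to reset this computer account"
$repaired = Test-ComputerSecureChannel -Server $Server -Credential $cred -Repair -Verbose

if ($repaired) {
    Write-Output 'Secure channel repaired; lock/unlock or log off to refresh the session.'
    # Recent NETLOGON events record the failed and restored trust for the audit trail.
    Get-WinEvent -LogName System -MaxEvents 200 |
        Where-Object { $_.ProviderName -eq 'NETLOGON' } |
        Select-Object -First 10 TimeCreated, Id, Message |
        Format-Table -Wrap
} else {
    Write-Warning 'Repair failed; fall back to netdom resetpwd or leave and rejoin the domain.'
}
```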

The easiest way to fix this problem without PowerShell is:

  • Pull/disable the network connection
  • Log in using cached domain credentials or a local account
    • Make sure you have local admin credentials that can be used to log in off the domain. Create them now if they do not exist. If you don't, you will be locked out once you leave the domain.
  • Plug the network connection back in
  • Go to the System screen and leave the domain (join a workgroup; the name doesn't matter). Reboot the PC.
  • Log in using a local account
  • Rejoin the domain, then reboot
  • Log in using domain credentials to ensure all is working

This is how I have guys fix it who aren't familiar (or not trusted) with PowerShell. Basically it just tells the DC to delete the computer account, then recreate it again.

This can happen for a few other reasons, but the common ones I've seen are another PC having been given the same name, or the computer not having been logged in to for quite a long time.

Lee Harrison