I am on a network where communication is done through static IPs.

On a fairly regular basis I need to swap machines, that is to say unplug a machine, let's say 10.50.5.1, and plug in a new machine in its place, with the same static 10.50.5.1 IP.

This machine that I have just plugged into the network will not have a trust relationship established. Is there a quick way to re-establish the trust relationship?

EDIT:

Clarification: both machines are set up with the same IPs and domain information, so only one of them can be on the domain at any given time. I'm just switching which one is plugged into the network. But they both always think that they're members of the domain.

So I'm not changing anything in "System Properties" > "Computer Name" > "Computer Name/Domain Changes". How then can I re-establish the trust relationship with the newly added computer?

Jonathan Mee
    Your question makes no sense. What does the IP address have to do with the Domain trust relationship between the domain member and the domain? – joeqwerty Mar 18 '16 at 15:19
  • @JonathanMee how long has the 2nd machine that you have the issue on been off the network before you plug it back in? As Massimo and Joe say, the IP has nothing to do with domain trust. – Sam Cogan Mar 18 '16 at 15:24
  • @Sam Neither machine will be on the network much longer than a week before I switch them out. I mention IP only to say that I can't solve this by leaving them both on the domain. – Jonathan Mee Mar 18 '16 at 15:26
  • @JonathanMee Do both machines have the same name? – Sam Cogan Mar 18 '16 at 15:27
  • @Sam Yes, they do, but obviously different MAC addresses, violating the trust relationship. – Jonathan Mee Mar 18 '16 at 15:27
  • @joeqwerty I'm sorry for my terrible wording. The IP addresses and domain configurations of both machines are identical, so I can't have them both on the network at once. I simply swap out which one the LAN line is connected to, but I run into the issue of the trust relationship being violated when I do that. – Jonathan Mee Mar 18 '16 at 15:30
  • `obviously different mac addresses, violating the trust relationship` - The Trust has nothing to do with the MAC address either. – joeqwerty Mar 18 '16 at 15:34
  • Maybe you could explain the purpose of this operation. Why are you swapping them out? Why do they both have the same computer name? – joeqwerty Mar 18 '16 at 15:35
  • @joeqwerty Good call. I'm trying to set up a lab, and I'm trying out two different configurations. The computers' network identities must be identical for the purposes of deploying builds and sharing files and messaging, but when I switch the computers it breaks the trust relationship, so I can't do exactly what I'm trying to do :( – Jonathan Mee Mar 18 '16 at 15:38
  • What led you to believe this would work in your lab? Do you have an admin to help you with this? – Jim B Mar 18 '16 at 15:49
  • @JimB Ahem... my admin may have told me this would be something very easy for me to accomplish, and then left for another country for a month. Suffice to say, I've gained a new disrespect for his job since then. – Jonathan Mee Mar 18 '16 at 16:49

3 Answers

5

This... doesn't really make any sense. IP addressing has nothing at all to do with domain membership.

If you are replacing a machine with a new one, the new one will not automatically be a domain member just because it has the same IP address (or name) of the old one; you'll need to join it to the domain, using the standard procedure (change the domain membership in the System properties, or use a command line tool like netdom).

And no, you are not "re-establishing the trust relationship". You are joining a new machine to the domain.

Massimo
  • So you're saying that I should do something in "System Properties" > "Computer Name" > "Computer Name/Domain Changes"? The problem is that the machines I'm swapping out are both *already configured* to be on that domain. What do I do to tell it to re-establish the trust relationship? – Jonathan Mee Mar 18 '16 at 15:20
  • You can't have two machines with the same name joined to the same domain. As soon as you join one of them to the domain, it will overwrite the computer account of the other one in Active Directory, effectively rendering it unable to be part of the domain anymore. – Massimo Mar 18 '16 at 16:52
  • If (for whatever reason) you actually need both computers to have the same name, then you'll have to re-join each machine to the domain when you put it on the network to replace the other one. – Massimo Mar 18 '16 at 16:53
  • I think you just stated the crux of my problem. But if one machine replaces the other in the Active Directory, shouldn't the same thing happen when the first machine returns? Or are you just implying that each time my Active Directory is updated I'll have to restart all the machines in the domain to notify them? – Jonathan Mee Mar 18 '16 at 16:56
  • The process is not automatic; if machine A is a domain member, Active Directory only accepts connections from machine A; if instead machine B tries to log in, Active Directory presumes (correctly) its trust relationship is invalid and rejects it; you can fix this by re-joining machine B, but then the opposite will happen when machine A comes back on the network and tries to access Active Directory, which by then will be expecting machine B and so will reject machine A. – Massimo Mar 18 '16 at 17:52
  • TL;DR: **you can't have two machines with the same name in the same domain**, they will conflict with each other; each time you join one machine to the domain, the other one will cease to work. – Massimo Mar 18 '16 at 17:53
2

The issue you are having has nothing to do with the IP; it is because you have 2 machines with the same name. You can only have one AD computer object for a machine name, and this computer object has a password. This password is negotiated between the DC and the computer when you join it to the domain; it's not something you enter, it's configured by the domain.

When you swap out the machine for another with the same name, you get this issue. This new machine does not know the password that has been negotiated, and the DC won't trust it.

There are a couple of ways to resolve it. One way is to remove the machine from the domain and re-join it; this will recreate the trust. Another is to run one of the following commands:

PowerShell

```powershell
Reset-ComputerMachinePassword -Server <Name of any domain controller> -Credential <domain admin account>
```

Command Line

```bat
NETDOM RESETPWD /Server:<name of any domain controller> /UserD:<domain admin account> /PasswordD:*
```

Either method requires you to be able to log on with a local admin account (or cached credentials).

This issue is going to occur every time you do this, so I would advise you to avoid having 2 machines with the same name. If you need to swap them around, give them different machine names and set up a CNAME to point to the appropriate live server.


Edit for more info

Let's say the old working machine is machine A, and the new one machine B. Machine A and the domain negotiated a password when you joined it to the domain; this has nothing to do with any of your passwords, you have no involvement. Both machine A and the domain know this password, and whenever machine A communicates with the domain it passes this and authenticates. All is well.

When you disconnect machine A and join machine B, machine B tries to talk to the domain, but it has no idea what password machine A and the domain agreed on, so it fails and there is no trust. The only way to get them to trust again is to get them to negotiate a new password, but you have to force this using one of the commands I mentioned, or by removing and rejoining the domain. All of these require the user to have the rights to add domain computers; it would be no good if you could just restart the machine and it worked, else anyone could add a rogue machine to the domain and get access to the network. The commands I mentioned only need to be run on the machine that has the issue; it basically says to the domain that it needs to recreate the password with this machine, and here are my credentials to prove it is OK.

However, as I mentioned this will happen every time you swap machines. This is not a good idea as a permanent solution.

Sam Cogan
  • So if I understand you correctly the Active Directory object on a machine has a domain password encoded into it (this password is not my logon password?) So when I swap the computers, the new computer's Active Directory object doesn't have the encoded password, and therefore will not be trusted by the Domain Controller. Your suggestion then is to reset the Active Directory object... on the machine in question, or all the machines in the domain? Wouldn't just restarting the machine recreate the Active Directory object? – Jonathan Mee Mar 18 '16 at 17:09
  • @JonathanMee see my edit – Sam Cogan Mar 18 '16 at 20:41
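As an added illustration (not part of Sam's answer or of any Microsoft documentation), a PowerShell script that first checks whether the machine's secure channel to the domain is actually broken and only then renegotiates the machine account password with the same cmdlet the answer names. `DC01` and the prompted credential are placeholders; run it elevated on the swapped-in machine while logged on with a local admin account or cached credentials.

```powershell
# Added example: verify the secure channel before resetting the machine
# account password. Assumptions (placeholders): 'DC01' is a reachable domain
# controller; the supplied account may reset computer account passwords.
param(
    [string]$DomainController = 'DC01',
    [switch]$CheckOnly
)

# Test-ComputerSecureChannel returns $true only when the password this machine
# holds still matches the one stored on its computer object in AD. On a swapped
# machine with the same name it returns $false: the DC expects the other
# machine's password.
$healthy = Test-ComputerSecureChannel -Server $DomainController -Verbose

if ($healthy) {
    Write-Host "Secure channel to $DomainController is intact; no reset needed."
    return
}

Write-Warning "Secure channel to $DomainController is broken (machine account password mismatch)."

if ($CheckOnly) { return }

# Prompt for an account that is allowed to reset the computer account password.
$cred = Get-Credential -Message 'Account permitted to reset this machine account password'

# Equivalent to NETDOM RESETPWD from the answer: a new password is negotiated
# between this machine and the DC and written to the computer object. Note
# that the *other* machine carrying the same name will now be the one that
# fails, exactly as Massimo describes.
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

# Re-test so the result is visible in the session (and in any transcript log).
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host 'Secure channel repaired.'
} else {
    Write-Error 'Secure channel still broken after reset; check DC connectivity and the account used.'
}
```

Each reset also updates the computer object's password-last-set timestamp in AD, so repeated swaps of same-named machines leave a visible trail an administrator can review on the computer object.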
0

Let me start by saying everything Massimo and Sam have said is correct.

The actual "answer" for your problem is that you need to have two different computer names.

Have you thought about building two VMs using virtualization software (e.g. VirtualBox) and configuring the network adapters as NAT, so both VMs would appear to the network to be using your host's static IP address?

Again, please keep in mind the IP address has nothing to do with the trust violation. Having two computers with the same name joined to the same domain does.

Don't do that. A non-administrative user by default is able to join several computers to the domain (the specific number of computers a non-administrative user can join depends on how the domain administrator has configured Active Directory).

So if you are "trying out two different configurations" then create a different VM for each configuration you need to try. You will need to give them different machine names, but realistically speaking there is no reason that using different machine names would keep you from testing. If you need to test how group policy applies to different configurations then simply give each VM its own machine name and place them in their own OU in AD and then link the GPO to that OU.

Bottom line is you can't have two machines with the same name joined to the same domain. I strongly encourage you to look at using virtualization software to test build environments.

user5870571