
Users on workstations or email users using OWA can't change passwords. Passwords can be set using Active Directory Users & Computers.

Win2008 R1 32bit domain controller. Win7 Pro desktops. Various Exchange users accessing OWA through variety of browsers.

Desktop users get a "This computer doesn't have a trust relationship with the domain". I go through the recommended process of removing the desktop from the domain and then re-adding it, but the problem still exists.

OWA users get "Your password couldn't be changed. Make sure the old password you typed is correct and that the new password meets the minimum security requirements."

The same password can be set from Active Directory Users & Computers, so it's not a password complexity issue.

Nothing is showing up in the security event log when looking for Event IDs 4723, 4724, 4738 for these failures. Audit Account Management is enabled for success and failure in the Default Domain Policy.

This has been a nuisance for a few months (it's a small domain), but now it's becoming more of an issue.

Any suggestions where to look?

Pete
    You're running a domain controller that's out of support, your client machines are losing their trust relationship with the domain, and you're having password reset issues. Your domain's a mess. Fix that root problem, and your issues will be resolved. Keep running around trying to fix one small symptom of the root problem at a time, and you'll be playing whack-a-mole forever. – HopelessN00b Oct 14 '16 at 14:49

2 Answers


"This computer doesn't have a trust relationship with the domain". You're losing your trust relationship with the domain controller.

The best way to resolve this issue is to remove the computer from the domain, delete the AD object and re-join the computer to the domain to create the relationship again.

Possible causes: Your computer is running on a different time (make sure to synchronize the time with your NTP server or primary domain controller). If your domain controller is a virtual server, make sure to turn off the option to synchronize the server with the host time.

Your computer or any third-party software is putting the computer into sleep mode, or the NIC is disconnected or inactive. (Make sure to uncheck the option "Allow the computer to turn off the device to save power" in the NIC Power Management options.)

HEMAN85
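The checks above (secure channel, clock skew against the DC, NIC power management) and the 4723/4724/4738 lookup from the question can be scripted so the workstation tells you which one is failing before you rip it out of the domain. The script below is an added example, not code from the question or from either answer. It assumes an elevated PowerShell session on the affected domain-joined Win7 workstation, that `$env:LOGONSERVER` names a reachable DC (the `$DomainController` parameter is a hypothetical default, override it as needed), and that the account running it has remote WMI and Security-log read rights on that DC.

```powershell
<#
  Added diagnostic for "trust relationship" / password-change failures.
  Not part of the original question or answers; parameter names are this example's own.
  Run elevated on the affected workstation. Event IDs 4723/4724/4738 are written on the
  DC that processes the password change, so the log query targets the DC, not the client.
#>
param(
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),  # assumed: DC that authenticated this logon
    [int]$MaxSkewSeconds = 300,                                    # Kerberos default clock tolerance (5 min)
    [int]$LookbackDays = 7,
    [switch]$Repair                                                # re-establish the secure channel instead of only testing it
)

# 1. Secure channel: this is the "trust relationship" the error message refers to.
#    Test-ComputerSecureChannel ships with PowerShell 2.0, so it is available on Win7.
$channelOk = Test-ComputerSecureChannel -Verbose
if (-not $channelOk -and $Repair) {
    # -Repair resets the machine account password on both sides; needs domain-admin credentials.
    $channelOk = Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
}
"Secure channel to domain healthy: $channelOk"

# 2. Clock skew against the DC. Kerberos rejects tickets once skew exceeds the tolerance,
#    and a virtual DC that syncs time from its host is a common cause.
try {
    $dcOs  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController -ErrorAction Stop
    $dcNow = [System.Management.ManagementDateTimeConverter]::ToDateTime($dcOs.LocalDateTime)
    $skew  = [math]::Abs(((Get-Date) - $dcNow).TotalSeconds)
    "Clock skew vs {0}: {1:N1}s (limit {2}s)" -f $DomainController, $skew, $MaxSkewSeconds
    if ($skew -gt $MaxSkewSeconds) {
        Write-Warning "Skew exceeds Kerberos tolerance. Run 'w32tm /resync' and check the VM host time-sync setting on the DC."
    }
} catch {
    Write-Warning "Could not read the DC clock over WMI: $($_.Exception.Message)"
}

# 3. NIC power management. MSPower_DeviceEnable.Enable = True means Windows may power the
#    adapter off, which is the checkbox the answer says to clear.
$nics = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.PhysicalAdapter -and $_.NetEnabled }
$pm   = Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceEnable
foreach ($nic in $nics) {
    # InstanceName is the PnP device ID with an "_0" suffix, so match on prefix.
    $entry = $pm | Where-Object { $_.InstanceName -like "$($nic.PNPDeviceID)*" }
    if ($entry -and $entry.Enable) {
        Write-Warning "'$($nic.Name)' allows Windows to turn it off to save power; clear that option in Device Manager."
    } else {
        "'$($nic.Name)': power management off (OK)"
    }
}

# 4. Password-change audit events on the DC. If none appear for a failed OWA or workstation
#    change, the request never reached the DC's password evaluation: look at the secure
#    channel and Kerberos path first, not at password policy.
$since = (Get-Date).AddDays(-$LookbackDays)
try {
    $events = Get-WinEvent -ComputerName $DomainController -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4723, 4724, 4738
        StartTime = $since
    }
    "Found $($events.Count) account-management events on $DomainController since $since"
    $events | Select-Object -First 10 TimeCreated, Id, Message | Format-List
} catch {
    Write-Warning "No 4723/4724/4738 events on $DomainController since $since, or access denied: $($_.Exception.Message)"
}
```

Two caveats for step 4. On Server 2008 the Default Domain Controllers Policy, not the Default Domain Policy, governs what the DCs audit, and if "Force audit policy subcategory settings" is enabled the legacy "Audit account management" category is ignored; confirm on the DC itself with `auditpol /get /subcategory:"User Account Management"`. And 4723 is logged for a user changing their own password while 4724 is logged for an administrative reset, so a reset from Active Directory Users & Computers that appears as 4724 while the OWA attempt produces nothing is the pattern that points at the client-to-DC path rather than at password complexity.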

I have had this pop up a few times over the years. Removing it from the domain, deleting the object from the Computer OU in Active Directory and adding it back has always worked.

Also, try resetting the computer account within Active Directory.

FACTORY909