Windows Server Forums > Directory Services

Question: PC lost trust relationship with domain controller

  • Tuesday, January 08, 2008 10:37 AM, largewood

    Our network uses PCs with Windows XP, our servers run Server 2003, and our domain controller uses Active Directory 5.2.3790.1830.

    Periodically I encounter PCs that will not allow users to log in to our network.

    I encounter an error stating that 'Trust relationship has been lost with domain controller'.

    Could someone explain what this trust relationship is and, if possible, give reasons why a PC may lose this with the domain controller.

    Many thanks

    Largewood

All Replies

  • Tuesday, January 08, 2008 3:05 PM, Aaron Sankey -- Avanade

    When a PC boots up, it will attempt to log into the domain that it is a member of. The account is pretty much just like a user's account, only there are a number of automated things that happen -- users type in credentials, machines store them locally and present them to the domain.

    The secure link between the PC and the Directory can become broken for a large number of reasons, but the big ones all stem from a disruption in the presentation of credentials. If the PC presents the wrong password, the authentication can be denied. Unfortunately, there really isn't a warning screen that parallels what a user sees... The computer keeps booting, and then you will receive one of a collection of errors if a user tries to log into the domain with that computer. The solution for that problem (and some of the description of the problem) is located at this KB article:

    http://support.microsoft.com/kb/260575

    Another problem that can happen is that the machine can present the right password, but the wrong machine account. If the images that are being used are cloned without properly being SysPrepped, the scenario arises where two machines are presenting the same SIDs, while the passwords are out of synch... You can imagine that shenanigans immediately ensue. There is also a scenario where the install of an OS becomes damaged and data gets corrupted. These kinds of issues are a lot harder to troubleshoot.

    Something you could try to diagnose this is to turn on some more auditing. Start looking for logon failures associated with these machine account issues. They may contain a lot more information on what and why things are happening.

    Let me know what you find, and I hope this helps!

    Luck,
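As an added illustration of the auditing Aaron suggests (this is example code written for this page, not something from the thread or from Microsoft), the script below scans constructed security-log lines for failed logons by machine accounts (names ending in `$`), explains the failure code, and groups the failures by account. The one-line record layout, the helper names, and the sample log are all assumptions of this example; the event IDs (675/680 on Server 2003, 4771/4776 on later releases) and the status codes are the standard Windows ones.

```python
"""Flag machine-account authentication failures in security-log lines.

Added example, not from the thread. The line layout below is a constructed,
simplified rendering of Windows security audit events; real event text is
multi-line. Event IDs 675 (Kerberos pre-auth failed) and 680 (NTLM credential
validation) are the Server 2003 events; 4771 / 4776 are their later equivalents.
"""
import re
from collections import defaultdict

# Failure codes mapped to the machine-account problems discussed in the thread.
# NTLM events carry an NTSTATUS; Kerberos events carry an RFC 4120 error code.
# Keys are lowercase so lookups are case-insensitive.
NTLM_STATUS = {
    "0xc000006a": "wrong password (machine password out of sync with the domain)",
    "0xc0000064": "account does not exist (computer account deleted or renamed)",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}
KERBEROS_CODE = {
    "0x18": "pre-authentication failed (wrong machine password)",
    "0x6": "client principal unknown (computer account missing)",
    "0x12": "credentials revoked (account disabled or locked out)",
}
KERBEROS_EVENTS = {"675", "4771"}
NTLM_EVENTS = {"680", "4776"}

# Constructed record layout (assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Client=(?P<client>\S+) Code=(?P<code>0x[0-9A-Fa-f]+)$"
)

# Constructed sample log: two stale-password failures from one PC, one account
# failing from two different clients (cloned-image symptom), one user failure,
# one successful validation, and one vanished computer account.
SAMPLE_LOG = """\
2008-01-08 07:31:02 EventID=680 Account=WS-FIN-07$ Client=WS-FIN-07 Code=0xC000006A
2008-01-08 07:31:05 EventID=680 Account=WS-FIN-07$ Client=WS-FIN-07 Code=0xC000006A
2008-01-08 07:32:10 EventID=675 Account=WS-LAB-02$ Client=10.0.5.22 Code=0x18
2008-01-08 07:32:11 EventID=675 Account=WS-LAB-02$ Client=10.0.5.23 Code=0x18
2008-01-08 07:33:00 EventID=680 Account=jsmith Client=WS-FIN-07 Code=0xC000006A
2008-01-08 07:34:00 EventID=4776 Account=WS-HR-01$ Client=WS-HR-01 Code=0x0
2008-01-08 07:35:00 EventID=4771 Account=WS-OLD-09$ Client=10.0.5.40 Code=0x6
""".splitlines()


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def explain(event_id, code):
    """Map an event's code to a cause; None means success or an unrelated event."""
    code = code.lower()
    if int(code, 16) == 0:
        return None  # 0x0 is a successful validation
    if event_id in KERBEROS_EVENTS:
        return KERBEROS_CODE.get(code, "unrecognised Kerberos error %s" % code)
    if event_id in NTLM_EVENTS:
        return NTLM_STATUS.get(code, "unrecognised NTSTATUS %s" % code)
    return None


def analyze(lines):
    """Group machine-account failures by account: count, causes, client hosts."""
    findings = defaultdict(lambda: {"failures": 0, "causes": set(), "clients": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["acct"].endswith("$"):
            continue  # malformed line, or a user account rather than a machine
        cause = explain(ev["id"], ev["code"])
        if cause is None:
            continue
        entry = findings[ev["acct"]]
        entry["failures"] += 1
        entry["causes"].add(cause)
        entry["clients"].add(ev["client"])
    return dict(findings)


def cloned_suspects(findings):
    """Accounts failing from more than one client: the 'same identity, different
    password' symptom Aaron attributes to images cloned without Sysprep."""
    return sorted(acct for acct, f in findings.items() if len(f["clients"]) > 1)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for acct, f in sorted(result.items()):
        print(acct, f["failures"], sorted(f["causes"]), sorted(f["clients"]))
    print("possible clones:", cloned_suspects(result))
```

Run it against an export of the security log reshaped into this layout; the accounts that keep failing with a wrong-password status are the ones whose stored machine password no longer matches the domain, and an account seen from several client hosts deserves a SID check before anything else.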

     

  • Wednesday, January 09, 2008 4:40 AM, AruN.kr

    Removing and re-adding the client to the domain will resolve the issue on the client.

    Cause could be: the client machine account in the domain is incorrect, or the computer account password is mismatched in the domain.

  • Wednesday, January 09, 2008 9:03 AM, largewood

    Thanks for this, very helpful.

    I wonder if you know the answer to a couple of points related to this.

    Where is the password held on the client machine? Is it in the registry?

    Also, does the password change periodically, or once the client is added to the domain is it set permanently?

    Do all the PCs on the domain use the same password, or is it individual to the machine?

  • Wednesday, January 09, 2008 3:16 PM, Aaron Sankey -- Avanade

    Unfortunately, I don't know where the password is. I can tell you that it is not in the registry and, in the instance that is on the machine, it is in a hash.

    The password does change - I believe 30 days is the default - and it is not correlated with any of the other machine passwords in the domain.
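To put a number on the rotation Aaron describes (example code added here, not from the thread), the following converts the `pwdLastSet` attribute that Active Directory stores on each computer account from Windows FILETIME and lists the machine accounts whose password is older than the 30-day default. The account records are constructed sample data and the helper names are this example's own.

```python
"""Machine-account password age from Active Directory's pwdLastSet.

Added example, not from the thread. pwdLastSet is a Windows FILETIME: the
number of 100-nanosecond intervals since 1601-01-01 00:00 UTC. The 30-day
figure is the default Aaron quotes; the account list is constructed data,
not the result of a directory query.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # sanity-check value
DEFAULT_MAX_AGE_DAYS = 30


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME; integer division keeps large values exact."""
    microseconds = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return microseconds * 10


def password_age(pwd_last_set, now):
    """How long ago this account's password was last set, as a timedelta."""
    return now - filetime_to_datetime(pwd_last_set)


def stale_machine_accounts(accounts, now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Names of computer accounts (trailing '$') whose password is older than
    max_age_days. A pwdLastSet of 0 means the password was never set or must
    be changed, so it is reported as stale too."""
    limit = timedelta(days=max_age_days)
    stale = []
    for name, pwd_last_set in accounts:
        if not name.endswith("$"):
            continue  # user accounts are out of scope here
        if pwd_last_set == 0 or password_age(pwd_last_set, now) > limit:
            stale.append(name)
    return stale


# Constructed sample: the "current time" of the thread and four accounts.
NOW = datetime(2008, 1, 9, 15, 16, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("WS-FIN-07$", datetime_to_filetime(NOW - timedelta(days=45))),  # overdue
    ("WS-HR-01$", datetime_to_filetime(NOW - timedelta(days=3))),    # fresh
    ("WS-NEW-01$", 0),                                               # never set
    ("jsmith", datetime_to_filetime(NOW - timedelta(days=200))),     # a user
]

if __name__ == "__main__":
    for name, ft in SAMPLE_ACCOUNTS:
        when = "never" if ft == 0 else filetime_to_datetime(ft).isoformat()
        print(name, when)
    print("stale:", stale_machine_accounts(SAMPLE_ACCOUNTS, NOW))
```

An old `pwdLastSet` is a symptom rather than the fault itself: the client initiates the change, so a machine that has not spoken to the domain for months simply keeps its old value, and the trust only breaks when the password the client presents no longer matches the computer account in AD. Use the list to find PCs that have stopped talking to the domain, then check those machines' secure channel directly.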