Enforce password history policy change affected the systems in domain

    Question

  • After changing the settings for Enforce password history on the Default Domain Policy GPO from Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, the servers and desktops started getting the "Trust relationship between workstation and primary domain failed" error. And the suggested options were tried to fix this problem but in vain: 1. Reset computer account from AD Users and Computers & 2. Rejoin the systems to domain.

    These options worked for 2 days, and the same computers started throwing the same error from the 3rd day onwards. It is also observed that Group Policy is not getting updated on the affected systems in the domain, and this has led to a major work stoppage for most of our projects.

    I would like to request the experts to please help me figure this one out!

    Please refer to the error event logs below from an affected system:

    Log 1:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC$. The target name used was DNS/DC.COMPANY.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (COMPANY.COM) is different from the client domain (COMPANY.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    Log 2:

    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful. 

    Tuesday, December 08, 2015 4:36 PM

Answers

  • > After changing the settings for *Enforce password history* on the
    > Default Domain Policy GPO from Computer Configuration\Windows
    > Settings\Security Settings\Account Policies\Password Policy, the servers
    > and desktops started getting the "*Trust relationship between
    > workstation and primary domain failed*" error.
     
    To my knowledge, this is not related. It might be suspicious due to
    happening shortly after, but it is not related.
     
    > by the server. This error can also happen if the target service account
    > password is different than what is configured on the Kerberos Key
    > Distribution Center for that target service.
     
    Possibly, the krbtgt account password on your DCs is out of sync for
    whatever reason... Re-sync and it should be ok again. To do so:
     
    Disable the KDC service on affected DCs, then reboot it. After that,
    re-enable the KDC service.
     
    Ah - what's dcdiag telling about replication issues?
     
    > The processing of Group Policy failed. Windows attempted to retrieve
    > new Group Policy settings for this user or computer.
     
    This is a follower of the above.
     
    • Marked as answer by CVSRINIVAS Wednesday, December 09, 2015 11:13 AM
    Tuesday, December 08, 2015 4:49 PM
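The check-then-resync procedure from the answer above, written out as an added PowerShell example (not the answerer's own script). The domain and DC names are placeholders, and it assumes a Domain Admin session with the AD RSAT tools and PowerShell remoting to the DCs.

```powershell
# Added example, not from the thread. Placeholders: replace with your own values.
$domain      = 'COMPANY.COM'
$affectedDCs = @('DC')

# Step 1 (run on an affected member): confirm the secure channel really is
# broken and pull the Kerberos events quoted in the question, before touching a DC.
function Test-MemberKerberosHealth {
    $channelOk = Test-ComputerSecureChannel
    if ($channelOk) { return 'secure channel OK' }
    Get-WinEvent -FilterHashtable @{ LogName = 'System' } -MaxEvents 500 |
        Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' } |
        Select-Object TimeCreated, Id, ProviderName |
        Format-Table -AutoSize
    return 'secure channel BROKEN'
}

# Step 2 (run from the admin workstation): the answer's question about
# replication comes first, because a KDC bounce will not fix a DC that
# cannot replicate the krbtgt/computer account changes.
function Show-DcReplicationState {
    foreach ($dc in $affectedDCs) {
        repadmin /showrepl $dc
        dcdiag /s:$dc /test:replications
    }
}

# Step 3: the resync from the answer: disable the KDC, reboot, re-enable.
function Repair-KdcOnDC {
    foreach ($dc in $affectedDCs) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            Stop-Service -Name kdc
            Set-Service  -Name kdc -StartupType Disabled
        }
        Restart-Computer -ComputerName $dc -Wait -For PowerShell -Force
        Invoke-Command -ComputerName $dc -ScriptBlock {
            Set-Service  -Name kdc -StartupType Automatic
            Start-Service -Name kdc
        }
    }
}

# Step 4 (back on the member): verify the channel and force a policy refresh,
# which is the check that the second event in the question has stopped.
function Confirm-MemberRecovered {
    nltest /sc_verify:$domain
    gpupdate /force
    Test-ComputerSecureChannel
}
```

Run Test-MemberKerberosHealth and Show-DcReplicationState first; only proceed to Repair-KdcOnDC once replication is clean, then confirm with Confirm-MemberRecovered on a previously failing machine.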

All replies

  • Thank you very much! It worked like a charm!

    Restarting the KDC service and restarting the domain controllers fixed the issue.

    Wednesday, December 09, 2015 11:13 AM