Windows – Broken trust relationship not corrected even after leaving and joining domain with new computer name

active-directory, windows

I am having a problem with a recently reinstalled laptop with Win 7 Enterprise. The computer is complaining about a broken trust relationship when I try to grant domain users local access on the machine.

I've done the following (twice, using a different name each time) and it doesn't resolve the issue:

  1. As domain administrator, leave domain and join workgroup: WORKGROUP.
  2. Reboot.
  3. As domain administrator, join domain using new computer name.
  4. Reboot.
  5. As domain administrator, add a domain user as local administrator.
  6. Error: "The trust relationship between this workstation and the primary domain failed."

This doesn't make any sense to me. As I understand it the above process is the appropriate way to fix this issue.

So far, other symptoms I've experienced are:

The client machine says it's unable to reach the domain. Meanwhile, on the server, I see EventID 5723 from NETLOGON:

The session setup from the computer [name_of_computer] failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is [name_of_computer]$.

An inability to ping hosts by hostname when joined to the domain. When off the domain, I can ping hosts just fine.

nslookup [fqdn] returns the proper value for both my domain controllers, and nslookup [DC hostname] returns the proper IP for the domain controller as well.

I've checked to see that the DNS servers are being assigned properly to the clients, and they are.

I also don't believe I have any WINS servers handing out incorrect NS information. Neither Domain Controller has that role installed (though if anyone has a definitive way to check for WINS servers, that might be helpful).

Can anyone provide some further troubleshooting steps?

Best Answer

Your next troubleshooting step is to examine the DC EventLogs for anything useful, and following that, you'll want to figure out why the computer can't "reach the domain."

You might want to reverse the order of those, and they might lead you to the same spot, but looking for errors in the EventLog is usually easier than troubleshooting your network, which is why I'd recommend starting there.

Incidentally, if the computer can't "reach the domain," how are you able to join it to the domain at all? Sounds to me like it's not properly joining to the domain, which is why the trust relationship is still broken. Haven't seen that before, honestly... but you could try changing its name when it's domain-joined to test that idea. See if the name changes in ADUC, or not (and see if it changes on all your DCs, or not - maybe there's a replication problem that's preventing the domain from recognizing the new computer account). While you're in there, you might want to check and make sure the various computer accounts you created when "rejoining" it actually show up in AD. I'm betting they didn't.
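The checks the answer recommends (DC locator, the client's DNS/WINS settings, whether the computer account exists on every DC, the 5723 events, and the secure channel itself), gathered into one script. This is an added example, not from the question or the answer; it assumes the RSAT ActiveDirectory module is installed on the affected laptop and that the domain and computer names are placeholders.

```powershell
# Added example, not from the post. Run on the affected laptop as a domain
# admin with the RSAT ActiveDirectory module installed. Domain and computer
# names below are placeholders.
$Domain       = 'corp.example.com'   # placeholder: your domain FQDN
$ComputerName = 'LAPTOP01'           # placeholder: the NEW name you joined with
Import-Module ActiveDirectory

# 1. Can the client locate a DC at all? Joining and logon use this SRV record;
#    a working A-record lookup of the DC name (as in the question) does not
#    prove it.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 2. Which DNS and WINS servers is the client actually using? The WINS*
#    fields should be empty if no WINS server is intended.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
    Select-Object Description, DNSServerSearchOrder, WINSPrimaryServer, WINSSecondaryServer

# 3. Does the computer account (COMPUTERNAME$) exist on EVERY DC?
#    Present on one DC but missing on another points at replication lag,
#    which the answer raises as a possible cause.
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $acct = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc.HostName `
                -Properties whenCreated -ErrorAction SilentlyContinue
    if ($acct) {
        "{0}: {1} present, created {2}" -f $dc.HostName, $acct.SamAccountName, $acct.whenCreated
    } else {
        "{0}: NO account for {1}" -f $dc.HostName, $ComputerName
    }

    # 4. Any recent 5723 (no trust account) NETLOGON events on this DC that
    #    mention this client?
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5723
            StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ComputerName } |
        Select-Object TimeCreated, Message
}

# 5. Does the workstation's own secure channel to the domain work, and which
#    DC did it pick? False here while the account is present on all DCs means
#    the machine account password is out of sync with the domain.
Test-ComputerSecureChannel -Verbose
nltest /sc_query:$Domain
```

If step 3 shows the account missing on some DCs only, compare those DCs' replication state before rejoining yet again; if it is missing on all of them, the join never actually created the account, which matches the answer's suspicion.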