The trust relationship between this workstation and the primary domain failed

Don't you hate it when relationships go bad? Once that trust is gone, it's very difficult to get it back. Sometimes it seems easier to just walk away and start again.

This is what happens if you sneakily start a VM using a snapshot without thinking about your domain controller. It has feelings too, and the timing is terrible. Now the security keys are all out of step. It can also happen if your domain controller is itself restored from a snapshot. In this situation the DC no longer sees the encryption keys as valid and so no longer "trusts" the server. Can things ever be the same again?

The usual recommended remedy is to re-join the domain. This is a tedious and slightly scary process: first log in using the local (box) admin account, un-join (System Properties -> Computer Name tab -> Change, join "WORKGROUP"), reboot, log in again, go back to System Properties -> Computer Name tab -> Change, join the domain and supply the domain admin password, reboot, and finally log in as domain admin or another domain account. I often make the mistake of logging in the third time as the local admin account instead of using a domain account, and then wondering why nothing works.

The situation crops up a lot if you are using snapshots to roll back to an earlier state if you are experimenting. So is there an easier way of re-establishing the trust of the domain controller?

Well, there is a handy PowerShell v3 cmdlet that can reset the machine account password. After you have logged in as local admin, start a PowerShell window (you may need to use Run As Administrator) and run the Reset-ComputerMachinePassword command below, naming the domain controller and a domain administrator account. In my test environment the domain controller is called litad1 and the domain admin is litware\Administrator, so it looks like this:

Reset-ComputerMachinePassword -Server litad1 -Credential litware\Administrator

You can expect this command to take on the order of ten seconds to run, and then you will get a password prompt to enter the domain administrator password.
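As an added example (not from the original post), here is a small script that first checks the secure channel with Test-ComputerSecureChannel, only runs the reset if it is actually broken, and then confirms the repair. It assumes the post's names, litad1 and litware\Administrator.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window
# while logged in as the local administrator. Assumes the post's DC name (litad1)
# and domain admin account (litware\Administrator).
$dc   = 'litad1'
$cred = Get-Credential -UserName 'litware\Administrator' -Message 'Domain admin password'

# Test-ComputerSecureChannel returns $true when this machine's account password
# still matches what the DC has stored for it, i.e. the trust is intact.
if (Test-ComputerSecureChannel -Server $dc -Credential $cred) {
    Write-Host 'Secure channel is healthy; nothing to reset.'
    return
}

# Out of step (e.g. after reverting this VM to a snapshot): set a fresh machine
# account password on both sides so they agree again.
Write-Host 'Secure channel is broken; resetting the machine account password...'
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# Confirm the repair took before logging out and back in with a domain account.
if (Test-ComputerSecureChannel -Server $dc -Credential $cred) {
    Write-Host 'Secure channel restored.'
} else {
    Write-Warning 'Secure channel still broken; fall back to un-joining and re-joining the domain.'
}
```

If the domain controller itself was reverted from a snapshot, reset the password against the DC that is currently authoritative, otherwise a later replication can put the keys out of step again.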

Now you can log out and log back in using your domain account as normal. Life will get back to normal and the awkward problem will never be mentioned again - until the next time...