Trust Relationship Errors – Not the ones you need to hand over your mobile phone for!

So this week, I was given a task to resolve an error that was evident on one of our Hyper-V servers in our cluster. The error message: "The trust relationship between this workstation and the primary domain failed."

(Screenshot: the "trust relationship between this workstation and the primary domain failed" logon error.)

As you do when troubleshooting, you work from the bottom up, whilst applying a bit of logic along the way. I did the standard troubleshooting steps of ensuring that a Domain Controller was present and reachable on the network and that the network was configured correctly.

Thankfully, this was just a case where a server/device had lost itself in the environment and needed to be reconnected. In practice that means the machine account password the server holds locally no longer matched the one stored on its computer object in Active Directory (common after restoring a VM from a snapshot or backup), so the secure channel to the domain could not be set up.

In this blog, we'll look at a couple of ways to resolve this issue.

1st Option – Offline Access & Reconnection (Laptops / Workstations / Servers).

(Prerequisite: this assumes you have a domain user account with local administrative permissions and/or a Domain Administrative account to re-join the machine to the domain.)

If this is a physical machine and you are able to remove the network cable from it, do so. You can achieve the same thing with a virtual machine: jump onto Hyper-V Manager and disconnect its network adapter.

Once you've put the machine into an effectively 'offline' state, you will be able to log in with 'cached' domain credentials: with no Domain Controller reachable, Windows verifies the logon against the credential hash it cached locally instead of via the broken secure channel. This only works for a domain account that has previously logged on to this machine, and only if cached logons have not been disabled by policy ("Interactive logon: Number of previous logons to cache"). Once logged in, plug the Ethernet cable back into the machine to restore network connectivity. If you're working with a VM, re-enable the network adapter.

Now, go to System and re-join the machine to the domain using the Domain Administrative credentials.

This can also be achieved by logging into the machine with a local administrative account and then using the Domain Administrative credentials to re-join the workstation to the domain, without having to take the machine off the network.

You will then be prompted to reboot the machine to apply the changes. Perform the reboot and try to log in to your machine with your domain credentials.

2nd Option – Changing the Domain (ever-so-slightly) – the process I used.

(Prerequisite: this assumes you have a local administrative account to log in to the server, and a Domain Administrative account to re-join the server to the domain once logged in.)

So, going back to the opening paragraph about being assigned this job, I had to find out how to disconnect/reconnect this Hyper-V server from the network without causing havoc within the environment.

What I did: I logged into the server with the local administrative account credentials and was presented with the Server 2012 R2 desktop. I right-clicked the Start Menu and selected System.

Under 'Computer name, domain, and workgroup settings', select Change settings. On the Computer Name tab, select Change… next to 'To rename this computer or change its domain or workgroup, click Change.'

Here you will be prompted with the Computer Name and Domain. Under Domain, you should have the FQDN of the domain this machine is joined to (in my case, the domain of our Hyper-V server). What you do now is remove part of the domain name.

For example, if the domain is called CompanyX.Local, remove the .Local and leave CompanyX (normally the domain's NetBIOS name). Simple as that. Select OK. The server will go off and look for a Domain Controller for that name and, because the name differs from the one it currently holds, it treats this as a fresh domain join and prompts you for credentials. Enter the Domain Administrative credentials on hand. Behind the scenes this join resets the computer account's password in Active Directory and the matching secret stored on the server, which is exactly the mismatch the trust error is complaining about. Note that the computer object must still exist in AD for the join to reuse it; if it was deleted, the join creates a new object (and requires rights to create computer objects in the target OU).

Once the join completes you will be welcomed to the domain and prompted to reboot the server. Reboot, and once it is back up you should be able to log in with Domain User or Domain Administrative credentials.
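Both options above achieve the same thing through the GUI: they reset the machine account password so the server's local secret matches Active Directory again. The following PowerShell does that directly from the local administrator session, without an unjoin/rejoin or a reboot. This is an added example and not the procedure the author used; the domain name CompanyX.Local and the Domain Controller name DC01 are placeholders you must replace with your own.

```powershell
# Added example (not the author's procedure): repair the broken secure channel
# between this member server and the domain from an elevated PowerShell session,
# logged on with a LOCAL administrator account. Requires Windows PowerShell 3.0+
# (present on Server 2012 R2). Assumed placeholder names: CompanyX.Local and DC01.
$Domain = 'CompanyX.Local'
$Dc     = 'DC01.CompanyX.Local'

# 1. Confirm the symptom against a specific DC. A healthy secure channel
#    returns True; a machine account password mismatch returns False.
if (Test-ComputerSecureChannel -Server $Dc -Verbose) {
    Write-Host "Secure channel to $Dc is healthy; nothing to repair."
    return
}

# 2. Ask for an account permitted to reset this computer object's password
#    (a Domain Admin, or an account delegated 'Reset password' on the object).
$cred = Get-Credential -Message "Domain account able to reset $env:COMPUTERNAME's machine account"

# 3. Repair: negotiates a new machine account password with the DC and stores
#    the matching secret locally. No reboot or rejoin is needed.
Test-ComputerSecureChannel -Repair -Server $Dc -Credential $cred -Verbose

# 4. Re-test. If the repair did not take, force an explicit password reset
#    on the same DC (same effect as 'netdom resetpwd').
if (-not (Test-ComputerSecureChannel -Server $Dc)) {
    Reset-ComputerMachinePassword -Server $Dc -Credential $cred
}

# 5. Final verification from the Netlogon side; expect 'The command completed successfully'.
nltest /sc_verify:$Domain
```

Pin the DC with -Server so the check and the repair talk to the same controller; if you let the client pick, a second DC that has not yet replicated the new password can make the immediate re-test look like it failed. If both the repair and the reset are refused, check that the computer object still exists in AD and that the server's clock is within the Kerberos skew tolerance (five minutes by default), since either will also break the secure channel.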

If you have SCOM installed on the machine, remember to put it into Maintenance Mode first, otherwise the gremlins that manage/monitor SCOM will come after you with bells and whistles.