  1. #1
    Sunderwood's Avatar

    Windows 7 Trust relationship

    Hi,

    Not sure if anyone has seen this issue before?

    We run a Windows 7 domain here with everyone having a laptop device. We do have a few desktops on Windows 7 but not many. So all students have a laptop and now and again some students come to us, and sometimes it's the same ones, complaining their laptop won't let them log on and it says "The Trust relationship between the primary domain failed"

    I've searched the internet and found a couple of posts saying to remove the PC from the domain and rejoin it. This I admit works but I don't feel it is a long term fix. The PCs in question have all updates installed.

    Anyone seen this before and have a fix?

  2. #2

    FN-GM's Avatar
    I have noticed this happens with Windows 7. I left before I got around to fixing the issue.

  3. #3
    januttall's Avatar
    In AD, on right-clicking the machines there's an option to reset the computer account; does this help or not? And is it repeatedly doing this, or is it sorted once it's rejoined? There was one day we had to run round the school doing it with all machines (rejoining) but that was down to a server issue: we had failures on the HDD and lost entire sections of AD.

  4. #4

    I had this issue a lot when I first installed Windows 7 site-wide (I was one of the first). The issue has gone away though; I installed latest drivers and SP1 + updates.

  5. #5

    glennda's Avatar
    Quote Originally Posted by irsprint84 View Post
    I had this issue a lot when I first installed Windows 7 site-wide (I was one of the first). The issue has gone away though; I installed latest drivers and SP1 + updates.
    Same here - in the first couple of weeks after I rolled out 7 I was rejoining 2/3 to the domain a day (out of 900). After all the updates from when I made the image had been deployed, and SP1, it seems to have sorted itself.

  6. Thanks to glennda from:

    irsprint84 (9th November 2011)

  7. #6

    Quote Originally Posted by glennda View Post
    Same here - in the first couple of weeks after I rolled out 7 I was rejoining 2/3 to the domain a day (out of 900). After all the updates from when I made the image had been deployed, and SP1, it seems to have sorted itself.
    If I recall there was a hotfix for SP0, which was rolled into SP1.

  8. #7


    I've had it a few times but in every case the PC/laptop has had a Realtek NIC in it, and not had it for a while.

  9. #8

    Yes we have been having same issue with some of our staff & student laptops (running Windows 7 x86 with SP1) every now and again.

    I'm fairly sure the problem is when someone turns off the laptop while it's loading Windows; the next time they boot the laptop it gives them the option to boot into repair mode or boot normally. By default it's set to boot to repair mode (so most people will select it or let it time out). I've found that in repair mode Windows will give the user the option to use System Restore to restore to a previous restore point that could end up being before the last time the computer account password was changed (I think by default it's 30 days). If that's the case it will come up with the trust relationship error the next time it boots and someone tries to log in (rejoining it to the domain fixes it, but like you I wanted a more long term fix).

    What I've done is created a group policy startup script to disable start up repair by default and to ignore all boot errors with the following commands:
    Code:
    bcdedit /set {default} recoveryenabled No
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    I've only deployed this fix about a week ago but I'm hoping it resolves it.

  10. #9

    FN-GM's Avatar
    Quote Originally Posted by Ashm View Post
    Yes we have been having same issue with some of our staff & student laptops (running Windows 7 x86 with SP1) every now and again.

    I'm fairly sure the problem is when someone turns off the laptop while it's loading Windows; the next time they boot the laptop it gives them the option to boot into repair mode or boot normally. By default it's set to boot to repair mode (so most people will select it or let it time out). I've found that in repair mode Windows will give the user the option to use System Restore to restore to a previous restore point that could end up being before the last time the computer account password was changed (I think by default it's 30 days). If that's the case it will come up with the trust relationship error the next time it boots and someone tries to log in (rejoining it to the domain fixes it, but like you I wanted a more long term fix).

    What I've done is created a group policy startup script to disable start up repair by default and to ignore all boot errors with the following commands:
    Code:
    bcdedit /set {default} recoveryenabled No
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    I've only deployed this fix about a week ago but I'm hoping it resolves it.
    Is that a batch file please?

  11. Thanks to FN-GM from:

    timpaxton (13th March 2014)

  12. #10

    SYNACK's Avatar
    Here are some methods that should allow you to track down the actual cause of the issue and probably fix it.

    Quote Originally Posted by SYNACK View Post
    This is usually to do with the machine account change process, sometimes it seems to fail in the background leaving the machine account still in active directory but not able to logon with the domain trust error. The other thing that can cause this is machines with duplicate SPNs.

    To deal initially with the auto change on the machine account passwords (which fail to update to the server) you should be able to just disable the autochange:
    How to disable automatic machine account password changes
    1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    3. In the right pane, click the DisablePasswordChange entry.
    4. On the Edit menu, click Modify.
    5. In the Value data box, type a value of 1, and then click OK.
    6. Quit Registry Editor.
    You can also reset the connection password using a netdom command but that does not always work:
    Netdom reset
    netdom reset /d:myDomain.contoso.com myWorkstation
    Not sure if it is run from the client or the DC as I tried it both ways each time

    I tended to unjoin/rejoin the workstations when they became a problem as I only had a couple pull this kind of stunt every 3-4 months.

    As to the SPNs, this can easily happen if you accidentally name a workstation the same as another recently joined one (that has not reset the machine password yet). This can cause duplicate SPNs in AD which toasts the accounts in the short or long term.

    This person had some luck with finding and removing them using the setSPN.exe tool along with ADSI edit to give them the proper level of kill:
    The trust relationship between this workstation and the primary domain failed | Daily Tweak
    ONE SOLUTION: (Or at least what worked for us.) We had a workstation with the exact same error message. Rejoining the domain did not correct the issue. The only thing which worked was to use an entirely different computer name, which was not our preferred solution. After much searching (including finding this page) and gnashing of teeth I finally found the problem in our domain.
    There was a duplicate SPN (Service Principal Name) registered on another computer account. For some reason setspn -X was NOT finding the duplicate entries. Instead I ran setspn -Q */hostname* where hostname was name of the computer. (not the FQDN)
    This turned up another computer account with a duplicate SPN:
    C:\Users\tblackerby>setspn -Q */hostname1*
    Checking domain DC=mydomain,DC=edu
    CN=EDBB9F19DB3E435,OU=Other Computer Objects,DC=mydomain,DC=edu
        HOST/EDBB9F19DB3E435
        HOST/hostname1.mydomain.edu
    CN=hostname1,OU=Lab Workstations,OU=Workstations,DC=mydomain,DC=edu
        TERMSRV/hostname1.mydomain.edu
        RestrictedKrbHost/hostname1.mydomain.edu
        HOST/hostname1.mydomain.edu
        HOST/hostname1
        RestrictedKrbHost/hostname1
        TERMSRV/hostname1
    Existing SPN found!
    I used ADSIEdit to remove the SPN off of the conflicting account, waited for replication, and was finally able to login to hostname1 without the error!
    To verify I can recreate the problem by putting the duplicate SPN back on the other computer account, which immediately causes the error again.
    The linked thread also has lots of other possible solutions too.
    This thread is the last discussion on here about this fault.

    Trust relationship error on Windows 7

  13. Thanks to SYNACK from:

    plexer (15th November 2011)
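
Added example (not part of the original post or the article it quotes): a PowerShell function that reads `setspn -Q` output and lists only the SPNs registered on more than one account, the condition the quoted write-up found by reading the output by eye. The function name `Get-DuplicateSpn` is made up for this example, and the sample text is the output quoted in the post above.

```powershell
# Added example: report SPNs that appear under more than one account DN.
# Sample input is the setspn output quoted in the thread (placeholder names).
$sample = @'
Checking domain DC=mydomain,DC=edu
CN=EDBB9F19DB3E435,OU=Other Computer Objects,DC=mydomain,DC=edu
        HOST/EDBB9F19DB3E435
        HOST/hostname1.mydomain.edu
CN=hostname1,OU=Lab Workstations,OU=Workstations,DC=mydomain,DC=edu
        TERMSRV/hostname1.mydomain.edu
        RestrictedKrbHost/hostname1.mydomain.edu
        HOST/hostname1.mydomain.edu
        HOST/hostname1
        RestrictedKrbHost/hostname1
        TERMSRV/hostname1
Existing SPN found!
'@

function Get-DuplicateSpn {
    param([string[]]$Lines)
    $owners = @{}        # SPN (lower-cased) -> array of account DNs holding it
    $currentDn = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^CN=') { $currentDn = $line; continue }
        # SPN lines have the form serviceclass/host with no spaces
        if ($currentDn -and $line -match '^[^\s/=]+/\S+$') {
            $key = $line.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            if ($owners[$key] -notcontains $currentDn) { $owners[$key] += $currentDn }
        }
    }
    foreach ($spn in $owners.Keys) {
        if ($owners[$spn].Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $spn; Accounts = $owners[$spn] }
        }
    }
}

Get-DuplicateSpn -Lines ($sample -split "`r?`n") |
    ForEach-Object { "{0} is on: {1}" -f $_.SPN, ($_.Accounts -join ' | ') }
# Against a live domain: Get-DuplicateSpn -Lines (setspn -Q */hostname1*)
```

Because the match is on the exact SPN string, a wildcard query that also returns similarly named hosts does not produce false duplicates.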

  14. #11

    plexer's Avatar
    Started experiencing this today with our win 7 machines.

    Grr.

    Ben

  15. #12
    adamchapman's Avatar
    Quote Originally Posted by Sunderwood View Post
    Hi,

    Not sure if anyone has seen this issue before?

    We run a Windows 7 domain here with everyone having a laptop device. We do have a few desktops on Windows 7 but not many. So all students have a laptop and now and again some students come to us, and sometimes it's the same ones, complaining their laptop won't let them log on and it says "The Trust relationship between the primary domain failed"

    I've searched the internet and found a couple of posts saying to remove the PC from the domain and rejoin it. This I admit works but I don't feel it is a long term fix. The PCs in question have all updates installed.

    Anyone seen this before and have a fix?
    We've had this a few times when a user tries to run the start up repair or system restore in Windows 7. I think it's something to do with the Active Directory computer account passwords being mixed up if the machine is taken back too far.
    Our usual fix is just to re-join the domain manually.

  16. #13

    Do you have SP1? Also, at the time I had W2K3 DCs, though it stopped after a while while on 2K3, so maybe do Windows updates for those servers. I'm now on 2008 R2 DCs.

  17. #14

    Michael's Avatar
    This is the hotfix that addresses this issue. This is included in Service Pack 1. If you click 'View and request hotfix downloads' at the top left, it states 'Release SP1'.

    I've used 7 SP1 for a while now and it does fix a lot of issues. I think re-imaging is probably the quickest way of deploying it, along with other software updates.

  18. #15

    I have also been having this problem a lot now, even with clients upgraded to SP1. What I have found out is that the DNS forward lookup records are pointing to the wrong place. What I have to do is to delete the computer's forward and reverse records in DNS and also the DHCP record. I then have to remove and re-add the computer to the domain. I also delete the computer account so I can keep the same name. This is becoming a little tedious now and I would like to know why this is happening?

    This is an example of 1 computer we have that is doing this:

    Netbook101(Computer Name) - 10.5.91.191 (DNS Forward)

    Netbook101(Computer Name) - 10.5.91.145 (DNS Reverse)
    10.5.91.191 - netbook030(Computer Name) (DNS Reverse)

    ipconfig on local machine - 10.5.91.145

    10.5.91.191 - Does not exist (DHCP)
    Netbook101 - 10.5.91.145 (DHCP)

    I think that made sense above...
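
Added example (not part of the original post): a PowerShell cross-check of forward DNS, reverse DNS and DHCP for one hostname, using the records listed in the post as constructed sample data. `Test-NameRecords` and the three hashtables are names made up for this example; on a live network they would be filled from DNS and DHCP exports.

```powershell
# Added example: flag disagreements between A records, PTR records and DHCP leases.
# Sample data is typed in from the post above (constructed, not queried live).
$forward = @{ 'netbook101' = '10.5.91.191' }      # A records:   name -> IP
$reverse = @{ '10.5.91.145' = 'netbook101'        # PTR records: IP -> name
              '10.5.91.191' = 'netbook030' }
$dhcp    = @{ 'netbook101' = '10.5.91.145' }      # DHCP leases: name -> IP

function Test-NameRecords {
    param([string]$Name, [hashtable]$Forward, [hashtable]$Reverse, [hashtable]$Dhcp)
    $n = $Name.ToLowerInvariant()
    $findings = @()
    $a = $Forward[$n]
    $lease = $Dhcp[$n]
    if (-not $a) {
        $findings += "no forward (A) record for $n"
    }
    else {
        # The address the A record gives should reverse back to the same name.
        $ptr = $Reverse[$a]
        if (-not $ptr) { $findings += "A record $a has no PTR record" }
        elseif ($ptr -ne $n) { $findings += "A record $a reverses to $ptr, not $n" }
        # The A record should match the address DHCP actually leased.
        if ($lease -and $lease -ne $a) {
            $findings += "A record $a differs from DHCP lease $lease"
        }
        # Any PTR naming this host should sit at the A record's address.
        foreach ($ip in $Reverse.Keys) {
            if ($Reverse[$ip] -eq $n -and $ip -ne $a) {
                $findings += "PTR $ip names $n but the A record is $a"
            }
        }
    }
    $findings
}

Test-NameRecords -Name 'Netbook101' -Forward $forward -Reverse $reverse -Dhcp $dhcp
```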
