The trust relationship between this workstation and the primary domain failed
The Issue
Some of the computers on the network display this error:
The trust relationship between this workstation and the primary domain failed.
No user is able to log in.
Potential Solutions
Reboot
Sometimes rebooting clears the error, at least as a temporary workaround.
Setup Time Sync
w32tm /config /manualpeerlist:bob.ad.pumpingstationone.org,0x8 /syncfromflags:MANUAL
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync
Also check the timezone is correct.
Fixes a potential problem where the workstation's clock has drifted from the AD server's clock beyond the skew Kerberos tolerates. This has not permanently resolved the problem on sliceyToo, but it did make the error go away for a day when rebooting had failed.
Reset Machine Password
netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:*
Attempted on sliceyToo; it has not yet been tried elsewhere.
Reference: DON'T REJOIN TO FIX. I have tried rejoining the computers to the domain. It didn't fix it.
Remove Stale Entries to the Old Domain Controller from ldap
The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain.
Cleaning out the _msdcs records
Find the extra entry
samba-tool dns query bob _msdcs.ad.pumpingstationone.org @ ALL
  Name=, Records=2, Children=0
    SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600)
    NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900)
  Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0
    CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0
    CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
  Name=gc, Records=0, Children=2
In this case, the extra record is the one whose CNAME resolves to vm.ad.pumpingstationone.org: 8e76c887-c322-4e20-98df-372fa8801c44. The other GUID entry, e3fac096-8349-4e28-8fda-91d32e6ec7c0, points at bob and must stay.
Delete it:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org 8e76c887-c322-4e20-98df-372fa8801c44 CNAME vm.ad.pumpingstationone.org
gc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org gc ALL
Delete any A or AAAA record whose address is not a current domain controller:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc A ${IP4_Address}
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc AAAA ${IP6_Address}
I had a lot of stale entries, as IP addresses have changed before.
_tcp.gc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.gc ALL
delete SRV records pointing to removed machines
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.dc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL
delete the extra records for _ldap and _kerberos
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp.pdc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.pdc ALL
delete the extra _ldap records:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.pdc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp records
samba-tool dns query bob ad.pumpingstationone.org _tcp ALL
delete the extra _gc, _kerberos, _kpasswd, and _ldap records
samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._tcp SRV 'vm.ad.pumpingstationone.org. 464 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_udp records
samba-tool dns query bob ad.pumpingstationone.org _udp ALL
delete the extra _kerberos and _kpasswd records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._udp SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._udp SRV 'vm.ad.pumpingstationone.org. 464 0 100'
_tcp.Default-First-Site-Name._sites records
samba-tool dns query bob ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites ALL
delete extra _kerberos, _ldap, and _gc records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 389 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records
find the domain guid:
samba-tool dns query bob _msdcs.ad.pumpingstationone.org domains ALL
In my case it was:
  Name=b83beba7-1a4b-4801-a2bd-8ee8ea0eb626, Records=0, Children=1
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains ALL
delete the _ldap record
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp.Default-First-Site-Name._sites.gc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.gc ALL
delete extra _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.Default-First-Site-Name._sites.dc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.dc ALL
delete extra _kerberos and _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
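Every zone above is cleaned the same way: query it, pick out the records whose target is still the dead DC (vm), and delete each one by hand. The script below is an added example and is not part of this wiki page or of Samba itself. It reads saved "samba-tool dns query ... ALL" output on stdin and prints, without running them, the matching "samba-tool dns delete" commands for CNAME, SRV, A and AAAA records that point at the dead DC, so the list can be reviewed before anything is removed. It assumes the output format shown above (targets printed with a trailing dot, SRV data printed as "host. (port, priority, weight)"), that bob is the DC being asked, and, for a query made on a sub-node such as _tcp.dc, that the Name= labels are shown relative to that node, so the sub-node is passed as a suffix (pass an empty suffix if your Samba version prints full names). The query output embedded in the script is constructed from the records on this page; 192.0.2.10 is a made-up stand-in for the dead DC's old address.

```shell
#!/bin/sh
# Added example: turn saved "samba-tool dns query ... ALL" output into a
# reviewable list of "samba-tool dns delete" commands for records that still
# point at a dead domain controller.  Nothing is deleted by this script.

# stale_record_deletes SERVER ZONE DEAD_FQDN [DEAD_IP] [NAME_SUFFIX]
#   SERVER      DC that answers DNS RPC (bob on this page)
#   ZONE        zone the query was made against
#   DEAD_FQDN   hostname of the DC that no longer exists
#   DEAD_IP     its old address, for A/AAAA records (optional)
#   NAME_SUFFIX sub-node the query was made on, e.g. _tcp.dc (optional);
#               assumption: Name= labels in the output are relative to it
stale_record_deletes() {
    awk -v server="$1" -v zone="$2" -v dead="$3" -v deadip="${4:-}" -v suffix="${5:-}" '
    BEGIN { if (dead !~ /\.$/) dead = dead "." }   # query output prints targets with a trailing dot
    /^ *Name=/ {                                    # start of a node: remember its label
        name = $1; sub(/^Name=/, "", name); sub(/,$/, "", name); next
    }
    /^ *(CNAME|SRV|A|AAAA): / {                     # SOA and NS lines are left for manual review
        type = $1; sub(/:$/, "", type)
        target = $2
        stale = 0
        if (type == "SRV") {
            # "SRV: host. (port, prio, weight) (flags=...)" -> delete data "host. port prio weight"
            port = $3; prio = $4; weight = $5
            gsub(/[(),]/, "", port); gsub(/[(),]/, "", prio); gsub(/[(),]/, "", weight)
            data = target " " port " " prio " " weight
            stale = (target == dead)
        } else if (type == "A" || type == "AAAA") {
            data = target
            stale = (deadip != "" && target == deadip)
        } else {                                    # CNAME
            data = target
            stale = (target == dead)
        }
        if (stale) {
            full = name
            if (suffix != "") full = (name == "" ? suffix : name "." suffix)
            printf "samba-tool dns delete %s %s %s %s \047%s\047\n", server, zone, full, type, data
        }
    }'
}

# Constructed sample output modelled on the records on this page (not captured from a live DC).
SAMPLE_MSDCS='  Name=, Records=2, Children=0
    SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600)
    NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900)
  Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0
    CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
  Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0
    CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
  Name=gc, Records=2, Children=2
    A: 192.0.2.10 (flags=f0, serial=110, ttl=900)
    A: 192.0.2.20 (flags=f0, serial=110, ttl=900)'

SAMPLE_TCP_DC='  Name=_kerberos, Records=2, Children=0
    SRV: vm.ad.pumpingstationone.org. (88, 0, 100) (flags=f0, serial=110, ttl=900)
    SRV: bob.ad.pumpingstationone.org. (88, 0, 100) (flags=f0, serial=110, ttl=900)
  Name=_ldap, Records=2, Children=0
    SRV: vm.ad.pumpingstationone.org. (389, 0, 100) (flags=f0, serial=110, ttl=900)
    SRV: bob.ad.pumpingstationone.org. (389, 0, 100) (flags=f0, serial=110, ttl=900)'

# Wrappers that run the generator over the two samples (192.0.2.10 plays the dead DC's old address).
msdcs_root_deletes() {
    printf '%s\n' "$SAMPLE_MSDCS" | stale_record_deletes bob _msdcs.ad.pumpingstationone.org vm.ad.pumpingstationone.org 192.0.2.10
}
tcp_dc_deletes() {
    printf '%s\n' "$SAMPLE_TCP_DC" | stale_record_deletes bob _msdcs.ad.pumpingstationone.org vm.ad.pumpingstationone.org "" _tcp.dc
}

# Against a live DC, review the printed commands before piping them into sh:
#   samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL \
#     | stale_record_deletes bob _msdcs.ad.pumpingstationone.org vm.ad.pumpingstationone.org "" _tcp.dc
msdcs_root_deletes
tcp_dc_deletes
```

For the _tcp.dc sample the script prints exactly the two _kerberos._tcp.dc and _ldap._tcp.dc deletes used above; the records that point at bob, and the NS and SOA lines, are never touched, which is the property worth keeping when you run this over a zone with many more children.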
More stale entries
The primary problem has been resolved, but I am going to document the stale entries left behind.
- CN=NTDS Settings,CN=VM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org
- Removing this entry removed the box from the replication pool in
samba-tool drs showrepl