The trust relationship between this workstation and the primary domain controller failed.
I've seen this question asked a dozen times and I've yet to see an appropriate response. I have a network of 400+ PCs and two of them have the error "The trust relationship between this workstation and the primary domain controller failed." Both Win 7 Pro. One is 64 and the other 32. I can remove and re-add them to the domain. I can delete the account in AD and recreate. I've been in the KB (which BING is completely inept at searching, try a working search engine like Google). Nothing will apply I've seen. No matter what I try in several reboots I get the same error again. My domain controllers are Server 2003, 3 of them. I'd like not to blame them as all the other computers work fine. Anyone have an answer that's not a workaround, please?
February 3rd, 2012 1:45pm

bubbathegreat_9 wrote:
> I've seen this question asked a dozen times and I've yet to see an appropriate response. I have a network of 400+ PCs and two of them have the error "The trust relationship between this workstation and the primary domain controller failed." Both Win 7 Pro. One is 64 and the other 32. I can remove and re-add them to the domain. I can delete the account in AD and recreate. I've been in the KB (which BING is completely inept at searching, try a working search engine like Google). Nothing will apply I've seen. No matter what I try in several reboots I get the same error again. My domain controllers are Server 2003, 3 of them. I'd like not to blame them as all the other computers work fine. Anyone have an answer that's not a workaround, please?

Did you manually remove any remnants of the non-working PCs from the domain after unjoining them from the domain? And did you wait until all changes were replicated to all domain controllers before trying to rejoin the domain? There are so many possibilities of wrong settings on the local PC for that trust relationship failing that it's impossible to give an answer without many more details.

Wolfgang
February 3rd, 2012 2:26pm

I removed it one day before leaving the office and rejoined it the next morning. Failed by the end of the day.

Thanks.
February 3rd, 2012 2:28pm

bubbathegreat_9 wrote:
> I removed it one day before leaving the office and rejoined it the next morning. Failed by the end of the day.

So it does work - but only for a short time - after rejoining? If it does work for more than 6 hours then it should be nothing that comes from policies - but probably something from an application, service or other program that changes vital settings for the domain authentication. I'd check for any programs running immediately before the failure - or do a retry with no startup programs and a minimum set of services and look, after enabling each one, which breaks the trust relationship.

Wolfgang
February 3rd, 2012 3:59pm

Let me start with... Thanks for all your help!

That's correct; it will work for a short time. It also seems to be somewhat user dependent. For example my domain admin will log in fine but another admin level user account will get the error. This isn't universally true but more often than not the domain admin account will remain unaffected.

As far as applications... In my own reading I saw some allusions to that as well. I think I'm going to pull Symantec Endpoint Protection 12 off and see if that makes any difference. I'll be sure to post back regardless of the success.

-Dan

Thanks.
February 3rd, 2012 4:07pm

Are these machines imaged from a single source? If so, did you do a sysprep prior to joining the domain? From what you describe, it is similar to what can happen with cloned machines that have not been properly sysprep'ed.
February 4th, 2012 12:40am

DarienHawk67 - No, this machine was formatted from scratch. Here's what I did do. I removed it from the domain yet again. Deleted all traces of it I could find on the Primary domain controller. Let it sit offline overnight. The next day I changed the name of the machine completely, rebooted. Then I rejoined the domain. I deployed it in a separate IP structure from what it was initially configured under (10.10..... vs. 192.168...). I've not been back to check on it since but I've not had any user complaints. If the issues crop up again, I'll post back.

Thanks.
February 9th, 2012 6:05pm


Not trying to hijack this but I'm just about out of hair trying to resolve this same issue. I may be on to the real cause though and I don't believe it is the machine passwords expiring. Mine are now set to not expire via GP and the GP is loading and can be verified with RSOP.

Today, with what's left of my hair in my hands I disconnected the computer from the network and logged on with local cached credentials. I'm running DHCP so I ran an ipconfig/flushdns just for the heck of it. I then plugged the network cable back in and it got an IP address but none of my network resources were available. If that sounds normal to you then that's where we're going wrong. If the cached credentials were good enough to log on to the local machine off the network they should have been good enough to authenticate network resources once the network was restored. The credentials that were used to logon with were not local, they were domain.

Tell me if this sounds familiar

My scenario -

1. User cannot logon.. My phone rings.. "Bad username or Password." Computer is on the network. Sysadmin with adequate privileges can logon.
2. Disconnect computer from the network - User can logon. Computer is off the network. User is using his domain credentials.
3. With the user logged on locally reconnect the computer to the network. User now has an IP address and email but can't authenticate mapped drives. Entering passwords multiple times sometimes works but mostly it just makes you mad.
4. Out of the blue the machine works perfectly and you think you have it fixed but then you do a final restart and you're back to square one.
5. When user gets the "Bad username or Password" at logon, you can try as many times as you want and you will not lockout the account on either the local machine or the network. Mine are set via GP to 5 bad logons then a 45 min lockout. That never gets triggered.

I know, sounds like DNS but if it is, it's something so well hidden that none of the tools I have can find it. I thought maybe it was a NTLM V2 problem but that wasn't either. I've been through these machines and used every search engine there is looking for similar problems and this thread is the closest I found. If anybody knows the answer please loosen up and give us some help...

Thanks so much.

Steve Schefer
February 10th, 2012 6:55pm

I don't want to throw in a red herring, but can you ping the domain controller when you've restored your network connection?

sschefer wrote:
> Not trying to hijack this but I'm just about out of hair trying to resolve this same issue. I may be on to the real cause though and I don't believe it is the machine passwords expiring. Mine are now set to not expire via GP and the GP is loading and can be verified with RSOP.
>
> Today, with what's left of my hair in my hands I disconnected the computer from the network and logged on with local cached credentials. I'm running DHCP so I ran an ipconfig/flushdns just for the heck of it. I then plugged the network cable back in and it got an IP address but none of my network resources were available. If that sounds normal to you then that's where we're going wrong. If the cached credentials were good enough to log on to the local machine off the network they should have been good enough to authenticate network resources once the network was restored. The credentials that were used to logon with were not local, they were domain.
>
> Tell me if this sounds familiar
>
> My scenario -
>
> 1. User cannot logon.. My phone rings.. "Bad username or Password." Computer is on the network. Sysadmin with adequate privileges can logon.
>
> 2. Disconnect computer from the network - User can logon. Computer is off the network. User is using his domain credentials.
>
> 3. With the user logged on locally reconnect the computer to the network. User now has an IP address and email but can't authenticate mapped drives. Entering passwords multiple times sometimes works but mostly it just makes you mad.
>
> 4. Out of the blue the machine works perfectly and you think you have it fixed but then you do a final restart and you're back to square one.
>
> 5. When user gets the "Bad username or Password" at logon, you can try as many times as you want and you will not lockout the account on either the local machine or the network. Mine are set via GP to 5 bad logons then a 45 min lockout. That never gets triggered.
>
> I know, sounds like DNS but if it is, it's something so well hidden that none of the tools I have can find it. I thought maybe it was a NTLM V2 problem but that wasn't either. I've been through these machines and used every search engine there is looking for similar problems and this thread is the closest I found. If anybody knows the answer please loosen up and give us some help...
>
> Thanks so much.
>
> Steve Schefer

Hay
February 11th, 2012 9:00am

Also might want to check out: http://support.microsoft.com/kb/976494

HarryVerge wrote:
> I don't want to throw in a red herring, but can you ping the domain controller when you've restored your network connection?
>
> sschefer wrote:
> > Not trying to hijack this but I'm just about out of hair trying to resolve this same issue. I may be on to the real cause though and I don't believe it is the machine passwords expiring. Mine are now set to not expire via GP and the GP is loading and can be verified with RSOP.
> >
> > Today, with what's left of my hair in my hands I disconnected the computer from the network and logged on with local cached credentials. I'm running DHCP so I ran an ipconfig/flushdns just for the heck of it. I then plugged the network cable back in and it got an IP address but none of my network resources were available. If that sounds normal to you then that's where we're going wrong. If the cached credentials were good enough to log on to the local machine off the network they should have been good enough to authenticate network resources once the network was restored. The credentials that were used to logon with were not local, they were domain.
> >
> > Tell me if this sounds familiar
> >
> > My scenario -
> >
> > 1. User cannot logon.. My phone rings.. "Bad username or Password." Computer is on the network. Sysadmin with adequate privileges can logon.
> >
> > 2. Disconnect computer from the network - User can logon. Computer is off the network. User is using his domain credentials.
> >
> > 3. With the user logged on locally reconnect the computer to the network. User now has an IP address and email but can't authenticate mapped drives. Entering passwords multiple times sometimes works but mostly it just makes you mad.
> >
> > 4. Out of the blue the machine works perfectly and you think you have it fixed but then you do a final restart and you're back to square one.
> >
> > 5. When user gets the "Bad username or Password" at logon, you can try as many times as you want and you will not lockout the account on either the local machine or the network. Mine are set via GP to 5 bad logons then a 45 min lockout. That never gets triggered.
> >
> > I know, sounds like DNS but if it is, it's something so well hidden that none of the tools I have can find it. I thought maybe it was a NTLM V2 problem but that wasn't either. I've been through these machines and used every search engine there is looking for similar problems and this thread is the closest I found. If anybody knows the answer please loosen up and give us some help...
> >
> > Thanks so much.
> >
> > Steve Schefer
>
> Hay

Hay
February 11th, 2012 9:06am

This topic is archived. No further replies will be accepted.
