- After restoring a VM/CT backup that contains a Domain Controller, or after a c2c/c2v/p2v migration of a Domain Controller, it is not possible to log on to workstations of the domain.
- The following error appears: "The trust relationship between this workstation and the primary domain failed"
This problem can be caused by an inconsistency in the Kerberos keytab, which occurs when it misses the automatic password changes that are executed against the domain controller. These password changes are required to maintain the security integrity of the domain.
There are several ways to fix the issue:
1. Reset the computer account and re-join the workstation to the domain.
1.1 On the DC, run the command:
dsmod computer "cn=*compname*,ou=*dep*,dc=*dmn*,dc=*com*" -reset
Note: replace the values for cn=, ou= and dc= to compose a valid distinguished name (DN) for the computer object.
1.2 Log on to the workstation with local credentials, move the computer to a workgroup, move it back to the domain, and reboot.
2. Reset the workstation password with nltest:
2.1 Log on to the workstation with local administrator credentials.
2.2 Run the command:
nltest /server:*workstationName* /sc_reset:*DC_Name*
2.3 Reboot the workstation.
3. Reset the workstation password with the Test-ComputerSecureChannel cmdlet from PowerShell v3:
3.1 Log on to the workstation with local administrator credentials.
3.2 Run in PowerShell:
Test-ComputerSecureChannel -Repair
3.3 Reboot the workstation.
Because the default computer account password lifetime is 30 days, a similar issue can occur when a CT or VM that is a domain member is restored from an outdated backup.
You can use the vzctl (for containers) or prlctl (for virtual machines) command to automate the computer account reset procedure:
vzctl exec CTID nltest /server:*workstationName* /sc_reset:*DC_Name*
vzctl restart CTID
prlctl exec VM_NAME nltest /server:*workstationName* /sc_reset:*DC_Name*
prlctl restart VM_NAME
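
The outdated-backup case described above can be checked before a restore. The following is an added example, not part of the original article: it compares each backup's timestamp with the machine account's PasswordLastSet value in Active Directory and flags members that will need one of the reset methods after the restore. The function name Test-BackupPasswordAge, the computer names and the dates are assumptions made for illustration; the ActiveDirectory (RSAT) module is required.

```powershell
# Added example: flag domain members whose backup predates the last
# machine account password change recorded in Active Directory.
# Run it against a healthy DC (not one that was itself restored).
Import-Module ActiveDirectory

function Test-BackupPasswordAge {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,  # AD computer name
        [Parameter(Mandatory)] [datetime] $BackupTime     # local time of the backup
    )

    # PasswordLastSet is returned in local time, same as $BackupTime.
    $computer = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet

    if ($null -eq $computer.PasswordLastSet) {
        $status = 'Unknown'        # no password change recorded for the account
    } elseif ($computer.PasswordLastSet -gt $BackupTime) {
        $status = 'ResetNeeded'    # password changed after the backup was taken
    } else {
        $status = 'OK'             # backup still holds the current password
    }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        BackupTime      = $BackupTime
        PasswordLastSet = $computer.PasswordLastSet
        Status          = $status
    }
}

# Constructed inventory: names and dates are placeholders.
$backups = @(
    @{ ComputerName = 'WS-EXAMPLE-01'; BackupTime = [datetime]'2024-01-10T02:00:00' }
    @{ ComputerName = 'WS-EXAMPLE-02'; BackupTime = [datetime]'2024-03-01T02:00:00' }
)

$report = foreach ($b in $backups) { Test-BackupPasswordAge @b }
$report | Format-Table -AutoSize
```

Members reported as ResetNeeded are the ones to schedule for the nltest or Test-ComputerSecureChannel -Repair step right after the restore.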