How to reestablish the trust relationship between a protected server and a domain controller


In some cases a protected server loses its trust relationship with the domain. The computer account password (the machine secret that Netlogon uses to build the secure channel to a domain controller) is stored both in the local LSA and in the computer object in Active Directory; when the two no longer match, for example after the server is restored from a snapshot taken before the password was last rotated, domain logons fail with "the trust relationship between this workstation and the primary domain failed". One fix would be to re-join the Active server to the domain, but this would automatically invalidate the Neverfail license, which is generated from the FQDN and machine SID. To avoid generating a new license key and re-cloning the Passive server(s), either of the following two options resets the machine secret on both sides while leaving the existing computer object in place. Both require that the computer object still exists in Active Directory; if it has been deleted, a re-join is unavoidable.

Option 1. Run the following command from an elevated PowerShell session:

Reset-ComputerMachinePassword [-Server <String>] [-Credential <PSCredential>]

-Server is the name of a domain controller and -Credential is a domain account that is allowed to reset the computer account password (for example a member of Domain Admins). Both parameters are optional when the session already runs under a suitable domain account, but when the secure channel is broken you will normally be logged on as the local Administrator and should supply them explicitly.

Option 2. Change the computer password using the netdom utility:

  1. Log on with the local Administrator account by typing .\Administrator as the user name in the logon window. If this is not possible, disconnect the machine from the network and log on with a domain user; with no domain controller reachable, Windows accepts the cached domain credentials.
  2. Make sure the netdom.exe utility is present. It is not part of a default Windows Server 2008 R2 or Windows Server 2012 installation; it is installed with the Active Directory Domain Services role or with the "AD DS and AD LDS Tools" feature of the Remote Server Administration Tools.
  3. Open a command prompt with administrative privileges and run the following command:

netdom resetpwd /s:server /ud:domain\User /pd:*

          /s:server is the name of a domain controller in the domain

          /ud:domain\User is a domain account with permission to reset the computer account password

          /pd:* makes netdom prompt for that account's password instead of taking it on the command line (where it would be visible in the process list and command history)

  4. Reboot the server.
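The following script is an added example, not part of the original Neverfail article, that ties both options together from one elevated PowerShell session: it first confirms that the secure channel is actually broken, then attempts Option 1 (Reset-ComputerMachinePassword), falls back to Option 2 (netdom resetpwd) if that fails, and verifies the channel before the reboot. The domain controller name DC01.corp.example and the account CORP\svc-joinreset are assumptions and must be replaced with your own values.

```powershell
# Added example (not the article's own text): repair the Active server's secure
# channel without re-joining the domain, so the existing computer object, and with
# it the FQDN and machine SID the Neverfail license is tied to, stays untouched.
# Run from an elevated PowerShell session, logged on as .\Administrator if domain
# logon no longer works. The DC name and account below are assumptions.

$DomainController = 'DC01.corp.example'      # assumed: any reachable domain controller
$DomainAccount    = 'CORP\svc-joinreset'     # assumed: account allowed to reset the computer account password

# 1. Confirm the problem really is a broken secure channel. $false (or an error)
#    means the local machine secret no longer matches the computer object in AD.
$healthy = $false
try {
    $healthy = Test-ComputerSecureChannel -Server $DomainController -ErrorAction Stop
}
catch {
    Write-Warning "Test-ComputerSecureChannel failed: $($_.Exception.Message)"
}
if ($healthy) {
    Write-Host 'Secure channel is healthy; nothing to reset.'
    return
}

# 2. Prompt for the domain credential rather than embedding a password in the script.
$cred = Get-Credential -UserName $DomainAccount -Message 'Domain account with rights to reset the computer account password'

# 3. Option 1: have Netlogon negotiate a new machine password with the DC. Only the
#    password on both sides is rewritten; the computer object itself is kept.
try {
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop
    Write-Host 'Machine account password reset via Reset-ComputerMachinePassword.'
}
catch {
    Write-Warning "Reset-ComputerMachinePassword failed: $($_.Exception.Message)"

    # Option 2 fallback: netdom, available once the AD DS role or the RSAT
    # "AD DS and AD LDS Tools" feature is installed. /pd:* makes netdom prompt for
    # the password so it never appears on the command line.
    if (Get-Command netdom.exe -ErrorAction SilentlyContinue) {
        & netdom.exe resetpwd "/s:$DomainController" "/ud:$DomainAccount" '/pd:*'
        if ($LASTEXITCODE -ne 0) {
            throw "netdom resetpwd exited with code $LASTEXITCODE"
        }
        Write-Host 'Machine account password reset via netdom resetpwd.'
    }
    else {
        throw 'netdom.exe not found; install the AD DS and AD LDS Tools feature or retry Option 1.'
    }
}

# 4. Verify before rebooting. A failure at this point usually means the computer
#    object no longer exists in AD, in which case only a re-join (and a new
#    license) will restore domain functionality.
if (-not (Test-ComputerSecureChannel -Server $DomainController -Credential $cred)) {
    throw 'Secure channel is still broken after the password reset.'
}
Write-Host 'Secure channel repaired. Reboot the server to complete the procedure.'
# Restart-Computer -Force
```

Test-ComputerSecureChannel also has a -Repair switch that performs the same password reset as Reset-ComputerMachinePassword; the script keeps the two cmdlets separate so that the diagnosis step and the reset step are visible on their own. The final reboot is left commented out so the verification result can be read before the server goes down.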

More information on how to use the netdom utility can be found in this Microsoft KB:
