PrepAway - Latest Free Exam Questions & Answers

You need to ensure that the user is able to log on to the computer

Your company has an Active Directory domain. A user attempts to log on to a computer that
was turned off for twelve weeks. The administrator receives an error message that
authentication has failed.
You need to ensure that the user is able to log on to the computer.
What should you do?


A.
Run the netsh command with the set and machine options.

B.
Reset the computer account. Disjoin the computer from the domain, and then rejoin the
computer to the domain.

C.
Run the netdom TRUST /reset command.

D.
Run the Active Directory Users and Computers console to disable, and then enable the
computer account.

Explanation:
Answer) Reset the computer account. Disjoin the computer from the domain, and then rejoin
the computer to the domain.

http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-betweenworkstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed

What are the common causes that generate this message on client systems?
There can be several reasons for this behaviour. A few of them are listed below:
1. A single SID has been assigned to multiple computers.
2. The secure channel between the domain controller and the workstation is broken.
3. No SPN or DNSHostName is set in the computer account attributes.
4. Outdated NIC drivers.
How to troubleshoot this behaviour?
..
2. The secure channel between the domain controller and the workstation is broken
When a computer is joined to the domain, a secure channel password is stored with the
computer account on the domain controller. By default this password changes every 30 days
(this is an automatic process; no manual intervention is required). When the computer
starts, Netlogon attempts to discover a DC for the domain in which its machine account
exists. After locating an appropriate DC, the machine account password from the
workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, the secure
channel password on the workstation and the one on the DCs may fall out of sync.
A common cause of a broken secure channel [machine account password] is that the secure
channel password held by the domain member does not match the one held by AD. Often,
this is caused by performing a Windows System Restore (or reverting to a previous backup or
snapshot) on the member machine, which causes an old (previous) machine account password
to be presented to AD.
Resolution:
The simplest resolution is to unjoin/disjoin the computer from the domain and then rejoin
it to the domain (a somewhat similar principle to performing a password reset for a user
account).
Or
You can reset the computer account using the netdom.exe tool.
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server
2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role
installed. It is also available if you install the Active Directory Domain Services Tools that are
part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or
Windows NT 4.0 domain.
* Manage computer accounts for domain member workstations and member servers.
Management operations include:
* Establish one-way or two-way trust relationships between domains, including the following
kinds of trust relationships:
* Verify or reset the secure channel for the following configurations:
  * Member workstations and servers.
  * Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or
  Windows 2000 replicas.
* Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>]
[{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]
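
As an added example (not part of the original page or of the quoted Microsoft documentation), the following Windows PowerShell function checks the secure channel on the affected member and runs `netdom reset` with the syntax above only if the channel is actually broken. It assumes Windows PowerShell 5.1, an elevated session under a local administrator account, and netdom.exe present on the machine (RSAT installed); `Repair-MemberSecureChannel` and its `DomainUser` parameter are hypothetical names.

```powershell
# Added example, not from the original page.
# Repair-MemberSecureChannel is a hypothetical helper name, not a built-in cmdlet.
function Repair-MemberSecureChannel {
    param(
        # Domain account permitted to reset computer accounts,
        # e.g. CONTOSO\helpdesk (constructed sample value).
        [Parameter(Mandatory)] [string] $DomainUser
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "$($cs.Name) is not joined to a domain."
    }

    # Netlogon has to locate a DC before it can authenticate the machine
    # account, so rule out DNS before blaming the machine account password.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" `
                           -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        throw "No DC SRV records found for $($cs.Domain); fix DNS first."
    }

    # Returns $true when the locally stored machine account password
    # still matches the one held by AD.
    if (Test-ComputerSecureChannel) {
        return "Secure channel to $($cs.Domain) is healthy; nothing to reset."
    }

    # netdom reset, using the /d:, /uo: and /po: switches from the syntax above.
    # /po:* prompts for the password, keeping it out of the command line.
    & netdom.exe reset $cs.Name "/d:$($cs.Domain)" "/uo:$DomainUser" "/po:*"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netdom exited with code $LASTEXITCODE."
    }

    # Verify the result instead of trusting the exit code alone.
    if (Test-ComputerSecureChannel) {
        return "Secure channel to $($cs.Domain) repaired."
    }
    throw "Secure channel still broken; disjoin and rejoin the computer."
}
```
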
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: |
/userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>]
[{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset]
[/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway]
[/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force]
[/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory]
[/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN]
[/RemoveTLNEX][{/help | /?}]

