Today I needed to restore a virtual machine because the virtual hard disk was becoming corrupt. I needed to restore an older backup because all newer ones were also corrupt.

After the restore I couldn’t log on to the virtual machine by using a domain user account and got the following error message.

The trust relationship between this workstation and the primary domain failed.


The reason is supposedly that the virtual machine synced its computer password with the domain controller after the backup I am using for the restore was taken.

The computer password is needed to create a secure channel between a domain member and Active Directory. If the computer password on the computer itself and the password within the computer account object in Active Directory are not the same and not synchronized, the secure channel cannot be established and the above error message will appear.


In that case, the computer password in the computer account in Active Directory is newer than and different from the computer password on the restored virtual machine.

When you join a computer to an on-premises Active Directory, a corresponding computer account object is created in Active Directory, similar to a user account. The computer account includes a password, which should be in sync with the computer itself.

By default, domain members submit a password change every 30 days. You can change this interval with the following registry setting.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

MaximumPasswordAge



Solution

In order to be able to log on to the computer by using a domain user account, we need to reset the computer password both on the computer itself and in the computer object in Active Directory.

Therefore we need to log on to the computer by using a local administrator account.

Then we need to launch the command prompt as administrator and enter the following command, which resets the password on the computer itself and also in the computer object in Active Directory.

The netdom command is only available on Windows Server OS; for workstations you can use the Reset-ComputerMachinePassword PowerShell cmdlet shown below.

netdom resetpwd /s:DC.domain.com /ud:domain\Administrator /pd:"password"

# replace DC.domain.com with the FQDN of one of your domain controllers and domain\Administrator with your domain and domain administrator account.

/s = FQDN of the domain controller running the PDC Emulator service.
/ud = Domain administrator account
/pd = Password for the domain administrator account


As mentioned, for workstations you have to use the following PowerShell cmdlet.

Reset-ComputerMachinePassword -Server DC.domain.com -Credential domain\Administrator


After that you should be able to log on again with a domain user account.
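The following script is an added example, not code from the original post: it puts the diagnosis and the repair described above into one elevated PowerShell session on the restored machine. It assumes you are logged on with a local administrator account, and it uses DC.domain.com and domain\Administrator as placeholders for your own domain controller and domain administrator account, as the post does. The optional Get-ADComputer step assumes the RSAT ActiveDirectory module is installed; everything else uses cmdlets built into Windows PowerShell.

```powershell
# Added example (not from the original post): check the Netlogon password-rotation
# setting, test the secure channel, and reset the computer password if the trust
# is broken. Run from an elevated PowerShell session as a local administrator.

$Server       = 'DC.domain.com'          # placeholder: FQDN of a domain controller
$AdminAccount = 'domain\Administrator'   # placeholder: domain administrator account

# 1. How often is this machine configured to rotate its computer password?
#    MaximumPasswordAge under Netlogon\Parameters is the registry value the post
#    refers to; when the value is absent, the default of 30 days applies.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = if ($null -ne $netlogon.MaximumPasswordAge) { $netlogon.MaximumPasswordAge } else { 30 }
Write-Host "Machine account password rotation interval: $maxAge days"

# 2. Test the secure channel to the domain. $false is the condition behind
#    "The trust relationship between this workstation and the primary domain failed".
$channelOk = Test-ComputerSecureChannel -Server $Server -Verbose
Write-Host "Secure channel healthy: $channelOk"

if (-not $channelOk) {
    # 3. Prompt for the domain credential rather than embedding the password in
    #    the script (the netdom /pd: value in the post is the same secret).
    $cred = Get-Credential -UserName $AdminAccount -Message 'Domain account used to reset the computer password'

    # 4. Optional: confirm the post's explanation by checking when AD last saw a
    #    password change for this computer. A timestamp later than the backup you
    #    restored means the two copies of the password have diverged.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $adComputer = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server `
                                     -Properties PasswordLastSet -Credential $cred
        Write-Host "AD computer object password last set: $($adComputer.PasswordLastSet)"
    }

    # 5. Reset the computer password on this machine and in the AD computer object.
    #    This is the cmdlet the post names for workstations, the counterpart of
    #    "netdom resetpwd" on Windows Server.
    Reset-ComputerMachinePassword -Server $Server -Credential $cred

    # 6. Verify: the secure channel should now test healthy. Log off and back on
    #    (or reboot) before retrying a domain user logon.
    $channelOk = Test-ComputerSecureChannel -Server $Server
    Write-Host "Secure channel healthy after reset: $channelOk"
}
```

Test-ComputerSecureChannel also accepts a -Repair switch that performs the same reset in one step; the script above keeps the test and the reset separate so you can see the broken state before changing anything, and so the credential is only requested when a repair is actually needed.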



Links

Domain member: Maximum machine account password age
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age