ISSUE
After restoring a server via Bare Metal, Instant Recovery or any other method, if the machine was previously joined to an Active Directory domain, you may run into the following error when logging on with your domain credentials:
RESOLUTION
The most common cause of the trust relationship failing after restoring a workstation or server is that the computer account password was changed between the last backup taken and the restore attempt.
If you've got domain admin credentials, this condition is easily fixed by performing the following steps:
1. Log into the computer with local admin credentials such as Administrator.
If you do not have local admin credentials for the computer, disconnect the network adapter, which will force the use of cached credentials. Do remember to reconnect the network adapter once logged on.
2. Ensure that the date and time matches an available domain controller.
3. Open a command prompt (cmd) as an Administrator.
4. At a command prompt, type the following command:
netdom resetpwd /s:server /ud:domain\User /pd:*
A description of this command syntax is:
- /s:server is the name of the domain controller to use for setting the machine account password.
- /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
- /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.
5. Reboot
CAUSE
Several different factors can prevent a workstation or server from authenticating to an Active Directory domain, including but not limited to the following:
- Time is skewed more than 5 minutes from the authenticating domain controller.
- The available domain controller is not a global catalog server.
- The computer account password does not match what is in Active Directory.
- The computer account has been deleted from Active Directory.
- The DNS servers specified are not one of the available domain controllers.
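The following script is an added example, not part of the original article: it checks three of the causes above (time skew, DNS configuration, broken secure channel) on the restored machine before you reset the machine account password. The domain controller name dc01.example.local is a placeholder, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: pre-checks for a restored, domain-joined machine.
# Assumptions: elevated Windows PowerShell 5.1; $Dc is a placeholder DC name.
param(
    [string]$Dc = 'dc01.example.local',
    [int]$MaxSkewSeconds = 300   # the 5-minute limit listed under CAUSE
)
$results = @()

# Time skew: w32tm prints a line such as "12:00:01, +00.0123456s" per sample.
$skew = $null
foreach ($line in (w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1)) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
    }
}
$results += [pscustomobject]@{
    Check  = 'Time skew'
    Ok     = ($null -ne $skew -and $skew -le $MaxSkewSeconds)
    Detail = if ($null -eq $skew) { "no time sample from $Dc" } else { "$skew s" }
}

# DNS: at least one configured DNS server should be an address of the DC.
$dns = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique)
try {
    $dcIps = @([System.Net.Dns]::GetHostAddresses($Dc) |
        ForEach-Object { $_.IPAddressToString })
} catch {
    $dcIps = @()   # name did not resolve, which is itself a DNS finding
}
$results += [pscustomobject]@{
    Check  = 'DNS points at DC'
    Ok     = [bool]($dns | Where-Object { $dcIps -contains $_ })
    Detail = "configured: $($dns -join ', '); DC resolves to: $($dcIps -join ', ')"
}

# Secure channel: False means the machine account password does not match AD.
$channel = [bool](Test-ComputerSecureChannel -Server $Dc -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{
    Check  = 'Secure channel'
    Ok     = $channel
    Detail = if ($channel) { 'trust intact' } else { 'trust broken' }
}

$results | Format-Table -AutoSize -Wrap
if (-not $channel) {
    Write-Output 'Fix time/DNS findings first, then run the netdom resetpwd command from step 4 and reboot.'
}
```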