Domain Trust failed on a VM

Kelly

The Server 2012 R2 CA I've been working on decided it hated my domain and has lost the trust relationship. I don't know the local admin account credentials. Do I have any other options short of rebuilding it?

black3dynamite

@kelly said in Domain Trust failed on a VM:

The Server 2012 R2 CA I've been working on decided it hated my domain and has lost the trust relationship. I don't know the local admin account credentials. Do I have any other options short of rebuilding it?

You could try booting a live linux iso and use a program called chntpw to reset the local admin password.

dafyre

Easy-ified version of it that I like to use is here:

http://pogostick.net/~pnh/ntpasswd/

It hasn't been updated since 2014 though. So it may or may not work with Server 2012 / R2.

scottalanmiller

@dafyre said in Domain Trust failed on a VM:

Easy-ified version of it that I like to use is here:

http://pogostick.net/~pnh/ntpasswd/

It hasn't been updated since 2014 though. So it may or may not work with Server 2012 / R2.

2012 R2 is 2014, so probably good to go.

jmoore

When I image I make the admin account accessible and set the password then just in case this happens because our workstations lose the trust relationship a lot here. I leaned the hard way to do this at the very first stage which is my image.

Kelly

Newest version of pogostick did the trick. Thanks for the help.

Kelly

Well, that got me in to the machine, but despite using Reset-ComputerMachinePassword and netdom I was not able to redo the trust. Since it a CA I can't remove it or rename it. Looks like I'll be spinning up a new subordinate CA.

dbeato

@kelly said in Domain Trust failed on a VM:

n to the machine, but despite using Reset-ComputerMachinePassword and netdom I was not able to redo the trust. Since it a CA I can't remove it or rename it. Looks like I'll be spinning up a new subordinate CA.

That's going to be a pain Hopefully you had a backup.

Jimmy9008

Disconnect the VM from the virtual NIC. Reboot VM from host management. Connect to VM from host management (the VM is now not on the network). Login with domain admin creds. This will be allowed as 'offline login/admin'.

Then put the VM back on to the network whilst logged on and rejoin the VM back to the domain. Then restart. Easy.

tiagom

@kelly

Run Test-ComputerSecureChannel -Verbose to confirm broken trust relationship.

To repair:

Reset the computer account in AD.

Run powershell as administrator on the machine with broken trust.

$c = Get-Credential
Enter domain admin creds

Test-ComputerSecureChannel -Verbose -Credential $c -Repair

tiagom

@jimmy9008 said in Domain Trust failed on a VM:

Disconnect the VM from the virtual NIC. Reboot VM from host management. Connect to VM from host management (the VM is now not on the network). Login with domain admin creds. This will be allowed as 'offline login/admin'.

Then put the VM back on to the network whilst logged on and rejoin the VM back to the domain. Then restart. Easy.

Rejoining to the domain will create a new SID. Not sure if that would cause issues for the CA in AD.