Trust relationship broken
-
Fog version 1.2.0
I have set up the Active Directory defaults. Used fogcrypt to encrypt the domain admin account password. When I try to have Fog join the computer to the domain after downloading the image, I get this error when trying to log in to the computer: “The trust relationship between this workstation and the primary domain failed”
It does rename the computer correctly, but will not join it to the domain.
Thanks,
-
In AD, is the system disabled?
-
[quote=“Tom Elliott, post: 36451, member: 7271”]In AD, is the system disabled?[/quote]
The system has not been disabled.
Additional info: it is a Windows 7 image, and AD 2013.
-
[quote=“SupEric, post: 36452, member: 25086”]The system has not been disabled.
Additional info: it is a Windows 7 image, and AD 2013.[/quote]
When the machine first starts after a download, I logged in and copied the fog.log file. Then the machine wants to restart, and after the restart it says the trust relationship is broken when I try logging in.
I have attached the fog.log file from the machine.
Any ideas?
[url=“/_imported_xf_attachments/1/1364_foglog.zip?:”]foglog.zip[/url]
-
How are you telling the system to join the domain?
Particularly, from your fog.log:
[code]FOG::HostnameChanger Module is disabled on this host[/code]This means that FOG isn’t doing the name change or joining the host to the domain, but rather maybe a snapin is?
-
[quote=“Tom Elliott, post: 36534, member: 7271”]How are you telling the system to join the domain?
Particularly, from your fog.log:
[code]FOG::HostnameChanger Module is disabled on this host[/code]This means that FOG isn’t doing the name change or joining the host to the domain, but rather maybe a snapin is?[/quote]
Fog used to join them to the domain, and for some reason it has stopped working. When we inventory the computer we tell it to join the computer to the domain using default settings, and then we put the Active Directory defaults in on the Fog configuration screen. What do we need to do to make Fog join the computers to the domain?
-
In FOG 1.0+ the username field needs to contain only the username, no domain.
AD credentials are stored per host, and you may need to update your hosts with any changes.
-
[quote=“Junkhacker, post: 36538, member: 21583”]In FOG 1.0+ the username field needs to contain only the username, no domain.
AD credentials are stored per host, and you may need to update your hosts with any changes.[/quote]Cool, I have updated the fields to just the username, no domain in front, in both the computer settings and in the Active Directory defaults. Testing now.
Thanks!!!
-
Unfortunately, after downloading it has the same message: trust relationship failed.
-
This error happens if I image a station on our domain and I forget to delete the computer from AD before it re-joins the domain post-imaging.
-
I believe this can also happen if you upload an image of a computer that is already joined to the domain.
-
The trust relationship between the AD and the computer is based on the Computer Account Password, which is saved as part of the computer object in the AD.
By default, the trust relationship and computer account passwords are negotiated every thirty days, except for computer accounts where this has been disabled by the administrator.
This password is generated, negotiated and maintained by the computer, entirely silently. A short history of passwords is supposed to be maintained by the AD for each computer object, in case of synchronization problems. However, this can easily be fubar’d if the computer undergoes one too many recovery sessions to restore points, is away from the domain too long to have been able to properly recognise the new password, or your AD has been restored to a previous restore point.
If you are capturing an image that is already joined to the domain, stop doing that.
The recommended fix from MS for a computer that is no longer trusted by the AD is:
- From the client, remove it from the domain.
- Delete the computer object from the AD.
- Join the computer to the domain.
… Or …
- Logon as a local Administrator
- CMD: [code]netdom resetpwd /server:YourDC /userd:Your.Domain\YourADAccount /passwordd:* /SecurePasswordPrompt[/code]
There are other scripting and PowerShell options as well.
See [url]http://support.microsoft.com/kb/216393[/url] for more information.
This problem can also be remediated by changing the default behaviour of the client by extending the lifespan of the computer account password through local Group Policy.
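The repair procedure above, written out as a PowerShell script. This is an added example, not code from the FOG project or from the post's author; it uses the built-in Test-ComputerSecureChannel and Reset-ComputerMachinePassword cmdlets, which do the same job as the netdom resetpwd line. The domain controller name DC01.example.local and the domain name EXAMPLE are placeholders, and the registry values it reads are the ones behind the "Domain member" Group Policy settings the last paragraph refers to. Run it from an elevated PowerShell session while logged on as a local Administrator on the untrusted machine.

```powershell
# Added example (not from the FOG forum post): check and, if needed, repair a
# workstation's AD secure channel from an elevated local-Administrator session.
# Assumed placeholder names: DC01.example.local and domain EXAMPLE.
param(
    [string]$DomainController = 'DC01.example.local',
    [string]$Domain           = 'EXAMPLE'
)

# Local settings that govern machine account password rotation. These are the
# registry values behind the "Domain member: Maximum machine account password
# age" (default 30 days) and "Domain member: Disable machine account password
# changes" Group Policy settings mentioned in the post.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon
"Machine account password max age: $($params.MaximumPasswordAge) days"
"Machine account password rotation disabled: $($params.DisablePasswordChange)"

# 1. Does the password this machine holds still match the one on the DC?
if (Test-ComputerSecureChannel -Server $DomainController) {
    'Secure channel is healthy; nothing to do.'
    return
}

# 2. Trust is broken. Ask for a domain account allowed to reset this computer
#    object (the same privilege netdom resetpwd needs) and try an in-place repair.
$cred = Get-Credential -Message "Account in $Domain that may reset this computer object"
if (Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred) {
    'Secure channel repaired; machine password re-synchronised with the DC.'
    return
}

# 3. Fallback: force a brand-new machine account password, negotiated directly
#    with the chosen DC (PowerShell equivalent of the netdom resetpwd line).
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
if (Test-ComputerSecureChannel -Server $DomainController) {
    'Machine password reset succeeded; reboot and log on with a domain account.'
} else {
    Write-Warning 'Still untrusted: unjoin, delete the AD computer object, then rejoin.'
}
```

Test-ComputerSecureChannel returns $true or $false, so the script can stop as soon as the channel verifies. The -Repair path keeps the existing computer object and only re-synchronises the password, which is why it is preferable to the unjoin/delete/rejoin sequence: the object's group memberships and GPO links survive.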