The trust relationship between the AD and the computer is based on the Computer Account Password which is saved as part of the computer object in the AD.
By default, the trust relationship and computer account password are renegotiated every thirty days, unless the administrator has disabled the automatic change for that computer account.
This password is generated, negotiated and maintained by the computer, entirely silently. The AD is supposed to keep a short history of passwords for each computer object in case of synchronization problems. However, this can easily be fubar'd if the computer undergoes one too many recoveries to restore points, is away from the domain too long to have been able to properly recognise the new password, or your AD has been restored to a previous restore point.
If you are capturing an image that is already joined to the domain, stop doing that.
The recommended fix from MS for a computer that is no longer trusted by the AD is:
From the client, remove it from the domain. Delete the computer object from the AD. Join the computer to the domain again. ... Or ...
Logon as a local Administrator and run from CMD:
netdom /resetpwd /server:YourDC /userD:Your.Domain\YourADAccount /passwordD:* /SecurePasswordPrompt
There are other scripting and PowerShell options as well.
See [url]http://support.microsoft.com/kb/216393[/url] for more information.
This problem can also be remediated by changing the default behaviour of the client by extending the lifespan of the computer account password through local Group Policy.
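Added example, not from the original post: the PowerShell equivalent of the netdom reset above, plus the two local checks an admin wants before and after (is the secure channel healthy, and what is the local machine-password policy). The domain name, server name and the 60-day threshold are placeholder assumptions.

```powershell
# Added example (not the original post's code). Run on the affected client as a local
# Administrator; the credential is a domain account allowed to reset the computer object.

function Repair-MachineTrust {
    param([pscredential]$DomainCred = (Get-Credential -Message 'Domain account for the reset'))

    # Test-ComputerSecureChannel checks the trust with the DC without changing anything.
    if (Test-ComputerSecureChannel) {
        Write-Host 'Secure channel OK - no reset needed.'
        return $true
    }
    # -Repair resets the computer account password in place, like netdom /resetpwd,
    # so the machine does not have to leave and rejoin the domain.
    return Test-ComputerSecureChannel -Repair -Credential $DomainCred
}

function Get-MachinePasswordPolicy {
    # These are the registry values behind the local Group Policy settings
    # "Domain member: Maximum machine account password age" (days, default 30) and
    # "Domain member: Disable machine account password changes" (1 = disabled).
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Get-ItemProperty -Path $netlogon -Name MaximumPasswordAge, DisablePasswordChange `
        -ErrorAction SilentlyContinue
}

function Get-StaleComputerAccounts {
    # Run on a DC or a host with RSAT. Lists computer objects whose password is older
    # than the threshold; these are the machines most likely to hit this trust problem.
    param([int]$Days = 60)   # assumed threshold: twice the default 30-day change interval
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter * -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, Enabled
}

Get-MachinePasswordPolicy
Repair-MachineTrust
```

Run Get-StaleComputerAccounts from a DC to find the machines that have not renegotiated in a long time, then fix each one from the client with Repair-MachineTrust rather than rejoining.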