Fixing a Broken Connection to Active Directory

()

Active Directory (AD) is the name of Microsoft’s proprietary directory service. It is used in corporate environments and utilizes a Windows Server operating system. Active Directory enables network administrators to manage the permissions of users and their access to network resources. The client computers used in an AD environment will normally be running a version of Microsoft Windows and will be joined to the Active Directory domain. When users log in on their computers their details are authenticated against AD and they are granted appropriate access to resources.

Error Message When Attempting to Connect to Corporate Network

One of the most frustrating messages a user can receive when attempting to log in to a domain-joined computer is the following.

The security database on the server does not have a computer account for this workstation trust relationship

or ‘The trust relationship between this workstation and the primary domain failed’.

For whatever reason, the connection between the client computer and the domain controller has been broken and they are unable to log in. Whilst this is an irritating scenario, it’s not that difficult to resolve.

Short-term Fix for Logging in

In order to resolve this issue, it’s necessary to have access to both a local administrator account on the workstation in question, and to a network administrator account. In a corporate environment, this will normally mean that the user requires assistance from their local IT support. It is however, usually possible for them to gain access to their computer in the short-term whilst they await full resolution of the issue.

In order for the client to log in to their computer with their normal sign-in details, they simply need to disconnect the computer from the internet. This means unplugging any ethernet connection to the computer, and also disabling the WiFi, or connecting to a non-corporate WiFi network. By doing so they isolate their computer from the corporate network which means that any log-in attempt will not be authenticated against Active Directory.

In this scenario authentication takes place against locally stored credentials. After logging in, the client can reconnect their computer to the internet. The computer will function but they won’t have access to all the network resources they might normally use, since they are not actually connected to the corporate domain.

Logging in to the Computer as an Administrator

This approach could also be used to log in to the computer using a network administrator account, if that account had been used at least once previously to do so. It may well be the case that such an account was used when the computer was first set up. If not, you should log in using a local administrator account by typing .\ in front of the username and entering the local administrator username and password.

Removal of the Computer from Active Directory

Having gained access to the computer using either the local or network administrator account, you can set about resolving the issue. Before doing so, it’s necessary to remove the computer from AD. The easiest way to do this is using Windows Powershell. To do this, log in to any domain-connected computer as a network administrator and follow these steps.

  1. Click on the windows button at the bottom left of the screen, start typing powershell and then click on Windows PowerShell when it appears as the best match.
  2. In the powershell window which appears, type the following command, replacing Name with the name of the problematic computer.
Recommended...  Adobe Reader DC version 17.009.20044 Released

 Remove-ADComputer -Identity “Name” <Enter>

  • When prompted to confirm the action, simply type Y and the computer will be removed from the domain.

Rejoining the Computer to Active Directory

Having removed the problematic computer from Active Directory, you can then return to the computer and perform the following steps to resolve the issue at hand.

  1. Ensure that you are connected to the corporate network either over ethernet or using WiFi.
  2. Click on the windows button at the bottom left of the screen, start typing control panel and then click on Control Panel when it appears as the best match.
Fixing a Broken Connection to Active Directory 1
Fixing a Broken Connection to Active Directory 7
  • Type name into the search box in the resulting window.
Fixing a Broken Connection to Active Directory 2
Fixing a Broken Connection to Active Directory 8
  • Click on Rename this computer and a small window entitled System Properties will appear.
Fixing a Broken Connection to Active Directory 3
Fixing a Broken Connection to Active Directory 9
  • Click on Change… and you will be presented with another window entitled Computer Name/Domain Changes
Fixing a Broken Connection to Active Directory 4
Fixing a Broken Connection to Active Directory 10
  • Assuming that you don’t want to change the computer name, but simply resolve the broken connection to the domain, click the radio button beside Workgroup: and type anything you like into the box. I usually simply enter TEMP. Then click OK.
  • You will be presented with a warning that ‘After you have left the domain, you will need to know the password of the local administrator account to log in to your computer. Click OK to continue.’ If necessary, reset the password of the local administrator account at this stage, or create a new local administrator account. Click OK to continue.
  • You will then be prompted to enter the details of a network administrator as you are now about to remove the computer from the domain. Enter the username and password and click OK.
Fixing a Broken Connection to Active Directory 5
Fixing a Broken Connection to Active Directory 11
  • You will receive a message welcoming you to the temporary workgroup you just created. Now restart the computer and log in using local administrator credentials.
  • After logging in, repeat steps 2-5.
  • Click on the radio button beside Domain, type in the name of your corporate domain controller and click OK.
  • You will again be prompted to enter the details of a network administrator as you are now about to rejoin the domain. Enter the username and password and click OK.
  • You will receive a message welcoming you to the corporate domain. Now restart the computer and you should be able to log in as normal. Before doing so you should add the computer to any required groups in Active Directory and move it to the correct Organizational Unit (OU).

By using the above method you can fix broken active directory moreover there are ways to restore active directory

This guide to resolving a broken connection to Active Directory was written by Norm McLaughlin. Norm is the founder and owner of Norm’s Computer Services, a computer repair and IT support business in Brisbane, Australia.

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave us a message...

This site uses Akismet to reduce spam. Learn how your comment data is processed.