Gemini: Restore computer to domain

I recently migrated my Windows Primary Domain Controller from one server to another. A workstation running Windows 10 could not recognize the shared drive. So I changed the DNS to the new server and flushed the DNS. When I rebooted the workstation it refused to log on the domain user as the 'trust relationship' between the workstation and the Primary domain controller was broken. There is no local user with admin privileges on the workstation. How do I bring back the workstation into the domain?

✦ This is a classic and tricky situation. The "broken trust
relationship" error occurs because the computer's account
password, which it uses to securely communicate with the domain
controller, is out of sync. Since you have no local administrator
account, you can't log in to fix it directly.

The solution involves using a Windows installation media to gain
temporary administrative access from the login screen, creating a
new local admin user, and then using that user to repair the trust
relationship.

Here is a step-by-step guide.


Disclaimer:
This procedure involves modifying system files. While generally
safe when followed carefully, it's always recommended to have a
backup of any critical data on the workstation before proceeding.


Part 1: Gaining Administrative Access

You will need a Windows 10 installation USB or DVD.

  1. Boot from Installation Media:
    • Insert the Windows 10 installation media into the
      workstation.
    • Restart the computer and boot from the media. You may need
      to change the boot order in the BIOS/UEFI settings.
  2. Open Command Prompt:
    • On the initial Windows Setup screen, press Shift + F10 to
      open a Command Prompt.
  3. Replace Utility Manager with Command Prompt:
    • First, you need to find the drive where Windows is
      installed. It's usually C: or D: in the recovery
      environment. You can find it by typing diskpart and then
      list volume.
    • Assuming the Windows drive is C:, execute the following
      commands to back up the Utility Manager (utilman.exe) and
      replace it with the Command Prompt (cmd.exe):

        move c:\windows\system32\utilman.exe c:\windows\system32\utilman.exe.bak
        copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe

  4. Reboot:
    • Close the command prompt and reboot the workstation
      normally, removing the installation media.

Part 2: Creating a New Local Administrator

  5. Open the SYSTEM Command Prompt:
    • On the Windows login screen, click the Ease of Access icon
      (it looks like a clock or a person) in the bottom-right
      corner.
    • Because of the change made in Part 1, a Command Prompt will
      open with NT AUTHORITY\SYSTEM privileges.
  6. Create a New Local Admin User:
    • In the command prompt, type the following commands,
      replacing NewAdmin and Password123 with a username and
      strong password of your choice.

        net user NewAdmin Password123 /add
        net localgroup administrators NewAdmin /add

  7. Close the Command Prompt.

Part 3: Repairing the Trust Relationship

  8. Log In:
    • You should now see your new local user on the login screen.
      Log in as that user (.\NewAdmin).
  9. Repair the Trust:
    • Once logged in, right-click the Start button and select
      Windows PowerShell (Admin).
    • In the PowerShell window, type the following command. It
      will test and attempt to repair the secure channel to the
      domain.

        Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

    • A credential box will pop up. Enter the username and
      password for a Domain Administrator account and click OK.
    • If the command returns True, the trust relationship has
      been successfully repaired.
  10. Reboot the Workstation.

Part 4: Cleanup and Verification

  11. Log In with Domain Account:
    • After rebooting, you should now be able to log in with the
      original domain user account without the trust relationship
      error.
  12. Restore Utility Manager (Important Security Step):
    • To restore the original Ease of Access functionality and
      secure your system, you must reverse the change from Part
      1.
    • Boot from the Windows 10 installation media again.
    • Press Shift + F10 to open the command prompt.
    • Execute this command (assuming C: is your Windows drive):

        move c:\windows\system32\utilman.exe.bak c:\windows\system32\utilman.exe

    • Reboot normally.

After this, your workstation will be back in the domain and fully
functional. You can choose to keep the local admin account you
created for future emergencies or delete it.
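A verification pass to run once Part 4 is finished, added here as an example and not part of Gemini's answer. It assumes an elevated PowerShell session on the repaired workstation; it confirms the secure channel, checks that utilman.exe is no longer a copy of cmd.exe and that no utilman.exe.bak is left behind, and lists who holds local Administrators membership.

```powershell
# Added post-repair verification script (not from the Gemini answer above).
# Run in an elevated PowerShell on the workstation after Part 4.
# Assumes the Windows drive is the one in $env:SystemRoot (normally C:).

$sys32   = "$env:SystemRoot\System32"
$utilman = Join-Path $sys32 'utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'
$backup  = "$utilman.bak"
$ok      = $true

# 1. The machine account's secure channel to the domain must be healthy.
if (Test-ComputerSecureChannel) {
    Write-Host "[OK]   Secure channel to $env:USERDOMAIN is healthy"
} else {
    Write-Host "[FAIL] Secure channel still broken; re-run Test-ComputerSecureChannel -Repair"
    $ok = $false
}

# 2. utilman.exe must not be a copy of cmd.exe, i.e. the Part 1 change must be reverted.
$hUtil = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$hCmd  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($hUtil -eq $hCmd) {
    Write-Host "[FAIL] utilman.exe is still cmd.exe: the login screen still hands out a SYSTEM shell"
    $ok = $false
} else {
    Write-Host "[OK]   utilman.exe differs from cmd.exe"
}

# 3. A leftover backup means step 12 was not completed.
if (Test-Path $backup) {
    Write-Host "[WARN] $backup still exists; move it back over utilman.exe from installation media"
    $ok = $false
} else {
    Write-Host "[OK]   No utilman.exe.bak left behind"
}

# 4. Review local admin rights so keeping the emergency account is a deliberate choice.
Write-Host "Local Administrators:"
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { Write-Host "  $($_.Name) ($($_.ObjectClass))" }

if ($ok) { Write-Host "All checks passed" } else { Write-Host "Review the failed checks above" }
```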
