Trust Relationship Has Failed

I’ve got some Vista laptops and virtual machines that are joined to the Windows domain at work but tend to be disconnected from that network for long periods. Ordinarily this would be fine, but domain policy requires us to change our user passwords every month, and the machines themselves rotate their own computer account passwords as well (every 30 days by default).

Sometimes I get the following message on a log in attempt:

The trust relationship between the workstation and the primary domain controller has failed.

In these cases I’m often positive that I’ve entered the correct username and current password, and I’m probably right: the message is about the computer account, not mine. The workstation keeps a copy of its own machine account password and uses it to set up a secure channel to a domain controller before the DC will check my password at all. When that local copy and the one stored in the domain no longer match (a virtual machine reverted to a snapshot taken before its last password change is the classic case; a computer object that was reset or deleted in the domain is another), the secure channel cannot be built and the machine has lost the domain’s trust. Simply being away for a long time does not do this by itself, since the machine only changes its password when it can reach a DC, but the machines that have been away are the ones that get restored and rebuilt.

Where were you? Why didn’t you call? Is that lipstick on your collar?

The good news is that you can remedy this situation by rejoining the domain (or, if you have an account that may reset the computer object, by resetting the machine account password in place, which keeps the computer object intact). The bad news is that you need to log in to the machine in order to do that. This is complicated by the fact that, by default, Vista has the built-in local Administrator account disabled.

Vista, like earlier versions, keeps a cached verifier of the last few domain logons (ten by default, controlled by CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) so that you can log on when no domain controller is reachable. The catch is that the cache holds whatever password you used the last time you logged on to this particular machine, which after a month or two away may be a rotation or two old. Just provide your old password from a couple of months ago, and you’re good to go. You remember it… right?

One critical point: if the machine can reach a domain controller, it will authenticate you against the domain rather than against the cache, and with the secure channel broken that is guaranteed to fail. Cached logon is only used when no DC answers. So, before you start cycling through old passwords, unplug that Cat-5. Turn off that WiFi.

Once you are logged in (with an account that is a local administrator on the machine), do this:

  1. Leave the domain (join a workgroup), but do not reboot yet.
  2. Enable the local Administrator account and set a password, so you are not locked out after the reboot.
  3. Reboot.
  4. Log in as the local Administrator and rejoin the domain, using a domain account that is allowed to join computers.

If you can’t remember your old password you may have to “flatten” your machine. This is probably a good time to consider Ubuntu.
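The checks and the repair described above, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on the client (Windows 8 and later, or Windows 7 with WMF 3); Vista itself lacks these cmdlets, so the equivalent nltest/netdom commands are given in comments. The domain, DC, adapter and workgroup names are placeholders.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell prompt.
# Assumes PowerShell 3.0+ (Test-ComputerSecureChannel, Remove-Computer -WorkgroupName,
# Add-Computer -Restart). CONTOSO, contoso.example, dc01 and the adapter name are placeholders.
$Domain    = 'CONTOSO'               # NetBIOS domain name (placeholder)
$DnsDomain = 'contoso.example'       # DNS domain name (placeholder)
$Adapter   = 'Local Area Connection' # wired adapter, as listed by: netsh interface show interface

# --- 1. Is the trust really broken? ---------------------------------------------------
# $true means the machine's copy of its computer account password still matches the
# domain's and a DC answered. Check this BEFORE unjoining anything: a DNS or network
# problem looks identical from the logon screen.
$trustOk = Test-ComputerSecureChannel -Verbose
# Vista / cmd.exe equivalent: nltest /sc_query:CONTOSO   then   nltest /sc_verify:CONTOSO
if ($trustOk) {
    Write-Host 'Secure channel is fine; look at the network or the user account instead.'
}

# --- 2. Can you log on offline at all? ------------------------------------------------
# Winlogon keeps a cached verifier for the last N interactive domain logons. A value of 0
# means the domain has switched cached logons off, so "unplug and use the old password"
# will not work and the only ways in are the local Administrator account or a reimage.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
Write-Host "Cached logons kept on this machine: $cached (default is 10)"

# --- 3. Force the cached-credential path ---------------------------------------------
# Cached logon is used only when no domain controller answers, so take the box offline
# before trying an old password at the logon screen (pulling the cable does the same):
#   netsh interface set interface name="$Adapter" admin=disabled
# ... log on with the old password, then bring the network back for the repair:
#   netsh interface set interface name="$Adapter" admin=enabled

# --- 4a. Preferred repair: reset the machine account password in place ---------------
# Needs a domain account with "Reset password" on this computer object (domain admins
# have it). Keeps the computer object, its SID and group memberships; no reboot needed.
$cred = Get-Credential -Message "Account allowed to reset $Domain computer objects" `
                       -UserName "$Domain\Administrator"
Test-ComputerSecureChannel -Repair -Credential $cred
# cmd.exe / RSAT equivalent:
#   netdom resetpwd /server:dc01.contoso.example /userd:CONTOSO\Administrator /passwordd:*
Test-ComputerSecureChannel   # should now return $true

# --- 4b. The post's route: enable local Administrator, leave, reboot, rejoin --------
# Use only when 4a is not an option (no account with reset rights, or the computer
# object is gone). Enabling and password-protecting the built-in Administrator first
# is what keeps you out of the "bricked laptop" corner after the reboot.
#   net user Administrator /active:yes
#   net user Administrator *                  # prompts for the new local admin password
#   Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force
#   Restart-Computer
# ... log on as .\Administrator, then:
#   Add-Computer -DomainName $DnsDomain -Credential $cred -Restart
```

Step 1 is the check worth running first: a laptop that cannot resolve or reach a DC produces a logon failure that is easy to mistake for a broken trust, and unjoining it does nothing but cost you a reboot and a computer object. Step 4a is the repair an administrator would normally choose over leave-and-rejoin, because it leaves the computer object and everything attached to it untouched.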


5 Responses to “Trust Relationship Has Failed”

  1. Alkivar April 28, 2008 at 2:30 pm

    and people wonder why businesses aren’t adopting Vista in droves… LOL

  2. Kevin Frei April 28, 2008 at 3:49 pm

    This has been the way Domain privileges work since very early (NT4 at least). And it’s not a Windows setting, it’s a Domain setting that your Domain admins configure. My domain at home never expires the workstation trust relationship (and that’s the default). It’s only for paranoid, er, uh, security conscious organizations that don’t want employees to be able to access stuff in remote locations if they’re not ever in the office, or, perhaps, after they’ve been let go 🙂

    If you run a server OS, this kind of crap is just the admittance fee. I guarantee that Ubuntu or any other OS that will run in an enterprise exposes the exact same kind of functionality…

    BTW – If you’re going to complain about Vista, complain about real things like the fact that it makes my dual core 4G laptop feel like a single core 1G running XP 😦

  3. Mark May 1, 2008 at 5:57 am

    I don’t get it. I’m sitting right there in front of my laptop which *is* connected to CorpNet. I *do* know my current password. I *do* have rights to join machines to the domain. Why can’t the fucking thing just reestablish the trust relationship and log me in?

    Am I missing something? Is that a security hole of some kind?

  4. Ali May 15, 2008 at 11:23 am

    Mark, I’m not entirely sure why it happens, but we were plagued by the same issue at the workplace here, too. I tried all the passwords and usernames I could (all legit and correct) but alas to no avail.

    I ended up plugging the laptop into another ethernet jack and eureka, like an unexpected but much-welcomed ray of sun through the clouds, I was able to login with one of the aforementioned user accounts.

    I took the opportunity to re-enable my Administrator account (why in the world would this be disabled by default??), unjoined the domain and rejoined it. I am now able to log in with my user accounts on the regular ethernet jack again.

    I just hope the damn trust doesn’t flake out on us again. I feel like we’re handling a time-bomb; surely not the most comforting of feelings.

  5. Mark May 15, 2008 at 1:07 pm

    You can take some comfort in the fact that your workplace is no worse than Microsoft’s own CorpNet.

    Are you sure that the other ethernet jack was hot? It would be funny if this worked for you because switching jacks was tantamount to disconnecting from the network.

    Oh, and lastly, I’m sure the off-by-default local Administrator is a security feature. Nothing more secure than a bricked laptop.

