After demoting and promoting a site's domain controller, the trust relationship between this workstation and the primary domain failed

Anonymous
2023-09-24T00:39:26+00:00

Howdy.

Last night, I force-demoted one of our site's domain controllers (known as SF-DC01), cleaned up Sites and Services and metadata. Today, I promoted it back to domain controller. It holds no FSMO roles. It replicates with another DC off-site (known as ORGNAME-DC2). Replication seems to be working now as I am not getting constant errors in Event Viewer about it since promotion, and those errors were the reason this method was employed. Sites and Services also does not bark at me when I initiate a replication.

Now though, I can't log into any of the servers or workstations at that site, with the login screen stating "the trust relationship between this workstation and the primary domain failed". I know the solution is to log in as a local admin to the machine, and unjoin/rejoin the domain, but LAPS doesn't seem to have good local passwords for me and I am unable to log in locally to any machine. I figure DNS is wonky but I don't know what exactly to look for.

This question was migrated from the Microsoft Support Community.

3 answers

  1. Anonymous
    2023-09-24T01:04:57+00:00

    Here are the results of dcdiag. DFS Replication seems to be failing.

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = SF-DC01
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: SF-OFFICE\SF-DC01
      Starting test: Connectivity
         ......................... SF-DC01 passed test Connectivity

    Doing primary tests

    Testing server: SF-OFFICE\SF-DC01
      Starting test: Advertising
         ......................... SF-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... SF-DC01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... SF-DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SF-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SF-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SF-DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SF-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SF-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SF-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SF-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SF-DC01 passed test Replications
      Starting test: RidManager
         ......................... SF-DC01 passed test RidManager
      Starting test: Services
         ......................... SF-DC01 passed test Services
      Starting test: SystemLog
         ......................... SF-DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SF-DC01 passed test VerifyReferences

    Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

    Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

    Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

    Running partition tests on : wfbm
      Starting test: CheckSDRefDom
         ......................... wfbm passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... wfbm passed test CrossRefValidation

    Running enterprise tests on : wfbm.com
      Starting test: LocatorCheck
         ......................... wfbm.com passed test LocatorCheck
      Starting test: Intersite
         ......................... wfbm.com passed test Intersite
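The single failure in a long dcdiag run like the one above is easy to miss by eye. The following is an added example, not part of the original posts: it turns dcdiag's text output into one object per test and keeps the warning text printed before each verdict. The function name `ConvertFrom-DcDiagText` and its property names are hypothetical, and the sample lines are excerpted from the output posted above.

```powershell
# Added example: summarize dcdiag text output, one object per test.
# ConvertFrom-DcDiagText and its property names are hypothetical.
function ConvertFrom-DcDiagText {
    param([Parameter(Mandatory)][string[]]$Line)

    $inTest = $false
    $detail = [System.Collections.Generic.List[string]]::new()

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^Starting test:\s*\S+') {
            # A new test begins; start collecting its free-text lines.
            $inTest = $true
            $detail.Clear()
        }
        elseif ($text -match '^\.+\s+(\S+) (passed|failed) test (\S+)$') {
            # Verdict line: emit the result with any warnings seen before it.
            [pscustomobject]@{
                Target = $Matches[1]
                Test   = $Matches[3]
                Result = $Matches[2]
                Detail = ($detail -join ' ')
            }
            $inTest = $false
            $detail.Clear()
        }
        elseif ($inTest -and $text) {
            # Warning or error text printed between "Starting test" and the verdict.
            $detail.Add($text)
        }
    }
}

# Sample input: lines excerpted from the dcdiag output in the post above.
$sample = @'
Testing server: SF-OFFICE\SF-DC01
      Starting test: Advertising
         ......................... SF-DC01 passed test Advertising
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... SF-DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SF-DC01 passed test SysVolCheck
'@ -split '\r?\n'

# Show only the failed tests with their accompanying warning text.
ConvertFrom-DcDiagText -Line $sample | Where-Object Result -eq 'failed' | Format-List
```

On a domain controller, the live output can be passed in with `ConvertFrom-DcDiagText -Line (dcdiag)`.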
  2. Anonymous
    2023-09-24T03:23:34+00:00

    Hey never mind, y'all. I'm rebuilding a new domain controller. Go with god.
  3. Anonymous
    2023-09-25T01:54:58+00:00

    Hello JUNIOR sysadmin,

    Thank you for posting in the Microsoft Community forum.

    Thank you for your update and sharing.

    If you still have any questions after you rebuild a new domain controller, please feel free to let us know.

    Have a nice day!

    Best Regards,
    Daisy Zhou