Highlighted

No domain trust relationship after SSR recovery

Dear All,

I came across an unusual situation and count on your help since I cannot resolve it.

Scenario: Domain network with W2012R2 server as a DC, a spare DC and several other servers both virtual and physical. Several dozen workstations.

One of the workstations (W7pro-64) got a failure with cyclic BSOD. Disks C:,D: and SYSTEM_DRV were restored from the 24-hour-old backup. "Preserve domain trust token on target drive" option is checked, though I do not know if it's correct. Anyway I see no way change this.

After that the trust relationship was with the domain was broken with the following symptoms:

1. Login not possible with network cable plugged. The system refused to recognize any domain users.

2. RDP connections to the workstation fail.

3. Impossible to connect to MS Exchange.

Additional information:

Domain Member
PolicySettingWinning GPODomain member: Maximum machine account password age 999 days Default Domain Policy

What I tried:

1. Nltest query

C:\>nltest /query
Flags: 0
Connection Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
The command completed successfully

2. Nltest reset

C:\>nltest /sc_reset:<DOMAIN>
I_NetLogonControl failed: Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET

3. Netdom reset

Also no luck - access denied.

4. Netsh

netsh winsock reset

netsh int ip reset

and attempt to join the domain with the wizard. No luck.

5. Multiple attempts to unjoin the domain.

Every possible combination. Under domain users with administrative rights, under enabled local admin account. With network cable plugged and unplugged. The result is the same - ACCESS DENIED.

6. wmic

start /B /W wmic.exe /interactiveSmiley Surprisedff ComputerSystem Where "Name='%computername%'" Call UnJoinDomainOrWorkgroup FUnjoinOptions=0

No result at all.

7. POwershell cmdlet

Reset-ComputerMachinePassword

Reset-ComputerMachinePassword -Server "DC01" -Credential Domain01\Admin01

Also leads to access denied error

 

 

 All the methods I tried have one symptom in common - access is denied.

I think that there is some fundamental problem in recovery. 

Please, advise how to resolve the problem.

Tags (2)
4 Replies

Re: No domain trust relationship after SSR recovery

@yk_nb

It looks like you are using SSR 2013 R2, is that correct?

If yes, my recommendation would be to download a trial copy of the latest version of System Recovery (18 SP1):

https://www.veritas.com/trial/en/us/system-recovery-18

Install this on any machine (Windows 7 or newer), then create a new recovery disk. Then use this new recovery disk and try another restore to see if you see the same symptoms.

Re: No domain trust relationship after SSR recovery

Thank you very much for this bright idea. I will definitely try it. 

Can you advise on essential recovery options?

Tags (2)

Re: No domain trust relationship after SSR recovery

The idea was good.

But did not help.

Tags (2)

Re: No domain trust relationship after SSR recovery

@yk_nb

So you see the exact same issue then?

This details the steps for a full system restore: https://www.veritas.com/support/en_US/article.100001643.html

Assuming you have an active support contract, we'll probably need a support case opened so this can be investigated properly.