Windows Domain Trust Relationship Failed

# Run in an elevated PowerShell session on the affected machine; the prompt takes a domain account allowed to reset the computer account
$creds = Get-Credential
Test-ComputerSecureChannel -Repair -Credential $creds

Powershell : Domain Binding & Description

To bind a machine to the domain, rename it and put it in the desired OU:

Add-Computer -DomainName $FQDN -NewName $COMPUTERNAME -Credential $DOMAINBINDACCOUNT -OUPath "OU=SOMEOU,DC=test,DC=com" -Restart

To append to an AD computer object's Description field (the existing description is kept and the new text is added after it):

$description = "This is a test description"
$ADComputer = Get-ADComputer <ENGS-XXXX> -Properties Description
Set-ADComputer $ADComputer -Description "$($ADComputer.Description) $description"


Microsoft BitLocker TPM Initialization in Domain

First set the OU container's permissions so that each computer's own security principal (SELF) can write back the msTPM-OwnerInformation attribute, which is required when the TPM is first initialized on the client:

1. Open Active Directory Users and Computers.

2. Select the OU where you have all computers which will have Bitlocker turned ON.

3. Right Click on the OU and click Delegate Control.

4. Click Next and then click Add.

5. Type SELF as the Object Name.

6. Select create a custom task to delegate.

7. From the object in the folder, select Computer Objects.

8. Under show these permissions, select all three checkboxes.

9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.

10. Click Finish.

11. CUSTOM: Now add the computer to the AD group named “bitlocker”.

12. CUSTOM: Finally power up the client, turn on the TPM in firmware and then initialize the TPM in Windows.

13. CUSTOM: Enable BitLocker (must be logged in as a local/domain admin) and check the AD computer object for the recovery keys.

Next, follow the MS article on configuring AD for BitLocker.


To manage the keys you’ll need to register the BitLocker viewer from RSAT as detailed by MS here

Must be run as a domain admin:

regsvr32.exe BdeAducExt.dll
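To check step 13 across a whole OU rather than one object at a time, the following added example (not from the original page) lists, for each computer in the OU, whether it is in the “bitlocker” group, whether msTPM-OwnerInformation has been written back, and how many BitLocker recovery objects are escrowed under it. It assumes the RSAT ActiveDirectory module, read access to the OU, and the placeholder DN "OU=SOMEOU,DC=test,DC=com"; it reports counts only and never outputs recovery passwords.

```powershell
# Added example: audit BitLocker/TPM escrow state for computers in an OU.
# Assumes RSAT ActiveDirectory module; OU path and group name are placeholders from the procedure above.
Import-Module ActiveDirectory

function Get-BitLockerEscrowStatus {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. "OU=SOMEOU,DC=test,DC=com" (assumed)
        [string] $RequiredGroup = 'bitlocker'          # AD group name used in step 11
    )
    $group = Get-ADGroup -Identity $RequiredGroup -ErrorAction Stop

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'msTPM-OwnerInformation', 'MemberOf' |
        ForEach-Object {
            # Recovery information is stored as msFVE-RecoveryInformation child objects
            # directly under the computer object, one per recovery password protector.
            $recovery = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -SearchBase $_.DistinguishedName -SearchScope OneLevel -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Name          = $_.Name
                InGroup       = ($_.MemberOf -contains $group.DistinguishedName)
                TpmOwnerInfo  = -not [string]::IsNullOrEmpty($_.'msTPM-OwnerInformation')
                RecoveryCount = @($recovery).Count
            }
        }
}

# Report computers that are in the group but still have no escrowed recovery information
Get-BitLockerEscrowStatus -SearchBase 'OU=SOMEOU,DC=test,DC=com' |
    Where-Object { $_.InGroup -and $_.RecoveryCount -eq 0 } |
    Format-Table -AutoSize
```

A computer that shows InGroup true with RecoveryCount 0 has either not yet enabled BitLocker or failed to write its recovery information back to AD, which is the case the delegation in steps 1 to 10 is meant to prevent.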

2016-07-21 UPDATE:

Discovered this thread, which mentions using PowerShell to reset the machine password if you haven’t completed the registry change:

Open PowerShell as administrator. Run this command sequence:

$credential = Get-Credential    # enter a domain admin account when prompted

Reset-ComputerMachinePassword -Server <<YOUR DC NAME HERE>> -Credential $credential

