For testing purposes I am trying to purposefully break trust relationships with the Windows Domain. What is the quickest way to kill it off? "Unfortunately", broken trust relationships don't regularly occur with my set up, so I'd like a way to artificially break one. If possible, I'd like to be able to trigger this from both the server and client side. Using Windows Server 2016 Core and Windows 7/8.1 clients.

Best Answer

Right click the computer object in Active Directory Users and Computers... select Reset Account. This will break the trust between the computer account and the domain. You can use PowerShell, netdom, or nltest to recreate/fix the trust.

Related Solutions

Why do Windows Trusted Domain DNS queries not work on Windows 7

I don't think your domain controller is ignoring anything - this is all a function of the client and which queries it chooses to send along to the domain controller. Parts of your question are a tad confusing, but you should just add one domain suffix to the DNS config of each PC that matches the local forest and another domain suffix that matches the remote forest. List the local forest first.

Child Domain vs Trust Relationship

The strongest reason to not go with a single domain (and forest) is if you absolutely have to have separate admins in each forest. That's the security boundary. If the same folks are going to have the full set of keys, then make it easy on them. To be clear, I'm not talking about delegation for certain tasks - this is the group of people who are going to be enterprise admins. This doesn't change my recommendations much, because you can delegate things out as needed, as I said above. If part of the org has local admins that need to be able to edit the GPO that is assigned to their OU, you can give that to them, as an example.
However, if they need total control over their part of the domain, to the point that they need to be able to lock you out of it, then you need separate forests, and might have a tough time sharing Exchange. So, since you're sharing "security and exchange", it sounds like a single domain is still the right way to go.

If, when you try to log on to a computer that is running Windows 10 in a domain environment, you receive the error message "The trust relationship between this workstation and the primary domain failed", then this post is intended to help you with the most suitable solution to resolve the issue. This error occurs because of a "password mismatch". In Active Directory environments, each computer account also has an internal password. The member computer keeps a local copy of that password and the domain controller keeps its own; if the two copies get out of sync, the secure channel between the computer and the domain can no longer be authenticated, and the trust relationship is broken as a result.

The trust relationship between this workstation and the primary domain failed

If you're faced with this issue, you can try our recommended solutions below in no particular order and see if that helps to resolve the issue.
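The break-then-repair cycle described in the accepted answer above (reset the computer account on the domain side, then recreate the secure channel from the client with PowerShell) and the "password mismatch" mechanism the post describes, as an added PowerShell example for a lab. This is not code from the question, the answer or the post. It assumes the RSAT ActiveDirectory module on the machine where the reset is run, a hypothetical lab computer account LABPC01, a constructed domain corp.example.com with a domain controller DC01, and a credential allowed to reset computer account passwords; the claim that Set-ADAccountPassword -Reset on a computer object has the same effect as "Reset Account" in ADUC is an assumption, not something the page states.

```powershell
# Added lab example, not from the original Q&A or post.
# Assumptions: RSAT ActiveDirectory module where Invoke-LabTrustBreak runs,
# computer account LABPC01 (hypothetical), domain corp.example.com and DC01 (constructed).

function Invoke-LabTrustBreak {
    # Run on a DC or an admin workstation with RSAT. Overwrites the DC-side copy of the
    # machine account password so it no longer matches the copy cached on the client.
    # Assumption: equivalent to ADUC -> computer object -> "Reset Account".
    param([Parameter(Mandatory)][string]$ComputerName)

    Import-Module ActiveDirectory
    $account = Get-ADComputer -Identity $ComputerName
    # Value is arbitrary and constructed; only the mismatch matters, not the content.
    $newPwd = ConvertTo-SecureString -String 'lab-reset-value' -AsPlainText -Force
    Set-ADAccountPassword -Identity $account -Reset -NewPassword $newPwd
    Write-Host "Machine password for $ComputerName reset on the domain side; secure channel will fail on next use."
}

function Test-LabTrust {
    # Run on the client (LABPC01). Returns $true while the secure channel is healthy,
    # $false once the DC-side and client-side passwords have diverged.
    param([Parameter(Mandatory)][string]$Domain)

    $ok = Test-ComputerSecureChannel -Verbose
    # nltest gives the NETLOGON view of the same channel for cross-checking.
    nltest /sc_query:$Domain | Out-Host
    return $ok
}

function Repair-LabTrust {
    # Run on the client as a local administrator. Re-establishes the secure channel
    # without leaving and rejoining the domain; the credential must be allowed to
    # reset the computer object's password in AD.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Primary method: repair through the secure-channel cmdlet.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential -Verbose
    if (-not $repaired) {
        # Fallback: push a fresh machine password to a specific DC.
        Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
        $repaired = Test-ComputerSecureChannel
    }
    return $repaired
}

# Usage (values constructed):
#   On DC01:     Invoke-LabTrustBreak -ComputerName 'LABPC01'
#   On LABPC01:  Test-LabTrust -Domain 'corp.example.com'          # expect $false after the break
#   On LABPC01:  $cred = Get-Credential -Message 'Account allowed to reset LABPC01'
#                Repair-LabTrust -DomainController 'DC01' -Credential $cred
#   On LABPC01:  Test-LabTrust -Domain 'corp.example.com'          # expect $true again
```

Test-LabTrust is the check to run before and after each step so the lab actually reproduces the symptom rather than some other logon failure; if it still returns $true after Invoke-LabTrustBreak, the client has not yet tried to use the secure channel, and a reboot or a logoff/logon forces it. The netdom equivalent of Repair-LabTrust is netdom resetpwd with the /Server and /UserD parameters, which the accepted answer also names as an option.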
Let's take a look at the description of the process involved concerning each of the listed solutions.

1] Reconnect the computer to the Domain

This solution, recommended by Microsoft, is simply to reconnect the computer that is failing to log on to the domain. To reconnect the computer to the domain, do the following:
On boot, you can log on with your domain user account successfully.

2] Re-establish Trust

This solution requires you to re-establish trust between the domain controller and the client to resolve the "The trust relationship between this workstation and the primary domain failed" issue. Here's how: