Windows 7 Forums


Windows 7: trust relationship bet. this workstation & the primary domain failed

23 Nov 2010   #11
pparks1

Windows 7 Ultimate x64
 
 

For my images, I build the reference machine, put it on the domain, set up all of the apps that I need...then I run sysprep and set it to OOBE (out of box experience). When the image is deployed elsewhere, upon first boot you choose a machine name, username and whether or not to put it on the domain. Sysprep removes the unique identifiers from the machine....and the mini-setup puts new ones in place. So, rather than a multi-hour install, you answer about 5 questions and you are done.


23 Nov 2010   #12
xarden

Windows 7 Enterprise
 
 

That's also right. The unattend.xml should be able to answer most of those questions for you.

5 questions on each of 7000 machines is a lot of questions.
23 Nov 2010   #13
WindowsStar

Windows 7 Enterprise (x64); Windows Server 2008 R2 (x64)
 
 

Quote: Originally Posted by xarden
Quote: Originally Posted by WindowsStar
Same image on many machines with the same name. You cannot do that unless they are all on different domains????
An example would be to build on machine A, join AD, make image, drop image onto another machine, use both machines.
Ensuring both machines are of exact motherboard specs/chipsets, this will work without the disk or OS crashing.

Perhaps I should specify two terms we also use regarding images: Gold, and Prep.
Gold images are built on 3 machines, all identical. These images do not get deployed anywhere except these three machines, solely for the purpose of using Box2 to build ImageA, Box3 for ImageB, Box4 for ImageC. When finished building ImageA, deploy ImageD to Box2. When finished with ImageB, but need more work on ImageA, deploy ImageA on Box3.

Prep images are the above-mentioned Golds, which have run through the sysprep procedure. At reboot, the image is taken before restarting.
The Prep images are the ones that get deployed to the field.

Quote:
Respectfully this is a rookie mistake. If you pull a machine and don't remove it from the domain you will most likely forget to remove the name from AD. It is best if you are removing a machine to just un-join it; that way you are sure you have done it right. I know there are times you CANNOT do this (hard drive crashes, etc.), but in that case you would be removing the name from AD manually while re-imaging the machine to get it back online. I see so many ADs that are polluted with all kinds of names that never get removed because they don't un-join the machine or forget to remove the name from AD. This gets much, much worse when you have 4, 5 or 10 Administrators and everyone just removes the machine without any thought to AD. Then you get some junior admin trying to add a machine with a name that is already in AD and they don't know why and spend 3 days trying to figure it out, huge waste of time. -WS
I agree.
Our dev domain is full of obsolete machines that have been reimaged without prior disjoining.

The senior site techs who do the imaging in the production labs/classrooms should be aware of the proper procedure you describe. They should be disjoining the current machine before deploying a new/updated Prep image.
We don't do this in dev.

Once deployed, the machine is restarted. During sysprep, several custom scripts are run. One picks up the machine name from DNS, and attempts to join AD. But if it already exists in AD (error 5?), then a random alphanumeric name is created and used instead.
This is partly to ensure the machine gets joined flawlessly for the end user in the morning.
Secondly, if a machine fails to boot due to whatever error (tweaking failed, virus, etc.) and the machine cannot boot to the OS to be able to be disjoined, the machine simply gets reimaged.
The latter is what would be most contributing to any obsolete items in the production AD.

So you're most certainly not wrong.
But we also have several systems that need to work together, so we do have a couple 'less than ideal' ways of going about things. But it all works, and it all works very well in the end.
Thanks for the update and sharing!

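An added example, not written by any poster in this thread: one way to find the obsolete computer accounts described above (machines reimaged or retired without being disjoined) is to look for accounts whose machine password and logon timestamp have both gone stale. The function name `Find-StaleComputerAccount`, the 90-day threshold and the sample records are assumptions made for illustration; the records are constructed to have the same property names that `Get-ADComputer -Properties PasswordLastSet, LastLogonDate` returns.

```powershell
# Added example (not from the thread). Flags computer accounts that look
# abandoned: the machine password has not rotated and nothing has logged on
# for longer than the threshold. Domain members change their machine account
# password every 30 days by default, so a long-unchanged password usually
# means the box was reimaged, renamed or retired without being disjoined.
function Find-StaleComputerAccount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $MaxAgeDays = 90,          # assumed threshold, tune per site
        [datetime] $Now = (Get-Date)
    )
    process {
        # Either timestamp is null on an account that was created but never
        # used by a running machine; treat null as "infinitely old".
        $pwdAge   = if ($null -ne $Computer.PasswordLastSet) { ($Now - $Computer.PasswordLastSet).Days } else { [int]::MaxValue }
        $logonAge = if ($null -ne $Computer.LastLogonDate)   { ($Now - $Computer.LastLogonDate).Days }   else { [int]::MaxValue }
        if ($pwdAge -gt $MaxAgeDays -and $logonAge -gt $MaxAgeDays) {
            [pscustomobject]@{
                Name         = $Computer.Name
                Enabled      = $Computer.Enabled
                PwdAgeDays   = $pwdAge
                LogonAgeDays = $logonAge
            }
        }
    }
}

# Constructed sample records (names and dates are made up): one healthy
# member, one reimaged without disjoining, one account that was never used.
$now = [datetime]'2010-11-23'
$sample = @(
    [pscustomobject]@{ Name='LAB-PC-014'; Enabled=$true; PasswordLastSet=[datetime]'2010-11-02'; LastLogonDate=[datetime]'2010-11-20' }
    [pscustomobject]@{ Name='LAB-PC-027'; Enabled=$true; PasswordLastSet=[datetime]'2010-03-15'; LastLogonDate=[datetime]'2010-03-18' }
    [pscustomobject]@{ Name='X7K2Q9ZB';   Enabled=$true; PasswordLastSet=$null;                  LastLogonDate=$null }
)
$sample | Find-StaleComputerAccount -Now $now | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module); export and
# review the list before disabling or deleting anything:
#   Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate |
#       Find-StaleComputerAccount | Export-Csv stale-computers.csv -NoTypeInformation
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag real activity by up to about two weeks, so keep the threshold well above that.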
23 Nov 2010   #14
WindowsStar

Windows 7 Enterprise (x64); Windows Server 2008 R2 (x64)
 
 

Quote: Originally Posted by pparks1
For my images, I build the reference machine, put it on the domain, set up all of the apps that I need...then I run sysprep and set it to OOBE (out of box experience). When the image is deployed elsewhere, upon first boot you choose a machine name, username and whether or not to put it on the domain. Sysprep removes the unique identifiers from the machine....and the mini-setup puts new ones in place. So, rather than a multi-hour install, you answer about 5 questions and you are done.
We used to do this, however, SysPrep does not seem to undo Group Policy Settings correctly if at all, or return the machine back to a pre-domain state. This may not be an issue in a Single-Domain but in a Multi-Domain it is a nightmare, because the machine is tattooed with the domain you joined to, and all that domain's information and GPOs. I am not saying this does not work, just that we found that super clean images that have never been added to any domain work the best and we get the least amount of down time and the least amount of maintenance, repairs, strange issues, unknown issues, etc. creating and using the images this way. Just a matter of preference I am sure. Thanks for sharing!
23 Nov 2010   #15
pparks1

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by WindowsStar
We used to do this, however, SysPrep does not seem to undo Group Policy Settings correctly if at all, or return the machine back to a pre-domain state. This may not be an issue in a Single-Domain but in a Multi-Domain it is a nightmare, because the machine is tattooed with the domain you joined to, and all that domain's information and GPOs. I am not saying this does not work, just that we found that super clean images that have never been added to any domain work the best and we get the least amount of down time and the least amount of maintenance, repairs, strange issues, unknown issues, etc. creating and using the images this way. Just a matter of preference I am sure. Thanks for sharing!
You could be right. For me, the boxes that I image always go back into that very same domain...so the group policy components and such would always need to be in place anyway.