Windows R2 AD series five: How to troubleshoot user travel, off-domain issues


I believe everyone has run into this problem: a user travels with a domain-joined laptop, is away for a long time, and when they come back the computer can no longer log on to the domain. The error message is usually "The trust relationship between this workstation and the primary domain failed" (a computer that has been unused or kept away from the domain environment for a long time will hit this). The usual fix is to leave the domain and rejoin it, but if this happens often, doing that every time is tedious. So how can we solve the problem at its root?

The first thing to understand is the cause of this problem. Let's take a look at Microsoft's official explanation:

By default, in a domain environment, the maximum password age is set in the Default Domain Policy in order to keep accounts secure. Domain clients are subject to this Group Policy even when they are offline. The laptop prompts the user to change the password 14 days before it expires, but the password cannot be changed because the client cannot reach a domain controller. Once this deadline passes, the domain account is locked and the user can no longer log on.

Each Windows-based computer has a computer account with its own password. For a Windows computer to log on to the domain, it must establish a secure channel with the domain, which is used for authentication. The Netlogon service on the client computer uses the computer account and its password to establish that secure channel. If the computer account password held in Active Directory and the one stored in the client's LSA are out of sync, the computer cannot connect to the domain and the error "The trust relationship between this workstation and the primary domain failed" appears. That means the secure channel is broken. (By default, the computer account password is changed every 30 days.)

Workaround:

First, run gpmc.msc on the DC, right-click the GPO that needs to be edited, and expand Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options. Find:

Domain member: Maximum computer account password age (default 30 days, set a bit longer)

Domain member: Disable computer account password change (set to Enabled)

Domain controller: Deny computer account password change (set to Enabled)

Second, under Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy, find Maximum password age. The default is 42 days; it is recommended to set it to the same value as the maximum computer account password age.
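As an added example that is not part of the original post, the following PowerShell (assumed to run in an elevated session on a domain-joined Windows machine) reads the three Netlogon settings the steps above configure, as they are applied on the local computer, and tests whether the secure channel to the domain is still intact:

```powershell
# Added example, not from the original post: audit the Netlogon settings the
# post describes and test the machine's secure channel to the domain.
# Assumes an elevated PowerShell session on a domain-joined client or DC.

function Get-MachinePasswordPolicy {
    # The three Security Options from the post are applied to this key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # "Domain member: Maximum computer account password age" (days, default 30)
        MaximumPasswordAge    = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
        # "Domain member: Disable computer account password change" (1 = Enabled)
        DisablePasswordChange = [bool]$p.DisablePasswordChange
        # "Domain controller: Deny computer account password change" (1 = Enabled; DC only)
        RefusePasswordChange  = [bool]$p.RefusePasswordChange
    }
}

function Test-DomainSecureChannel {
    # Test-ComputerSecureChannel is $true only while the computer account password
    # in the local LSA still matches the one stored in Active Directory.
    try {
        $ok = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $ok = $false
    }
    $policy = Get-MachinePasswordPolicy
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SecureChannelOK       = $ok
        MaximumPasswordAge    = $policy.MaximumPasswordAge
        DisablePasswordChange = $policy.DisablePasswordChange
        # A laptop that stays offline longer than MaximumPasswordAge days without
        # DisablePasswordChange set is exactly the case the post describes.
        AtRiskWhenOffline     = (-not $policy.DisablePasswordChange)
    }
}

$report = Test-DomainSecureChannel
$report | Format-List

if (-not $report.SecureChannelOK) {
    # The secure channel can be repaired in place with domain credentials
    # instead of leaving and rejoining the domain.
    Write-Warning 'Secure channel is broken; run: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}
```

Run it on the laptop after the GPO has been applied (gpupdate /force) to confirm that DisablePasswordChange is now 1 and that the secure channel is healthy before the user travels.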

This article is from the "Progress a little every day" blog; please keep this source: http://yujia2015.blog.51cto.com/59379/1707522
