I've got some new computers which are all 2022 servers, and they're linked in a domain that has gone through several upgrades. Occasionally, we encounter a trust relationship failure on one of the workstations—though it's pretty rare. Even more infrequently, it happens with one of the servers. The information from Microsoft is quite overwhelming due to the various factors involved. Right now, we have two Hyper-V virtual domain controllers on different hosts, plus a standalone instance of SQL on its own Hyper-V VM. What would be a good starting point to troubleshoot this small network?
6 Answers
Make sure to validate your NTP and DNS settings as well. It’s a good idea to enable advanced audit policies too, so you have better visibility in your event logs when failures occur. I suggest setting a primary DC as the main time source for NTP and ensuring all other machines sync with it.
I had a similar problem with a client before, and implementing a time sync policy via Group Policies fixed it completely. I set up both client and server side time sync, and after that, I never faced trust issues again. If you haven't resolved it yet, I can share the solution I used!
Are you using imaging tools? If a computer SID is duplicated—like using the same image multiple times—it can lead to trust issues. Non-normalized images can often be the culprit here.
It sounds like you might be dealing with time synchronization issues with your Domain Controllers. These can definitely cause trust relationship failures. You might want to check the settings for time synchronization, especially since you’re using Hyper-V. Disabling the Time Sync guest integration on your DCs can help.
Absolutely, that’s crucial! It’s been a while, but I recall that messing with the integration settings made a huge difference.
If it's only happening sporadically, DNS is likely your main suspect. It's pretty common for trust issues to stem from DNS problems. Also, check the netlogon failures in your event logs for more specifics on the failures—sometimes a device just isn't registering its new IP correctly in DNS.
Another thing to consider is packet loss or fragmentation between your domain controllers. I ran into that as a root issue recently. You might want to investigate your network and storage stability. Checking the DFSR logs could provide you some insight into what's going on.
Great advice! Also, remember to disable the time sync setting on your Hyper-V machines from the host—it can create a lot of confusion!