Fixing “the trust relationship between this workstation and the primary domain failed” without leaving the domain or restarting.

Sometimes you’ll find that, for any one of a multitude of reasons, a workstation’s computer account gets out of step with the workstation itself: the secure-channel password the workstation holds no longer matches the one stored on its computer account in Active Directory (say, if the machine was restored from an old image or snapshot, if a machine with the same name joins the network, or if it’s been offline for a very long time). When you try to log on to the domain you’ll get a message that states:


“the trust relationship between this workstation and the primary domain failed”


Now, what I would normally do in this situation is un-join and re-join the workstation to the domain. That works, but if the old computer object gets deleted along the way the machine comes back with a new computer account and a new SID (Security Identifier), so group memberships and ACLs that referenced the old machine SID stop working, and of course it requires a reboot (two, in fact: one to leave and one to join). So if you don’t want to reboot, and you don’t want to lose the existing computer object, do this:


Use netdom.exe in a command prompt to reset the password for the machine account, from the machine with the trust problem. Log on to that machine with a local administrator account (domain logon is exactly what isn’t working), and make sure netdom.exe is available: it comes with the Server 2003 Support Tools, with RSAT on client versions of Windows, and is built in on Server 2008 and later.


netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format, an account with rights to reset the computer’s password (a Domain Admin, or anyone granted Reset Password on the computer object)

* = prompt for that user’s password rather than typing it on the command line, which keeps it out of the command history


That should do it, in *most* cases. If the computer account has been deleted from the domain there is nothing to reset the password on, and you’ll have to re-join after all.
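As an added example (not from the original post), here is the same repair using the cmdlets that ship with PowerShell 3.0 and later (Windows 8 / Server 2012 onwards), for machines where netdom.exe isn’t installed. It assumes an elevated PowerShell session on the affected workstation, logged on with a local administrator account:

```powershell
# Added example (not from the original post). Same repair as the netdom command
# above, using the cmdlets built into PowerShell 3.0+ (Windows 8 / Server 2012 and
# later). Run in an elevated session while logged on to the affected workstation
# with a LOCAL administrator account, since domain logon is what is failing.

# 1. Confirm the diagnosis. This tests the secure channel to a DC and returns
#    $false when the machine password no longer matches the computer account.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel is healthy; the logon problem is something else.'
    return
}

# 2. Prompt for a DOMAIN\User account that can reset the computer password.
#    Get-Credential keeps the password out of the command line and history,
#    which is what /pd:* does for netdom.
$cred = Get-Credential -Message 'Domain account with rights to reset this computer account'

# 3. Reset the machine account password on the DC and in the local LSA secret
#    in one step. Returns $true on success.
$repaired = Test-ComputerSecureChannel -Repair -Credential $cred

# 4. Report. No reboot is needed; log off and back on with a domain account.
if ($repaired) {
    Write-Host 'Trust relationship repaired.'
} else {
    Write-Warning 'Repair failed. Check that the computer object still exists in AD and that the account has Reset Password rights on it.'
}
```

Reset-ComputerMachinePassword -Credential $cred does the same reset without the before/after test; either way no reboot is needed, just a log off and log on with a domain account.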

Troubleshooting SYSVOL replication between domain controllers, using DCDIAG

Since we had a power outage a few days ago, I’ve seen some problems with replication of the sysvol folder throughout the domain controllers, most likely due to some file corruption on one domain controller that halted replication to the remaining domain controllers. (The domain controller in question had a disk fail in the RAID 1 array, which then refused to rebuild due to disk issues on the existing live disk.)

The sysvol folder is where all group policies and logon scripts are held, and it is shared (as SYSVOL and NETLOGON) so that every domain member can read the policies and scripts. Every domain controller holds a full replica; there is no single master copy, although the Group Policy editor writes to the PDC emulator by default.

Replication of the sysvol folder is separate from Active Directory replication. Sysvol replication relies on the File Replication Service (FRS) running on the domain controller (or on DFS Replication, in domains that have been migrated to it on Server 2008 and later), and any failures are logged in the Windows event logs, in the File Replication Service log.

Firstly, we had to work out what was going on. This is best done by examining the event logs for these errors (the File Replication Service log in particular) and running some diagnostic tools on the servers – in this case, DCDIAG. DCDIAG is part of the Server 2003 Support Tools package, and is built in on Server 2008 and later.

The output looks like this:


Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\”DOMAIN CONTROLLER”
      Starting test: Connectivity
         ......................... “DOMAIN CONTROLLER” passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\”DOMAIN CONTROLLER”
      Starting test: Replications
         ......................... “DOMAIN CONTROLLER” passed test Replications
      Starting test: NCSecDesc
         ......................... “DOMAIN CONTROLLER” passed test NCSecDesc
      Starting test: NetLogons
         ......................... “DOMAIN CONTROLLER” passed test NetLogons
      Starting test: Advertising
         ......................... “DOMAIN CONTROLLER” passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... “DOMAIN CONTROLLER” passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... “DOMAIN CONTROLLER” passed test RidManager
      Starting test: MachineAccount
         ......................... “DOMAIN CONTROLLER” passed test MachineAccount
      Starting test: Services
         ......................... “DOMAIN CONTROLLER” passed test Services
      Starting test: ObjectsReplicated
         ......................... “DOMAIN CONTROLLER” passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... “DOMAIN CONTROLLER” passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... “DOMAIN CONTROLLER” failed test frsevent
      Starting test: kccevent
         ......................... “DOMAIN CONTROLLER” passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:50
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:51
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:53
            (Event String could not be retrieved)
         ......................... “DOMAIN CONTROLLER” failed test systemlog
      Starting test: VerifyReferences
         ......................... “DOMAIN CONTROLLER” passed test VerifyReferences
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : nic
      Starting test: CrossRefValidation
         ......................... nic passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nic passed test CheckSDRefDom
   Running enterprise tests on : nic.local
      Starting test: Intersite
         ......................... nic.local passed test Intersite
      Starting test: FsmoCheck
         ......................... nic.local passed test FsmoCheck


The failed tests above (frsevent and systemlog) are due to past errors still being in the event log from before the sysvol fix; as the output says, frsevent looks back 24 hours. If you’re having sysvol replication errors, you’ll see the replication tests failing, along with systemlog and frsevent failures. Note that DCDIAG prints event IDs in hex: 0x00000457 is event 1111 in decimal, which is what to search for in Event Viewer.


To fix this, the intact sysvol folder needs to be forced to replicate across the domain: an authoritative restore on the DC whose copy you trust, and a non-authoritative restore everywhere else. The Burflags method below applies to FRS-replicated sysvol only; if the domain has been migrated to DFS Replication, Burflags is ignored and the equivalent is done through the msDFSR-Options attribute on the SYSVOL subscription object instead. The process is as follows:

Before doing anything, take a backup of the sysvol folder on the DC you are going to treat as the source. Store it on an NTFS volume (ideally the same partition) and copy it with a tool that preserves ACLs, such as robocopy /COPYALL; otherwise the permissions will change, and that would break group policy processing if you ever had to restore from it.

Stop the FRS service (NtFrs) on all domain controllers.

Locate the BurFlags entry under the following registry key on each of them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Set the DWORD value to D4 on the “source” domain controller (this flags an authoritative restore: its copy of sysvol is pushed out and overwrites everyone else’s) and to D2 on every other domain controller (non-authoritative: they move their existing copy aside into a NtFrs_PreExisting___See_EventLog folder and pull a fresh one). Only one DC should ever be set to D4.

Then restart the FRS service on the D4 domain controller first, and wait until it logs event 13516 in the File Replication Service log (sysvol is shared again). Only then start FRS on the D2 domain controllers and wait for replication to occur. This can take up to a few hours, depending on the infrastructure, number of domain controllers, and size of the sysvol folder.


Afterwards, running

net share

at a command prompt will show you the shared folders on the domain controller. Once replication is complete you should see the SYSVOL and NETLOGON shares present on every DC. A D2 DC doesn’t re-share them until it has finished its initial sync, so if they’re missing, give it more time and check the File Replication Service log.


Then you can also run DCDIAG tests on each domain controller to confirm, for example dcdiag /test:frssysvol /test:frsevent; bear in mind that frsevent keeps failing until the old errors are more than 24 hours old.
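As an added example (not from the original post), here is the whole procedure above, including the net share check, driven from one admin workstation with Windows PowerShell. It assumes an FRS-replicated sysvol (not DFSR), a session run as a Domain Admin, the Remote Registry service and remote service control reachable on every DC, and placeholder names DC1 (the DC whose sysvol you have checked is good) and DC2/DC3 for the rest:

```powershell
# Added example (not from the original post). Walks the Burflags procedure above
# across all domain controllers from one admin workstation. Assumes an FRS-replicated
# SYSVOL (not DFSR), Windows PowerShell run as a Domain Admin, and that the Remote
# Registry service and remote service control are reachable on every DC.
# DC1/DC2/DC3 are placeholders; DC1 is the one whose SYSVOL you have verified is good.
$AuthoritativeDC = 'DC1'
$OtherDCs        = @('DC2', 'DC3')
$AllDCs          = @($AuthoritativeDC) + $OtherDCs

# The key name contains a forward slash, which the HKLM: provider reads as a path
# separator, so the .NET registry classes are used instead of Set-ItemProperty.
$BurFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-BurFlags([string]$ComputerName, [int]$Value) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey($BurFlagsKey, $true)
    $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hive.Close()
}

# 1. Stop FRS on every DC before touching the flags.
foreach ($dc in $AllDCs) { Get-Service -Name NtFrs -ComputerName $dc | Stop-Service }

# 2. D4 (authoritative) on exactly one DC, D2 (non-authoritative) on all the others.
Set-BurFlags -ComputerName $AuthoritativeDC -Value 0xD4
foreach ($dc in $OtherDCs) { Set-BurFlags -ComputerName $dc -Value 0xD2 }

# 3. Start the D4 DC first and wait for FRS event 13516 (SYSVOL shared again).
#    The five-minute margin allows for clock skew between this machine and the DC.
$started = (Get-Date).AddMinutes(-5)
Get-Service -Name NtFrs -ComputerName $AuthoritativeDC | Start-Service
do {
    Start-Sleep -Seconds 30
    $ready = Get-EventLog -ComputerName $AuthoritativeDC -LogName 'File Replication Service' `
                          -After $started -ErrorAction SilentlyContinue |
             Where-Object { $_.EventID -eq 13516 }
} until ($ready)

# 4. Only now start the D2 DCs; each moves its own copy into
#    NtFrs_PreExisting___See_EventLog and pulls the authoritative one.
foreach ($dc in $OtherDCs) { Get-Service -Name NtFrs -ComputerName $dc | Start-Service }

# 5. The equivalent of 'net share' on each DC: SYSVOL and NETLOGON must come back on all of them.
foreach ($dc in $AllDCs) {
    Get-WmiObject -Class Win32_Share -ComputerName $dc -Filter "Name='SYSVOL' OR Name='NETLOGON'" |
        Select-Object @{n='DC'; e={$dc}}, Name, Path
}
```

Step 5 is worth repeating until SYSVOL and NETLOGON appear for every DC: a D2 DC only re-shares them once its initial sync has finished, and dcdiag /test:frssysvol on each DC is the final confirmation.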


Why the entertainment industry needs to emulate The Pirate Bay, not ban it.

I watch movies at home, and at the cinema. A lot. Most of the scheduled stuff on TV is crap, so I will watch 3 to 4 films each week.

When it comes to obtaining the film itself, I have a few choices:

  • Buy the DVD – but that’s expensive for a film that I might only watch once, and it’s not instant (I’d have to go out and buy it, or order it online and wait for delivery).
  • Wait for it to be shown on TV, but that’s going to be a long, long time for most decent new releases.
  • Rent it from iTunes – not only is that expensive, but it might not be in their library, and I only get it for a limited time, so I can’t spread viewing it over a few days.


Movies without adverts.

Movies that play on almost any device.

Just about any film ever made, regardless of which studio made it.

Simultaneous worldwide availability.

Excellent quality, and there’s usually a warning or two if not.

No buffering issues as with streaming services.

Whole TV series wrapped up in a single download.

Unlimited download speed for most content.

Music that’s not available on Spotify, iTunes, etc.

There’s probably more, but I can’t think of them right now.

I’d gladly pay for that kind of service if the “properly licensed digital services” could do it. However, they’re too busy trying to protect their OLD business model to listen to what people actually want.

Find mailboxes that are set to automatically forward email in Exchange 2010

Every time someone leaves your organisation you’ll probably need to forward their mail to another mailbox, but over time this gets disorganised and messy. It’s also worth auditing for its own sake: a quietly added forwarding address is a common way for mail to leak out of a compromised account. Use the command below to extract a .csv formatted table of mailboxes that have a forwarding address:

Get-Mailbox -ResultSize 6000 | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, OrganizationalUnit, WhenCreated, WhenChanged, DeliverToMailboxAndForward | Export-Csv E:\forwardedusers.csv -NoTypeInformation

I set a limit of 6000 because we have almost that many mailboxes, and the limit in this case is the number of mailboxes this will query, rather than the number of actual results. I’m sure this means that there’s a more efficient way of running this query, but it’s not like you’re doing this every day, so it doesn’t really matter.

Once you’ve got this information, you might want to match it up with further details about the users who own these mailboxes. Use the Active Directory PowerShell module, which ships with Server 2008 R2 (and with RSAT on Windows 7), to extract this information.

Fire up PowerShell on a domain controller (or remotely), and run “Import-Module ActiveDirectory”.

Then execute:

Get-ADUser -Filter * -SearchBase "DC=yourdomain,DC=local" -Properties SamAccountName,Description | Select Name, SamAccountName, Description | Export-Csv c:\allusers.csv -NoTypeInformation

(-Filter is mandatory; if you leave it out, PowerShell stops at a “Filter:” prompt, where typing name –like “*” does the same job.)

Then get this data into Excel in two different worksheets.

Use the VLOOKUP tool to compare the two worksheets (in a third one), and collate the fields for the user’s name, forwarding address, and description:

In your “working worksheet” make the first column pull the display name from the mail worksheet, then name the second column “description” (this is what I’m looking for, anyway), and the third and subsequent columns can be any other data you’d like to show, such as OU, modified dates, or suchlike.

In the description column, enter:

=VLOOKUP(mail!A2, allusers!$D:$E, 2, FALSE)

“mail” refers to the worksheet containing the data extracted from Exchange, and A2 should be the first user’s Name field (copy this downwards so that you’re looking up A3, A4, A5, etc.).

“allusers” refers to the Active Directory information worksheet – so in this case it will attempt to match the mail A2 field with anything in the D column in allusers (this being the first column in the $D:$E array), and will then return the corresponding value from the E column in allusers (because I’ve specified “2”, which in my case is the description field). The FALSE bit at the end ensures that you’re searching for an exact match.

Copy this formula down along with the list of users that have email forwarding enabled, and you’ll have a list of forwarded users along with their names, descriptions, modified dates, OUs, and any other data you like.
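As an added example (not from the original post), here is the same audit done entirely in PowerShell, which removes the Excel step and also catches forwarding set up through inbox rules, which Get-Mailbox does not show. It assumes an Exchange 2010 SP1 or later Management Shell (the ForwardingSmtpAddress property appeared in SP1) on a machine that also has the ActiveDirectory module, run by an account allowed to read mailboxes and inbox rules; E:\forwardedusers.csv is the same output path as above:

```powershell
# Added example (not from the original post). Does the Exchange query and the AD
# lookup in one pass, so the Excel VLOOKUP step is unnecessary, and also catches
# forwarding configured through inbox rules, which Get-Mailbox does not show.
# Assumes an Exchange 2010 SP1+ Management Shell on a machine that also has the
# ActiveDirectory module (RSAT / Server 2008 R2+), run by an account allowed to
# read every mailbox's configuration and inbox rules.
Import-Module ActiveDirectory

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Mailbox-level forwarding: internal (ForwardingAddress, a recipient object) and,
    # from Exchange 2010 SP1, external (ForwardingSmtpAddress, any SMTP address).
    $targets = @()
    if ($mbx.ForwardingAddress) {
        $fwd = Get-Recipient $mbx.ForwardingAddress -ErrorAction SilentlyContinue
        $targets += if ($fwd) { $fwd.PrimarySmtpAddress.ToString() }
                    else      { "$($mbx.ForwardingAddress) (recipient not found)" }
    }
    if ($mbx.ForwardingSmtpAddress) { $targets += $mbx.ForwardingSmtpAddress.ToString() }

    # Rule-level forwarding: ForwardTo, ForwardAsAttachmentTo and RedirectTo are all
    # ways a user (or an attacker holding the user's credentials) can copy mail out.
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
             Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    if ($rules) {
        foreach ($r in $rules) {
            $targets += @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
                        Where-Object { $_ } |
                        ForEach-Object { "rule '$($r.Name)' -> $_" }
        }
    }

    if ($targets.Count -eq 0) { continue }

    # The join the post does in Excel: pull Description (and Enabled) from AD.
    $ad = Get-ADUser -Identity $mbx.SamAccountName -Properties Description, Enabled

    New-Object PSObject -Property @{
        Name                       = $mbx.Name
        SamAccountName             = $mbx.SamAccountName
        Description                = $ad.Description
        AccountEnabled             = $ad.Enabled
        DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        ForwardingTargets          = ($targets -join '; ')
        OrganizationalUnit         = $mbx.OrganizationalUnit
        WhenChanged                = $mbx.WhenChanged
    }
}

# Forwarding on an account that is still enabled is the case worth a second look,
# so sort those to the top.
$report | Sort-Object AccountEnabled -Descending |
    Export-Csv E:\forwardedusers.csv -NoTypeInformation
```

Get-InboxRule runs once per mailbox, so on several thousand mailboxes this takes a while; the trade-off is that it finds the cases that matter most, forwarding on an account that nobody has left.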

Find out which security group members are in one or more Exchange 2010 databases

First, run this command on a domain controller (or on any domain member, adding /domain) to extract the members of a security group:

net group "Security group name" /domain >c:\groupmembership.csv

Despite the file extension the output isn’t real CSV – it’s a fixed-width table with header and footer lines you’ll need to trim off in Excel – and net group does not expand nested groups.

Then run this in an Exchange 2010 Management Shell to extract the mailbox names from the database:

Get-Mailbox -Database 'DATABASENAME' -ResultSize Unlimited | Sort-Object DisplayName | Select DisplayName, SamAccountName | Export-Csv C:\userslist.csv -NoTypeInformation

Then paste your two name lists into Excel in two columns, one named group membership (say column A) and one named database users (column B). Use the formula below in a third column, copied down alongside column A, to find the names that occur in both:

=VLOOKUP(A2, B:B, 1, FALSE)

It returns the name where a group member also has a mailbox on the database, and #N/A where they don’t.
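As an added example (not from the original post), the same intersection done in PowerShell, across one or more databases and with nested group membership expanded. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module available; the group and database names are placeholders:

```powershell
# Added example (not from the original post). Intersects a security group's
# membership with the mailboxes on one or more databases in PowerShell, instead
# of pasting two lists into Excel. Assumes an Exchange 2010 Management Shell with
# the ActiveDirectory module; the group and database names are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Security group name'
$Databases = @('DATABASENAME', 'DATABASENAME2')

# -Recursive expands nested groups, which 'net group' does not; keep only user objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty SamAccountName

# Every mailbox on the databases of interest, keyed by SamAccountName for O(1) lookup.
$onDatabase = @{}
foreach ($db in $Databases) {
    Get-Mailbox -Database $db -ResultSize Unlimited | ForEach-Object {
        $onDatabase[$_.SamAccountName] = $_
    }
}

# The intersection: group members whose mailbox lives on one of those databases.
$found = foreach ($sam in $members) {
    if ($onDatabase.ContainsKey($sam)) {
        $m = $onDatabase[$sam]
        New-Object PSObject -Property @{
            SamAccountName = $sam
            DisplayName    = $m.DisplayName
            Database       = $m.Database.Name
        }
    }
}

$found | Sort-Object Database, DisplayName |
    Export-Csv C:\group_on_database.csv -NoTypeInformation
```

Running it the other way round (members of the group with no mailbox on those databases) is a matter of negating the ContainsKey test.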



Get a full list of address spaces in an Exchange 2010 Send Connector

You might want to export the list of address spaces in a Microsoft Exchange 2010 send connector, for backup, migration, or testing purposes.

Use this to extract the address spaces into a CSV file that Excel will open directly (the -Identity is the name of the send connector, not of an address space):

(Get-SendConnector -Identity "SENDCONNECTORNAME").AddressSpaces | Select-Object Type, Address, Cost, IncludeSubDomains | Export-Csv c:\temp\addressspaces.csv -NoTypeInformation

Why you should be using Open DNS


What is OpenDNS?

OpenDNS is a free recursive DNS service, provided as an alternative to using your ISP’s DNS servers. It provides additional features for filtering, web security, statistics, and speed improvements. The business collects revenue from adverts served on its search pages, and from the enterprise products it offers, which provide more detailed reporting and more granular features. It’s suitable for use by home users and businesses.

  1. Features
    1. Web content filtering by category
    2. Malware URL blocking by default
    3. Phishing website protection
    4. Statistics of DNS resolution
    5. Blocking of malware infected devices “phoning home”
    6. Notification of above devices attempting to phone home
    7. Typo correction (e.g. will resolve to
    8. Custom URL whitelists and blacklists
    9. DNS caching – if authoritative DNS fails, requests will resolve to the last good IP address.
    10. Multiple networks on one account
    11. Potential speed improvements
    12. Zero cost
  2. Benefits
    1. An extra layer of web access filtering can block access to websites by category, such as pornography, malware, adware, and others.
    2. Where your web filtering application or server fails, OpenDNS will pick up the slack and block inappropriate sites, malware, or phishing attacks. This should result in fewer virus infections.
    3. Where a machine is infected, it will not be able to contact malware servers to update itself or spread further, as long as the malware uses DNS to look up its home servers and uses the resolvers the network hands out. Malware that carries hard-coded IP addresses, or talks to its own DNS server directly, bypasses this entirely, so pair OpenDNS with an outbound firewall rule that only allows port 53 to the OpenDNS resolvers. The statistics will show you when devices do attempt to contact malware domains, highlighting infections you didn’t know about.
    4. Staff will be further protected from online scams and phishing attempts, protecting both them and the business.
    5. Easy-to-read and accessible statistics will show you which domain names are requested most frequently, and at what times of day. They also highlight where lookups for local names are being incorrectly forwarded to the Internet, and may aid fault resolution or identification of previously unknown faults.
    6. Typo correction improves the safety of online activity for users, and improves the user experience, potentially resulting in fewer helpdesk calls.
    7. Where an authoritative DNS server fails to respond, OpenDNS will serve the last known good IP address, so an authoritative outage doesn’t take your users offline. Whether an incident like the attack on NetNames earlier this month is covered depends on what it did: the cache helps if the authoritative servers went down, but not if they stayed up and answered with attacker-controlled records, as in a registrar-level hijack.
    8. OpenDNS is often faster than ISP DNS servers, resulting in an improved user experience, though this depends on where you are relative to their resolvers.