Earlier today, I ran across a computer with a broken trust relationship. I don’t know how long this machine had sat there – in a corner – alone – afraid to authenticate with the nearest DC. I took pity on the little guy and helped him get back on his feet.
As always, the broken trust relationship issue boils down to a password mismatch between the computer and the domain. It isn’t that the computer forgot the password (though that would be embarrassing if it did). Instead, this problem is usually the result of IT error (such as a duplicated name or an accidental reset). I list many reasons and a remote way to fix broken trust relationships on this page.
8 is the loneliest number.
I became curious on how many other machines in my domain are in this same sad/confused state. Turns out, I had 8 of them – 7 of which I was able to fix remotely! Most of these machines were open lab computers. These labs often have a spare or two (which explains why these weren’t reported to our helpdesk).
Below, you will find a PowerShell script that will let you check your domain for broken trust computers. It works by searching the System log on each DC for NETLOGON event ID 5722, which records the name of a computer that failed to authenticate. The user running this script should be delegated the Event Log Reader permission on your domain controllers. This can be accomplished by adding the user to the built-in AD security group Event Log Readers.
Import-Module ActiveDirectory

# How far back to search the DC logs. Match this to how often the script runs
# (-1 for daily, -7 for weekly).
$DateToStartSearch = (Get-Date).AddDays(-1)

# Mail settings for the alert
$SMTPServer = ''
$From = ''
$To = ''
$Subject = 'Broken Trust - Image or rejoin to the domain'

# Query every domain controller, since a computer only authenticates against one DC at a time
$DCS = Get-ADDomainController -Filter * | Select-Object HostName | Sort-Object HostName

$NetLogonErrors = @()
foreach ($DC in $DCS) {
    # NETLOGON 5722: "The session setup from the computer %1 failed to authenticate..."
    # ReplacementStrings holds the computer name, the account name (NAME$) and the error code (%%5).
    # -ErrorAction SilentlyContinue keeps one unreachable DC from aborting the whole run.
    $Events = Get-EventLog -LogName System -Source NETLOGON -ComputerName $DC.HostName `
        -InstanceId 5722 -After $DateToStartSearch -ErrorAction SilentlyContinue
    if ($Events) {
        $NetLogonErrors += $Events | ForEach-Object { $_.ReplacementStrings } | ForEach-Object { $_.TrimEnd('$') }
    }
}

# De-duplicate and drop the error-code strings (e.g. %%5 = Access is denied)
$NetLogonErrors = $NetLogonErrors | Where-Object { $_ -and $_ -notlike '%%*' } | Select-Object -Unique | Sort-Object

foreach ($ComputerName in $NetLogonErrors) {
    # A machine whose password was reset after the search window started has already been repaired or rejoined
    $Computer = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet -ErrorAction SilentlyContinue
    if (-not $Computer) { continue }   # object no longer exists in AD (deleted or renamed), nothing to report
    if (-not ($Computer.PasswordLastSet -gt $DateToStartSearch)) {
        Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $ComputerName
    }
}
To use this script, configure the first few variable lines at the top. The $DateToStartSearch line sets how far back in the DC logs the script searches. If you run the script once per day, leave it as is; if you run it once per week, change the value from -1 to -7. The next three lines ($SMTPServer, $From and $To) are needed to send the email alert. The $Subject line can be changed if you prefer a different email subject.
Once you fix a machine, it should not generate an email on the next regular script run. This is accomplished by comparing the $DateToStartSearch value to the last time that machine changed its password (PasswordLastSet): a machine whose password was reset after the start of the search window is skipped. If you run the script manually, repaired machines may generate an email because the $DateToStartSearch value is refreshed again on each run. If you wish to run it manually, comment out the $DateToStartSearch line on any subsequent executions.
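For admins who want the same 5722 search but with a triage view rather than a bare email, here is an added example built on Get-WinEvent (it is not the post's script). It works on PowerShell 7, where Get-EventLog is no longer available, and returns one object per failing computer with how many failures were logged, which DCs saw them, when the last one occurred, and whether the AD object still exists or has already had its password reset. It assumes the ActiveDirectory module, membership in Event Log Readers on each DC, and that the DCs accept remote event-log queries from the host running it; the function name and the Status values are my own naming, not anything from the post.

```powershell
# Added example, not the original post's script: NETLOGON 5722 search with Get-WinEvent.
# Assumes: ActiveDirectory module, Event Log Readers rights on every DC, remote event-log
# access to the DCs. Function name and Status values are this example's own choices.
Import-Module ActiveDirectory

function Get-BrokenTrustCandidate {
    [CmdletBinding()]
    param(
        # Start of the search window; match it to how often you run the check
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName | Sort-Object

    # One entry per failing computer: failure count, last sighting, and the DCs that logged it
    $seen = @{}
    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722; StartTime = $Since }
        # Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty result
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Message template: "The session setup from the computer %1 failed to authenticate."
            # Properties[0] is %1, the computer name; Properties[1] is the account name (NAME$).
            $name = ([string]$e.Properties[0].Value).TrimEnd('$').ToUpperInvariant()
            if (-not $name) { continue }
            if (-not $seen.ContainsKey($name)) {
                $seen[$name] = [pscustomobject]@{
                    ComputerName = $name; Failures = 0; LastSeen = $e.TimeCreated; ReportingDCs = @()
                }
            }
            $seen[$name].Failures++
            if ($e.TimeCreated -gt $seen[$name].LastSeen) { $seen[$name].LastSeen = $e.TimeCreated }
            if ($seen[$name].ReportingDCs -notcontains $dc) { $seen[$name].ReportingDCs += $dc }
        }
    }

    foreach ($entry in ($seen.Values | Sort-Object ComputerName)) {
        $adObject = Get-ADComputer -Identity $entry.ComputerName -Properties PasswordLastSet, Enabled `
            -ErrorAction SilentlyContinue
        # Classify: no AD object (deleted/renamed), password already reset since the window
        # started (repaired or rejoined), or still broken and in need of attention
        if (-not $adObject) { $status = 'NoADObject' }
        elseif ($adObject.PasswordLastSet -gt $Since) { $status = 'RecentlyReset' }
        else { $status = 'BrokenTrust' }

        [pscustomobject]@{
            ComputerName    = $entry.ComputerName
            Status          = $status
            Failures        = $entry.Failures
            LastSeen        = $entry.LastSeen
            ReportingDCs    = ($entry.ReportingDCs -join ',')
            PasswordLastSet = if ($adObject) { $adObject.PasswordLastSet } else { $null }
            Enabled         = if ($adObject) { $adObject.Enabled } else { $null }
        }
    }
}

# Usage: list only the machines that still need an image or rejoin
Get-BrokenTrustCandidate | Where-Object Status -eq 'BrokenTrust' | Format-Table -AutoSize
```

The Failures and ReportingDCs columns are useful for separating a genuinely broken lab machine (steady failures against one site's DCs) from a one-off name collision, and piping the BrokenTrust rows into Send-MailMessage gives you the same alert the post's script sends.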