Systems Restore breaks domain trust

Right so we had a odd problem come into us the other week.

The issue was that windows 7 client machines were randomly losing their domain trust, so when the users tried to logon to these machines they were presented with the error:
“The trust relationship between this workstation and the primary domain failed”

<Picture>

This generally means that the machine account password(s) presented to AD by the workstation or incorrect, as explined by KB162797
“The computer’s machine account has the incorrect role or its password has become mismatched with that of the domain database.”

We know that a whole load of different things can put a workstation into the bad password state, but the one we are concentrating on is System Restore.

What was happening was that users were or something was cutting the power to the machine, such as a hard reboot/power off, this was causing corruption on disk and putting the machine into start-up repair, but start-up repair wasn’t not able to fix the corruption so it checked for a Restore point it found. This restore point was before the recent machine account password change cause the machine to lose its domain trust when it came back up.

This was documented by Microsoft as a problem with XP pro machine, in KB295049

This is also a problem with windows 7, and can be reproduce by following these steps:

  1. Create a restore point on a working machine.
  2. Run nltest.exe /cdigest:MESSAGETOHASH /domain:domain.com, to see what the current hashes are.
  3. Run nltest.exe /sc_change_pwd:domain.com, to change the machine account password.
  4. Run nltest.exe /cdigest:MESSAGETOHASH /domain:domain.com, again to make sure the hashes/machine account password has changed.
  5. Restore the system to the restore created above.

When the system finishes and comes back up we get the Trust Relationship error.
Now if you log on locally and undo the restore, it fixes the problem and no more trust error.

Thank You

Techtonis.