Active Directory

Windows 8: fixing trust relationship issues

Dear Jermal, here is some info that you may find useful in the future. I hope that you share with your friends, coworkers and the readers of your blog.

From time to time I have found myself having to reset the computer account of a workstation that was left offline. In most cases this workstation was a virtual machine with a computer password that expired. A clear sign of this is the message “The trust relationship between this workstation and the primary domain failed.” 

This can be fixed by the classic steps of removing the computer from the domain and then joining it back. You could also attempt to log into Active Directory Users and Computers and reset the computer object; I haven’t had much success with this. Perhaps I’m too impatient to wait for replication.

Another method is to use PowerShell and the Test-ComputerSecureChannel cmdlet.

By loading up PowerShell (as Administrator) you can run the Test-ComputerSecureChannel cmdlet (pronounced “command-let”). Running this command on a working machine will return the value “True”.

If the Test-ComputerSecureChannel cmdlet returns False, use the Repair switch to repair the secure channel. That command will look like this: “Test-ComputerSecureChannel

I hope this helps,




P.S. – You will need to be logged in under a cached Administrator account on the computer; to do this you just remove yourself from the network and log in under your credentials.
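
The test-then-repair flow described above, as an added example that is not part of the original post. It assumes an elevated session on the affected workstation with the network reconnected so a domain controller is reachable; the prompt text is illustrative.

```powershell
# Added example: test the secure channel and repair it only when it is broken.

# Refuse to continue unless the session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

if (Test-ComputerSecureChannel) {
    Write-Output 'Secure channel is healthy; nothing to repair.'
}
else {
    Write-Warning 'Secure channel test returned False; attempting repair.'

    # Prompt for a domain account that may reset this computer account, so the
    # password is never typed on the command line or stored in the script.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'

    # -Repair resets the machine account password against a domain controller
    # and returns True when the channel is working again.
    if (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose) {
        Write-Output 'Secure channel repaired. Log off and sign in with a domain account to confirm.'
    }
    else {
        Write-Error 'Repair failed. Check DC connectivity, clock skew and that the computer object still exists.'
    }
}
```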


Freeware Active Directory, Exchange, Lync provisioning tool

I can’t wait to play with this free software called Z-Hire. Z-Hire is an employee provisioning tool that handles account creation in Active Directory, Exchange and Lync. With just a few simple clicks (one click) accounts for Active Directory, Exchange, and Lync will be created.

Z-Hire doesn’t just assist account administrators with creating new accounts; it simplifies account closures. Z-Hire can even create accounts in Office 365 and SalesForce. So take a look at it. I am sure you will find it very useful. Best of all, it’s free.

Link to help info:

Download Z-Hire from TechNet


System Requirements
– Windows 7 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
– Windows Server 2008 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
– Windows Server 2008 R2 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)

Permission Requirements
– Ability to create Active Directory user
– Ability to create Exchange Mailbox
– Ability to create / enable Lync user

Supported Environments
– Active Directory (all versions)
– Exchange 2007 (all versions)
– Exchange 2010 / 2013 (all versions)
– Lync 2010 / 2013 (both Standard and Enterprise versions)
– Office 365 Cloud
– SalesForce CRM Cloud

Active Directory Replication Status Tool

The Active Directory Replication Status Tool (ADREPLSTATUS) analyzes the replication status for domain controllers in an Active Directory domain or forest. ADREPLSTATUS displays data in a format that is similar to REPADMIN /SHOWREPL * /CSV imported into Excel but with significant enhancements.
Specific capabilities for this tool include:

• Expose Active Directory replication errors occurring in a domain or forest
• Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
• Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
• Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

Download the Active Directory Replication Status Tool


How to use Netdom.exe to reset machine

That which you do not know, the doing will quickly teach you. – Po (Kung Fu – 1972)

Here is a situation where you have a virtual machine joined to an Active Directory domain and it has been reverted to an earlier state, which invalidates its domain security key. Rather than removing this machine and joining it again, you can regain domain access by simply logging into the machine as a member of the local Administrators group and running the following command in an elevated command prompt:

netdom.exe resetpwd /s:<Primary DC Name> /ud:<DomainUsername> /pd:<Username Password>

This will update the machine’s security key on the virtual machine and the domain. After a reboot of the machine you are able to log in and function as a member of the domain again.
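
A variant of the command above that keeps the password off the command line, as an added example that is not part of the original post. `DC01` and `CONTOSO\jdoe-admin` are constructed placeholders; `/pd:*` makes netdom prompt for the password instead of taking it as an argument.

```powershell
# Added example: reset the machine password with netdom, prompting for the
# credential, then confirm the secure channel against the same DC.
$dc   = 'DC01'                 # constructed placeholder: a reachable domain controller
$user = 'CONTOSO\jdoe-admin'   # constructed placeholder: account allowed to reset the computer object

# /pd:* prompts interactively, so the password does not end up in command
# history, scripts, or process command-line logging.
& netdom.exe resetpwd "/s:$dc" "/ud:$user" '/pd:*'
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed with exit code $LASTEXITCODE"
}

# Verify against the DC that handled the reset before rebooting.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Output "Secure channel to $dc verified; reboot to finish."
}
else {
    Write-Warning "Reset reported success but the secure channel to $dc still fails verification."
}
```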

More info on netdom commands here:

And a big thanks to Michael Girard, who posted this as part of my ‘Flashback Friday’ post on Facebook where I had asked people to share what they had learned this week.

Please stop by when you have a chance.

Lync not populating contact cards phone numbers from Active Directory

So you have Lync, and every time you want to look up the extension of someone in your office you are left with nothing. Why? Why is this? Why don’t things just work? As frustrating as this may be, it happens for a reason.

Lync expects all the phone numbers in Active Directory to be in the E.164 format. In short they should be something such as this: +1-111-5550000 etc… If they are not like this, you will need to normalize them if you want Lync to publish them.

Normalization Rules
Normalization rules define how phone numbers expressed in various formats are to be routed for the named location. The same number string may be interpreted and translated differently depending on the locale from which it is dialed. Normalization rules are necessary for call routing because users can, and do, use various formats when entering phone numbers in their Contacts lists.

Method used to fix this
I utilized the contact card functionality of Lync and a series of regular expressions found around the web and came up with a Company_Phone_Number_Normalization_rules.txt located in the Lync share 1-WebServices-1\ABFiles, followed by a quick “Update-CsAddressbook”. All you need to do is give some time for the address book to regenerate.

I give a big thanks to the guys / gals over at Network Administration Secrets for this one.
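
A way to dry-run normalization rules against sample numbers before regenerating the address book, as an added example that is not the author's rules file. The two-line rule layout (match pattern, then replacement, with `#` comment lines), the patterns, the `ConvertTo-NormalizedNumber` helper and the sample numbers are all assumptions constructed for illustration.

```powershell
# Added example: apply pattern/replacement rule pairs to sample numbers.
# Constructed rules, in the assumed layout: pattern line, then replacement line.
$rulesText = @'
# 10-digit numbers with optional separators
^\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})$
+1$1$2$3
# 4-digit internal extensions mapped onto a constructed main number
^[xX]?(\d{4})$
+1111555$1
'@

function ConvertTo-NormalizedNumber {
    param([string]$Number, [string]$RulesText)

    # Drop comments and blank lines, then read what is left as rule pairs.
    $lines = @($RulesText -split "`r?`n" |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' })

    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) {
        if ($Number -match $lines[$i]) {
            # First matching rule wins.
            return ($Number -replace $lines[$i], $lines[$i + 1])
        }
    }
    return $null   # no rule matched: this number would not be normalized
}

# Constructed sample values as they might appear in Active Directory.
'111-555-0000', '(111) 555 0000', 'x1234', '555-0000' | ForEach-Object {
    $result = ConvertTo-NormalizedNumber -Number $_ -RulesText $rulesText
    [pscustomobject]@{
        Input      = $_
        Normalized = if ($result) { $result } else { '<no rule matched>' }
    }
}
```

Numbers reported as unmatched are the ones to write additional rules for.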