DeployHappiness | Finding Computers with a Broken Trust Relationship
Error "Trust Relationshitp between Workstation and Primary Domain failed", is the most encountered message when you are dealing with. Microsoft Windows Active Directory. symptom. The trust relationship between the workstation and the Primary domain has failed. Workstations are falling out of the Creation Date: 27Jun Modified Date: 05Sep Does anybody know of a fix to this problem? domain but it could also be as stupid as the clock on the PC being set to the wrong time\date. . the PC will be re-associated to the domain and the relationship will be restored.
So how can you fix this error? Unfortunately, the simplest fix isn't always the best option.
active directory - Windows 7 Trust issues - Server Fault
The easy fix is to blow away the computer account within the Active Directory Users and Computers console and then rejoin the computer to the domain. Doing so reestablishes the broken-trust relationship. This approach works really well for workstations, but it can do more harm than good if you try it on a member server.
The reason for this has to do with the way that some applications use the Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch aside from the mailbox database simply by making use of the configuration data that is stored in the Active Directory.
The reason why I mention this particular example is that the Exchange Server configuration data is stored within the computer object for that server. So with that in mind, imagine that a trust relationship was accidentally broken and you decided to fix the problem by deleting the Exchange Server's computer account and rejoining the computer to the domain. I hope you remember the password.
A Guide to Attacking Domain Trusts – harmj0y
Another option is to unplug the machine from the network and log in with domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. You need to make sure you have netdom. Where you get netdom.
Windows Server and Windows Server R2 ship with netdom. Google can help you get them. For other platforms see this link: If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. Turn off the Kerberos Key Distribution Center service.
You can do this in the Services MMC snap-in. Set the startup type to Manual. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.
The resulting graphml can be visualized with yEd, as described here. This is how I produced the the previous visualization of the sample trust architecture: These next steps need to be executed for the hop from each each domain to another in the attack path. Unfortunately, there are a lot of caveats with this step. They can be added to local groups on individual machines, i.
They can be added to groups in the foreign domain. There are some caveats depending on trust type and group scope, described shortly. Foreign Group Membership The group membership case gets a bit tricky. I covered this in more depth in a previous postbut with linked attributes, Active Directory calculates the value of a given attribute, referred to as the back link e.
The gist is that group membership is ultimately preserved within the target group itself in the member property, and this all gets a bit complicated over trusts. Hopefully this will make more sense shortly. Domain Local Groups can have intra-forest cross-domain users users in the same forest as the group added as members, as well as inter-forest cross-domain users foreign security principals.
Global Groups can not have any cross-domain memberships, even within the same forest. So for our purposes we can ignore these. However, this also means that if we can bind to the global catalog of a forest, we can enumerate all of these specific cross-domain relationships easily.
Users that exist over external or forest trusts can still be added to domain local groups in the specified domain. Active Directory creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain.
Foreign ACL Principals Luckily most of the ntSecurityDescriptor property of Active Directory objects is 1 accessible to any domain authenticated user, and 2 replicated in the global catalog. Also, luckily for us, ForeignSecurityPrincipals are replicated in the global catalog, just like trusted domain objects mentioned in the Mapping Domain Trusts section.
- Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed
- DON’T REJOIN TO FIX: The trust relationship between this workstation and the primary domain failed
So if you want to quickly enumerate all foreign security principals i. And since these foreign principals can only be added to groups with a domain local scopewe can extract the domain the foreign user was added to from the distinguishedname, query that domain directly for domain local-scoped groups with members, assuming we have some type of direct or transitive trust with that target domain.
This allows us to compare the membership of these domain local groups each against the list of foreign users: This removes the requirement of having to perform complex analytics to extract these relationships after the data has been collected.
If that nested group relationship shows up in any attack paths, it will be automatically included in your graph with no extra effort.
The trust relationship between the workstation and the Primary domain has failed
Makes perfect sense, right? Just as most people remember the first time they saw Mimikatz extract a plaintext password out of memory, the memory of when I realized what this attack entailed is seared into my mind. It started as many of my brain-blowing moments have, by viewing a tweet from Benjamin Delpy in June ofand at first not understanding the implications: But first, in order for this to make complete sense, I have to explain sidHistory and the SID filtering security mechanism, and what this all means for domains within a forest.
If a user is migrated, their old security identifier SIDalong with the SIDs of any group they were previously a part of, can optionally be added to the sidHistory attribute of their new user account. Previously, abuse of this involved a pretty complex process, and included modifying the sidHistory in the Active Directory database ntds. We have done this in the field, and yes, it is awesome. This will only work for hopping between trusts within a forest.
This will not work for external or inter-forest trusts due to SID filtering, described in more detail in the Epilogue: SID Filtering section at the end of the post.
Finding Computers with a Broken Trust Relationship
A Case Study So, consider again the sample trust diagram: Say we land an account in external. From the external context, we can query the trusts that SUB has: But this only returns the direct trusts that sub. If we can query the global catalog not always possible from sub.