The “trust” is the AD function.
Basically, when you create an object in the LDAP, it gets a SID with a Kerberos.
The computer joining also gets this SID & Kerberos.
If the SID matches & the Kerberos does not, then there is a trust failure; you can regen these keys.
Also, I said about the patch:
In the LDAP record for the computer you will see:
localPolicyFlags
msDS-SupportedEncryptionTypes
IF you see:
localPolicyFlags
mS-DS-CreatorSID ←
msDS-SupportedEncryptionTypes
THAT is what messes up the “already exists”. The key in “mS-DS-CreatorSID” is only there under specific situations, & if the new “joiner admin” does not match that SID, then you get an error related to “already exists”.
I know it is this flag, because if I delete this from the LDAP, magically the workstation then joins …
{I had to write a script to remove it; one of our now “EX” admins had been using his personal account with admin priv.}
I have also seen this flag go “bad” sometimes, containing nothing that looks like any SID, so even if you use the same admin to rejoin the WS, it still fails.
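As an added example (not from the original post), a PowerShell audit that lists which computer objects carry the mS-DS-CreatorSID attribute the post describes, resolves the stored SID to an account, flags values that are not a valid SID, and compares each against the account that will perform the rejoin. It assumes the ActiveDirectory RSAT module on a domain-joined host; the function and parameter names are my own.

```powershell
# Added example, not the original poster's script. Audits mS-DS-CreatorSID on
# computer objects so stale or malformed creator SIDs can be reviewed before a
# rejoin, instead of being discovered through an "already exists" failure.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Get-CreatorSidReport {
    param(
        # Account that will perform the (re)join; defaults to the current user.
        [string]$JoinerAccount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $joinerSid = (New-Object System.Security.Principal.NTAccount($JoinerAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Only objects that actually carry the attribute are interesting.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -SearchBase $SearchBase `
        -Properties 'mS-DS-CreatorSID', localPolicyFlags, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = $null; $owner = $null; $state = 'ok'
        try {
            # The attribute is stored as a binary SID; parse it from the byte array.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            try { $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $state = 'unresolvable' }   # valid SID, but no account maps to it (deleted?)
        } catch {
            $state = 'malformed'                # the "bad" value the post mentions: not a SID at all
        }
        [pscustomobject]@{
            Computer         = $_.Name
            CreatorSid       = $(if ($sid) { $sid.Value } else { ($raw | ForEach-Object { '{0:x2}' -f $_ }) -join '' })
            CreatorAccount   = $owner
            State            = $state
            MatchesJoiner    = ($sid -and $sid.Value -eq $joinerSid)
            EncryptionTypes  = $_.'msDS-SupportedEncryptionTypes'
            LocalPolicyFlags = $_.localPolicyFlags
        }
    }
}

# Rows where the stored creator is malformed, unresolvable, or simply not the
# account about to rejoin the machine are the ones worth reviewing first.
Get-CreatorSidReport | Where-Object { -not $_.MatchesJoiner } | Format-Table -AutoSize
```

Review the flagged rows before clearing the attribute; the report is read-only and changes nothing in the directory.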