
Fix Trust relationship failed issue without domain rejoining


In this article we will discuss the causes of the Trust relationship failed error and some ways to restore the secure channel between a workstation and the domain.

When can you get this error? For example, when a user tries to log in to a workstation or server with domain account credentials, and after entering the username and password a window appears with an error message:

The trust relationship between this workstation and the primary domain failed

Or the error may look like this:

The security database on the server does not have a computer account for this workstation trust relationship


What causes the "The trust relationship between this workstation and the primary domain failed" error?

Let's try to understand what this error means and how to fix it.

When you join a computer to an Active Directory domain, a password is set for its computer account (just as for AD users). Trust at this level is provided by the fact that the operation is performed by a Domain administrator or another user with the same rights.

Each time a domain computer logs in to the domain, it establishes a secure channel with a domain controller and sends its credentials. Trust is then established between the workstation and the domain, and further interaction occurs according to the administrator-defined security policies.


The computer account password is valid for 30 days by default and is then changed automatically. It is important to understand that the password change is initiated by the computer itself, according to the domain policies. This is similar to the user password change process.

Tip. You can configure the maximum account password age for domain computers using the GPO setting Domain member: Maximum machine account password age, which is located in the GPO editor under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. You can specify a number of days between 0 and 999 (by default it is 30 days).


If the password has expired, the computer changes it automatically when it logs in to the domain. Therefore, even if you did not power on your computer for a few months, the trust relationship between the computer and the domain still remains, and the password will be changed at the first registration in the domain.
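To see this rotation policy in effect on a particular machine, here is an added example (not from the original article) that reads the effective Netlogon setting on the client and compares it with the computer account's PasswordLastSet attribute in AD. It assumes the ActiveDirectory RSAT module is installed and the current user can read the computer object.

```powershell
# Added example: report machine-account password age against the configured maximum.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

# The GPO "Domain member: Maximum machine account password age" is stored in this key
# as MaximumPasswordAge (days); when the value is absent the default of 30 days applies.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAgeDays = if ($netlogon.PSObject.Properties['MaximumPasswordAge']) { $netlogon.MaximumPasswordAge } else { 30 }

# "Domain member: Disable machine account password changes" maps to DisablePasswordChange
$changesDisabled = ($null -ne $netlogon.PSObject.Properties['DisablePasswordChange']) -and
                   ($netlogon.DisablePasswordChange -eq 1)

# PasswordLastSet on the computer object shows when the machine last rotated its password
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$age = (Get-Date) - $computer.PasswordLastSet

[pscustomobject]@{
    Computer        = $computer.Name
    PasswordLastSet = $computer.PasswordLastSet
    PasswordAgeDays = [math]::Round($age.TotalDays, 1)
    MaxAgeDays      = $maxAgeDays
    ChangesDisabled = $changesDisabled
    # An overdue rotation alone does not break trust: as described above, the computer
    # simply changes the password at its next domain logon. It only flags a stale account.
    RotationOverdue = (-not $changesDisabled) -and ($age.TotalDays -gt $maxAgeDays)
}
```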

The trust relationship fails if the computer tries to authenticate to the domain with an invalid password. Typically, this occurs after the system state was restored from an image (backup) or from a snapshot of a virtual machine. In this case, the current password value on the local computer and the password stored in the domain are different.

The most obvious, classic way to restore the trust relationship is:

  1. Reset the local Admin password
  2. Move the computer from the domain to a workgroup
  3. Reboot
  4. Reset the computer account in the domain using the ADUC console
  5. Rejoin the computer to the domain
  6. Reboot again

This method is the easiest, but it is not the fastest or most convenient, and it requires multiple reboots. We also know of cases where the user profile does not reconnect correctly after rejoining.

We will show how to restore the trust relationship and the secure channel without rejoining the domain or rebooting!

Using Netdom resetpwd to Fix Trust Relationship Failed

The Netdom utility has shipped with Windows Server since version 2008; on a user PC it can be installed from the RSAT (Remote Server Administration Tools) package. To use it, log in to the target system with local administrator (!!!) credentials (by typing ".\Administrator" in the logon window) and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

  • Server – name of any domain controller
  • UserD – username with domain admin rights
  • PasswordD – that user's password

For example (the password value is a placeholder):

Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:<DomainAdminPassword>

After successful execution of this command a reboot is not required; just log out of the local account and log in with the domain account.

Reset-ComputerMachinePassword using PowerShell

The Reset-ComputerMachinePassword cmdlet first appeared in PowerShell 3.0. You can install it manually (http://www.microsoft.com/en-us/download/details.aspx?id=34595) on these platforms: Windows 7, Server 2008 and Server 2008 R2 (it also requires .NET Framework 4.0 or higher).

If you want to restore the trust relationship as a local Administrator, open a PowerShell console and run this command:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

  • Server – name of any domain controller
  • Credential – user with domain admin permissions

For example:

Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith

A credential prompt will appear, and you must enter the password of the domain administrator account you specified.

The cmdlet does not display any message on success, so just switch accounts; no reboot is required.

Tip. The same operation can be performed using the PowerShell cmdlet Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\dsmith

You can check that the secure channel has been successfully reestablished using the following command:

nltest /sc_verify:corp.contoso.com

The following lines confirm that the trust relationship has been repaired:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success
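Putting the check, the repair and the verification together, here is an added example script (not from the original article) that you would run locally as .\Administrator. The domain controller and domain names are the article's example values, and the credential is prompted for rather than placed on the command line, where a /PasswordD: value would otherwise be visible in process listings and shell history.

```powershell
# Added example: check the secure channel, repair it in place if broken, then verify with nltest.
# Run this in an elevated PowerShell console while logged on as the local administrator.
param(
    [string]$DomainController = 'lon-dc01',        # any DC (article's example name)
    [string]$DomainFqdn       = 'corp.contoso.com' # article's example domain
)

# Prompt for the domain account with rights to reset the computer account,
# so the password never appears in the command line or in the PowerShell history.
$cred = Get-Credential -Message 'Domain account with rights to reset the computer account'

# Test-ComputerSecureChannel returns $true when the channel to the DC is usable
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel to $DomainFqdn is healthy; nothing to repair."
    return
}

Write-Host 'Secure channel is broken; resetting the machine account password...'
# -Repair sets a new machine password both locally and in AD, the same effect as netdom resetpwd
$repaired = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred
if (-not $repaired) {
    Write-Warning 'Repair did not succeed; check the DC name, credentials and network connectivity.'
    return
}

# Verify the same way the article does, and look for both NERR_Success status lines
$verify = & nltest.exe /sc_verify:$DomainFqdn 2>&1
$successLines = @($verify | Where-Object { $_ -match 'NERR_Success' })
if ($successLines.Count -ge 2) {
    Write-Host 'Trust relationship repaired; log out and sign in with the domain account.'
} else {
    Write-Warning ("nltest did not report NERR_Success:`n" + ($verify -join "`n"))
}
```

If the repair fails, the classic workgroup-and-rejoin procedure described earlier remains the fallback.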

As you can see, it is quite easy to solve the Trust relationship failed issue in a domain! Hope this was useful for you!

