
Fix Trust relationship failed issue without domain rejoining


In this article we will discuss the causes of the “Trust relationship failed …” error and some ways to restore the secure channel between a workstation and the domain.

When can you get this error? For example, a user tries to log in to a workstation or server with domain account credentials, and after entering the username and password a window with an error message appears:

The trust relationship between this workstation and the primary domain failed

Or the error may look like this:

The security database on the server does not have a computer account for this workstation trust relationship


Let’s try to understand what this error means and how to fix it.

When you join a computer to an Active Directory domain, its computer account gets a password (just like AD user accounts do). Trust at this level is provided by the fact that the operation is performed by a Domain Administrator or another user with the same rights.

Each time a domain computer logs on to the domain, it establishes a secure channel with a domain controller and sends its credentials. If they are accepted, trust is established between the workstation and the domain, and further interaction follows the administrator-defined security policies.

The computer account password is valid for 30 days (by default) and is then changed automatically. It is important to understand that the password change is initiated by the computer itself and governed by domain policy; this is similar to the user password change process.


Tip. You can configure the maximum account password age for domain computers using the GPO setting Domain member: Maximum machine account password age, located in the following GPO editor branch: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. You can specify a number of days between 0 and 999 (the default is 30 days).


If the password has expired, the computer changes it automatically when it logs on to the domain. Therefore, even if you did not power on your computer for a few months, the trust relationship between the computer and the domain remains, and the password is changed at the first logon to the domain.

The trust relationship breaks when the computer tries to authenticate to the domain with an invalid password. Typically this occurs after the system state was restored from an image (backup) or from a virtual machine snapshot. In this case, the current password value on the local computer and the password stored in the domain are different.
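To see the mechanism described above on a live domain member, the following PowerShell snippet (an added example, not from the original article) reads the effective Domain member: Maximum machine account password age policy from the Netlogon service parameters and compares it with the PasswordLastSet attribute of the computer object in AD. It assumes the RSAT ActiveDirectory module is installed and that the machine can still query a domain controller; on a computer whose trust is already broken, run it from another domain member with -Identity set to the affected computer's name.

```powershell
# Added example (not part of the original article): compare the machine account
# password age with the domain policy for machine account password rotation.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available.

# The GPO setting "Domain member: Maximum machine account password age" is stored
# under the Netlogon service parameters; DisablePasswordChange turns rotation off.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon

# When the value is absent the Windows default of 30 days applies.
$maxAgeDays = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }
$rotationDisabled = ($params.DisablePasswordChange -eq 1)

# PasswordLastSet (pwdLastSet) is the time the machine account password was last changed in AD.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$age      = (Get-Date) - $computer.PasswordLastSet

[pscustomobject]@{
    Computer         = $computer.Name
    PasswordLastSet  = $computer.PasswordLastSet
    PasswordAgeDays  = [math]::Round($age.TotalDays, 1)
    MaxAgeDays       = $maxAgeDays
    RotationDisabled = $rotationDisabled
    DueForRotation   = (-not $rotationDisabled) -and ($age.TotalDays -ge $maxAgeDays)
}
```

A PasswordLastSet value in AD that is newer than the date of the backup or snapshot you restored is exactly the mismatch the article describes: the domain already holds a password that the restored local copy of the machine has never seen.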

The most obvious, classic way to restore the trust relationship is:

  1. Reset the local Administrator password
  2. Move the computer from the domain to a workgroup
  3. Reboot
  4. Reset the computer account in the domain using the ADUC console
  5. Rejoin the computer to the domain
  6. Reboot again

This method is the easiest, but it is not the fastest or most convenient, and it requires multiple reboots. We also know of cases where the user profile is not reconnected correctly after rejoining.


We will show how to restore the trust relationship and the secure channel without a domain rejoin or a reboot!

Netdom utility

The Netdom utility ships with Windows Server starting with the 2008 version, and it can be installed on a user PC from the RSAT (Remote Server Administration Tools) package. To use it, log in to the target system with local administrator (!!!) credentials (by typing “.\Administrator” in the logon window) and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password
  • Server – the name of any domain controller
  • UserD – a username with domain admin rights
  • PasswordD – that user's password

For example:

Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$$


After successful execution of this command no reboot is required; just log out of the local account and log in with the domain account.

PowerShell cmdlet Reset-ComputerMachinePassword

The Reset-ComputerMachinePassword cmdlet first appeared in PowerShell 3.0. You can install it manually (http://www.microsoft.com/en-us/download/details.aspx?id=34595) on these platforms: Windows 7, Server 2008 and Server 2008 R2 (it also requires .NET Framework 4.0 or higher).

If you want to restore the trust relationship as a local Administrator, open a PowerShell console and execute this command:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin
  • Server – the name of any domain controller
  • Credential – a user with domain admin permissions

For example:

Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith


An authorization window will appear, and you must enter the password of the domain administrator account you specified.


The cmdlet does not display any message on success, so just switch to the domain account; no reboot is required.

Tip. The same operation can be performed using the PowerShell cmdlet Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\dsmith

You can check that the secure channel has been successfully re-established using the following command:

nltest /sc_verify:corp.contoso.com


The following lines confirm that the trust relationship has been repaired:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success
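The check, repair and verification steps above can be chained so that the machine account password is only reset when the secure channel is actually broken. The script below is an added example, not the article's own code; it runs as a local administrator on the affected computer, and the domain controller name lon-dc01, the account corp\dsmith and the domain corp.contoso.com are the placeholder values from the article's examples, to be replaced with your own.

```powershell
# Added example (not part of the original article): repair the secure channel
# only when Test-ComputerSecureChannel reports it broken, then confirm with nltest.
# Run from an elevated PowerShell session as a local administrator.
# 'lon-dc01', 'corp\dsmith' and 'corp.contoso.com' are placeholders.

$dc     = 'lon-dc01'
$domain = 'corp.contoso.com'

# Prompt for the domain admin password instead of embedding it in the script.
$cred = Get-Credential -UserName 'corp\dsmith' -Message 'Domain admin credentials'

# Test-ComputerSecureChannel returns $true when the channel to the DC is usable.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel with $dc is healthy; nothing to repair."
}
else {
    Write-Host "Secure channel is broken; resetting the machine account password on $dc ..."
    # -Repair resets the computer account password locally and on the domain controller.
    if (Test-ComputerSecureChannel -Server $dc -Repair -Credential $cred) {
        Write-Host "Repair succeeded; no reboot is required."
    }
    else {
        throw "Repair failed. Fall back to 'Netdom resetpwd' or to rejoining the domain."
    }
}

# Independent confirmation: both status lines must report NERR_Success.
$verify = & nltest.exe /sc_verify:$domain 2>&1
$verify | ForEach-Object { Write-Host $_ }
if (($verify -join "`n") -notmatch 'Trust Verification Status = 0 0x0 NERR_Success') {
    throw "nltest did not confirm the trust; check the System event log for NETLOGON errors."
}
```

The final nltest check is deliberately separate from the cmdlet's return value: it reaches the domain controller through Netlogon in the same way a logon does, so a NERR_Success there means the next domain logon will succeed, whereas a non-zero status points to a remaining problem such as a stale computer account on the DC.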

As you can see, it is quite easy to restore a trust relationship in a domain! Hope this was useful for you!
