In this article we discuss the causes of the “Trust relationship failed …” error and some ways to restore the secure channel between a workstation and the domain.
When do you get this error? For example, when a user tries to log on to a workstation or server with domain account credentials and, after entering the username and password, a window with the following error message appears:
The trust relationship between this workstation and the primary domain failed
Or the error may be like this:
The security database on the server does not have a computer account for this workstation trust relationship
Let’s try to understand what this error means and how to fix it.
When a computer is joined to an Active Directory domain, a computer account is created for it and a password is set for that account (just as for AD users). Trust at this level comes from the fact that the join is performed by a domain administrator or another user with the rights to create the computer account.
Each time a domain computer starts, it establishes a secure channel with a domain controller and authenticates with its computer account credentials. If this succeeds, trust between the workstation and the domain is established and further interaction follows the administrator-defined security policies.
The computer account password is valid for 30 days by default and is then changed automatically. It is important to understand that the password change is initiated by the computer itself, not by the domain controller, and the interval is defined by domain policy. This is similar to the user password change process.
Tip. You can configure the maximum account password age for domain computers using the GPO setting Domain member: Maximum machine account password age, located in the following GPO editor branch: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The value can be between 0 and 999 days (the default is 30 days).
If the password has expired, the computer changes it automatically when it next connects to the domain. Therefore, even if you did not power on the computer for a few months, the trust relationship between it and the domain remains intact, and the password is changed at its first logon to the domain.
The trust relationship breaks when the computer tries to authenticate to the domain with a password that does not match the one stored in its AD computer account. Typically this happens after the system state was restored from an image (backup) or a virtual machine snapshot taken before the last automatic password change: the password stored on the local computer and the one in the domain then differ.
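Before repairing anything it helps to confirm that this is really the failure mode. The following PowerShell script is an added example and not code from the original article: it reads the effective Netlogon password-change settings, tests the secure channel, and compares the password change date recorded in AD with the date of the backup or snapshot you restored. The DC name lon-dc01 and the account corp\dsmith are placeholders, and the final query assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the original article): inspect the machine account
# password state on a domain member. Run in an elevated PowerShell on the
# affected computer. Placeholders: 'lon-dc01' (a DC), 'corp\dsmith' (domain account).

# The GPO settings "Domain member: Maximum machine account password age" and
# "Domain member: Disable machine account password changes" land in these two
# Netlogon registry values. An absent value means the default (30 days, changes on).
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $nl.MaximumPasswordAge)    { $nl.MaximumPasswordAge }    else { 30 }
$disabled = if ($null -ne $nl.DisablePasswordChange) { $nl.DisablePasswordChange } else { 0 }
"Maximum machine account password age : $maxAge days"
"Machine account password changes off : $([bool]$disabled)"

# Is the secure channel to a DC usable right now? $false means the trust is broken.
$healthy = Test-ComputerSecureChannel -Verbose
"Secure channel OK                    : $healthy"

# When did the computer last change its password, as recorded in AD?
# -Server and -Credential let this query work even when the local trust is broken.
# If PasswordLastSet is NEWER than the snapshot/backup you restored, the DC holds a
# password the restored OS never saw: exactly the mismatch described above.
$cred = Get-Credential -UserName 'corp\dsmith' -Message 'Domain account for the AD query'
$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server 'lon-dc01' -Credential $cred `
                       -Properties PasswordLastSet
"AD computer account password last set: $($acct.PasswordLastSet)"
```

If the secure channel test returns False and PasswordLastSet in AD is later than the restore point, the local and domain passwords have diverged and one of the repair methods below applies; if the channel is healthy, the logon problem has another cause.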
The most obvious, classic way to restore the trust relationship is:
- Reset (or make sure you know) the local administrator password
- Move the computer from the domain to a workgroup
- Reset the computer account in the domain using the ADUC console
- Rejoin the computer to the domain
- Reboot again
This method is the easiest, but not the fastest or most convenient: it requires several reboots. We have also seen cases where the user profile is not reattached correctly after rejoining.
Below we show how to restore the trust relationship and the secure channel without rejoining the domain or rebooting.
The Netdom utility is included in Windows Server since the 2008 version; on a client PC it can be installed with the RSAT (Remote Server Administration Tools) package. To use it, log on to the target system with local administrator (!!!) credentials (type “.\Administrator” in the logon window) and run the following command:
Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password
- Server – the name of any domain controller
- UserD – a user account with domain admin rights
- PasswordD – that user's password
Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$$
After the command completes successfully no reboot is required: just log off from the local account and log on with the domain account.
PowerShell cmdlet Reset-ComputerMachinePassword
The Reset-ComputerMachinePassword cmdlet in the form used below (with the -Credential parameter) requires PowerShell 3.0. On Windows 7, Windows Server 2008 and Server 2008 R2 it can be installed manually as part of Windows Management Framework 3.0 (http://www.microsoft.com/en-us/download/details.aspx?id=34595), which also requires .NET Framework 4.0 or higher.
To restore the trust relationship while logged on as a local administrator, open a PowerShell console and run:
Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin
- Server – the name of any domain controller
- Credential – a user account with domain admin permissions
Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith
A credential prompt will appear; enter the password of the domain administrator account you specified.
The cmdlet does not display any message on success, so just log off and log on with the domain account; no reboot is required.
Tip. The same operation can be performed with the Test-ComputerSecureChannel cmdlet and its -Repair switch:
Test-ComputerSecureChannel -Repair -Credential corp\dsmith
You can check that the secure channel has been successfully re-established by verifying it from the workstation. The following lines in the output confirm that the trust relationship has been repaired:
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
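The whole no-rejoin procedure (test, repair, verify) can be done in one script. The following is an added example, not code from the original article: it uses Test-ComputerSecureChannel -Repair, falls back to Reset-ComputerMachinePassword, and then verifies the result both with the cmdlet and with nltest /sc_verify, which is the tool that prints the two NERR_Success status lines quoted above. The names lon-dc01, corp\dsmith and corp.local are placeholders for your domain controller, domain admin account and domain FQDN.

```powershell
# Added example (not from the original article): repair a broken secure channel
# without rejoining the domain, then verify it. Log on with a LOCAL administrator
# account (.\Administrator) and run this from an elevated PowerShell 3.0+ console.
# Placeholders: 'lon-dc01' (any DC), 'corp\dsmith' (domain admin), 'corp.local' (domain).
$dc     = 'lon-dc01'
$domain = 'corp.local'
$cred   = Get-Credential -UserName 'corp\dsmith' -Message 'Domain admin account'

# 1. Nothing to do if the channel already works.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel to $dc is healthy; nothing to repair."
    return
}

# 2. -Repair resets the machine account password on this host and on the DC in one
#    step and returns $true on success. Reset-ComputerMachinePassword does the same
#    job, so it is used as a fallback if the repair reports failure.
$repaired = Test-ComputerSecureChannel -Server $dc -Credential $cred -Repair
if (-not $repaired) {
    Write-Warning 'Test-ComputerSecureChannel -Repair failed, trying Reset-ComputerMachinePassword'
    Reset-ComputerMachinePassword -Server $dc -Credential $cred
}

# 3. Verify with the cmdlet (prints the DC it talked to with -Verbose)...
$ok = Test-ComputerSecureChannel -Server $dc -Verbose
"Secure channel OK after repair: $ok"

# ...and with nltest, whose output should contain the two NERR_Success lines:
#   Trusted DC Connection Status Status = 0 0x0 NERR_Success
#   Trust Verification Status = 0 0x0 NERR_Success
$out = & nltest.exe /sc_verify:$domain
$out
if (-not $ok -or -not ($out -match 'Trust Verification Status = 0')) {
    throw 'Secure channel is still broken; check the DC name, credentials and name resolution.'
}
Write-Host 'Trust repaired. Log off the local account and log on with a domain account; no reboot needed.'
```

The script deliberately runs as the local administrator and passes explicit domain credentials to every call, because once the trust is broken the computer itself can no longer authenticate to the DC; only the supplied domain account can authorize the password reset.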
As you can see, restoring a trust relationship in a domain is quite easy. We hope this was useful for you!