
Fix Trust relationship failed issue without domain rejoining

In this article we will discuss the causes of the Trust relationship failed error and some solutions for restoring the secure channel between a workstation and the domain.

When can you get this error? For example, when a user tries to log in to a workstation or server with domain account credentials, and after entering the username and password a window appears with an error message:

The trust relationship between this workstation and the primary domain failed

Or the error may be like this:

The security database on the server does not have a computer account for this workstation trust relationship

The trust relationship between this workstation and the primary domain failed


What is the cause of the "The trust relationship between this workstation and the primary domain failed" error?

Let's try to understand what this error means and how to fix it.

When you join a computer to an Active Directory domain, a computer account is created for it and a password is set (just as for AD users). Trust at this level is provided by the fact that the operation is performed by a domain administrator or another user with the same rights.

Each time a domain computer logs on to the domain, it establishes a secure channel with a domain controller and sends its credentials. Trust is thereby established between the workstation and the domain, and further interaction follows the security policies defined by the administrator.

The computer account password is valid for 30 days (by default) and is then changed automatically. It is important to understand that the password change is initiated by the computer itself, and the interval is defined by domain policy. This is similar to the process of changing a user password.

Tip. You can configure the maximum account password age for domain computers using the GPO setting Domain member: Maximum machine account password age, which is located in the following GPO editor branch: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. You can specify a number of days between 0 and 999 (by default it is 30 days).


If the password has expired, the computer changes it automatically when it logs on to the domain. Therefore, even if you did not power on your computer for a few months, the trust relationship between the computer and the domain still remains, and the password will be changed at the first registration in the domain.

The trust relationship fails when the computer tries to authenticate to the domain with an invalid password. Typically this occurs after the system state was restored from an image (backup) or from a snapshot of a virtual machine. In this case, the current password value on the local computer and the password stored in the domain are different.
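To see both sides of this mechanism on a live machine, here is an added diagnostic script (not the article's own code). It reads the local Netlogon policy for the machine password age, asks the domain when the computer account password was last set, and checks whether the secure channel is healthy. It assumes the RSAT ActiveDirectory module is installed, that you run it from a local administrator session, and that lon-dc01 is a placeholder domain controller name.

```powershell
# Added diagnostic example, not the article's own code. Assumes the RSAT
# ActiveDirectory module is installed and a local administrator session;
# lon-dc01 is a placeholder domain controller name.
param(
    [string]$Server = 'lon-dc01',
    [pscredential]$Credential = (Get-Credential -Message 'Domain account for the LDAP query')
)

# 1. Local side: Netlogon stores the "Maximum machine account password age"
#    policy here (default 30 days). DisablePasswordChange = 1 means the
#    computer never rotates its own password.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { 30 }
$disabled = ($nl.DisablePasswordChange -eq 1)

# 2. Domain side: when AD last saw the computer account password change.
#    Explicit credentials make this LDAP query work even when the machine's
#    own secure channel is broken (the computer's own ticket cannot be relied on).
try {
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server `
            -Credential $Credential -Properties PasswordLastSet, Enabled -ErrorAction Stop
} catch {
    if ($_.CategoryInfo.Category -eq 'ObjectNotFound') {
        # Corresponds to the second error text in the article: no computer account exists.
        Write-Warning "No computer account named $env:COMPUTERNAME exists in the domain."
        return
    }
    throw
}

$ageDays = [math]::Round(((Get-Date) - $acct.PasswordLastSet).TotalDays, 1)

[pscustomobject]@{
    Computer             = $acct.Name
    AccountEnabled       = $acct.Enabled
    PasswordLastSet      = $acct.PasswordLastSet
    PasswordAgeDays      = $ageDays
    MaxAgePolicyDays     = $maxAge
    RotationDisabled     = $disabled
    # An old password alone is harmless (the computer rotates it at next logon);
    # a restored snapshot makes the two sides disagree, which only the
    # secure-channel test reveals.
    SecureChannelHealthy = Test-ComputerSecureChannel -Server $Server
}
```

A result with an old PasswordLastSet but SecureChannelHealthy = True is the "powered off for months" case; SecureChannelHealthy = False with a recent PasswordLastSet points at a restored image or snapshot.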

The most obvious classic way to restore trust relationship is:

  1. Reset local Admin password
  2. Move computer from Domain to workgroup
  3. Reboot
  4. Reset Computer account in the domain using ADUC console
  5. Rejoin computer to the domain
  6. Reboot again

This method is the easiest, but it is neither the fastest nor the most convenient, and it requires multiple reboots. We also know of cases where the user profile does not reconnect correctly after rejoining.

We will show how to restore the trust relationship and the secure channel without rejoining the domain or rebooting!

Using Netdom resetpwd to Fix Trust Relationship Failed

The Netdom utility has been included in Windows Server since version 2008; on a user PC it can be installed from the RSAT (Remote Server Administration Tools) package. To use it, log in to the target system with local administrator (!!!) credentials (by typing ".\Administrator" in the logon window) and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

  • Server – name of any domain controller
  • UserD – username with domain admin rights
  • PasswordD – user password (note that it is passed on the command line in plain text; specify /PasswordD:* to be prompted for it instead)

For example:

Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$$


After this command completes successfully, no reboot is required: just log out of the local account and log in with the domain account.

Reset-ComputerMachinePassword using PowerShell

The Reset-ComputerMachinePassword cmdlet first appeared in PowerShell 3.0. On Windows 7, Server 2008 and Server 2008 R2 you can install it manually (PowerShell 3.0 also requires .NET Framework 4.0 or higher).

If you want to restore the trust relationship as a local Administrator, open a PowerShell console and execute this command:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

  • Server – name of any domain controller
  • Credential – user with domain admin permissions

For example:

Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith

A credential prompt will appear, and you must enter the password of the domain administrator account you specified.

The cmdlet does not display any message on success, so just switch to the domain account; no reboot is required.

Tip. The same operation can be performed using the PowerShell cmdlet Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\dsmith

You can check that the secure channel has been successfully reestablished using the following command:

nltest /


The following lines in the output confirm that the trust relationship has been repaired:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success
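The whole no-reboot procedure from the two sections above (check the channel, repair it as the local administrator, then confirm the two NERR_Success lines), as an added script that is not the article's own code. It assumes lon-dc01 and corp are placeholder names, that nltest.exe is on the PATH, and uses nltest's /sc_verify switch for the verification step.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell
# session while logged on as the LOCAL administrator (.\Administrator).
# lon-dc01 and corp are placeholder names.
param(
    [string]$Server = 'lon-dc01',
    [string]$Domain = 'corp'
)

$cred = Get-Credential -Message "Domain admin account, e.g. $Domain\dsmith"

# Nothing to do if the channel already works.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel with $Server is already healthy; nothing to do."
    return
}

# -Repair resets the machine account password on both the computer and the
# domain controller, the same operation as Reset-ComputerMachinePassword or
# netdom resetpwd. No reboot is needed afterwards.
try {
    $repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred -ErrorAction Stop
} catch {
    throw "Repair failed: $($_.Exception.Message)"
}
if (-not $repaired) { throw 'Test-ComputerSecureChannel -Repair returned False.' }

# Verify the same way the article does, with nltest, and look for the two
# success lines it quotes rather than trusting the exit code alone.
$out = & nltest.exe /sc_verify:$Domain 2>&1
$ok  = ($out -match 'Trusted DC Connection Status Status = 0 0x0 NERR_Success') -and
       ($out -match 'Trust Verification Status = 0 0x0 NERR_Success')

if ($ok) {
    Write-Host 'Trust relationship repaired; log off and sign in with a domain account.'
} else {
    Write-Warning 'nltest did not report NERR_Success for both checks:'
    $out | ForEach-Object { Write-Warning $_ }
    exit 1
}
```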

As you can see, it is quite easy to solve the Trust relationship failed issue in a domain! Hope this was useful for you!
