In this article, we’ll discuss the causes of the “Trust relationship failed” error. This guide covers possible solutions for restoring a secure channel between the workstation and the Active Directory domain.
When can you face this error? For example, when a user tries to log in to a workstation or server with domain account credentials. After entering the username and password, a window appears with an error message:
The trust relationship between this workstation and the primary domain failed
Or the error looks like this:
The security database on the server does not have a computer account for this workstation trust relationship
Let’s try to understand what this error means and how to fix it.
Active Directory Machine Account Password
When you join a computer to the Active Directory domain, a new computer account is created for your device and a password is set for it (just like for AD users). Trust at this level is provided by the fact that the domain join is performed by a Domain Administrator or another user with delegated administrative permissions.
Each time the domain computer logs in to the AD domain, it establishes a secure channel with the nearest domain controller. The computer credentials are sent to the DC, and trust is established between the workstation and the domain. Further interaction occurs according to administrator-defined security policies.
The computer account password is valid for 30 days (by default) and is then changed. Keep in mind that the computer changes the password according to the configured domain Group Policy. This is similar to the user password change process.
Tip. You can configure the maximum account password age for domain computers using the GPO setting Domain member: Maximum machine account password age. It is located in the following Group Policy Editor section: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. You can specify a number of days between 0 and 999 (the default is 30 days).
You can also configure the machine account password policy for a single computer through the registry.
To do this, run regedit.exe and go to the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key. Edit the MaximumPasswordAge parameter and set the maximum validity period of the computer password in the domain (in days). Another option is to disable the computer account password change completely by setting the REG_DWORD parameter DisablePasswordChange to 1.
Computer account passwords don’t expire in Active Directory, because the Domain Password Policy doesn’t apply to AD computer objects. Your computer can use the NETLOGON service to change the password during the next domain logon if its password is older than 30 days. Note that the local computer password is not controlled by AD, but by the computer itself.
The computer tries to change its password on the domain controller, and only after a successful change does it update its local password. The local copy of the password is stored in the registry key HKLM\SECURITY\Policy\Secrets\$machine.ACC.
You can view the last password set time for a computer account in the AD domain using the Get-ADComputer cmdlet from the Active Directory module for Windows PowerShell. Run the command with the computer name:
get-adcomputer -Identity Lon-Com212 -Properties PasswordLastSet
Therefore, even if you have not powered on your computer for a few months, the trust relationship between the computer and the domain will remain. In this case, the computer password will be changed at the first registration of your workstation in the domain.
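As an added example (not part of the original article), the following PowerShell script audits machine account password age from the AD side with Get-ADComputer and reads the Netlogon registry parameters described above on the local host. It assumes the ActiveDirectory RSAT module; the OU path and the age threshold are placeholders.

```powershell
# Added example, not from the original article. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Lists enabled computers whose AD password is older than the given maximum age.
function Get-StaleComputerPasswords {
    param(
        [string]$SearchBase = 'OU=Computers,DC=theitbros,DC=com',  # placeholder OU
        [int]$MaxAgeDays    = 30                                   # default policy value
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties PasswordLastSet, LastLogonDate |
      Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
      Select-Object Name, PasswordLastSet, LastLogonDate,
          @{ Name = 'PasswordAgeDays'; Expression = { [int]($now - $_.PasswordLastSet).TotalDays } } |
      Sort-Object PasswordAgeDays -Descending
}

# Reads the per-computer Netlogon override from the registry key named above.
# A missing MaximumPasswordAge value means the 30-day default applies.
function Get-LocalMachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        MaximumPasswordAge    = $(if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 })
        DisablePasswordChange = ($p.DisablePasswordChange -eq 1)
    }
}

# Usage. A computer whose AD password is far older than the policy has either been offline,
# has DisablePasswordChange set, or cannot reach a DC to rotate it; all three are worth a look.
$policy = Get-LocalMachinePasswordPolicy
$policy
Get-StaleComputerPasswords -MaxAgeDays $policy.MaximumPasswordAge | Format-Table -AutoSize
```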
What is the Cause for “The Trust Relationship between this Workstation and the Primary Domain Failed” Error?
How to Check Secure Channel Between Workstation and the Primary Domain?
You can verify that the local computer password is in sync with the computer account password on the domain controller using the Test-ComputerSecureChannel cmdlet. You can use the simple form:
Test-ComputerSecureChannel
Or you can add the –Verbose switch parameter:
Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation “Test-ComputerSecureChannel” on target “Compname1”.
VERBOSE: The secure channel between the local computer and the domain theitbros.com is in good condition.
Fixing Trust Relationship by Domain Rejoin
First of all, open the Active Directory Users and Computers (ADUC) snap-in. Make sure the problematic computer account is present in the domain and is not disabled.
The most obvious old-school way to restore the trust relationship of your computer in the domain is:
- Reset the local Administrator password on the computer;
- Unjoin the computer from the domain to a workgroup;
- Reset the computer account in the domain using the ADUC console;
- Rejoin the computer to the domain;
- Reboot again.
Tip. It is important to make sure the time difference between the domain controller and the client computer is less than 5 minutes. To configure time synchronization in a domain, see the article Configuring NTP on Windows using GPO.
Reset-ComputerMachinePassword: How to Fix Failed Trust Relationship with PowerShell?
You can reset the computer password using the PowerShell cmdlet Reset-ComputerMachinePassword. This is the fastest and most convenient way to reset a computer’s password, and it doesn’t require a reboot. Unlike the Netdom utility, PowerShell 3.0 or newer is available on all Microsoft OSs starting with Windows 8/Server 2012. You can install it manually on Windows 7, Server 2008, and Server 2008 R2 (it also requires .NET Framework 4.0 or higher).
If you want to restore the trust relationship under a local Administrator, open an elevated PowerShell console and run this command:
Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin
- Server – the name of any domain controller;
- Credential – a domain user (with permission to add the computer to the domain) or a domain admin account.
Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith
A credentials window will appear, where you must type the domain account password.
Tip. You can also repair the secure channel between the computer and the Active Directory domain using the Test-ComputerSecureChannel PowerShell cmdlet:
Test-ComputerSecureChannel -Repair -Credential corp\dsmith
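Here is an added PowerShell example (not from the original article) that ties the Test-ComputerSecureChannel check from the earlier section together with the two repair paths in this one: it tests the channel, repairs it only when the check fails, and re-tests afterwards. The DC name and account are placeholders, and it must run in an elevated session as a local administrator on the affected machine.

```powershell
# Added example, not from the original article. Run elevated, as a LOCAL administrator,
# on the computer that shows the trust error. DC name and account are placeholders.
function Repair-WorkstationTrust {
    param(
        [string]$DomainController = 'lon-dc01',      # any reachable domain controller
        [string]$DomainAccount    = 'corp\dsmith',   # account allowed to reset the computer object
        [switch]$UseResetMachinePassword             # use Reset-ComputerMachinePassword instead of -Repair
    )
    # Non-destructive check first; -Verbose prints the domain name and channel state.
    if (Test-ComputerSecureChannel -Verbose) {
        Write-Host 'Secure channel is healthy; nothing to do.'
        return $true
    }

    # Prompt for the domain password rather than putting it on the command line.
    $cred = Get-Credential -UserName $DomainAccount -Message 'Domain account for trust repair'

    if ($UseResetMachinePassword) {
        # Sets a new machine account password on the DC and in the local LSA secret; no reboot needed.
        Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
    } else {
        # -Repair re-establishes the secure channel using the supplied credentials.
        Test-ComputerSecureChannel -Repair -Credential $cred | Out-Null
    }

    # Verify again so the result reflects the real state, not just the attempt.
    $ok = Test-ComputerSecureChannel
    Write-Host ("Secure channel after repair: {0}" -f $(if ($ok) { 'OK' } else { 'STILL BROKEN' }))
    return $ok
}

# Usage
Repair-WorkstationTrust -DomainController 'lon-dc01' -DomainAccount 'corp\dsmith'
```

If the function still returns False, check the time skew mentioned in the tip above before retrying, since Kerberos will reject a client whose clock is more than 5 minutes off the DC.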
Using Netdom resetpwd to Fix Trust Relationship Failed without Reboot
The Netdom utility has been available in Windows Server since the 2008 version. It can be installed on a client PC as part of the RSAT (Remote Server Administration Tools) package. The method is fast and efficient. To use it, log in to the target system with the local Administrator (!!!) credentials (by typing .\Administrator in the logon window), open an elevated cmd.exe prompt, and run the following command:
Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password
- Server – the name of any domain controller;
- UserD – username with domain admin or delegated privileges;
- PasswordD – admin password.
Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$
After the command completes successfully, a reboot is not required. Just log out of the local account and log in with domain credentials.
You can check a secure connection with the AD domain using Netdom with the following command:
Netdom Verify WK_Salary12 /Domain:corp.contoso.com /UserO:dsmith /PasswordO:*
This method does not always work: it’s not always possible to authenticate to the domain controller under the administrator account from a computer with a broken trust relationship.
Reset Active Directory Secure Channel and Computer Password Using NLTEST
In addition, you can reset the computer password in the domain and the secure channel using the built-in Nltest tool:
You can check that the secure channel has been successfully reestablished using the following command:
The following strings confirm that the trust relationship has been repaired:
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
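An added PowerShell example (not from the original article) that scripts the Nltest verification: it runs the standard nltest /sc_verify switch and parses the two status lines above, so the same check can be looped over many hosts. The domain name is a placeholder and the sample output is constructed.

```powershell
# Added example, not from the original article. /sc_verify and /sc_reset are standard
# nltest.exe switches; the domain name below is a placeholder.

# Parses the two status lines that prove a repaired trust (see the output above).
function ConvertFrom-NltestOutput {
    param([string]$Text)
    $conn   = [regex]::Match($Text, 'Trusted DC Connection Status Status = (\d+) 0x[0-9a-fA-F]+ (\w+)')
    $verify = [regex]::Match($Text, 'Trust Verification Status = (\d+) 0x[0-9a-fA-F]+ (\w+)')
    [pscustomobject]@{
        ConnectionOk    = ($conn.Success   -and $conn.Groups[1].Value   -eq '0')
        VerificationOk  = ($verify.Success -and $verify.Groups[1].Value -eq '0')
        ConnectionMsg   = $(if ($conn.Success)   { $conn.Groups[2].Value }   else { 'line not found' })
        VerificationMsg = $(if ($verify.Success) { $verify.Groups[2].Value } else { 'line not found' })
    }
}

# Runs the real check on this host and returns the parsed result.
function Test-SecureChannelWithNltest {
    param([string]$Domain = 'theitbros.com')
    $output = & nltest.exe /sc_verify:$Domain 2>&1 | Out-String
    ConvertFrom-NltestOutput -Text $output
}

# Constructed sample of a healthy /sc_verify result, built around the two lines from the article.
$sample = @"
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\lon-dc01.theitbros.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
"@
ConvertFrom-NltestOutput -Text $sample   # ConnectionOk and VerificationOk are both True

# On a host with a broken channel: reset it, then verify again.
# & nltest.exe /sc_reset:theitbros.com ; Test-SecureChannelWithNltest -Domain 'theitbros.com'
```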
Fixing: The security database on the server does not have a computer account for this workstation trust relationship
When the error “The security database on the server does not have a computer account for this workstation trust relationship” appears, check the domain controller event logs for Event ID 2974:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PC1,OU=Computers,DC=theitbros,DC=com Winerror: 8647
Make sure your computer object has a populated SPN property value in the following format:
You can copy the computer FQDN (Fully Qualified Domain Name) from the dNSHostName attribute. If these SPN records are missing, you must create them manually.
Now restart your computer and try to log on with domain credentials.
Duplicated SPNs in the domain can be found using the ldifde utility:
ldifde -f C:\ps\SPNList.txt -t 3268 -d DC=theitbros,DC=com -l serviceprincipalname -r (serviceprincipalname=*)
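As an added example (not from the original article), this PowerShell performs the same duplicate-SPN search with the ActiveDirectory module and also checks that a computer object carries its HOST/ SPNs, which is the quickest way to spot the missing entries the section above tells you to recreate. The domain DN and computer name are placeholders.

```powershell
# Added example, not from the original article. Assumes RSAT ActiveDirectory module;
# the domain DN and computer name are placeholders.
Import-Module ActiveDirectory

# Returns every SPN registered on more than one object, the condition behind Event ID 2974.
function Get-DuplicateSpns {
    param([string]$SearchBase = 'DC=theitbros,DC=com')
    # Query a Global Catalog (port 3268) so the whole forest is covered, as the ldifde command does.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0] + ':3268'
    Get-ADObject -Server $gc -SearchBase $SearchBase -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName |
      ForEach-Object {
          $dn = $_.DistinguishedName
          $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ SPN = $_; Object = $dn } }
      } |
      Group-Object -Property SPN |
      Where-Object { $_.Count -gt 1 } |
      ForEach-Object { [pscustomobject]@{ SPN = $_.Name; Objects = ($_.Group.Object -join '; ') } }
}

# A computer account normally carries HOST/<name> and HOST/<dNSHostName>.
# Returns the expected HOST/ SPNs that are missing from the object.
function Get-MissingHostSpns {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, dNSHostName
    $expected = @("HOST/$($c.Name)", "HOST/$($c.dNSHostName)")
    $expected | Where-Object { $c.servicePrincipalName -notcontains $_ }
}

# Usage
Get-DuplicateSpns | Format-Table -AutoSize
$missing = Get-MissingHostSpns -ComputerName 'PC1'
if ($missing) { Write-Host "Missing SPNs on PC1: $($missing -join ', ')" }
# To recreate them on the object:  Set-ADComputer -Identity 'PC1' -ServicePrincipalNames @{ Add = $missing }
```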
As you can see, it’s quite easy to solve the Trust relationship failed issue in a domain! Hope this was useful for you!