Fix Trust relationship failed issue without domain rejoining

In this article, we discuss the causes of the Trust relationship failed error and several ways to restore the secure channel between a workstation and the Active Directory domain.

When does this error appear? Typically when a user tries to log on to a workstation or server with domain account credentials: after entering the username and password, a window with one of the following error messages appears:

The trust relationship between this workstation and the primary domain failed

Or the error looks like this:

The security database on the server does not have a computer account for this workstation trust relationship


Let’s try to understand what this error means and how to fix it.

Active Directory Machine Account Password

When you join a computer to an Active Directory domain, a new computer account is created for the device and a password is set for it (just as for AD users). Trust at this level is ensured by the fact that the domain join is performed by a domain administrator or another user with delegated administrative permissions.

Each time a domain computer logs on to the AD domain, it establishes a secure channel with the nearest domain controller and sends its computer credentials. Trust is then established between the workstation and the domain, and further interaction is governed by administrator-defined security policies.

By default, the computer account password is valid for 30 days and is then changed automatically. Keep in mind that the password is changed by the computer itself, according to the configured domain Group Policy; the process is similar to a user password change.

Tip. You can configure the maximum account password age for domain computers using the GPO parameter Domain member: Maximum machine account password age, which is located in the following Group Policy editor section: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. You can specify a number of days between 0 and 999 (the default is 30 days).

You can configure the machine account password policy for a single computer through the registry. To do this, run regedit.exe and go to the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key. Edit the MaximumPasswordAge parameter and set the maximum validity period of the computer password in the domain (in days). Another option is to disable the computer account password change completely by setting the REG_DWORD parameter DisablePasswordChange to 1.


The Active Directory domain stores the current computer password as well as the previous one. If the password has been changed twice, a computer that is still using an old password will not be able to authenticate to the domain controller and establish a secure channel.

Computer account passwords do not expire in Active Directory, because the domain password policy does not apply to AD computer objects. The computer uses the NETLOGON service to change the password automatically during the next domain logon if its password is older than 30 days (note that the local computer password is controlled by the computer itself, not by AD).


The computer tries to change its password on the domain controller, and only after a successful change does it update its local password (a local copy of the password is stored in the registry key HKLM\SECURITY\Policy\Secrets\$machine.ACC).

You can view the last password set time for a computer account in the AD domain using the PowerShell cmdlet Get-ADComputer (from the Active Directory module for Windows PowerShell). Run the command with the computer name:

get-adcomputer -Identity Lon-Com212 -Properties PasswordLastSet


Therefore, even if the computer was not powered on for several months, the trust relationship between the computer and the domain remains, and the computer password will be changed the first time the workstation registers in the domain again.
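The following script is an added example (not from the original article) that ties the two settings above together: it reads the local Netlogon password-change parameters from the registry and then lists domain computers whose account password has not been rotated for more than twice that age. It assumes the ActiveDirectory RSAT module is installed on a domain-joined machine.

```powershell
# Added example: compare the local Netlogon password-change settings with the
# age of computer account passwords stored in AD. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined machine with rights to read computer objects.
Import-Module ActiveDirectory

function Get-LocalMachinePasswordPolicy {
    # Values live under the Netlogon\Parameters key described in the article;
    # when MaximumPasswordAge is absent, Windows uses the 30-day default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
    }
}

function Get-StaleComputerPasswords {
    param(
        # AD keeps only the current and the previous password, so a computer that
        # missed two rotations on the AD side can no longer authenticate.
        # An old PasswordLastSet by itself does not break trust (the machine may
        # simply have been off); it flags machines worth checking for cloning,
        # restored snapshots, or DisablePasswordChange having been set.
        [int]$MaxAgeDays = 30,
        [int]$Multiplier = 2
    )
    $cutoff = (Get-Date).AddDays(-($MaxAgeDays * $Multiplier))
    Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
                   -Properties PasswordLastSet, LastLogonDate |
        Select-Object Name, PasswordLastSet, LastLogonDate,
            @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordLastSet
}

$policy = Get-LocalMachinePasswordPolicy
$policy
Get-StaleComputerPasswords -MaxAgeDays $policy.MaximumPasswordAgeDays
```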

What is the Cause for “The Trust Relationship between this Workstation and the Primary Domain Failed” Error?

This error indicates that the computer is no longer trusted and is disconnected from Active Directory, because the local computer password does not match the password of the computer object stored in the AD database.

The trust relationship may fail if the computer tries to authenticate to the domain with an invalid password. Typically this happens after reinstalling Windows, after the system state was restored from an image (backup) or a virtual machine snapshot, or after cloning a computer without running sysprep. In these cases the current password on the local computer and the password stored for the computer object in the AD domain differ.

How to Check Secure Channel between Workstation and the Primary Domain?

You can verify that the local computer password is in sync with the computer account password on the domain controller using the Test-ComputerSecureChannel cmdlet. You can use the simple form:

Test-ComputerSecureChannel


Or you can add the -Verbose switch parameter:

Test-ComputerSecureChannel -Verbose


VERBOSE: Performing the operation “Test-ComputerSecureChannel” on target “Compname1”.

True

VERBOSE: The secure channel between the local computer and the domain theitbros.com is in good condition.

Fixing Trust Relationship by Domain Rejoin

First of all, open the Active Directory Users and Computers snap-in (ADUC) and make sure that the problem computer account is present in the domain and is not disabled.


The most obvious old-school way to restore the trust relationship of your computer in the domain is:

  1. Reset the local Administrator password on the computer;
  2. Unjoin the computer from the domain to a workgroup;
  3. Reboot;
  4. Reset the computer account in the domain using the ADUC console;
  5. Rejoin the computer to the domain;
  6. Reboot again.

This method is the simplest, but it is neither the fastest nor the most convenient, and it requires several reboots. We have also seen cases where local user profiles are not reattached correctly after the computer rejoins the domain.


We will show how to re-establish the trust relationship and restore the secure channel without a domain rejoin or a reboot!

Tip. It is extremely important to make sure that the time difference between the domain controller and the client computer is less than 5 minutes. To properly configure time synchronization in a domain, see the article Configuring NTP on Windows using GPO.

Reset-ComputerMachinePassword: How to Fix Failed Trust Relationship with PowerShell?

You can reset the computer password using the PowerShell cmdlet Reset-ComputerMachinePassword. This is the fastest and most convenient way to reset the password of a computer, and it doesn’t require a reboot. Unlike the Netdom utility, PowerShell 3.0 or newer is available on all Microsoft OSs starting with Windows 8/Server 2012. It can be installed manually on Windows 7, Server 2008 and Server 2008 R2 (this also requires .NET Framework 4.0 or higher).

If you want to restore the trust relationship while logged on as a local Administrator, open an elevated PowerShell console and execute this command:

Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin

  • Server – the name of any domain controller;
  • Credential – a domain user (with permission to add the computer to the domain) or a domain admin account.

For example:

Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith


The credentials window will appear and you must type the domain account password.

The cmdlet doesn’t display any message on success, so just log on again under a domain account; no reboot is required.

If you receive the error message “The RPC server is unavailable” or “An Active Directory Domain Controller (AD DC) for the domain could not be contacted” when running the Reset-ComputerMachinePassword cmdlet, check the DNS settings on your computer and the DNS zones by following the guide Active Directory domain controller could not be contacted.

Tip. You can also repair the secure channel between the computer and the Active Directory domain using the PowerShell cmdlet Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\dsmith
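The PowerShell fix described in this section, wrapped into one script as an added example (not the article's own code): it tests the secure channel, checks the clock skew against the domain controller (the 5-minute limit from the tip above), prompts for domain credentials instead of taking a password on the command line, resets the machine password, and re-tests. The domain controller name lon-dc01 is an assumed placeholder; run it from an elevated console while logged on as a local administrator.

```powershell
# Added example: check, and if necessary repair, the secure channel without a
# reboot. Assumes PowerShell 3.0+ on the workstation and an elevated console.
param(
    [string]$Server = 'lon-dc01',      # any domain controller (assumed name)
    [int]$MaxSkewSeconds = 300         # Kerberos tolerates 5 minutes by default
)

function Get-ClockSkewSeconds {
    param([string]$Computer)
    # w32tm /stripchart /dataonly prints samples such as "12:00:00, +00.0123456s";
    # return the absolute offset of the sample, or $null if the DC did not answer.
    $out = & w32tm /stripchart /computer:$Computer /samples:1 /dataonly 2>&1
    $m = [regex]::Match(($out -join "`n"), '([+-]\d+\.\d+)s')
    if ($m.Success) { return [math]::Abs([double]$m.Groups[1].Value) }
    return $null
}

function Repair-DomainTrust {
    param([string]$Server, [int]$MaxSkewSeconds)

    if (Test-ComputerSecureChannel -Verbose) {
        Write-Host 'Secure channel is healthy; nothing to do.'
        return $true
    }

    $skew = Get-ClockSkewSeconds -Computer $Computer
    if ($null -eq $skew) {
        Write-Warning "Could not measure clock skew against $Server (check DNS and RPC reachability)."
    } elseif ($skew -gt $MaxSkewSeconds) {
        Write-Warning "Clock skew is $skew s; fix time synchronization before resetting the password."
        return $false
    }

    # Prompt for a domain account allowed to reset this computer account;
    # the password never appears on the command line or in the console history.
    $cred = Get-Credential -Message 'Domain account with rights to reset this computer account'
    Reset-ComputerMachinePassword -Server $Server -Credential $cred

    # Re-test: True means the local password now matches the AD computer object.
    return Test-ComputerSecureChannel -Verbose
}

Repair-DomainTrust -Server $Server -MaxSkewSeconds $MaxSkewSeconds
```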

Using Netdom resetpwd to Fix Trust Relationship Failed without Reboot

The Netdom utility has been included in Windows Server since the 2008 version. On a client PC it can be installed as part of the RSAT (Remote Server Administration Tools) package. The method is fast and efficient. To use it, log on to the target system with the local Administrator (!!!) credentials (by typing .\Administrator in the logon window), open an elevated cmd.exe prompt and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

  • Server – the name of any domain controller
  • UserD – username with domain admin or delegated privileges
  • PasswordD – admin password

For example:

Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$


After successful execution of this command, no reboot is required: just log out of the local account and log in with domain credentials.

You can check a secure connection with the AD domain using Netdom with the following command:

Netdom Verify WK_Salary12 /Domain:corp.contoso.com /UserO:dsmith /PasswordO:*

This method does not always work, because it is not always possible to authenticate to the domain controller under an administrator account from a computer with a broken trust relationship.


Reset Active Directory Secure Channel and Computer Password Using NLTEST

In addition, you can reset the computer’s password in the domain and secure channel using the built-in Nltest tool:

Nltest /sc_change_pwd:corp.Contoso.com

This command tries to repair the secure channel by resetting the password both on the local computer and on the computer object in the domain, and it doesn’t require a domain rejoin or a reboot.

However, unlike Netdom and Reset-ComputerMachinePassword, which allow you to specify user credentials, Nltest works in the context of the current user. Accordingly, if you log on to the computer under a local account and try to execute the command, you will receive an access denied error. Because of this, the method doesn’t always work.

You can check that the secure channel has been successfully reestablished using the following command:

nltest /sc_verify:corp.contoso.com


The following strings confirm that the trust relationship has been repaired:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success

Fixing: The security database on the server does not have a computer account for this workstation trust relationship

When the error “The security database on the server does not have a computer account for this workstation trust relationship” appears, check the domain controller event logs for Event ID 2974:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PC1,OU=Computers,DC=theitbros,DC=com  Winerror: 8647

This indicates that the SPN (Service Principal Name) attribute of the computer account in AD is not properly populated, or that several computers in the domain have the same value in the servicePrincipalName attribute.

Find the problem computer object in the ADUC console, go to the Attribute Editor tab and check the value of the servicePrincipalName attribute.

Make sure your computer object has a populated SPN property value in the following format:

  • HOST/computername1
  • HOST/computername1.theitbros.com
  • RestrictedKrbHost/computername1
  • RestrictedKrbHost/computername1.theitbros.com
  • TERMSRV/computername1
  • TERMSRV/computername1.theitbros.com

You can copy the computer FQDN (Fully Qualified Domain Name) from the dNSHostName attribute. If these SPN records are missing, you must create them manually.


Now restart your computer and try to logon under domain credentials.

Duplicate SPNs in the domain can be found using the ldifde utility:

ldifde -f C:\ps\SPNList.txt -t 3268 -d DC=theitbros,DC=com -l serviceprincipalname -r (serviceprincipalname=*)
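As an added example (not from the original article), the same SPN checks can be done with the Active Directory PowerShell module: audit one computer object for the six SPNs listed above, add only the missing ones (previewed with -WhatIf), and find servicePrincipalName values that occur on more than one object by querying the global catalog on port 3268, as the ldifde command does. The computer name PC1 and the global catalog lon-dc01 are assumed placeholders.

```powershell
# Added example: audit and repair computer SPNs, and find duplicate SPNs forest-wide.
# Assumes the ActiveDirectory module; 'PC1' and 'lon-dc01:3268' are placeholders.
Import-Module ActiveDirectory

function Get-ExpectedComputerSpns {
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, servicePrincipalName
    # The six SPNs from the article, built from the object's own name and dNSHostName.
    $expected = foreach ($svc in 'HOST', 'RestrictedKrbHost', 'TERMSRV') {
        "$svc/$($c.Name)"; "$svc/$($c.dNSHostName)"
    }
    [pscustomobject]@{
        Computer = $c.Name
        Missing  = @($expected | Where-Object { $c.servicePrincipalName -notcontains $_ })
        Present  = @($c.servicePrincipalName)
    }
}

function Add-MissingComputerSpns {
    param([string]$ComputerName, [switch]$WhatIf)
    $audit = Get-ExpectedComputerSpns -ComputerName $ComputerName
    if ($audit.Missing.Count -eq 0) { Write-Host "${ComputerName}: all expected SPNs present"; return }
    # Only the missing values are added; -WhatIf previews the change without writing.
    Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = $audit.Missing } -WhatIf:$WhatIf
}

function Find-DuplicateSpns {
    # An empty SearchBase against a global catalog searches the whole forest.
    param([string]$GlobalCatalog = 'lon-dc01:3268')
    $objs = Get-ADObject -Server $GlobalCatalog -SearchBase '' -SearchScope Subtree `
              -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    $objs | ForEach-Object {
        $dn = $_.DistinguishedName
        $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ SPN = $_; Owner = $dn } }
    } | Group-Object SPN | Where-Object Count -gt 1 |
        Select-Object @{ n = 'SPN'; e = { $_.Name } }, @{ n = 'Owners'; e = { $_.Group.Owner -join '; ' } }
}

Get-ExpectedComputerSpns -ComputerName 'PC1'
Add-MissingComputerSpns  -ComputerName 'PC1' -WhatIf
Find-DuplicateSpns
```

Any SPN returned by Find-DuplicateSpns with more than one owner is the condition Event ID 2974 reports, and the value must be removed from all but the correct object before the affected computer can log on again.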

As you can see, it is quite easy to fix the Trust relationship failed issue in a domain! We hope this was useful for you!

Cyril Kardashevsky

11 comments

  1. Hi

    I am searching for information on WHEN a shut-down computer loses contact with AD and needs to be rejoined.

    This article first states that, despite the password expiring in 30 days, the computer will fix that during the first startup, even if it's down for a few months.

    Later, the article states that the trust relationship will fail due to the computer being turned off for a long time.

    So, at first glance it states: computers will not expire/lose contact with AD despite being shut down for a long time, at least a few months. But still, if shut down for a long time they will lose the trust relationship anyhow.

  2. hi

    I have serious issues!

    I have LAPS on my domain,

    1. trust relationship failed! —-> so no domain logon possible

    2. LAPS not helping when we don't have a trust relationship (+ local admin removal policy enabled) —-> so no local logon possible

    What should I do?!!

  3. Unplug the computer from the network. You can then log on using cached credentials on the PC provided you have logged on to the PC at least once as a domain admin. Replace the network cable and reset the secure channel.

  4. Thank you so much for this information.
    Here is how I fixed it (local admin was deactivated)
    1. Try login -> doesn't work
    2. Remove network connection (unplug ethernet)
    3. Login with domain credentials
    4. PS: Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin
    5. Logout
    6. Plug-in Ethernet
    7. Try login -> works

  5. This resolved my issue by using the PowerShell option. Thanks for explaining everything! You saved my bacon!
    –Wheels

  6. So I have had this happen to my entire system. Every server I had has lost the trust relationship. What would cause this to happen? This has caused some serious outages and disruptions. I still have a couple of servers that lose the Trust relationship randomly.

    Is it possible that a user account could be the problem? The reason I ask is because I use a very specific UN: and PW: for the services running on every server.
