Active Directory

Trust relationship between this workstation and the primary domain failed

When you log on to a Windows computer that is a member of a domain, you may receive the following error message:

The trust relationship between this workstation and the primary domain failed.

What causes this error?

The "trust relationship between this workstation and the primary domain failed" error occurs when the domain no longer trusts the computer. Netlogon cannot establish a secure channel between the workstation and Active Directory because the machine account password stored locally on the computer (in its LSA secrets) no longer matches the password stored on the computer object in Active Directory.

Here are a few common scenarios in which this issue occurs:

  • Reinstalling Microsoft Windows while the old computer object still exists in AD.
  • Performing a Windows reset.
  • Restoring a virtual machine from an older snapshot or checkpoint.
  • Restoring a device from an older image or backup, or moving an installation to different hardware.
  • Cloning a device without running Sysprep first, so two machines share one account.

How does this error come about?

A computer account is created in AD when you join a workstation to an Active Directory domain. Like a user account, this computer account has a password. By default the workstation itself changes that password every 30 days (the Netlogon policy "Domain member: Maximum machine account password age"), and the new value is written both to the workstation's local LSA secrets and to the computer object in AD.

When a machine "logs on" to Active Directory (after a reboot and before a user signs in), Netlogon uses the stored password to set up a secure channel with the nearest domain controller (DC):

  • If the local password and the one stored in AD match, the secure channel comes up, the computer authenticates, and domain logons work normally.
  • The password change is initiated by the client, so a machine that is simply offline does not rotate its password and being away from the network does not by itself break the trust. What breaks it is any event that makes the local copy and the AD copy diverge: a restored snapshot or image, a clone, a reinstall, or a deleted and recreated computer object. A DC also accepts the previous machine password, so a snapshot that is one rotation behind usually still authenticates; one that is further behind does not.

Other causes seen in practice:

  • Corruption of the computer account object in AD.
  • A cleanup policy or script that disables or deletes computer accounts after x days without authenticating.
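To see which side of the trust is broken before touching anything, the following diagnostic helper can be run in an elevated PowerShell session on the affected workstation. It is an added example, not code from the original article: it checks whether the secure channel is healthy (Test-ComputerSecureChannel), asks Netlogon which DC the channel was bound to (nltest /sc_query), reads the local Netlogon rotation settings from the registry, and, if the ActiveDirectory module is installed, reads PasswordLastSet from the computer object so you can compare it with the age of the image or snapshot you restored. The function name is my own; the optional domain credential is assumed to be one that can read the computer object even though the workstation's own secure channel is down.

```powershell
# Added diagnostic helper; not part of the original article. Run in an
# elevated PowerShell on the affected workstation. Assumes nltest.exe and the
# Netlogon parameters key, both present on any domain-joined Windows client.
function Get-MachineTrustState {
    [CmdletBinding()]
    param(
        # Optional domain credential so PasswordLastSet can be read from AD
        # even when this workstation's own secure channel is broken.
        [pscredential] $Credential
    )

    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $domain = $cs.Domain

    # Local policy values that control rotation of the machine account password.
    # MaximumPasswordAge is in days (default 30); DisablePasswordChange=1 stops rotation.
    $nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

    # $true only if the locally stored machine password still authenticates to a DC.
    $healthy = $false
    try { $healthy = [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { }

    # Which DC (if any) the secure channel was established to, and its last status.
    $scQuery = (& nltest.exe /sc_query:$domain 2>&1) -join [Environment]::NewLine

    # When AD last recorded a new password on the computer object. Needs RSAT's
    # ActiveDirectory module; skipped silently if it is not installed or the query fails.
    $pwdLastSet = $null
    if ($cs.PartOfDomain -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        try {
            $p = @{ Identity = $env:COMPUTERNAME; Properties = 'PasswordLastSet'; ErrorAction = 'Stop' }
            if ($Credential) { $p.Credential = $Credential }
            $pwdLastSet = (Get-ADComputer @p).PasswordLastSet
        } catch { }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Domain                 = $domain
        PartOfDomain           = $cs.PartOfDomain
        SecureChannelHealthy   = $healthy
        MaximumPasswordAgeDays = $nl.MaximumPasswordAge
        PasswordChangeDisabled = ($nl.DisablePasswordChange -eq 1)
        AdPasswordLastSet      = $pwdLastSet
        NltestScQuery          = $scQuery
    }
}

Get-MachineTrustState | Format-List
```

If SecureChannelHealthy is $false while AdPasswordLastSet is newer than the snapshot or image you restored, the local copy of the password is the stale one and the repairs below apply. If the computer object cannot be found at all, the account was deleted or disabled on the AD side and a reset of the existing object will not help; the machine has to be rejoined.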

Resolution

  • Reset Computer Account

You can reset a computer account with the Active Directory Users and Computers tool, which is installed on servers that hold the Active Directory Domain Services role (or on any machine with RSAT). The process is straightforward and is the same on server operating systems from Windows Server 2003 to Windows Server 2016. Note that resetting the account only changes the AD side: it sets the computer object's password back to its initial default, which is the lowercase computer name. The workstation still holds its old password, so after the reset you must rejoin the computer or reset the machine password from the client as described in the next sections, and you should do so promptly, because until then anyone who knows the computer name can authenticate as that computer account.

  1. Press Win+R, type dsa.msc and press Enter to open Active Directory Users and Computers.
  2. Expand the domain name. In our example it is Windowstechno.local.
  3. Select the Computers container (or the OU that holds the account).
  4. Navigate to the computer account that can no longer connect to the domain. In our example it is SRV01.
  5. Right-click the computer and choose Reset Account.


  • Rejoin the computer to the domain

To resolve this issue, remove the computer from the domain (move it to a workgroup), and then join the computer to the domain again. Leaving and rejoining writes a fresh machine account password to both the workstation and the computer object, which is what re-establishes the trust.

  1. Use a local administrator account to log on to the computer.

  2. Select Start, press and hold (or right-click) Computer > Properties.

  3. Select Change settings next to the computer name.

  4. On the Computer Name tab, select Change.

  5. Under the Member of heading, select Workgroup, type a workgroup name, and then select OK.

  6. When you are prompted to restart the computer, select OK.

  7. On the Computer Name tab, select Change again.

  8. Under the Member of heading, select Domain, and then type the domain name.

  9. Select OK, and then type the credentials of an account that has permission to join computers to the domain.

  10. When you are prompted to restart the computer, select OK.

  11. Restart the computer.

Reset the machine account password by running a script

Instead of leaving and rejoining the domain, you can reset the machine account password from the affected computer itself with Reset-ComputerMachinePassword. Run the following on the machine where the issue occurs, from an elevated PowerShell session opened with a local administrator account:

  1. Copy the script below into a text file and save it with a .ps1 extension.
    # Domain account allowed to reset the computer account password
    $credential = Get-Credential
    # The -Server parameter expects the name of a domain controller, not the bare domain name
    $serverstr = Read-Host -Prompt 'Enter domain controller name'
    # Writes a new machine password both locally and on the computer object in AD
    Reset-ComputerMachinePassword -Credential $credential -Server $serverstr
  2. Run the script with local admin privileges using PowerShell 3.0 or later.
  3. When prompted, enter domain credentials with permission to reset the computer account password (a domain admin, or an account delegated Reset Password on the computer object).
  4. At the PowerShell prompt, type the name of a domain controller, press Enter, and then restart the computer so that Netlogon and Kerberos pick up the new password.
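Putting the client-side fixes together, the following helper is an added example (my own code, not from the article) that first tries the least invasive repair, Test-ComputerSecureChannel -Repair, which rotates the machine password over an authenticated connection without leaving the domain, falls back to Reset-ComputerMachinePassword if that fails, and then verifies the secure channel against the same domain controller so that replication lag to other DCs cannot produce a false negative. The function name and the DC name in the usage comment are placeholders I chose; run it from an elevated PowerShell session on the affected workstation.

```powershell
# Added example, not part of the original article. Run elevated on the affected
# workstation. Assumes the named DC is reachable and $Credential can reset the
# password on the computer object.
function Repair-MachineTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]        $DomainController,
        [Parameter(Mandatory)] [pscredential]  $Credential
    )

    # Nothing to do if the stored machine password still works.
    if (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue) {
        Write-Verbose 'Secure channel is already healthy; no change made.'
        return $true
    }

    # Attempt 1: -Repair sets a new machine password through the supplied domain
    # credential and re-establishes the secure channel, no unjoin/rejoin required.
    try {
        if (Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential -ErrorAction Stop) {
            Write-Verbose 'Secure channel repaired with Test-ComputerSecureChannel -Repair.'
            return $true
        }
    } catch {
        Write-Warning "Repair attempt failed: $($_.Exception.Message)"
    }

    # Attempt 2: force a new machine password directly against the named DC.
    try {
        Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential -ErrorAction Stop
    } catch {
        Write-Warning "Reset-ComputerMachinePassword failed: $($_.Exception.Message)"
        return $false
    }

    # Verify against the same DC that just wrote the password; other DCs may not
    # have replicated it yet and would still report the channel as broken.
    $ok = [bool](Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue)
    if ($ok) { Write-Verbose 'Secure channel verified after password reset. Restart the computer.' }
    return $ok
}

# Usage (prompts for the domain credential; the DC name is a placeholder):
# $cred = Get-Credential -Message 'Domain account with Reset Password rights on the computer object'
# Repair-MachineTrust -DomainController 'DC01.windowstechno.local' -Credential $cred -Verbose
```

If both attempts return $false, the computer object is usually missing or disabled on the AD side, and the unjoin/rejoin procedure above is the remaining option. Whichever path succeeds, restart the workstation afterwards: services that already failed their machine logon, and any cached Kerberos tickets, are not refreshed by the password change alone.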

Access the workstation using its local account

If you do not want to rejoin the machine to the domain, or if rejoining fails, you can still sign in to the workstation with a local account (for example the built-in Administrator, if it is enabled). This does not repair the trust; it only gives you a session from which to copy data or run the repairs above.


Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno