Trust Relationship between Workstation and Primary Domain failed
I can pretty much guarantee that if you work in a Windows Active Directory environment, you have had support calls from users saying they cannot log on to their computers because of the error "The trust relationship between this workstation and the primary domain failed." Why does this happen? There are several reasons, but in my experience the most common cause is that the secure channel between the workstation and the domain controller is broken because the machine account password held by the workstation no longer matches the one stored in Active Directory.
When a computer is joined to the domain, it gets a machine account password (the secure channel password), which is stored both in the workstation's LSA secrets and on the computer object in Active Directory. By default the workstation initiates a change of this password every 30 days (controlled by the Netlogon MaximumPasswordAge setting, or the "Domain member: Maximum machine account password age" Group Policy). On startup, Netlogon locates a domain controller and authenticates with the machine account password it holds. If that password no longer matches what the DC has, the secure channel cannot be established and the workstation cannot authenticate users against the domain.
This raises the question of why the secure channel password breaks in the first place. It is often caused by performing a Windows System Restore (or reverting to a previous backup or snapshot) on the workstation, which rolls the workstation back to an old machine account password. The DC keeps the current and the previous machine account password, so a restore less than one rotation interval old typically still works; anything older presents a password the DC no longer accepts, hence the "trust relationship between this workstation and the primary domain failed" error. I just had another user call after hours with this issue. Check out the prompt I got when I logged on locally to the computer.
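Before resetting anything it is worth confirming that the secure channel really is the problem and seeing how far the two sides have drifted. The following is an added example, not part of the original post: run the first part in an elevated Windows PowerShell session on the affected workstation (logged on with a local administrator account), and the last part from a machine that has the RSAT ActiveDirectory module. The domain name contoso.local, the DC name DC01 and the workstation name WS01 are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumed names: contoso.local, DC01, WS01.
$Domain = 'contoso.local'
$Dc     = "DC01.$Domain"

# 1. Can the workstation still authenticate its machine account to a DC?
#    Returns $true when the password in the local LSA secret is accepted by $Dc.
$channelOk = Test-ComputerSecureChannel -Server $Dc -Verbose
"Secure channel healthy: $channelOk"

# 2. Which DC Netlogon last used for the secure channel and the status it recorded.
nltest /sc_query:$Domain

# 3. How machine-password rotation is configured on this workstation.
#    MaximumPasswordAge is 30 days when the value is absent;
#    DisablePasswordChange = 1 means the workstation never rotates its password.
$p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
"MaximumPasswordAge (days): $maxAge"
"DisablePasswordChange: $([int]$p.DisablePasswordChange)"

# 4. From a machine with RSAT: when did AD last see this computer change its password?
#    If the workstation was restored from a snapshot older than PasswordLastSet
#    (minus one rotation interval), the two sides are holding different passwords.
Import-Module ActiveDirectory
Get-ADComputer -Identity 'WS01' -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, PasswordLastSet, LastLogonDate
```

If Test-ComputerSecureChannel returns $false and PasswordLastSet in AD is more recent than the snapshot or restore point the workstation was rolled back to, you have found the cause and the reset described below is the fix.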
There are a few ways to fix this, but I am going to talk about a little-known method that saves you from having to unjoin and rejoin the workstation to the domain.
Log on to the troubled workstation with a local administrator account (you cannot log on to the domain; if you have no local account, unplugging the network cable and logging on with a cached domain account that has local admin rights also works, because the secure channel failure only surfaces when a DC is reachable). Right-click Computer or My Computer and select Properties, then Advanced System Settings. Select the Computer Name tab, then click the Network ID button.
Follow the wizard. Leave the default of This computer is part of a business network… and select Next.
Leave the default, My company uses a network with a domain, and select Next.
You will be presented with the next window stating that you will need domain credentials with the ability to add computers to Active Directory.
Enter in your administrative account, password and domain
You will then be prompted with the following popup stating that An account for this computer <computer> has been found in the domain <domain>. Would you like to use this? Select Yes.
On the next window, select Do not add a domain user account and select Next.
Finally, select Finish and reboot the computer.
Once the workstation has completed rebooting, you will be able to log on to the domain.
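The Network ID wizard is doing the same thing you can script: generating a new machine account password, writing it to the local LSA secret and to the computer object in AD, and rebuilding the secure channel, all without unjoining. The block below is an added example, not the original post's method, and assumes an elevated Windows PowerShell session on the workstation while logged on as a local administrator; contoso.local, DC01 and CONTOSO\joinadmin are illustrative names.

```powershell
# Added example (not from the original post). Assumed names: contoso.local, DC01,
# and CONTOSO\joinadmin as a domain account permitted to reset the computer object.
$Domain = 'contoso.local'
$Dc     = "DC01.$Domain"
$Cred   = Get-Credential -UserName 'CONTOSO\joinadmin' `
                         -Message 'Domain account allowed to reset this computer object'

if (-not (Test-ComputerSecureChannel -Server $Dc)) {
    # Tears down and rebuilds the Netlogon secure channel with a freshly generated
    # machine account password. The computer object, its SID and its group
    # memberships are untouched, so no unjoin/rejoin and no reboot is required.
    Test-ComputerSecureChannel -Repair -Server $Dc -Credential $Cred -Verbose

    # If -Repair did not bring the channel back, force an explicit password reset
    # against the same DC and try once more.
    if (-not (Test-ComputerSecureChannel -Server $Dc)) {
        Reset-ComputerMachinePassword -Server $Dc -Credential $Cred
    }
}

# Verify. Pin the check to the DC the reset was done against: other DCs will only
# accept the new password once AD replication has delivered it to them.
Test-ComputerSecureChannel -Server $Dc
nltest /sc_verify:$Domain
```

Pinning both the repair and the verification to one DC matters: if the workstation's next logon attempt is routed to a DC that has not yet replicated the new password, you will see the same error again until replication catches up, which is exactly the "rejoin, reboot, replicate" delay this method is meant to avoid.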
There you have it: use the Network ID button to reset a disjoined computer account without having to manually unjoin the domain, reboot, wait for Active Directory replication, and rejoin the domain. I'll be honest, I went a long time before ever using this method to fix this issue. Who knew? I hope you find this helpful; if so, leave us a comment.