Trust Relationship between Workstation and Primary Domain failed

I can pretty much guarantee that if you work in a Windows Active Directory environment, you’ve probably had support calls from your users stating they cannot log into their computers because of the following error message, Trust relationship between workstation and primary domain failed.  Why does this happen? Well, there are several reasons but it has been my experience that the most common cause is the secure channel between the workstation and the domain controller gets mismatched therefore is broken.

trustrelationship1a

When a Computer account is joined to the domain, the Secure Channel password is stored with the computer account on the domain controller. By default this password will automatically change every 30 days. Upon starting the computer, Netlogon attempts to discover a DC. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with secure channel’s password between Workstation and DC’s then they may not synchronize with each other.

So this begs the question, why does the secure channel password break in the first place. This is often caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the workstation, causing an old (previous) machine account password to be presented to the domain controller. The secure channel password, held by the workstation, does not match the one held by the AD, hence the trust relationship between workstation and primary domain failed error. I just had another user call after hours with this issue. Check out the prompt I got when I logged on locally to the computer.

trustrelationship1b

There are few ways to fix this but I’m going to talk about using a little known method which prevents you from having to un-join and rejoin the workstation from the domain.

Log onto the troubled workstation with a local account (since you can not log on to the domain). Right-click Computer or My Computer and select Properties, then Advanced System Settings. Select the Computer Name tab, then select the Network ID button.

trustrelationship1

Follow the wizard. Leave the default of This computer is part of a business network…. and select Next

trustrelationship2

Leave the default, My company uses a network with a domain and select Next

trustrelationship3

You will be presented with the next window below stating you will need domain credential with the ability to add computers to Active Directory

trustrelationship4

Enter in your administrative account, password and domain

trustrelationship5

 

You will then be prompted with the following popup stating that An account for this computer <computer> has been found in the domain <domain>. Would you like to use this? Select Yes.

trustrelationship6

On the next window, select Do not add a domain user account and select Next.

trustrelationship7

Finally, select Finish and reboot the computer.

trustrelationship1c

Once the workstation has completed rebooting, you will be able to log on to the domain.

There you have it, use the Network ID button to reset a dis-joined computer account without having to manually unjoin the domain, reboot, replicate active directory and rejoin the domain. I’ll be honest, I went a long time before ever using this method to fix this issue. Who knew? I hope you find this helpful, if so, leave us a comment.

References

http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx

George Almeida

Welcome to my little corner of the blogosphere. I'm an Information Technology Director. I specialize in Windows operating systems, applications, servers, storage, networks and also have a technical background on the IBM iSeries platform. My only purpose for this blog is the hope that it helps someone, someday, somewhere. Any meager proceeds derived from our sponsors will be donated to charity.

You may also like...

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x