Microsoft Windows AD: Fix Trust relationship Failed Issue Without Domain Rejoining

A failed trust relationship between a workstation and the domain is a common problem for AD administrators. When it occurs, domain users can’t log in to their domain-joined computer and receive one of the following errors:

The trust relationship between this workstation and the primary domain failed.

Or:

The security database on the server does not have a computer account for this workstation trust relationship.

This article explains the possible causes of the Failed Trust Relationship error and how to restore a secure channel between the workstation and the Active Directory domain.

How to Fix Trust Relationship Issue without Domain Rejoining

To fix the problem, you need to log in to the problem computer with an account that has local administrator permissions. You can sign in to Windows with the local Administrator account (by typing “.\yourlocaladminuser” at the logon prompt), or unplug the network cable and log in with the cached credentials of a previously signed-in AD user (plug the cable back in after signing in to Windows).

Open an elevated PowerShell console and check the secure channel between the computer and the Active Directory domain:

Test-ComputerSecureChannel -Verbose

The secure channel between the local computer and the domain is broken.

If the command returns False, the trust between the workstation and the domain is broken and needs to be repaired.

Check your computer name:

hostname

Open the Active Directory Users and Computers snap-in (ADUC) and search for your computer account object. Make sure that this computer account exists and has not been disabled or removed from Active Directory.

Run the following PowerShell command to repair the secure channel with AD:

Test-ComputerSecureChannel -Repair -Credential contoso\administrator

In the Credential parameter, specify the credentials of a domain user with permission to join computers to AD (or reset this computer account), or your domain admin account.

If the computer password has been successfully reset and synchronized with AD, the command returns:

The secure channel between the local computer and the domain was successfully repaired.

Check that the trust relationship between the workstation and the domain has been restored:

Test-ComputerSecureChannel -Verbose

VERBOSE: The secure channel between the local computer and the domain contoso.com is in good condition.

This should help you to repair the trust relationship without rejoining the domain and rebooting.

Hint. Prior to the PowerShell 5.0 release, use a different command to repair a failed trust relationship:

Reset-ComputerMachinePassword -Credential corp\dsmith
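The repair procedure above, gathered into one script as an added example (not from the original article): it tests the secure channel, confirms in AD that the computer object still exists and is enabled (the check the article has you do in ADUC), and then repairs the channel, falling back to Reset-ComputerMachinePassword on PowerShell older than 5.0. It assumes you are signed in as a local administrator and a domain controller is reachable; it uses System.DirectoryServices with an explicit bind, so RSAT is not required.

```powershell
# Added example, not from the article: check, verify the AD object, then repair
# the secure channel without rejoining. Run in an elevated PowerShell console on
# the affected workstation while signed in as a local administrator.

$cs = Get-CimInstance Win32_ComputerSystem   # hostname and the domain the machine is joined to

if (Test-ComputerSecureChannel -Verbose) {
    Write-Host "Secure channel for $($cs.Name) is healthy; nothing to repair."
    return
}

# A local logon means the implicit LDAP bind would fail, so bind explicitly with a
# domain account that is allowed to reset this computer account.
$cred = Get-Credential -Message 'Domain account with rights to reset this computer account'
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
    "LDAP://$($cs.Domain)", $cred.UserName, $cred.GetNetworkCredential().Password
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($cs.Name)`$))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
$account  = $searcher.FindOne()

if (-not $account) {
    Write-Warning "No computer object '$($cs.Name)' found in $($cs.Domain). Re-create it or rejoin the domain."
    return
}
# userAccountControl bit 0x2 is ACCOUNTDISABLE
if ([int]$account.Properties['useraccountcontrol'][0] -band 0x2) {
    Write-Warning "Computer object $($account.Properties['distinguishedname'][0]) is disabled; enable it in ADUC first."
    return
}

# Test-ComputerSecureChannel -Repair needs PowerShell 5.0 or later (see the hint above)
if ($PSVersionTable.PSVersion.Major -ge 5) {
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
} else {
    Reset-ComputerMachinePassword -Credential $cred
}

if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel repaired for $($cs.Name); no reboot required."
} else {
    Write-Warning 'Repair failed; check connectivity to a domain controller and the account you supplied.'
}
```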

Rejoin the Failed Computer to the Active Directory Domain

Another classic way to fix the trust relationship is to reset the local admin password, unjoin the computer from the domain and rejoin it. Note that this requires rebooting the computer at least twice.

  1. Reset the local Admin password on the computer.

  2. Unjoin the computer from the domain to a workgroup. Open the System Properties dialog box (sysdm.cpl), click Change, select that the computer is a member of a Workgroup, type the workgroup name and hit OK.

  3. Restart the computer.

  4. Reset the computer account in the domain using the ADUC console.

  5. Join the computer to the domain under the same hostname.

  6. Reboot again.

The same task can be done using two PowerShell commands:

  1. Leave the domain and force the host to reboot:

Remove-Computer -UnjoinDomainCredential CONTOSO\AdminAccount -PassThru -Verbose -Restart

  2. Then sign in under the local administrator account and join your Windows host to Active Directory:

Add-Computer -DomainName CONTOSO -PassThru -Verbose -Restart

What is the Cause of a Failed Trust Relationship Error?

The cause of this problem is that the local machine account password doesn’t match the computer’s password stored in Active Directory. This password is generated when a computer object joins an AD domain and automatically changed every 30 days.

This machine account password is stored both in the Active Directory database and in a local registry key, and it is used to authenticate the computer in the domain. The computer won’t be able to establish a secure channel with the domain if these two passwords don’t match.

Typically, this can happen:

  • If you restore the machine from a backup or a VM snapshot;

  • After you reset or reinstall Windows;

  • After cloning a Windows device without first running Sysprep;

  • If the computer object in Active Directory has been manually reset or removed;

  • If there are duplicate objects in AD with the same host name or SPN;

  • If AD replication issues cause the computer password not to be synchronized to the logon DC;

  • If a domain controller restore (authoritative or non-authoritative) has been performed.

Computer account passwords don’t expire in Active Directory, and computer accounts are not affected by the domain password age policy. This means that even if you have not turned on your computer for a few months, the trust relationship between the computer and the domain remains healthy. In this case, the computer password will be changed the next time the workstation registers in the domain.
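A diagnostic for the causes listed above, as an added example (not from the original article): it reads when AD last recorded a machine password change for this computer (compare that date with the snapshot, restore or clone date), counts how many computer objects carry this host name (more than one points to the duplicate-object case), and shows the local Netlogon settings that drive the 30-day rotation. It assumes a reachable domain controller; pass -Credential when signed in with a local account. The function name and the Netlogon defaults shown are mine; the registry values themselves are the standard Netlogon parameters.

```powershell
# Added example, not from the article: report machine account password state in AD
# versus the local Netlogon rotation policy. Uses System.DirectoryServices (no RSAT).

function Get-MachinePasswordStatus {
    param([pscredential]$Credential)

    $cs = Get-CimInstance Win32_ComputerSystem
    if ($Credential) {
        $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
            "LDAP://$($cs.Domain)", $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        $root = [ADSI]"LDAP://$($cs.Domain)"
    }
    # Search by sAMAccountName across the whole domain so a duplicate in another OU shows up
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$($cs.Name)`$))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
    $searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'distinguishedName'))
    $results  = $searcher.FindAll()

    # pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC
    $lastSet = foreach ($r in $results) {
        [datetime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
    }
    $newest = $lastSet | Sort-Object | Select-Object -Last 1
    $daysSince = if ($newest) { [int]((Get-Date).ToUniversalTime() - $newest).TotalDays } else { $null }

    # Local Netlogon policy controlling automatic machine password rotation
    $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAge = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }  # 30 days when unset

    [pscustomobject]@{
        Computer             = $cs.Name
        Domain               = $cs.Domain
        ObjectsInAD          = $results.Count        # more than 1 = duplicate computer objects
        ADPasswordLastSet    = $lastSet              # compare with your snapshot/restore/clone date
        DaysSinceLastSet     = $daysSince
        MaxPasswordAgeDays   = $maxAge
        RotationDisabled     = [bool]$nl.DisablePasswordChange
        SecureChannelHealthy = Test-ComputerSecureChannel
    }
}

Get-MachinePasswordStatus | Format-List
```

A DaysSinceLastSet far larger than MaxPasswordAgeDays on a machine that was powered on the whole time, or an ADPasswordLastSet newer than the snapshot you just restored, is the mismatch the article describes.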