How to Fix Trust Relationship between this Workstation and the Primary Domain failed

A pretty common problem that most system administrators have seen at least once is the error “the trust relationship between this workstation and the primary domain failed”. This error occurs after you have logged in on a domain computer.

When this error occurs, you won’t be able to log in with any domain account on the computer; only a local account will work. The problem is that the trust relationship with the domain controller has failed.

In this article, we will look at how to quickly fix the error on a single computer and look at other options as well.

Trust Relationship has Failed Error

Before we take a look at how to fix the “trust relationship between this workstation and the primary domain failed” error, let’s take a quick look at what causes it. Understanding the cause can help you prevent the error in the future.


When a computer is joined to a domain, a password for the computer object is synced between the Active Directory and the computer. This password is renewed every 30 days automatically by default. If the passwords don’t match, then you will get the error message and won’t be able to log in.

The most common reasons that cause this error are:

  • Computer hasn’t been connected to the domain for more than 30 days
  • New computer with the same name added to the domain
  • Computer object is removed from the Active Directory
  • Cloned computer without using Sysprep
  • Restored an old backup of the computer
  • Replication issues between your domain controllers
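As an added example (not part of the original article), the script below checks the causes listed above from the Active Directory side: whether the computer object still exists, how old its password is relative to the 30-day rotation, and whether every domain controller agrees on that password date. It assumes the RSAT ActiveDirectory module is installed and that WS-EXAMPLE is a placeholder for the affected computer’s name.

```powershell
# Added example, not the article's own code. Run from a management workstation
# or DC that has the ActiveDirectory module (RSAT). It needs no access to the
# broken workstation, so it works while domain logons there are failing.
Import-Module ActiveDirectory

$ComputerName = 'WS-EXAMPLE'   # placeholder: name of the affected computer
$MaxAgeDays   = 30             # default machine password rotation interval

# Cause 3 (object removed): without an object the no-reboot repair cannot work.
$acct = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
            -Properties PasswordLastSet, LastLogonDate, Enabled, whenCreated
if (-not $acct) {
    Write-Warning "No computer object '$ComputerName' in AD: rejoin the domain instead."
    return
}

# Causes 1, 2, 4 and 5 (offline too long, duplicate name, clone, old backup)
# all show up as a password date that no longer matches what the workstation holds.
$age = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
Write-Host ("{0}: Enabled={1}  PasswordLastSet={2:yyyy-MM-dd} ({3} days ago)  LastLogon={4:yyyy-MM-dd}  Created={5:yyyy-MM-dd}" -f `
    $acct.Name, $acct.Enabled, $acct.PasswordLastSet, $age, $acct.LastLogonDate, $acct.whenCreated)
if ($age -gt $MaxAgeDays) {
    Write-Warning "Password is older than the $MaxAgeDays-day rotation; the computer may have been offline or restored from backup."
}

# Cause 6 (replication): every DC should report the same PasswordLastSet.
$dates = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $copy = Get-ADComputer -Identity $acct.DistinguishedName -Server $dc.HostName -Properties PasswordLastSet
        Write-Host ("  {0,-30} PasswordLastSet={1}" -f $dc.HostName, $copy.PasswordLastSet)
        $copy.PasswordLastSet
    } catch {
        Write-Warning "  $($dc.HostName): could not query ($($_.Exception.Message))"
    }
}
if (($dates | Sort-Object -Unique).Count -gt 1) {
    Write-Warning "Domain controllers disagree on the machine password date: check AD replication before repairing."
}
```

On the affected computer itself, the rotation interval is the MaximumPasswordAge value under HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which defaults to 30 days when the value is absent.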

How to Fix Trust Relationship between this Workstation and the Primary Domain failed

The easiest option to restore the trust relationship is to unjoin the computer from the domain and rejoin it again. This step requires a reboot but is easy to do and only takes 5 min in total. You will need to log in with the local admin account to perform the steps below:

Time needed: 5 minutes

  1. Login as local Administrator

    Make sure that you are logged in as local administrator on the computer

  2. Open the Computer Properties

    Open Start and type System. Select System from the suggested list. (Sometimes it’s listed a bit lower under Settings)
    Another option is to open the Explorer > Right-Click on This PC and choose Properties


  3. Open Domain or workgroup

    In the System settings, open the Domain or workgroup link

  4. Change the Computer domain or workgroup

    In the Computer Name tab, click on Change… to change the computer’s domain or workgroup


  5. Make it part of the Workgroup TEMP

    Under Member of, select Workgroup and enter the name Temp. Click on OK and enter the domain admin credentials.

  6. Restart the computer

    Click on OK again, and restart the computer.

  7. Re-join the Domain

    We can now rejoin the computer to the domain.

    Repeat the steps above, but make it a member of the domain in Step 5. You will need to reboot the computer one more time to complete the process.

We can also unjoin and rejoin the domain with PowerShell. The advantage of this method is that you don’t need to reboot between the two steps:

# Src : https://community.spiceworks.com/topic/2321591-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed#entry-9199478
# Replace "Domain", "AdminPW" and "AdminAccount" (use the DOMAIN\user form) with your own values.

$computer = Get-WmiObject Win32_ComputerSystem
# Unjoin: arguments are password, user name, options. Option 0 keeps the computer object in AD.
$computer.UnjoinDomainOrWorkGroup("AdminPW", "AdminAccount", 0)
# Join: arguments are domain, password, user name, OU ($null = default container), options.
# Option 3 = 1 (join domain) + 2 (create the computer account if it is missing).
$computer.JoinDomainOrWorkGroup("Domain", "AdminPW", "AdminAccount", $null, 3)
# Both methods return 0 on success; a single reboot at the end completes the rejoin.
Restart-Computer -Force

Repair Trust Relationship without Reboot

It’s also possible to repair the trust relationship without the need to unjoin and rejoin the domain. This method is particularly handy when you need to solve the problem on multiple computers. For the steps below to work, the computer object needs to exist in the Active Directory.

  1. Open the Active Directory Users and Computers
  2. Right-click on your Domain and choose Find…
  3. Change Find to Computers
  4. Search on the computer name

If the computer object exists in the AD, then we can log in on the computer with a local admin account and run the PowerShell command below. You will be prompted to enter the domain admin password:

Reset-ComputerMachinePassword -Server DomainServer -Credential DomainName\Administrator

This will reset the computer password and sync it with the Active Directory server. Next, we need to test whether the trust relationship is restored; to do this we can use the Test-ComputerSecureChannel cmdlet.

Test-ComputerSecureChannel

If the cmdlet returns False, then we can repair it using the following command. Again, you will be prompted to enter the domain administrator password.

Test-ComputerSecureChannel -Repair -Credential DomainName\Administrator

After running the command you should be able to log in again with a domain account. There is no need to reboot the computer with these steps.
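The three commands above combined into one script, as an added example (not the article’s own code) that you can copy to each affected computer: it tests the secure channel, resets the machine password against a specific DC, falls back to -Repair only if the reset did not help, and tests again. DC01.corp.example and CORP\Administrator are placeholders; run it elevated while logged in with a local administrator account.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Run locally on the affected computer
# while logged in as a local administrator (domain logons are failing here).
param(
    [string]$DomainController = 'DC01.corp.example',  # placeholder: a DC that is online
    [string]$DomainAdmin      = 'CORP\Administrator'  # placeholder: account allowed to reset the object
)

# 1. Nothing to repair if the secure channel already works.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to do."
    return
}
Write-Host "Secure channel is broken; attempting repair."

# 2. Ask for the domain admin password once; it is never written to disk.
$cred = Get-Credential -UserName $DomainAdmin -Message 'Domain admin password'

# 3. Reset the machine account password and push it to the named DC, so that
#    replication lag between DCs cannot make the new password disappear.
try {
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop
} catch {
    Write-Warning "Reset failed: $($_.Exception.Message). Does the computer object still exist in AD?"
}

# 4. Re-test; fall back to -Repair, which rebuilds the channel itself.
$ok = Test-ComputerSecureChannel -Server $DomainController
if (-not $ok) {
    $ok = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred
}

# 5. Report; no reboot is needed when this prints True.
Write-Host "Secure channel healthy after repair: $ok"
if (-not $ok) {
    Write-Warning "Still broken: unjoin and rejoin the domain using the steps above."
}
```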

Wrapping Up

The methods described above are the easiest and most convenient ways to solve the error “the trust relationship between this workstation and the primary domain failed”. After you have fixed the issue, make sure that you look into the cause of the problem, to prevent it from happening again.

I hope you found this article helpful, if you have any questions, just drop a comment below.
