The trust relationship between this workstation and the primary domain failed

Purpose:

You receive an error indicating the trust relationship between a workstation and domain has failed.

There are a variety of reasons why this can occur; the common factor is that the machine's account password could not be renewed with a DC (the renewal is a CLIENT-initiated event). For example, a VM was reverted to a snapshot taken more than 90 days ago (more than two password iterations), or a GPO prevents the password update. Another possible cause is a restore (authoritative or non-authoritative) of a DC.

NOTE: Leaving a machine off the domain for an extended period of time will not cause this issue. Once a machine has reconnected to the domain, the password, regardless of age, will update. If a trust relationship fails in this case, the fact it was off the domain for an extended period is correlative, not causative.

Resolution:

To resolve this issue, you need to either rejoin the computer to the domain (using the Old-Timey Method) or reset the machine account password.

The following method can be performed on the machine throwing the error and does not require a reboot. It does require PowerShell (WMF) version 3 or later.

First, you can test whether the machine has lost the trust relationship. Open an elevated PowerShell prompt and run the following:

Test-ComputerSecureChannel

If the trust relationship is broken, the cmdlet returns False. If the trust relationship is intact, it returns True.

If the trust relationship is broken, you can correct this by running one of the following from an elevated PowerShell prompt on the impacted machine (replace [DomainController] with the name of a reachable domain controller):

Test-ComputerSecureChannel -Repair

or

Reset-ComputerMachinePassword -Credential (Get-Credential) -Server [DomainController]

NOTES:

  1. Credentials are supplied in the usual domain\username format.
  2. In certain cases, the above PowerShell will not work, even if all prerequisites have been met. In that case, you will most likely need to manually remove/add the machine to the domain or use the netdom.exe utility. You can also remove and re-add the machine using PowerShell. For example (replace SomeDomain with your domain):

     Remove-Computer -Credential (Get-Credential) -Force
     Add-Computer -DomainName SomeDomain -Restart -Force
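The test, repair and reset steps above combined into one script, as an added PowerShell example that is not part of the original article. It assumes an elevated PowerShell 3+ session on the affected machine; the DC name and domain credential are parameters you supply, and the fallback from -Repair to Reset-ComputerMachinePassword plus the final re-test are this example's additions.

```powershell
# Added example (not from the original article): check the secure channel,
# repair it in place, fall back to a machine password reset, then re-test.
param(
    # Placeholder: replace with a reachable domain controller, e.g. dc01.somedomain.local
    [Parameter(Mandatory)][string]$DomainController,
    # Prompts for domain\username with rights to reset the computer account
    [pscredential]$Credential = (Get-Credential -Message 'domain\username')
)

function Repair-MachineTrust {
    param([string]$Server, [pscredential]$Cred)

    # Step 1: test the secure channel. True means there is nothing to fix.
    $healthy = Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue
    if ($healthy) {
        Write-Host "Secure channel to $Server is healthy; no action taken."
        return $true
    }
    Write-Warning "Secure channel to $Server is broken; attempting repair."

    # Step 2: in-place repair first (no reboot). -Repair returns True on success.
    $repaired = $false
    try {
        $repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Cred -ErrorAction Stop
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
    }

    # Step 3: if -Repair did not succeed, reset the machine account password
    # directly against the chosen DC.
    if (-not $repaired) {
        try {
            Reset-ComputerMachinePassword -Server $Server -Credential $Cred -ErrorAction Stop
        } catch {
            Write-Warning "Password reset failed: $($_.Exception.Message)"
            return $false
        }
    }

    # Step 4: re-test. False here means the manual remove/add or netdom.exe path is needed.
    $ok = Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue
    if ($ok) { Write-Host "Trust relationship with $Server restored." }
    else     { Write-Warning "Still broken; remove/add the machine to the domain or use netdom.exe." }
    return $ok
}

Repair-MachineTrust -Server $DomainController -Cred $Credential
```

The script exits with True or False from Repair-MachineTrust, so it can be reused from a remote management session without reading the console output.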

See Also:

Machine Account Password Process
