Purpose:
You receive the error "The trust relationship between this workstation and the primary domain failed" when logging on to a domain-joined workstation.
There are a variety of reasons this can occur; what they have in common is that the machine account password the workstation holds no longer matches the one the domain controllers hold. The password change is initiated by the client (the workstation's Netlogon service, by default every 30 days), not by the DC. For example, a VM reset to a snapshot from more than 90 days ago (more than two password rotations at the default 30-day interval) comes back with a password the domain no longer accepts, and a GPO that prevents the password update from completing can have the same effect. Another possible cause is a restore (authoritative or non-authoritative) of a DC.
NOTE: Leaving a machine off the network or powered off for an extended period will not by itself cause this issue. The client only changes its password when it can reach a DC, so a machine that has been away still holds the password the domain knows; once it reconnects it authenticates with that password and then rotates it, regardless of its age. If the trust relationship fails in this case, the long absence is correlative, not causative; look for one of the causes above.
Resolution:
To resolve this issue you can either rejoin the computer to the domain (the old-timey remove-and-rejoin method, which requires reboots) or reset the machine account password in place.
The following method is performed on the machine throwing the error and does not require a reboot. It needs Windows PowerShell (WMF) 3.0 or later, because the -Credential parameter used below was introduced in 3.0, and the session must be elevated (local administrator), since the machine's locally stored password is rewritten.
First, test whether the machine has lost the trust relationship. Open an elevated PowerShell prompt (log on with a local administrator account if domain logon is refused) and run:
Test-ComputerSecureChannel
If the trust relationship is broken, the cmdlet returns False; if it is intact, it returns True.
If the trust relationship is broken, correct it by running one of the following from an elevated PowerShell prompt on the impacted machine. Both prompt for a domain account that holds the right to reset the computer object's password (a domain admin or an account delegated that right), and both set the new password on the DC and locally in one step:
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
or
Reset-ComputerMachinePassword -Credential (Get-Credential) -Server [DomainController]
Replace [DomainController] with the name of a reachable DC; targeting a specific DC means the repair takes effect there immediately instead of waiting on replication.
NOTES:
- Credentials are supplied in the usual domain\username format.
- In certain cases the commands above fail even though all prerequisites have been met (for example, no DC is reachable, or the supplied account lacks the right to reset the computer object's password). In that case you will most likely need to remove the machine from the domain and rejoin it, or use the netdom.exe utility (netdom resetpwd). Removing and rejoining can also be done from PowerShell; for example (change SomeDomain to your domain; both cmdlets prompt for a domain account, and Add-Computer reuses the existing computer object and resets its password, so the object does not need to be deleted first):
Remove-Computer -Credential (Get-Credential) -Force
Add-Computer -DomainName SomeDomain -Credential (Get-Credential) -Restart -Force
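The repair sequence above (test, repair, reset, verify) and the fallback in the last note, pulled together as one script that stops at the first step that works. This is an added example, not code from the original page: the $DomainController default (DC01.example.com) is a placeholder to replace, the credential prompted for is assumed to hold the right to reset the computer object's password, and the NETLOGON 3210 lookup and the netdom hint at the end are the checks a practitioner would want when both cmdlets fail.

```powershell
#Requires -Version 3.0
#Requires -RunAsAdministrator
# Added example, not code from the original page. Run on the affected workstation,
# logged on as a local administrator. Assumptions to adapt: $DomainController is a
# hypothetical DC name, and the credential prompted for must hold the right to reset
# the computer object's password in AD.
param(
    [string]$DomainController = 'DC01.example.com'
)

# 1. Show the local Netlogon settings that govern machine-password changes.
#    MaximumPasswordAge defaults to 30 days; DisablePasswordChange=1 means the
#    client never rotates its password (set by the "Domain member: Disable machine
#    account password changes" policy).
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $nl.MaximumPasswordAge)    { $nl.MaximumPasswordAge }        else { 30 }
$disabled = if ($null -ne $nl.DisablePasswordChange) { [bool]$nl.DisablePasswordChange } else { $false }
Write-Host "Machine password max age: $maxAge days; password changes disabled: $disabled"

# 2. Test the secure channel against one specific DC so the result is unambiguous.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to repair."
    return
}
Write-Warning "Secure channel to $DomainController is broken; attempting repair."

# 3. Prompt once for the domain account. Never hard-code this password in a script.
$cred = Get-Credential -Message 'DOMAIN\user allowed to reset this computer object''s password'

# 4. First attempt: in-place repair (no reboot, no change to the AD object beyond its password).
$repaired = $false
try {
    $repaired = [bool](Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred -ErrorAction Stop)
} catch {
    Write-Warning "Test-ComputerSecureChannel -Repair failed: $($_.Exception.Message)"
}

# 5. Second attempt: explicit machine password reset against the same DC, then re-test.
if (-not $repaired) {
    try {
        Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop
        $repaired = [bool](Test-ComputerSecureChannel -Server $DomainController)
    } catch {
        Write-Warning "Reset-ComputerMachinePassword failed: $($_.Exception.Message)"
    }
}

# 6. Report. If both attempts failed, surface the client-side NETLOGON 3210 events
#    ("could not authenticate with a DC") and point at the rejoin / netdom fallback.
if ($repaired) {
    Write-Host "Secure channel with $DomainController re-established; no reboot required."
} else {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Message -AutoSize -Wrap
    Write-Warning 'Still broken. Rejoin the domain (Remove-Computer / Add-Computer) or run:'
    Write-Warning "  netdom resetpwd /server:$DomainController /userd:<DOMAIN\user> /passwordd:*"
}
```

Before running it, confirm from another machine that the computer object still exists and is enabled, and that its PasswordLastSet (Get-ADComputer <name> -Properties PasswordLastSet) is not unexpectedly recent: a reset you did not perform can mean another host has joined under the same name, and resetting the password from this workstation would then break that host instead of fixing this one.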