Active Directory, Windows

Troubleshooting “The trust relation between this workstation and primary domain failed” error without domain rejoin

Hi Friends

Hope this post finds you in good health and spirit. Today we will discuss a very common error and its troubleshooting. You must have got the “The trust relation between this workstation and primary domain failed” error multiple times. How do you solve the problem ? Rejoin client computer to domain ? This is not a good idea. For answer keep reading.

Why we get this error ?

Every client in domain has an domain account and  its own password just like user account. This account is created by default in Computer container. Client computer uses his account and password to authenticate himself into domain. Computer accounts also reset their password for security reason. By default they reset their password every 30 days.

Note: Computer account password changes are driven by the client computer account, and not by domain controller.

There can be multiple circumstances when password reset between client computer and domain controller becomes out of sync for example:

  1. When computer is out of network for more than 30 days ( default password age).
  2. You restored your machine from old backup.
  3. You did reset of computer account from domain controller.
  4. You reverted to old checkpoint.

Due to any of the reason you get the above mentioned error.

12

Solution

To solve this problem, many admins rejoin client computer to domain.This works but its not a good idea because its time consuming affair. Single machine can take excess of 10 mins so what if we need to do same on multiple computers ? Whole day activity. Duh ! Here are two solution which can solve the problem without rejoining domain.

Using PowerShell – If you are using PowerShell 2.0 and above then login to your client computer using local admin account and run this command:

Reset-ComputerMachinePassword -Server -Credential  

Credential should be the of user account with permission. Your local admin account should work.

Server will be domain controller account.

12.png

It will prompt for password of account so provide the same

You may also use Test-ComputerSecureChannel command. This command checks trust relation between local computer and domain. Ideally its result should be True but unfortunately in event of error you will get False as result. To solve the issue run this command:

Test-ComputerSecureChannel [-Repair]

This command resets the secure channel between the local computer and its domain.

That’s it. It will reset your computer account. There is no need to restart your client machine either.

Using Netdom: This is another method for resetting account for legacy machine. If you don’t have support for PowerShell 2.0 then you can use Netdom. This method is beautifully described here:

http://www.cievo.sk/2012/02/21/reset-computer-accounts-in-active-directory-domain/

Ok, so our job is done. But what to do if in case company have lot of roaming users and they seldom come to office? When they come help desk will be getting call with same error.

They will get this error as discussed earlier in post. Won’t it be better to disable password reset or at least increase the duration? This will be helpful as we won’t get the error at all. If you also think so here is the solution.

You can configure password reset duration or settings by registry or by GPO policy.

Registry

HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

DisablePasswordChange (default off) prevents the client computer from changing its computer account password. To disable, give it a value of 1.

MaximumPasswordAge (default 30 days) determines when the computer password needs to be changed. Change it to whatever number of days you think may be enough.

12

GPO Policy

Computer Configuration\windows Settings\Security settings\Local Policies\Security Options

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age

12.png

You should input the value which best suits your environment.

Ok. So we have solved the problem, congratulation 🙂

I will see you soon with some other technical post. Till then take good care of yourself. Bye.

Published by Vinit Pandey

I am Microsoft Certified Trainer ( MCT) with couple of other certifications including MCSE, MCITP and MCTS. My core technologies are Windows Servers and clients, System Center products including MECM, Intune, Systrack, Nexthink, Yellow.AI, PowerShell, Nomad, Tachyon, Shopping, SCOM, SCVMM, Hyper-V, Failover Clustering and Azure. I have done B.Tech in electronics and communication stream. I have total 15+ experience in IT field. Presently, I am working with Larsen and Toubro Infotech as Experience Architect. My job includes transition, transformation and migration activities which we perform for our esteemed clients. Often I need to provide consultancy to my clients in migration and planning projects. I am from Chousa (Buxar) which has a lot of historical significance. In my free time I love to blog and play with Shreya (my daughter) and Tiger ( my pet dog).

3 thoughts on “Troubleshooting “The trust relation between this workstation and primary domain failed” error without domain rejoin

Leave a comment