The Trust Relationship failed between Domain and Workstation (Original Article and solution done by Mr. Dan Peterson)

If you Google “the trust relationship between this workstation and the primary domain failed”, you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That’s not always possible.

Underlying Reasons of the Problem

The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined.  The machine’s private secret is not set to the same value stored in the domain controller.  You can think of this secret as a password, but really it’s some bits of cryptographic data called a Kerberos keytab stored in the local security authority.  When you try to access this machine using a domain account, it fails to verify the Kerberos ticket you receive from Active Directory against the private secret that it stores locally.  I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller.  This solution also fixes that problem.

This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.

Standard Fix

Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.

Microsoft support article on the topic: http://support.microsoft.com/kb/162797

I’m not a fan of any of these options.  They seem heavy-handed, and sometimes they aren’t even possible.

Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.

Better Fix

Just change your computer password using netdom.exe!

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password

Here are the full steps:

  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing, “.\Administrator” in the logon window. I hope you remember the password. If you’re creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user’s cached credential has the same problem as the machine’s private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you’re running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven’t done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17657
    3. Post change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center Service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select “run as Administrator”.
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.
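The procedure above expressed in PowerShell, as an added example that is not part of Dan Peterson’s article: it checks DNS reachability and clock skew first, tests the secure channel, and resets the machine account password with Reset-ComputerMachinePassword, the built-in cmdlet equivalent of netdom.exe resetpwd (available since PowerShell 3.0 on Windows 8 / Server 2012). The domain controller name dc01.contoso.example and the account CONTOSO\admin are hypothetical placeholders.

```powershell
# Added example, not code from the original article. Run from an elevated prompt
# while logged on with a local account, exactly as in step 1 above.
# Placeholders: dc01.contoso.example and CONTOSO\admin are hypothetical values.
param(
    [string]$DomainController = 'dc01.contoso.example',   # the /s:<server> value
    [string]$AdminUser        = 'CONTOSO\admin'           # the /ud:<user> value
)

# 1. Can we reach the DC at all? "The specified domain either does not exist or
#    could not be contacted" is usually a DNS or routing problem, not a trust problem.
try {
    $dcAddr = [System.Net.Dns]::GetHostAddresses($DomainController) | Select-Object -First 1
} catch {
    throw "Cannot resolve $DomainController; fix DNS before touching the machine password."
}
if (-not (Test-Connection -ComputerName $dcAddr.IPAddressToString -Count 1 -Quiet)) {
    throw "$DomainController ($($dcAddr.IPAddressToString)) is unreachable; check the network configuration."
}

# 2. Clock skew breaks Kerberos just like a stale secret does (default tolerance is 5 minutes).
#    w32tm prints this machine's offset from the DC; resync the clock if it is large.
w32tm /stripchart /computer:$DomainController /samples:1 /dataonly

# 3. Confirm the secure channel is actually broken before changing anything.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to reset."
    return
}

# 4. Reset the machine account password against the chosen DC. This is the cmdlet
#    equivalent of: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
#    Get-Credential prompts for the password interactively, as /pd:* does.
$cred = Get-Credential -UserName $AdminUser -Message 'Account with rights to reset the computer password'
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

# 5. Verify the new secret is accepted, then reboot as in step 5 of the procedure
#    so that cached Kerberos tickets issued under the old secret are discarded.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host 'Secure channel re-established. Reboot the machine to clear the ticket cache.'
} else {
    Write-Warning 'Still broken: check that the computer object exists in AD and that the account used has reset rights on it.'
}
```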

Here is more information on netdom.exe: http://support.microsoft.com/kb/325850

I hope this is helpful.  This problem comes up every few months for me, so I wanted to document it for my own use.  It is difficult to find when you just search for the error you get in the login window.

Source: http://implbits.com/About/Blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/Default.aspx

My Note

I have never tried the above solution myself, but it seems to be effective. Durjoy

Some Effective Discussion

  • Tmassaro • 3 months ago

    Thank you so much. We had an issue where our local admin password was unknown. We unplugged from the network and were back up and running in three minutes. Thank you so much for this article.

  • Wesley Olins • 6 months ago

    First reasonable conclusion I have seen over the standard “Unjoin then rejoin the domain”. This changes the SID, people, and any trust relationships you had with this server or shared resources you had to this server change if you unjoin and rejoin! I will try this out next time I have to restore one of my VMs, as this is when we run into a problem.
    One question: Can this command be issued to the machine that can’t login to the domain from a machine that is on the domain? Just a thought since netdom.exe will execute commands to remote computers.

    • Dan Peterson (replying to Wesley Olins) • 6 months ago

      Hmm… I haven’t tried to issue the command to remote computers. It would be nice if it did work. Could be problems depending on how you are authenticated when the trust relationship is broken down… If it does work, please post a comment.

      • Patrick Sczepanski (replying to Dan Peterson) • 4 months ago

        You need to use a different netdom command to run remote:

        NETDOM RESET machine [/Domain:domain] [/Server:server] [/UserO:user] [/PasswordO:[password | *]]

        This way you can define the remote machine name and the user name and password of the remote machine’s local administrator account (or any other local account with administrative rights, of course).

    • Barry Wheeler (replying to Wesley Olins) • 3 months ago

      After reading this article to get an idea of what exactly had transpired with a machine, I signed on as a local administrator and used System Restore to restore a more recent restore point. Thanks for the pointers! Great article.

  • Hamid Panahi • 4 months ago

    Your solution is AWESOME! Thanks, it worked for me too. I also recently reset my machine to a system snapshot which was built 2 weeks ago! Another problem that I had with this was the VPN connection! It also didn’t work, but after using your solution it works.

  • German • 3 days ago

    Hi everyone

    A far simpler way to do it is by clicking the Network ID wizard, select “This computer is part of a business network and I use it to connect to other computers at work” and click Next, click “My company uses a network with a domain” and click Next and Next again, then type the administrator user name and password, choose the option to not create a new user, and Finish/Apply. You will now be able to log in again.

    Regards.
    German

  • sizzler • 11 days ago

    Logged in to say thanks, it worked. The scenario is this: we wanted to move to a new server and we had lots of users connected to the domain. After logging into the new server, which had exactly the same IP, name, etc., we were getting this error, and now it’s fixed.

  • zombies • 12 days ago

    Top class article, thanks for the tip, saved a great deal of time

  • Nick Chapman • 18 days ago

    I’ve been finding the machine name in AD and right-clicking > ‘reset account’

    …that seems to do the trick in 1 of 1 test case for me on our domain.

  • Andrew Ivanov • 19 days ago

    Doesn’t work for me – netdom fails with “The specified domain either does not exist or could not be contacted”.

    • implbits Mod (replying to Andrew Ivanov) • 19 days ago

      Check your DNS configuration. Try running: nslookup <domain name>

      Check your network configuration. Try running: ping <domain controller ip address>

      I am guessing that you really can’t resolve the domain name or the IP address of your domain controller is just unreachable.

      Dan

  • Faris PV • 21 days ago

    I have the same problem… But I can’t log in to my local admin account because I forgot it. Can anyone help me to do this?

  • Davide Marzucco • 25 days ago

    You are the one! Thanks for this very helpful solution! This is exactly what I was looking for! In my case the VMs restored to an earlier checkpoint are running a failover cluster, so unjoining the domain was not an option!

    Thank you again!

    • Davide Marzucco (replying to Davide Marzucco) • 25 days ago

      Oops. Dealing with clusters is not so easy! Now I have restored the trust relationship between the cluster nodes and the domain, but there is still something broken with the computer account of the cluster name. I tried something with netdom and the cluster name as if it was another computer name, but it is not working…
      Any idea?

      • Davide Marzucco (replying to Davide Marzucco) • 25 days ago

        If it could help anyone else, I found out a very simple solution! On the cluster manager itself, on the cluster name, just right-click and select Repair Active Directory Object, and it did the trick! 🙂

  • snopro • a month ago

    XP to 2008 R2, ran the netdom command as suggested and received the following error: “The machine account password for the local machine could not be reset. Insufficient system resources exist to complete the requested service.” Help?

  • Ronan • a month ago

    Thank you – works very well!

  • cEricL • a month ago

    Wonderful, simply wonderful….
    Thanks Dan for not only finding a good solution but also putting it on the Internet with a clear title (DONT REJOIN TO FIX..etc).
    🙂

  • Guest • a month ago

    @Gata: go to www.microsoft.com/download and search for RSAT, download and install the version appropriate for the desktop OS you’re running.

  • Gata • a month ago

    What do you do if NETDOM is not on the computer trying to get on the domain? When I did a search for NETDOM on Windows 7 I found articles about the new Windows Powershell.

  • stovepipe • 2 months ago

    Fixed my problem in seconds, also caused by reverting to a VM snapshot. I can’t restart the OS due to unrelated reasons, so I was starting to wonder how the hell I’d get it back on the domain.

  • Chrisophe • 2 months ago

    Thanks a lot for your solution… Why doesn’t MS even suggest such a fix that is working 100% ?
    Thanks again

  • eik • 2 months ago

    Thanks for the info. This is what we do: dis-join and re-join every time the issue arises. Irritating when the server is in production, as it needs a restart.

    Just would like to be sure: is this a one-time solution for the issue?

    Thanks.

  • Trevor Roberts Jr. • 2 months ago

    This post was really helpful! Thanks for taking the time to write it.

  • Bombay_4Eva • 3 months ago

    Thank You!! I ran into this issue after cloning one of my VMs and could not get them on the domain. This did the trick.

  • Dspink • 4 months ago

    This worked great! I’m using PVS 6.1 to stream XenApp 6.5 servers. PVS is supposed to handle password updates automatically for machine accounts. But from time to time when creating new vdisks and the vdisks are in private mode (master or update machines) I get this domain trust error.

  • Caryena2 • 5 months ago

    This worked like a charm. Thank You. I tried to get IT Admin to resolve this issue with one of my VMs that prevented me from going to the …\C$ drive from my desktop for MONTHS. Finally I googled the error myself and ran your solution.


1 Response to The Trust Relationship failed between Domain and Workstation (Original Article and solution done by Mr. Dan Peterson)

  1. Its like you read my thoughts! You appear to understand so much approximately
    this, like you wrote the e-book in it or something.
    I feel that you simply could do with a few p.c. to pressure
    the message house a bit, however instead
    of that, that is great blog. A great read. I’ll definitely be back.
