The trust relationship between this workstation and the primary domain failed

From time to time in a domain scenario you may come across the following error message on client computers:


The trust relationship between this workstation and the primary domain failed.

This happens because the computer account password stored in Active Directory no longer matches the password the workstation holds locally, so the secure channel between the two cannot be established. The mismatch is usually the result of a system restore on the client, file corruption, or a directory restore on the domain controller that rolled the account back to an older password.

The Fix

  1. Go to the affected workstation and log in as a local administrator
  2. In the run box, or the start menu, type ‘sysdm.cpl’ and press Enter
  3. The System Properties box opens – click ‘Change’
  4. Either:
    • Remove and rejoin the computer to the domain: join a workgroup, reboot, then join the domain again
      or
    • If you have a multi-part domain name, i.e. something.somethingelse.com, simply delete the .somethingelse.com part and click OK – the computer will rejoin the domain
  5. Restart the computer and all is well.


You can also try the following PowerShell commands in an elevated session on the client (you will be prompted for the password of the account passed to -Credential):

Reset-ComputerMachinePassword -Server domaincontroller -Credential adminusername

Restart-Computer
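The manual steps and the two cmdlets above, combined into one script that first checks whether the secure channel is really broken and only then resets the machine account password. This is an added example and not the post's own code; it assumes the placeholder names DC01 and CONTOSO\adminuser and is run in an elevated PowerShell session on the affected client while logged on as a local administrator.

```powershell
# Added example (not from the original post): check the workstation's secure
# channel to the domain and repair it only when it is actually broken.
# DC01 and CONTOSO\adminuser are placeholders; replace them with your own.
param(
    [string]$DomainController = 'DC01',              # placeholder DC name
    [string]$AdminAccount     = 'CONTOSO\adminuser'  # placeholder domain account
)

# Step 1: is the machine account password still in sync with AD?
# Test-ComputerSecureChannel returns $true when the secure channel is healthy.
if (Test-ComputerSecureChannel -Verbose) {
    Write-Host 'Secure channel is intact; no reset needed.'
    return
}

# Step 2: the channel is broken. Prompt for the domain credential once so the
# password never appears on the command line or in the console history.
$cred = Get-Credential -UserName $AdminAccount `
    -Message 'Account permitted to reset this computer object'

# Step 3: -Repair resets the machine account password on the DC and locally,
# the same effect as the leave/rejoin steps but without deleting the object.
$repaired = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred

# Step 4: fall back to an explicit machine password reset if -Repair failed,
# then re-test so the result is confirmed before rebooting.
if (-not $repaired) {
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
    $repaired = Test-ComputerSecureChannel -Server $DomainController -Credential $cred
}

if ($repaired) {
    Write-Host 'Secure channel repaired; restarting so all services re-authenticate.'
    Restart-Computer -Confirm
} else {
    Write-Warning 'Secure channel still broken; check the computer object in AD and rejoin the domain manually.'
}
```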

2 Comments

  • YumiDoslein

    More information about the error:

    You can prevent the error: “The trust relationship between this…” with a domain GPO.

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

    Domain member: Disable machine account password changes

    Domain member: Maximum machine account password age

    Source:

    http://www.sysadmit.com/2015/08/mware-y-ad-la-relacion-de-confianza-entre-esta-estacion-de-trabajo-y-el-dominio-principal-fallo.html

    • hdic

      This does work, but is not always recommended. If an attacker were to steal the SAM file from a machine and successfully perform an offline crack, they would have machine access to your domain indefinitely (until you disabled the machine account in AD). When the password is changed regularly, they would only have access for a limited time.
