"The trust relationship between this workstation and the primary domain failed." This error message stops you from logging in, accessing network resources, or using domain services. The computer can't authenticate with the domain controller because the secure channel (trust relationship) is broken.
This guide covers multiple solutions to fix trust relationship issues, from the proper fix (resetting the computer account) to temporary workarounds that get you back up and running quickly. Whether you need a permanent fix or just need to bypass the issue temporarily, these solutions will help.
TL;DR
- Proper fix: Reset computer account in AD, then reconnect from the computer
- Quick fix: Remove from domain, restart, rejoin domain
- PowerShell fix: Use Reset-ComputerMachinePassword or Test-ComputerSecureChannel -Repair
- Temporary bypass: Use cached credentials or local admin account to access the computer
- Command line fix: Use netdom reset to reset the secure channel
- Common causes: Password sync issues, time differences, domain controller changes, extended offline periods
What Is a Domain Trust Relationship?
Every computer joined to a Windows domain maintains a secure channel (trust relationship) with a domain controller. This secure channel uses a computer account password that's automatically changed every 30 days. When this password gets out of sync, or the secure channel breaks, you get the trust relationship error.
Common causes include:
- Password synchronization failure: The computer and domain controller have mismatched passwords
- Time differences: Large time differences between computer and domain controller (Kerberos requires time sync within 5 minutes)
- Domain controller changes: The domain controller the computer was using is no longer available
- Extended offline periods: Computer was offline longer than 30 days (password expired)
- Domain controller migration: Old domain controller was removed without proper decommissioning
- Computer account issues: Account disabled, deleted, or corrupted in Active Directory
Solution 1: Reset Computer Account (Proper Fix)
The proper way to fix a broken trust relationship is to reset the computer account in Active Directory, then reconnect the computer to the domain. This re-establishes the secure channel.
Step 1: Reset Computer Account in Active Directory
On a domain controller or computer with RSAT tools installed:
- Open Active Directory Users and Computers
- Navigate to the Computers container (or the OU where the computer account is located)
- Right-click on the computer account
- Select Reset Account
- Click Yes to confirm
Alternatively, use PowerShell. Note that Reset-ComputerMachinePassword changes the machine account password of the computer it runs on, so run it in an elevated PowerShell on the affected computer (pointing -Server at a domain controller), not on the domain controller itself:
Reset-ComputerMachinePassword -Server YourDomainController -Credential (Get-Credential)
To reset the specific computer account from a domain controller or an RSAT workstation, use dsmod with the -reset switch, which is the command-line equivalent of the Reset Account action above (the ActiveDirectory module has no Reset-ADComputerMachinePassword cmdlet):
dsmod computer (Get-ADComputer -Identity "ComputerName").DistinguishedName -reset
Step 2: Reconnect the Computer to Domain
On the affected computer, you have a few options:
Option A: Using System Properties
- Log in with a local administrator account (or cached domain credentials if available)
- Right-click This PC → Properties
- Click Change settings (or Advanced system settings)
- Click Change in the Computer Name tab
- Click OK (don't change anything, just confirm the domain membership)
- When prompted, enter domain administrator credentials
- Restart the computer when prompted
Option B: Using PowerShell (Run as Administrator)
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
Enter domain administrator credentials when prompted. This command resets the secure channel without requiring a restart.
Option C: Using Command Prompt (Run as Administrator)
netdom reset ComputerName /Domain:YourDomain.com /UserO:Administrator /PasswordO:*
Replace ComputerName with the computer name and YourDomain.com with your domain. netdom reset takes its credentials through /UserO and /PasswordO (the /UserD and /PasswordD switches belong to netdom join), and * prompts for the password instead of placing it on the command line.
Solution 2: Remove and Rejoin Domain (Quick Fix)
If you can access the computer (with cached credentials or local admin), you can remove it from the domain and rejoin it. This is often faster than resetting the account.
Step 1: Remove from Domain
- Log in with a local administrator account
- Right-click This PC → Properties
- Click Change settings
- Click Change
- Select Workgroup and enter a workgroup name (e.g., "WORKGROUP")
- Click OK
- Enter local administrator credentials when prompted
- Restart the computer
Step 2: Rejoin Domain
- After restart, log in with the local administrator account
- Right-click This PC → Properties
- Click Change settings
- Click Change
- Select Domain and enter your domain name
- Click OK
- Enter domain administrator credentials when prompted
- Restart the computer when prompted
Note: You may need to delete the old computer account from Active Directory before rejoining; otherwise the computer rejoins using the existing account automatically.
Solution 3: PowerShell Reset (Fastest Fix)
If you can access the computer with local administrator rights, PowerShell provides the quickest fix:
Using Test-ComputerSecureChannel with Repair
Open PowerShell as Administrator and run:
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
Enter domain administrator credentials when prompted. This command:
- Tests the secure channel
- If broken, repairs it by resetting the machine password
- Doesn't require a restart
Using Reset-ComputerMachinePassword
Reset-ComputerMachinePassword -Server YourDomainController.domain.com -Credential (Get-Credential)
Replace YourDomainController.domain.com with your domain controller's FQDN. Enter domain administrator credentials when prompted.
Solution 4: Temporary Bypass (Quick Access)
If you need immediate access to the computer but can't fix the trust relationship right away, you can use temporary workarounds:
Option 1: Use Cached Credentials
If the user has logged into this computer before, cached credentials may still work:
- At the login screen, enter the domain username and password
- If it says "The trust relationship failed," try clicking "Switch user" or "Other user"
- Enter the credentials in the format DOMAIN\Username
- Cached credentials may allow login even with broken trust
Limitations: You may not be able to access network resources, but you can access the local computer and potentially fix the trust relationship.
Option 2: Use Local Administrator Account
If you know the local administrator password:
- At the login screen, click "Other user" or "Switch user"
- Enter .\Administrator (or ComputerName\Administrator)
- Enter the local administrator password
- You can now access the computer and fix the trust relationship
Option 3: Enable Local Administrator (If Disabled)
If local administrator is disabled and you can't access the computer:
- Boot from a Windows installation media or recovery environment
- Open Command Prompt (Shift+F10 during setup)
- Navigate to Windows system32: cd /d C:\Windows\System32
- Rename utilman.exe: ren utilman.exe utilman.exe.bak
- Copy cmd.exe: copy cmd.exe utilman.exe
- Reboot and click the Ease of Access icon on the login screen
- Command Prompt opens - enable local admin: net user administrator /active:yes
- Set password: net user administrator NewPassword
- Restore utilman.exe: Boot to recovery again and rename back
Warning: This is a security workaround. Restore utilman.exe after fixing the trust relationship.
Solution 5: Command Line Reset (netdom)
If you have RSAT tools or Remote Server Administration Tools installed, you can use netdom to reset the secure channel:
netdom reset ComputerName /Domain:YourDomain.com /UserO:DomainAdmin /PasswordO:Password
Or interactively (safer, doesn't expose the password in command history), passing * as the password:
netdom reset ComputerName /Domain:YourDomain.com /UserO:DomainAdmin /PasswordO:*
This will prompt for the password. Note that netdom reset uses /UserO and /PasswordO; /UserD and /PasswordD are switches of netdom join. After running, restart the computer.
Solution 6: Fix Time Synchronization Issues
If time differences are causing the trust relationship to fail:
- Check current time on the computer: w32tm /query /status
- Sync time with the domain controller (w32tm /resync has no /force switch; /rediscover re-detects the time source first): w32tm /resync /rediscover
- Verify time sync: w32tm /query /status
- If still broken, try resetting the secure channel using Solution 1 or 3
Time differences greater than 5 minutes will break Kerberos authentication and cause trust relationship failures.
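The following script, added here as an example and not taken from the original guide, ties Solutions 3 and 6 together on the affected computer: it confirms the symptom in the NETLOGON event log, measures clock skew against a domain controller, resyncs time only when the skew exceeds the Kerberos limit, and then repairs the secure channel only if Test-ComputerSecureChannel reports it broken. It assumes an elevated PowerShell session, that nltest and w32tm print their usual output formats (the regexes that parse them are assumptions), and that the user has local admin or cached credentials.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell on the
# affected computer (local admin or cached logon). Order follows Solutions 6 and 3:
# confirm the symptom, check the clock against a DC, fix it if needed, then repair the
# secure channel only if the test says it is broken.

# NETLOGON 3210 = could not authenticate with the DC (the trust failure itself),
# 5719 = no DC could be reached. Either confirms the diagnosis before anything changes.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-List

# Locate a DC with the DC locator (DNS + LDAP ping). It does not use the machine
# account, so it still works while the secure channel is broken.
# Assumption: nltest prints a line of the form "DC: \\dc01.corp.example".
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$dcLine = nltest /dsgetdc:$domain | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)'
if (-not $dcLine) { throw "No domain controller found for $domain; check DNS and connectivity first." }
$dc = $dcLine.Matches[0].Groups[1].Value
Write-Host "Using domain controller: $dc"

# Measure clock skew against that DC. Assumption: the offset is parsed from the
# '<time>, <+/-offset>s' sample line that w32tm /stripchart prints.
$sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly |
    Select-String -Pattern '([+-][0-9.]+)s' | Select-Object -Last 1
if ($sample) {
    $skewSec = [double]$sample.Matches[0].Groups[1].Value
    Write-Host ("Clock skew vs {0}: {1:N3} s" -f $dc, $skewSec)
    if ([math]::Abs($skewSec) -gt 300) {
        Write-Warning 'Skew exceeds the 5-minute Kerberos limit; resyncing time first.'
        w32tm /resync /rediscover | Out-Null
    }
}

# Test before repairing: a healthy channel needs no change.
if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Host 'Secure channel is healthy; nothing to repair.'
    return
}

# Credentials are prompted for so the password never lands on the command line.
$cred = Get-Credential -Message 'Domain account permitted to reset this computer account'
Test-ComputerSecureChannel -Repair -Credential $cred -Server $dc -ErrorAction SilentlyContinue | Out-Null

if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Host 'Secure channel repaired; no restart required.'
} else {
    throw 'Repair failed: reset the computer account in AD (Solution 1, Step 1) and run again.'
}
```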
Preventing Trust Relationship Issues
To prevent trust relationship issues from occurring:
- Keep computers connected: Ensure computers connect to the domain regularly (at least every 30 days)
- Configure time sync: Ensure computers sync time with domain controllers (usually automatic)
- Properly decommission DCs: When removing domain controllers, decommission them properly (see domain controller migration guide)
- Monitor for issues: Check event logs for authentication errors
- Don't delete computer accounts: Avoid manually deleting computer accounts in AD unless necessary
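To put the "keep computers connected" and "monitor for issues" advice into practice, here is an added example (not part of the original guide) that runs on a domain controller or an RSAT workstation with the ActiveDirectory module. It lists enabled computer accounts whose machine password has not rotated within the 30-day interval, and shows recent NETLOGON 5722 events, which a DC logs when a computer fails to authenticate its secure channel. It assumes it runs on the DC whose System log is queried (set $dc otherwise) and that the caller may read computer objects and that log.

```powershell
# Added example, not part of the original guide. Run on a domain controller (or set $dc
# to one) as a user allowed to read computer objects and the DC's System log.
Import-Module ActiveDirectory

$rotationDays = 30                       # default machine password rotation interval
$cutoff = (Get-Date).AddDays(-$rotationDays)
$dc = $env:COMPUTERNAME                  # assumption: running on the DC; else set a DC name

# Machine password age. The computer itself initiates the rotation, so a PasswordLastSet
# older than the interval means it has not contacted the domain to rotate it since then
# and is the kind of machine that later shows the trust relationship error.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Sort-Object PasswordLastSet

Write-Host "$(@($stale).Count) enabled computer(s) with a machine password older than $rotationDays days:"
$stale | Format-Table Name, PasswordLastSet, LastLogonDate, DistinguishedName -AutoSize

# Failed secure-channel setups seen by this DC in the last 24 hours. NETLOGON 5722 is the
# DC-side counterpart of the error shown on the workstation.
$failed = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

Write-Host "$(@($failed).Count) NETLOGON 5722 event(s) on $dc in the last 24 hours:"
foreach ($e in $failed) {
    # The first line of the message names the computer whose account failed to authenticate.
    Write-Host ("{0:u}  {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0].Trim())
}
```

Schedule it daily and act on the stale list before the 30-day mark; a computer that appears in both lists is the one to reset with Solution 1.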
Which Solution Should You Use?
Choose based on your situation:
- Can access computer with local admin? Use Solution 3 (PowerShell) - fastest and cleanest
- Need immediate access? Use Solution 4 (temporary bypass) to get in, then fix properly
- Can't access computer? Reset computer account in AD (Solution 1, Step 1), then use Solution 4 to access and reconnect
- Want cleanest fix? Use Solution 1 (reset account + reconnect) - most thorough
- Time sync issues? Fix time first (Solution 6), then reset secure channel if needed
- Quick fix needed? Solution 2 (remove/rejoin) works but is more disruptive
Summary
Trust relationship issues are common but fixable. The proper fix is to reset the computer account in Active Directory and reconnect the computer, but PowerShell's Test-ComputerSecureChannel -Repair is often the fastest solution if you have local admin access. For immediate access when you can't fix right away, use cached credentials or local administrator accounts as a temporary workaround.
Always ensure proper time synchronization and keep computers connected to the domain regularly to prevent these issues. When domain controllers are migrated or decommissioned, always do so properly to avoid breaking trust relationships across the domain.
Need Help with This Process?
If you need help fixing trust relationship issues, or if this is out of your scope to complete, we're here to help. Contact us through our contact page at nhmohio.com and we'll be happy to assist with any project, including Active Directory issues, domain troubleshooting, and other infrastructure projects.