Windows – Trust Relationship between Workstation and Primary Domain Failed

June 26, 2014

There is a fix, but it is not so easy to accomplish remotely if you don’t have the proper tools installed on the machine.


Netdom

In order to use the netdom tool you must have Remote Server Administration Tools (RSAT) installed.

Install the Remote Server Administration Tools (RSAT).

  1. Go to Control Panel -> Programs and Features -> Turn Windows features on or off
  2. In the treeview, go to Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools and select AD DS Tools. Click OK.

NETDOM should be located in your SYSTEM32 folder.

To reset the computer’s password:

  • Log into the affected client with a local account with administrative privileges
  • Open an elevated PowerShell or Command prompt
  • Run the Netdom command
    netdom.exe resetpwd /server:servername.domain /ud:ad\jsmith /pd:*
    • The “/server:” switch names the domain controller (the original line was missing the colon after the switch)
    • The user specified with the “/ud:” switch must have rights to change the computer object password
    • The “/pd:*” switch prompts for the password instead of placing it on the command line
  • Reboot

If you prefer to use PowerShell, be aware that the procedure depends on the PowerShell version installed.

PowerShell v2 – Test-ComputerSecureChannel

  • Log into the affected client with a local account with administrative privileges
  • Open an elevated PowerShell prompt
  • Load the Active Directory PowerShell module
    Import-Module activedirectory

Test the secure channel

Test-ComputerSecureChannel

If the command returns false, run the command with the “-Repair” switch

Test-ComputerSecureChannel -Repair -Credential $(Get-Credential)

Verify the secure channel again using Test-ComputerSecureChannel

Test-ComputerSecureChannel

Reboot

PowerShell v3 or higher – Reset-MachineAccountPassword

  • Log into the affected client with a local account with administrative privileges
  • Open an elevated PowerShell prompt
  • Load the Active Directory PowerShell module
    Import-Module activedirectory

Test the secure channel

Test-ComputerSecureChannel

If the command returns false, run the Reset-MachineAccountPassword command

Reset-MachineAccountPassword -Credential $(Get-Credential)

Verify the secure channel again using Test-ComputerSecureChannel

Test-ComputerSecureChannel

Reboot
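The two version-dependent PowerShell procedures above, combined into one function as an added example (not code from the original post). It assumes you run it from an elevated prompt on the affected workstation while logged on with a local administrator account, and that the credential you supply has rights to change the computer object password; the function name and the optional -Server parameter are this example’s own choices.

```powershell
# Added example: test the secure channel, repair it with the cmdlet that matches the
# installed PowerShell version, then verify before rebooting.
# Both cmdlets live in Microsoft.PowerShell.Management, so the ActiveDirectory module
# is not required for them.
function Repair-SecureChannel {
    param(
        # Domain account allowed to reset the computer object password
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential] $Credential,
        # Optional: a specific domain controller to contact (assumed parameter, not from the post)
        [string] $Server
    )

    $common = @{ Credential = $Credential }
    if ($Server) { $common['Server'] = $Server }

    if (Test-ComputerSecureChannel @common) {
        Write-Host "Secure channel is healthy; nothing to do."
        return $true
    }

    if ($PSVersionTable.PSVersion.Major -ge 3) {
        # PowerShell 3 or higher: reset the machine account password directly
        Reset-MachineAccountPassword @common
    } else {
        # PowerShell 2: only the -Repair switch is available
        Test-ComputerSecureChannel -Repair @common
    }

    # Verify the repair before rebooting
    $ok = Test-ComputerSecureChannel @common
    if ($ok) {
        Write-Host "Secure channel re-established. Reboot to complete the fix."
    } else {
        Write-Warning "Secure channel still broken; check the computer account in AD and that a domain controller is reachable."
    }
    return $ok
}

# Usage: prompts for the domain credential, then repairs and verifies
Repair-SecureChannel -Credential (Get-Credential)
```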

Alternative:

Try to download machinepwd: http://www.joeware.net/freetools/tools/machinepwd/index.htm and then run it on the workstation.

If machinepwd fails:

  1. Reset the computer account in AD
  2. On the workstation, run: machinepwd /fix

If you have User Account Control (UAC) enabled, you must start the command prompt in “Run as Administrator” mode.

This should force the workstation to re-sync the machine password with AD, and re-establish the trust relationship.


Alternatively use NetDom.exe and more

Success!