Sometimes the trust relationship between a computer (physical server, VM, Hyper-V Host, etc) and the domain controller fails. This is usually evident when you attempt to sign in to the server via RDP and you receive an authentication related message or time mismatch error.
First, you will want to check the obvious such as making sure the time is the same on both computers, verifying that the computer account on AD exists and is not disabled and that your credentials are valid and not expired among other things. When all of those check out it may mean that kerberos authentication is broken. Also, if you manage the server from another computer you may receive a detailed kerberos authentication error.
Often times, this can be resolved by signing into the server locally and de-joining/re-joining the computer to the domain. However, this requires at least one reboot, and potentially other problems, so you may not want to do that. You may be able to fix the problem with Powershell 3.0 as follows. If you do not have Powershell 3.0 you will need to install it or try alternate method #2.
- Sign In to the Computer locally (not the domain controller) - you may still be able to RDP into the computer using the IP (instead of name) and you must sign in with a local Administrator account
- Open Powershell
- Type $cred = Get-Credential
- Enter a Domain Administrator account when prompted.
- Type Reset-ComputerMachinePassword -Credential $cred -Server [domain name of primary DC ex- dc-hostname.domain]
Alternate Method #1
- Sign In to the Computer locally (not the domain controller) - you may still be able to RDP into the computer using the IP (instead of name) and you must sign in with a local Administrator account
- Open Powershell
- Type Test-ComputerSecureChannel -Repair -Credential (get-credential)
Alternate Method #2
- Download and install the Remote Server Administration Tools from Microsoft onto the Computer - not the domain controller.
- Open an elevated command prompt on the Computer.
- Type netdom.exe resetpwd /s:dc-hostname.domain /ud:domainadminusername /pd/*
- Enter a Domain Administrator account when prompted
FAQs
Resolution. To resolve this issue, remove the computer from the domain, and then connect the computer to the domain. Use a local administrator account to log on to the computer.
What is the relationship between the primary domain and the trusted domain failed? ›
A trust relationship between the primary domain and the trusted domain failed. If you're getting this error message when navigating to the main EIOBoard site for your on-premise server, the most likely issue is that the firewall/domain is trusting the default documents but not allowing a redirect from them.
How to remove trust relationship between two domains? ›
Firstly you have to stop domain x trusting domain y, then remove domain x's ability to trust domain y:
- Logon as Administrator to domain x.
- Start User Manager for Domains, and click Trust Relationships from the Policies menu.
- Select domain y from the Trusted Domains and click Remove and confirm.
The most common cause of the trust relationship failing upon restoring a workstation or server is the computer account password had been changed between the last backup taken and the restore attempt. If you've got a domain admin credentials this condition is easily fixed by performing the following steps: 1.
How do I resolve a trust relationship error remotely? ›
- Download and install the Remote Server Administration Tools from Microsoft onto the Computer - not the domain controller.
- Open an elevated command prompt on the Computer.
- Type netdom.exe resetpwd /s:dc-hostname.domain /ud:domainadminusername /pd/*
- Enter a Domain Administrator account when prompted.
Resolution
- Use a local administrator account to log on to the computer.
- Select Start, press and hold (or right-click) Computer > Properties.
- Select Change settings next to the computer name.
- On the Computer Name tab, select Change.
- Under the Member of heading, select Workgroup, type a workgroup name, and then select OK.
Cause. This error occurs when the secure channel between the affected machine and AD is broken. The secure channel is the mechanism by which domain-joined machines communicate securely with domain controllers, and it relies upon the password associated with a computer account.
How to check domain trust relationship? ›
Using a graphical user interface
- In the left pane, right-click on the trusting domain and select Properties.
- Click the Trusts tab.
- Click the domain that is associated with the trust you want to verify.
- Click the Edit button.
- Click the Verify button.
Create the two-way trust through the GUI
Open the Active Directory Domains and Trusts Snap-in from the Administrative Tools on the Domain Controller in domainA. Right-click the domain name and select Properties. Select the tab Trusts. Select New Trust.
What is the relationship between trust and domain? ›
Trust relationships are an administration and communication link between two domains. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
Navigate to System and Security, and then click System. Under Computer name, domain, and workgroup settings, click Change settings. Under the Computer Name tab, click Change. Under Member of, click Domain, type the name of the domain that you wish this computer to join, and then click OK.
What does resetting a computer account in AD do? ›
Active Directory Users and Computers (DSA)
This resets the machine account. Resetting the password for domain controllers using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.
How to rejoin domain when trust relationship is lost in Windows 10? ›
Manual Rejoin: Right-click on “This PC” (or “My Computer”) and select “Properties.” Click on “Change settings” next to “Computer name, domain, and workgroup settings.” Click “Change” and select “Domain.” Enter the domain name and provide credentials. Restart the computer when prompted.
What does the trust relationship between the primary domain and the trusted domain failed PowerShell? ›
PowerShell Method:
Manual Rejoin: Right-click on “This PC” (or “My Computer”) and select “Properties.” Click on “Change settings” next to “Computer name, domain, and workgroup settings.” Click “Change” and select “Domain.” Enter the domain name and provide credentials. Restart the computer when prompted.
What does the trust relationship between this workstation and the primary domain failed reset account? ›
This error is usually caused by the computer account's password in the domain being invalid or broken. You can try to solve the problem by resetting the computer account or rejoining the domain. Reset the computer account. Open Active Directory Users and Computers.
What is the difference between primary domain and trusted domain? ›
A primary domain is the domain that is responsible for establishing further trust relationships and performing authentication (or for passing an authentication request on to an appropriate trusted domain).
