The error "The trust relationship between this workstation and the primary domain failed" does not come up often, but it is scary when it does. The short explanation: every domain-joined computer has a computer account in Active Directory with its own password. One copy of that password lives in AD and one lives on the machine (as an LSA secret), and the machine rotates it on its own, every 30 days by default. When the two copies stop matching, which typically happens after a VM is rolled back to a snapshot, a machine is reimaged under an existing name, or someone resets the computer account in AD, the Netlogon secure channel can no longer be established and domain logons fail with this error. Microsoft ships tools to reset that password in place, which is what this article covers.
Most sites tell you to remove the computer from the domain and then re-join it. That works, but it can leave you with a fresh user profile, after which you have to rebuild settings and copy files from the old profile directories to the new one. Fortunately, there is a simpler way.
Both the above method and the one described here require you to log in with a local administrator account on the affected machine, because domain logons are exactly what is broken. This is a good time to point out that you need a working local administrator credential for every workstation for precisely this purpose. Keep it per-machine rather than a single shared password across the fleet (LAPS does this for you); one local admin password reused everywhere is what lateral movement feeds on, and it is the same account an attacker would use to run the commands below.
Up to Windows 2012
Up to Windows Server 2012, the usual tool is the Netdom command, run from an elevated command prompt or PowerShell. Netdom is a server and RSAT tool: it is present on domain controllers and on machines with the AD DS remote administration tools installed, but not on a default Windows 10 client, so on workstations and on Windows Server 2016 and later the portable choice is the Reset-ComputerMachinePassword cmdlet in PowerShell. Windows Server 2012 can use either method.
To use the Netdom command you will need to first log in as a local administrative user. If you have forgotten the password there are methods of recovering it, but I won't discuss them in this article. After logging in, open a command prompt with administrator privileges and run the command on the affected machine as follows:
netdom resetpwd /server:DC_NAME /userd:USERNAME /passwordd:PASSWORD
Change the following to match your system:
- DC_NAME to the name of a domain controller the machine can reach.
- USERNAME to a domain account that has rights to reset this computer account's password (a Domain Admin will do; note that the right to join new computers to the domain is not enough on its own, because the computer object already exists).
- PASSWORD to that account's password, or use * to have the command prompt you for it so it does not end up in your command history. The parameter really is spelled /passwordd, with two d's, matching /userd.
After this completes, reboot the computer and log on with your domain account. Everything should work as normal.
Windows 2012 to current
For Windows Server 2012 and beyond (and for Windows 10 clients), the same thing is accomplished in PowerShell with the Reset-ComputerMachinePassword cmdlet.
Again, you will need to log in with a local administrator account. Then open PowerShell with administrator privileges. Once PowerShell is open, run the following cmdlet:
Reset-ComputerMachinePassword -Server "DC01" -Credential Domain01\Admin01
Change the following to match your system:
- DC01 to the name of a domain controller the machine can reach.
- Domain01\Admin01 to your domain before the \ and, after the \, a domain account with rights to reset this computer account's password.
Passing a plain user name to -Credential makes PowerShell prompt you for that account's password, so the password never appears on the command line.
Afterwards, exit PowerShell, reboot the computer, and log on with your domain account. Everything should work as normal.
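The two procedures above both boil down to "reset the computer account password so the local copy and the AD copy match again". The script below is an added example, not code from the original article, and it adds the check a practitioner wants around that step: confirm the secure channel is actually broken before resetting, reset it, and confirm it is fixed before rebooting. It assumes a domain called CONTOSO, a domain controller named DC01, and a domain account CONTOSO\adm-join that is allowed to reset the computer account password; all three are placeholders. Run it from an elevated PowerShell session on the affected workstation while logged on as a local administrator.

```powershell
# Added example (not from the original article): verify and repair the
# Netlogon secure channel from the affected workstation.
# Assumptions: DC01 is a reachable domain controller and CONTOSO\adm-join
# is a domain account with rights to reset this computer's account password.

$Server = 'DC01'

# Prompt for the password instead of putting it on the command line.
$Cred = Get-Credential -UserName 'CONTOSO\adm-join' `
                       -Message 'Domain account allowed to reset this computer account'

# 1. Confirm the failure really is the secure channel. A healthy channel
#    means the logon problem is elsewhere (DNS, time skew, the DC itself).
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel to $Server is healthy; no reset needed."
    return
}
Write-Warning "Secure channel to $Server is broken; resetting the machine account password."

# 2. Reset the computer account password on this machine and in AD in one step.
Reset-ComputerMachinePassword -Server $Server -Credential $Cred

# 3. Verify before rebooting. If it is still broken, the usual culprits are a
#    wrong DC name, an account without reset rights, or a computer object that
#    was deleted from AD (in which case a domain re-join is unavoidable).
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host 'Secure channel restored. Reboot and log on with a domain account.'
} else {
    Write-Warning 'Secure channel still broken. Check the DC name, the account rights, and that the computer object still exists in AD.'
}
```

Test-ComputerSecureChannel also has a -Repair switch that, together with -Credential, rebuilds the channel in much the same way as Reset-ComputerMachinePassword, so you can use it as a one-cmdlet alternative. If you want a second opinion from outside PowerShell, nltest /sc_verify:CONTOSO reports the state of the secure channel to the domain as well.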