PDQ: The trust relationship between this workstation and the primary domain failed

Problem

You see the error message "Trust relationship between this workstation and the primary domain failed" on the screen when:

  • Installing image creator component
  • Accessing a remote machine's share

Cause

  1. The machine account password held locally no longer matches the one stored in Active Directory, for example after restoring a system image or snapshot taken before the last automatic password change
  2. Multiple computers with the same name inside a domain (the second machine joining with that name resets the computer object's password, which breaks the first one)
  3. Invalid domain user credentials supplied when installing the component or connecting to the remote share

Resolution

To resolve this problem, follow any of the solutions given below.

Rejoin the computer to the domain 

Follow the steps given below to remove the computer from the domain, and then connect the computer to the domain.

  1. Use a local administrator account to log on to the computer. 
  2. Select Start, press and hold (or right-click) Computer > Properties.
  3. Select Change settings next to the computer name.
  4. On the Computer Name tab, select Change.
  5. Under the Member of heading, select Workgroup, type a workgroup name, and then select OK.
  6. When you are prompted to restart the computer, select OK.
  7. On the Computer Name tab, select Change again.
  8. Under the Member of heading, select Domain, and then type the domain name.  
  9. Select OK, and then type the credentials of the user who has permissions in the domain.
  10. When you are prompted to restart the computer, select OK.
  11. Restart the computer.

Rejoin the computer to the domain by running a script 

You can run a script to repair the trust instead of unjoining and rejoining: it resets the machine account password in Active Directory and on the local machine in one step. Run the following script on the machine where the issue occurred, using local admin privileges:

  1. Copy and paste the below script to a text file and name it with .ps1 extension. 

    # Prompt for a domain account that is allowed to reset this computer object's password
    $credential = Get-Credential -Message 'Domain account permitted to reset this computer''s password'

    # -Server expects a domain controller; the domain's DNS name normally resolves to one
    $serverstr = Read-Host -Prompt 'Enter domain name or domain controller'

    # Sets a new machine account password both in AD and in the local LSA secret
    Reset-ComputerMachinePassword -Credential $credential -Server $serverstr

  2. Run the script with local admin privileges using PowerShell 3.0 or above.
  3. When prompted, enter the credentials of a domain account that has the "Reset password" permission on this computer object (a Domain Admin works, but is not required).
  4. At the PowerShell prompt, enter your domain name and press Enter. The machine account password is reset and the secure channel is re-established.

Access the workstation using its local account

If you do not want to rejoin the machine to the domain, or if rejoining fails, you can still access the workstation with a local account: a domain logon needs the secure channel, a local logon does not.

Keywords: Trust relationship failed, rejoin computer to domain.

If, at logon, you receive an error message that the trust relationship between a workstation and the primary domain failed, and you cannot log on, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still be able to log on, but the network connections tray icon claims that the computer is part of an unidentified network.


Welf has been working as a system administrator since the year 2000. He focuses on IT security for the Windows platform.


Contents

  1. Why the trust relationship failed
  2. Avoiding the trust relationship problem
  3. Restoring the trust relationship

Why the trust relationship failed

Technically, a domain trust relationship is established when a machine joins the domain and is maintained automatically from then on. When the machine joins the domain, a machine password is created that the domain controllers use to authenticate the machine.

This password is changed automatically every 30 days by default. One reason the trust relationship might fail is that your domain controllers have replication problems and are no longer in sync: the new password is valid on DC1, while DC2 still holds the old one. As soon as your client contacts DC2 for logon, you get this error. Since you cannot proactively prevent replication problems, this case is not addressed in this article.

The second, more common, reason is restoring a domain-joined Windows machine from an image backup that was created before the last password change. Because the password changes every 30 days, a backup taken on day 29 holds a password that the running machine replaces the next day; restore that backup afterwards and the domain no longer accepts the password it contains. If you then try to log on with a domain account, you receive this error message:


The trust relationship between this workstation and the primary domain failed

The error message may vary depending on your Windows version. In Windows 11, you may even be able to log on, but then the network tray icon will display unidentified network. You may still be able to access domain resources, but since the firewall profile is not the domain profile, you'll definitely run into various issues.

Avoiding the trust relationship problem

To avoid the workstation losing trust with the Windows domain, you can use the command line tool nltest.exe right before imaging. It changes the machine password on demand, so you know for sure that the image can be restored for at least 30 days after its creation:

Nltest.exe /sc_change_pwd:dom.local


Initiating a password change right before the backup

We cannot change the fact that the machine account passwords inside system images expire, but we can at least make sure that a restore works without issues within the 30-day period.
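
To make the pre-imaging step verifiable rather than a blind nltest call, here is an added PowerShell example; it is not part of the original article. It assumes an elevated PowerShell 5.1 or later session on a domain-joined machine that can reach a domain controller, uses the placeholder domain name corp.example, and needs no RSAT because it queries AD through [adsisearcher]. It reads the local Netlogon rotation settings (MaximumPasswordAge, DisablePasswordChange), forces the change with nltest /sc_change_pwd as described above, confirms the secure channel still works, and reports from the computer object's pwdLastSet the date until which the image can be restored safely.

```powershell
# Added example, not part of the original article. Assumes an elevated
# PowerShell 5.1+ session on a domain-joined machine that can reach a DC.
# $Domain is a placeholder. No RSAT needed: AD is queried via [adsisearcher].
param([string]$Domain = 'corp.example')   # assumption: your AD domain's DNS name
$ErrorActionPreference = 'Stop'

function Get-MachinePasswordPolicy {
    # Local Netlogon settings that drive rotation: MaximumPasswordAge (days,
    # 30 when the value is absent) and DisablePasswordChange (1 = never rotate).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $age = 30
    if ($null -ne $p.MaximumPasswordAge) { $age = [int]$p.MaximumPasswordAge }
    [pscustomobject]@{
        MaximumPasswordAgeDays = $age
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
    }
}

function Get-MachinePasswordLastSet {
    # pwdLastSet on the computer object is a FILETIME: the AD side's view of
    # when the current machine password was set.
    $filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.Add('pwdLastSet') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD." }
    [datetime]::FromFileTime([int64]$result.Properties['pwdlastset'][0])
}

function Invoke-PreImagePasswordRotation {
    param([string]$Domain)

    $policy = Get-MachinePasswordPolicy
    if ($policy.DisablePasswordChange) {
        Write-Warning 'DisablePasswordChange is set: the image never goes stale, but the machine password never rotates either.'
    }
    $before = Get-MachinePasswordLastSet

    # Rotate now, as the article recommends, so the image's 30-day clock starts today.
    nltest.exe /sc_change_pwd:$Domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "nltest /sc_change_pwd failed with exit code $LASTEXITCODE" }

    # Never image a machine whose secure channel is already broken.
    if (-not (Test-ComputerSecureChannel)) { throw 'Secure channel broken after the change; do not take the image.' }

    $after = Get-MachinePasswordLastSet
    [pscustomobject]@{
        PwdLastSetBefore = $before
        PwdLastSetAfter  = $after
        RestoreSafeUntil = $after.AddDays($policy.MaximumPasswordAgeDays)
    }
}

Invoke-PreImagePasswordRotation -Domain $Domain | Format-List
```

If PwdLastSetAfter still equals PwdLastSetBefore, the LDAP query most likely landed on a domain controller that has not yet replicated the change (the same replication lag the article mentions as a cause of this error); wait for replication or query the DC that nltest /sc_query reports before taking the image. The script only warns about DisablePasswordChange rather than changing it: a machine account that never rotates its password never produces a stale image, but it is also the weaker configuration.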

Restoring the trust relationship

When it comes to restoring the trust relationship, a simple trick is to disconnect the network cable immediately after the backup has been restored, then log on with any administrator account using cached credentials (a cached logon does not need a domain controller). Reconnect the network and re-establish the trust relationship by entering this command in an elevated PowerShell:

reset-computermachinepassword -Credential yourdom\resetaccount


Resetting the machine password

This method will only work if an admin has previously logged on and their credentials are in the cache. The domain account "resetaccount" will not need to be admin on the machine in question, nor be domain admin. However, it needs to hold the privilege to reset machine account passwords on the computer OU (or on that single computer object respectively).
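
The repair route described here, and the PDQ script earlier on this page, can be scripted end to end with a check before and after. The following PowerShell is an added example, not code from PDQ or from the original article. It assumes an elevated PowerShell 5.1 or later session on the affected workstation, logged on as a local administrator, and uses placeholders for the domain name (corp.example) and the credential prompt. It verifies the secure channel before touching anything, repairs it with Test-ComputerSecureChannel -Repair (which, like Reset-ComputerMachinePassword, only needs "Reset password" on the computer object), confirms the result with nltest, and keeps the full unjoin/rejoin as an explicit, reboot-separated fallback.

```powershell
# Added example, not PDQ's or the article's own script. Assumes an elevated
# PowerShell 5.1+ session on the affected workstation, logged on as a LOCAL
# administrator. $Domain and the credential prompt are placeholders.
param(
    [string]$Domain = 'corp.example',   # assumption: your AD domain's DNS name
    [pscredential]$Credential = (Get-Credential -Message 'Domain account with "Reset password" on this computer object')
)
$ErrorActionPreference = 'Stop'

function Show-RecentNetlogonErrors {
    # Diagnostics only. NETLOGON 3210 (could not authenticate with a DC) and
    # 5719 (no DC available) usually accompany a broken secure channel.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Repair-MachineTrust {
    param([string]$Domain, [pscredential]$Credential)

    # 1. Read-only check first: is the secure channel really broken?
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $Domain is healthy; nothing to repair."
        return $true
    }
    Show-RecentNetlogonErrors

    # 2. Non-destructive repair: sets a new machine account password in AD and
    #    in the local LSA secret in one step. The account only needs the
    #    "Reset password" permission on this computer object, not Domain Admin.
    #    Reset-ComputerMachinePassword (the page's script) performs the same reset.
    try {
        Test-ComputerSecureChannel -Repair -Credential $Credential | Out-Null
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
    }

    # 3. Verify with the cmdlet and with nltest, which also names the DC that answered.
    if (Test-ComputerSecureChannel) {
        nltest.exe /sc_verify:$Domain
        return $true
    }
    Write-Warning 'Secure channel still broken; fall back to unjoin/rejoin.'
    return $false
}

function Start-DomainRejoin {
    # Scripted form of the GUI steps: leave to a workgroup, reboot, rejoin.
    # A reboot is mandatory between the two halves, so call this once without
    # -Rejoin, then again with -Rejoin after logging back on locally. If the AD
    # computer object still exists it is reused; otherwise a new one is created.
    param([string]$Domain, [pscredential]$Credential, [switch]$Rejoin)

    if ($Rejoin) {
        Add-Computer -DomainName $Domain -Credential $Credential -Force -Restart
    } else {
        Remove-Computer -UnjoinDomainCredential $Credential -WorkgroupName 'WORKGROUP' -Force -Restart
    }
}

if (-not (Repair-MachineTrust -Domain $Domain -Credential $Credential)) {
    Write-Host 'Next step (reboots the machine): Start-DomainRejoin -Domain $Domain -Credential $Credential'
    Write-Host 'After the reboot, logged on locally: Start-DomainRejoin -Domain $Domain -Credential $Credential -Rejoin'
}
```

The rejoin fallback is deliberately not run automatically: it reboots the machine and, if the computer object had been deleted in the meantime, rejoining creates a new object with a new SID and without the old group memberships, whereas the -Repair path keeps the existing object intact.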

If, however, no admin credentials are in the cache, you can use only a local administrator account. Perhaps you didn't create a local admin account and the built-in administrator account is disabled—what now?

The solution is to boot to the command prompt in WinRE and activate the local administrator account by editing the offline SAM hive. This needs write access to the system volume, so on a BitLocker-protected machine you must unlock the drive with its recovery key first; the same offline edit is exactly what full-disk encryption is there to prevent on a stolen workstation.

To make this easier, you can save the following lines to activate.bat on a USB drive:

REM Load the offline SAM hive of the installed system (adjust the drive letter if WinRE mapped it differently)
reg load HKLM\TEMP c:\windows\system32\config\sam
REM 000001F4 is RID 500, the built-in Administrator; its F value holds the account flags
for /f "tokens=3" %%a in ('reg query HKLM\TEMP\SAM\Domains\Account\Users\000001F4 /v F') do set str=%%a
REM Clear the "account disabled" bit (0x11 -> 0x10); nothing changes if the account is already enabled
set str=%str:2000011=2000010%
reg add HKLM\TEMP\SAM\Domains\Account\Users\000001F4 /v F /t REG_BINARY /d %str% /f
reg unload HKLM\TEMP

This script activates the local administrator account. If you know its password, you are good to go now, but if you don’t, you need to follow this procedure:

At the command prompt, run this command:

reg load HKLM\TEMP c:\windows\system32\config\sam

Open regedit and navigate to this location:

HKLM\TEMP\SAM\Domains\Account\Users\000001F4

Double-click the V-value, navigate to the position in the next screenshot, and replace the following positions marked in yellow with 00.


Before the change

What have we just done? These two values tell the system how long the LM and NT password hashes of the built-in administrator account are; we zeroed them, so the system treats the password as empty.


After the change

Finally, at the command prompt, use:

reg unload HKLM\TEMP

Then restart, log on as the built-in administrator without a password, and reset the machine password. Afterwards, set a strong password on the built-in administrator account and disable it again.


How do you fix the trust relationship between this workstation and primary domain failed?

To resolve this issue, remove the computer from the domain, and then connect the computer to the domain again. Use a local administrator account to log on to the computer.

How do you fix a broken trust relationship within a domain?

The classical way to repair the trust relationship between the computer and the domain:

  1. Reset the computer account in AD.
  2. Move the computer from the domain to a workgroup, logged on as the local administrator.
  3. Reboot.
  4. Rejoin the computer to the domain.
  5. Restart the computer again.

What causes the trust relationship between this workstation and the primary domain failed?

When an AD domain no longer trusts a computer, it is almost always because the password the local computer holds does not match the password stored in Active Directory for its computer object. The two must be in sync for AD to trust the computer.

How do you build a trust relationship with a domain?

This question concerns trusts between two domains, not the machine secure channel discussed above. On Windows NT 4.0 domains it was done as follows:

  1. Log on to domain y as Administrator.
  2. Start User Manager for Domains (Start > Programs > Administrative Tools).
  3. Select "Trust Relationships" from the Policies menu.
  4. Click the Add button next to the Trusting Domains box.
  5. Enter the name of the domain you want to be able to trust you, i.e. domain x.