Windows 10: Trust Relationship failed

When a user tries to log in to a workstation or server with domain account credentials, after entering the username and password they might receive:

The trust relationship between this workstation and the primary domain failed

Or the error may look something like:

The security database on the server does not have a computer account for this workstation trust relationship

Obviously something went wrong, or someone reset or changed the password of this trust, i.e. your computer account. One of the things people mostly tend to do is re-install the computer. In normal circumstances this is not necessary at all.

The fix

  1. Disable your wireless and remove any network cables.

  2. Log in as a local administrator to your computer.

  3. Enable network connectivity again once you are in.

  4. Start an elevated PowerShell window and execute this command:

     Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

       • Server – name of any domain controller
       • Credential – user with domain admin permissions

     Or:

     Test-ComputerSecureChannel -Repair -Credential Domain\Admin

  5. A credential window will appear in which you should provide the credentials of a domain administrator, or of a user account with privileges to change computer passwords and/or add computer accounts.

  6. If everything went fine, you get no message.

  7. Reboot or try to log in again.

Background

When you join your computer to an Active Directory domain, a so-called computer account is created for your device, and it receives a password (just like a regular user). The trust relationship at this level is established by the fact that the join is performed by a domain administrator or another user with the appropriate permissions.

Each time a computer logs in to the AD domain, it establishes a secure channel with the closest domain controller and sends its credentials. A trust is established between the computer and the domain, followed by further interaction such as applying administrator-defined security policies.

By default, the computer account password is valid for 30 days and is changed automatically. It is important to understand that the rotation interval is defined by the domain's group policies, similar to the user password change process.

Computer accounts do not have password expiry like other accounts in Active Directory. Computers using Netlogon automatically change the password during the next domain logon if it is older than 30 days. The computer first changes its password at the domain controller and, after success, updates its local password.
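The following script is an added example, not part of the original article, that combines the repair step from the fix above with the password-rotation background: it checks whether the secure channel is healthy, reads the computer account's pwdLastSet from AD and the locally configured rotation interval, and only runs the same Test-ComputerSecureChannel -Repair step when the channel is actually broken and you ask for it. The function name Test-MachineAccountHealth is hypothetical; it assumes an elevated session on a domain-joined Windows host.

```powershell
function Test-MachineAccountHealth {
    [CmdletBinding()]
    param(
        [System.Management.Automation.PSCredential] $Credential,  # account allowed to reset computer passwords
        [switch] $Repair
    )

    # 1. Is the secure channel to a domain controller currently healthy?
    $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    # 2. Age of the computer account password as recorded in AD (pwdLastSet is a FILETIME as Int64).
    #    The LDAP query runs in the current user's context, so it can fail when you are logged on
    #    with a local account while the trust is broken; report $null instead of aborting.
    $pwdLastSet = $null
    try {
        $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
        $entry = $searcher.FindOne()
        if ($entry) { $pwdLastSet = [DateTime]::FromFileTimeUtc([long]$entry.Properties['pwdlastset'][0]) }
    } catch { Write-Verbose "AD lookup failed: $($_.Exception.Message)" }
    $ageDays = if ($pwdLastSet) { [int]((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays }

    # 3. Configured rotation interval: Netlogon's MaximumPasswordAge, written by the
    #    "Domain member: Maximum machine account password age" policy; default is 30 days.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAge = (Get-ItemProperty -Path $netlogon -Name MaximumPasswordAge -ErrorAction SilentlyContinue).MaximumPasswordAge
    if (-not $maxAge) { $maxAge = 30 }

    # 4. Repair only when the channel is actually broken and the caller asked for it.
    $repaired = $null
    if (-not $channelOk -and $Repair) {
        if (-not $Credential) { $Credential = Get-Credential -Message 'Domain admin or delegated account' }
        $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SecureChannelOk    = $channelOk
        PasswordLastSetUtc = $pwdLastSet
        PasswordAgeDays    = $ageDays
        MaxPasswordAgeDays = $maxAge
        RepairAttempted    = [bool]($Repair -and -not $channelOk)
        RepairSucceeded    = $repaired
    }
}

# Report only:        Test-MachineAccountHealth -Verbose
# Check and repair:   Test-MachineAccountHealth -Repair -Credential (Get-Credential 'DOMAIN\admin')
```

A password age well past MaxPasswordAgeDays with a healthy channel usually means the machine was offline or password changes are disabled by policy; a broken channel with a recent pwdLastSet points at the account having been reset or the computer restored from an older image.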

Author: Angelique Dawnbringer
Published: 2019-05-30 16:04:00
Keywords:
  • Microsoft Windows 10
  • Active Directory
  • Trust Relationship failed
Modified: 2019-05-30 16:30:42