How can I get the Trust Relationship to the domain to stop failing?

13

6

I just installed Windows 10. I was part of a domain. When I try to log in I get,

"The trust relationship between this workstation and the primary domain failed."

Since I do not remember my local accounts, am I left with resetting the local administrator password with a third-party tool such as the Offline Windows Password & Registry Editor and rejoining the domain or using netdom on the client?

Is there another way to make the trust relationship come back?

edit: I have tried to reset the machine account in Active Directory Users and Computers. Same error. (yes, I rebooted).

johnny

Posted 2015-07-30T17:47:18.093

Reputation: 1 783

I changed the suggested edits, partially. I believe it is relevant to put the Pogostick link so it is clear what I mean by resetting. That I need a third party tool such as that. – johnny – 2015-07-30T17:58:08.817

possible duplicate of Re-joining a computer to domain – Ƭᴇcʜιᴇ007 – 2015-07-30T18:11:26.560

AFAIK (and as the answers in the marked possible dupe seem to also concur) the only way to rebuild that trust is to dis-join the computer from the domain, delete its AD account, and then re-join. – Ƭᴇcʜιᴇ007 – 2015-07-30T18:14:37.247

1

You might look into Reset-ComputerMachinePassword – Ben N – 2015-12-28T22:55:32.360

1

The answers all show how to fix the broken trust/domain-relationship, however I'm curious if anyone wants to answer WHY THIS HAPPENS as asked by @johnny in the title? – gregg – 2019-07-11T19:12:35.997

Answers

15

You can fix this without removing/rejoining the domain if:

A) You have a local admin account on the machine that you know the password for, or

B) You have logged in to the machine with a domain account with admin credentials in the past.

If A, just log in with the local admin credentials and then proceed to the next part. If B, disconnect the network cord, disable wireless, etc., and then log in as your local admin domain account.

Open PowerShell and run the following commands:

$credential = Get-Credential

Enter a domain admin account.

Reset-ComputerMachinePassword -Server DomainControllerName

This command will reset the machine password with the domain controller and you should be able to resume normal domain network access now.

I found this solution here and found it has worked multiple times: https://community.spiceworks.com/how_to/108912-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed

music2myear

Posted 2015-07-30T17:47:18.093

Reputation: 34 957

And maybe you know how you would do this remotely using a domain admin account, for the case of if you don't have access to the local admin account, and the server is a VM, so you can't unplug the network cable? – vapcguy – 2017-08-03T18:45:15.403

Being a VM shouldn't make a difference. Both HyperV and ESXi are capable of virtually disconnecting network cables. Remote access generally assumes some domain communication in most cases and so may not work, though if you have access to the hypervisor you'll have console access which is the same as physical access when dealing with VMs. However, as clearly stated in my answer, you do need an admin account which is recognized by the faulty computer. The two cases (knowing a local admin account, knowing a domain account with admin rights) are both dealt with in my answer. – music2myear – 2017-08-03T18:54:37.013

Fortunately I found this... https://superuser.com/questions/555297/re-joining-a-computer-to-domain?noredirect=1&lq=1 – vapcguy – 2017-08-04T22:55:54.033

1

Running those two commands as detailed above failed for me. Combining them fixed the trust relationship! Reset-ComputerMachinePassword -Server DomainControllerHostName -Credential DomainAdmin@domain.com – gregg – 2019-07-11T19:06:22.713

17

I can't comment on the solution provided by music2myear, however there seems to be another step to the process. In the comments below the article linked in music2myear's answer, a more complete answer is provided.

Open PowerShell and run the following commands:

$credential = Get-Credential

Enter a domain admin account.

Reset-ComputerMachinePassword -Server DomainControllerName -Credential $credential

I was not able to get my issue resolved until providing the credential as the last parameter.

As another note, I assumed my domain controller to be, well, the domain name (i.e. MyDomain.local), however for the DomainControllerName, I had to provide the Computer/Host Name of the domain controller.

Aaron St. Clair

Posted 2015-07-30T17:47:18.093

Reputation: 181

Thanks for the clarification. I don't know if a different powershell version might automatically use the $credential argument stored previously, but your method is more explicit and should work in more cases. – music2myear – 2016-09-29T15:42:47.007

The Domain Controller (DC) is not the same as the Domain Name (DN). The DC is the computer (or one of the computers) with the DC role in a Windows network with a domain. The DN is the name given to that domain when you set it up. – music2myear – 2016-09-29T15:48:30.300

1

@music2myear Careful using the acronym "DN". The real "DN", as it relates to AD, actually means distinguishedName and that looks like CN=servername,DC=domain,DC=com. Totally different. But your comment is correct. – vapcguy – 2017-08-03T18:48:24.303
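Added example, not part of any post above: the two answers' steps combined into one function that checks the secure channel first, resets the machine password with the credential passed explicitly, and then verifies the result. It assumes an elevated Windows PowerShell 5.1 session on the affected machine; the function name `Repair-MachineTrust` and the host name `DC01` are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the machine whose trust relationship has failed.

function Repair-MachineTrust {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Host name of a domain controller, not the domain name
        [Parameter(Mandatory)] [string] $DomainController,

        # Domain account allowed to reset this computer's account password
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Domain this machine believes it is joined to, e.g. MyDomain.local
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    if ($DomainController -ieq $domain) {
        throw "'$DomainController' is the domain name; pass the host name of a domain controller instead."
    }

    # Check the secure channel against that DC before changing anything
    if (Test-ComputerSecureChannel -Server $DomainController) {
        Write-Output "Secure channel to $DomainController is already healthy; nothing to do."
        return
    }

    # Reset the machine account password, supplying the credential explicitly
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential -ErrorAction Stop

    # Confirm that the trust relationship is back
    if (-not (Test-ComputerSecureChannel -Server $DomainController)) {
        throw "Secure channel to $DomainController is still broken after the reset."
    }
    Write-Output "Secure channel to $DomainController repaired."
}

# Usage (DC01 is a placeholder host name):
# Repair-MachineTrust -DomainController 'DC01' -Credential (Get-Credential)
```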

1

I had a similar issue after upgrading a machine to Windows 10, although I knew the local admin password! In my case, I thought that renaming the computer to get a new AD account for it would solve it, (as this is often sufficient when a VM drops out due to reverting a snapshot) but it did not work for this case.

The solution was a full removal of the computer from the domain, reboot, join back in, and reboot again.

tim

Posted 2015-07-30T17:47:18.093

Reputation: 11