The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


When a PC lost its trust relationship with a domain controller: “The trust relationship between this workstation and the primary domain failed”

Posted by jpluimers on 2016/10/17

(Don’t ask for details; at a site with Microsoft Data Protection Manager an external company monitoring that DPM didn’t notice various backups – including the domain controller – were months old despite daily tape changes; so then the RAID fell out because multiple disks failed within hours, contingency aftermath took weeks)

When you log on to a client machine and get “The trust relationship between this workstation and the primary domain failed”:

  1. do not rejoin your client machine to the domain
  2. ensure on the client machine:
    1. you can log on without a domain account (any contingency plan should include logging on with a local account, or without a domain controller if you have the – potentially risky – cached domain logon enabled; otherwise you will have to take nastier measures)
    2. you have PowerShell v3 or later on the client machine
  3. on the client machine:
    1. Ensure it’s connected to the same network as the domain controller
    2. Ensure you can ping the domain controller
    3. Test with PowerShell Test-ComputerSecureChannel to see if the connection is indeed lost:
      1. if it returns True then you have a different problem (have not seen this, but just in case: this blog post won’t solve that)
      2. if it returns False, then continue with the next step
    4. Run PowerShell Test-ComputerSecureChannel -Repair and check if the output is True (when False there )
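The steps above as one script; this is an added example, not code from the original post. It assumes an elevated Windows PowerShell session on the client under a local account, and the `$DomainController` parameter and the use of `-Server` and `-Credential` are assumptions the post does not mention.

```powershell
# Added example (not from the original post). Run elevated on the affected
# client while logged on with a local account.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainController   # assumption: host name of a reachable DC
)

# Step 2.2: PowerShell v3 or later is required.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell v3 or later is required; found $($PSVersionTable.PSVersion)."
}

# Steps 3.1 and 3.2: the client must reach the domain controller.
if (-not (Test-Connection -ComputerName $DomainController -Count 2 -Quiet)) {
    throw "Cannot ping $DomainController; fix network connectivity first."
}

# Step 3.3: True means the secure channel is fine and the problem lies elsewhere.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Output "Secure channel is healthy; the logon failure has another cause."
    return
}

# Step 3.4: repair the channel. A local logon has no domain identity, so a
# domain account allowed to reset this computer's account is supplied here
# (assumption: prompting interactively is acceptable).
$credential = Get-Credential -Message "Domain account for the secure channel repair"
$repaired = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $credential
if (-not $repaired) {
    throw "Test-ComputerSecureChannel -Repair returned False."
}

# Confirm the result with a fresh test instead of trusting the repair output alone.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Output "Secure channel repaired; log off and log on with a domain account."
} else {
    throw "Repair reported success but the secure channel still tests False."
}
```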

Note there are various posts suggesting to use PowerShell Reset-ComputerMachinePassword and netdom.exe resetpwd /s:dc-hostname.domain /ud:domainadminusername /pd:*. Though those are faster than rejoining the domain, PowerShell Test-ComputerSecureChannel is even faster and easier.


