All too often I see people taking the wrong corrective action whenever they encounter the “The trust relationship between this workstation and the primary domain failed” error, and it seems that even some Microsoft documentation gives bad advice here. If you get this error, use one of the proper resolution methods below instead of the lengthy and wrong “join a workgroup, then join the domain again” approach.
If you work with multiple VMs joined to a domain and play with snapshots, you will very likely run into this error at some point. Here is the screen shot:
This error is caused by the fact that the secure channel for your computer account is broken. All computers joined to a domain have a SID along with their own “username” and password, although you never touch or input those things in any explicit way. The un-join and re-join procedure will create a new SID for your computer, which may not be what you want. When you log on to the domain with a user name and password the secure channel is established, but it can be broken in the following scenarios:
- The machine was offline for more than 30 days since the last computer password reset (the reset happens automatically approximately every 30 days while the machine is online)
- The OS was reinstalled (this process creates a new machine SID)
- The LSA on the machine is out of sync
The key thing to remember when you get this issue is to never join a workgroup and then the domain again, as this process creates a new SID and your machine will lose all its group memberships (if it had any, of course).
The right fixes:
- ADUC > Reset Computer, then rejoin the machine to the domain
- dsmod computer -reset, then rejoin: dsmod computer "cn=COMPUTER-NAME,ou=Computers,dc=domain,dc=com" -reset
- nltest (no rejoin or reboot required): nltest /server:COMPUTER_NAME /sc_reset:domain\domain_controller_name
- The PowerShell way: Test-ComputerSecureChannel -Repair (no rejoin or reboot required)
I strongly recommend remembering option 4. So if you see “The trust relationship between this workstation and the primary domain failed”, you know that the secure channel is broken; just log on as a local administrator on this machine and run this:
Test-ComputerSecureChannel -Repair -Credential DOMAIN\User
Once done, log off your local user and log back on using domain credentials. Problem solved!
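Here is the same repair wrapped in a small script, added as an example (it is not part of the original post). It first checks the secure channel without changing anything, repairs it in place only when the check fails, and then re-verifies with nltest so you can confirm the fix without a rejoin or reboot. The account name DOMAIN\User is a placeholder, and the script assumes only built-in Windows tooling (Test-ComputerSecureChannel, Get-Credential, nltest.exe) run from an elevated PowerShell session while logged on as a local administrator.

```powershell
# Added example (not from the original post): check the computer account's secure channel
# and repair it only when the check fails. Uses only built-in cmdlets and nltest.exe.
# Run from an elevated PowerShell session while logged on as a local administrator.

param(
    # Domain account allowed to reset this computer's account password.
    # 'DOMAIN\User' is a placeholder; supply your own.
    [string]$RepairAccount = 'DOMAIN\User'
)

# The domain this machine is joined to. $env:USERDOMAIN would return the computer
# name when logged on as a local user, so read the joined domain from WMI instead.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

# Step 1: verify the secure channel without changing anything.
# Test-ComputerSecureChannel returns $true when the channel to a DC is healthy.
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host "Secure channel to $domain is intact; nothing to repair."
    return
}

# Step 2: the channel is broken (the classic 'trust relationship ... failed' state).
# Repair it in place: this resets the computer account password on the DC and locally
# while keeping the existing computer SID and group memberships. No rejoin, no reboot.
$cred = Get-Credential -UserName $RepairAccount -Message 'Domain account used to repair the secure channel'
$repaired = Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

# Step 3: confirm the fix from a second angle. nltest /sc_query reports the DC the
# secure channel is currently established with and its status.
if ($repaired -and (Test-ComputerSecureChannel)) {
    Write-Host "Secure channel to $domain repaired and re-verified."
    & nltest.exe /sc_query:$domain
} else {
    Write-Warning 'Repair failed: check that a DC is reachable and that the account can reset the computer object. Do not fall back to leaving and rejoining the domain.'
}
```

Running the script on a healthy machine is harmless because the repair path is only taken when the initial check returns $false, which makes it safe to schedule or run from a management tool against VMs restored from old snapshots.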