The trust relationship between this workstation and the primary domain failed
Fixing "The Trust Relationship Between This Workstation and the Primary Domain Failed"
This error typically appears when a workstation joined to an Active Directory (AD) domain can no longer authenticate with the domain controller. It is caused by a mismatch between the machine account password stored locally on the computer and the one stored in AD; the two are normally synchronized every 30 days.
Common Causes
- The device has been offline from the domain for over 30 days.
- The computer account was deleted or reset in AD.
- A different machine with the same name was added to the domain.
- The machine was restored from an old image or backup.
- Domain controller replication issues.
Symptoms
- Users cannot log in using domain credentials.
- Only local accounts can sign in.
- Error message: "The trust relationship between this workstation and the primary domain failed."
How to Fix It
Option 1: PowerShell (No Reboot Required)
If you have local admin rights, this is the fastest fix:
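```powershell
# Get-Credential prompts for a domain account that is allowed to reset this computer's account.
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```
Alternatively:
```powershell
# Replace <DomainController> with the name of a reachable domain controller.
Reset-ComputerMachinePassword -Server "<DomainController>" -Credential (Get-Credential)
```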
These commands reset the machine password in AD and re-establish the trust.
Option 2: Traditional GUI Method
If PowerShell is unavailable or fails:
- Log in using a local admin account.
- Open System Properties (Win+R → `sysdm.cpl`).
- Change the computer to a workgroup and restart.
- Rejoin the domain and restart again.
Option 3: PowerShell Unjoin/Rejoin
Advanced admins can automate the process:
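```powershell
# "Domain", "AdminAccount" and "AdminPW" are placeholders; do not save a real password in a script file.
$computer = Get-WmiObject Win32_ComputerSystem
# Arguments: password, user name, unjoin options (0 = default, the AD computer account is not disabled)
$computer.UnjoinDomainOrWorkGroup("AdminPW", "AdminAccount", 0)
# Arguments: domain, password, user name, OU ($null = default), join options (3 = join domain + create account)
$computer.JoinDomainOrWorkGroup("Domain", "AdminPW", "AdminAccount", $null, 3)
Restart-Computer -Force
```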
Extra Troubleshooting
- Check connectivity to the domain controller (`ping`, `ipconfig`).
- Verify the computer account exists and is enabled in AD.
- Check for duplicate device names or SIDs.
- Make sure system clocks are in sync (Kerberos is time-sensitive).
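The connectivity, clock and computer-account checks above can be run as one read-only pass before attempting a repair. This is an added example, not part of the original page; it assumes an elevated Windows PowerShell 5.1 session under a local admin account, and the optional last step assumes the RSAT ActiveDirectory module and a domain credential entered at the prompt.

```powershell
# Added example: read-only pre-repair checks. Nothing here changes the machine or AD.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# 1. Locate a domain controller through the DNS SRV record that domain members use.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
if (-not $srv) { Write-Warning "No DC SRV record for $domain; fix DNS/network first."; return }
$dc = $srv.NameTarget

# 2. Connectivity: LDAP (389) and Kerberos (88) on the DC must be reachable.
$ports = foreach ($p in 389, 88) {
    $r = Test-NetConnection $dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
}

# 3. Clock offset against the DC; Kerberos tolerates 5 minutes of skew by default.
$line = w32tm /stripchart /computer:$dc /samples:1 /dataonly |
    Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
$skew = if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }

# 4. Secure channel state: the same test that -Repair acts on, without repairing.
$channelOk = Test-ComputerSecureChannel -Server $dc

# 5. Optional: is the AD computer object present and enabled, and when was its password set?
$adObject = $null
if (Get-Module -ListAvailable ActiveDirectory) {
    $adObject = Get-ADComputer $env:COMPUTERNAME -Server $dc -Credential (Get-Credential) `
        -Properties Enabled, PasswordLastSet | Select-Object Enabled, PasswordLastSet
}

[pscustomobject]@{
    Domain            = $domain
    DomainController  = $dc
    PortsOpen         = ($ports | Where-Object Open).Port -join ','
    ClockSkewSeconds  = $skew          # $null means the DC did not answer the time query
    SecureChannelOk   = $channelOk
    AdEnabled         = $adObject.Enabled
    AdPasswordLastSet = $adObject.PasswordLastSet
}
```

If `SecureChannelOk` is false while the ports are open, the skew is small and the AD object is enabled, the machine password mismatch is the likely cause and the repair commands apply.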
Prevention Tips
- Ensure devices regularly connect to the domain.
- Avoid restoring old backups without resetting trust.
- Use Sysprep before imaging to prevent SID conflicts.
Summary
This is a common AD trust issue. If possible, use the PowerShell `Test-ComputerSecureChannel -Repair` command. If not, rejoin the domain via the GUI. Always check network access and ensure the AD computer object is active before attempting fixes.