daknetworks.com

You are here: Blog The Trust Relationship Between This Workstation and the Primary Domain Has Failed

The Trust Relationship Between This Workstation and the Primary Domain Has Failed

The Trust Relationship Between This Workstation and the Domain Has Failed

Reset-ComputerMachinePassword

Just as a USER-ACCOUNT is an object in AD, a COMPUTER-ACCOUNT is an object in AD. This has a password but the password isn't working. Let's reset the password.

  • $credential = Get-Credential
    (enter the domain admin account when prompted)
  • -type: Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

Test-ComputerSecureChannel

Now, let's test the secure channel

  • -start > programs > powershell (as administrator)
  • -type: Test-ComputerSecureChannel

It will come back either TRUE or FALSE. If it's false, let's try and repair it.

  • -login to localadmin-account on local system and type: Test-ComputerSecureChannel -repair
  • -if that didn't work, try: Test-ComputerSecureChannel -Repair -Credential
    (Use the username/password of the domain admin account)
  • -if you need to run remotely: Invoke-Command -ComputerName REMOTE-COMPUTER-NAME-HERE -ScriptBlock { Test-ComputerSecure Channel } -Credential (Get-Credential -UserName 'admin-here' -Message 'User')
  • -if you need a one-liner: Test-ComputerSecureChannel -Repair -Credential (New-Object System.Management.Automation.PSCredential 'domain\adminaccounthere',(convertto-securestring $('password-here') -asplaintext -force))

What I usually find is that I can't run the commands remotely because the trust is broken. And when I run locally, it simply runs "False."

So I copy a powershell script onto the computer with the file name rejoin-domain.ps1

==================
$computer = Get-WmiObject Win32_ComputerSystem
$computer.UnjoinDomainOrWorkGroup("password-here", "administrator", 0)
$computer.JoinDomainOrWorkGroup("domain.tld", "password-here", "administrator", $null, 3)
Restart-Computer -Force
==================

Then run the powershell through a remote command line like this:
powershell c:\path-to-file\rejoin-domain.ps1

Netdom

An older way of fixing this was with NETDOM

-type: netdom reset computer /domain:domainname /userd:domainadmin /passwordd:password

What Lead Me Here

I found out the relationship failed by:

  • -right-click a folder that is a shared folder for a group on the domain.
  • -click properties
  • -click security tab (at the top)
  • -click advanced button (at the bottom)
  • -effective-access tab
  • -select a user
  • -click VIEW-EFFECTIVE-ACCESS

Contact Dak Networks

Please contact us at the following.