The trust relationship error (domain <--> client PC)

  • Question

  • Hi all!

    We have a problem with one of our clients: "The trust relationship between this workstation and the primary domain failed." It's a Windows Server 2012 environment.

    We found many solutions that say "remove the client from the domain, and then rejoin", but is there any permanent solution which works and does not require removing the client from the domain?


    Friday, September 19, 2014 2:50 PM

Answers

  • Hi,

    The simplest resolution would be to unjoin the computer from the domain and rejoin the computer account to the domain.

    There might be multiple reasons for this kind of behavior. Here are a few of them:

    1. A single SID has been assigned to multiple computers.
    2. The secure channel is broken between the domain controller and the workstation.
    3. There is no SPN or DNS host name in the computer account attributes.
    4. Outdated NIC drivers.

    When a computer account is joined to the domain, the secure channel password is stored with the computer account on the domain controller. By default this password changes every 30 days (this is an automatic process; no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.

    If there are problems with system time, DNS configuration or other settings, the secure channel password between the workstation and the DCs may fall out of sync.

    A common cause of a broken secure channel [machine account password] is that the secure channel password held by the domain member does not match the one held by AD. Often this is caused by performing a Windows System Restore (or reverting to a previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to AD.


    The link below explains the typical symptoms when the secure channel is broken:

    Typical Symptoms when secure channel is broken

    http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

    For detailed information, please refer to the link below:

    Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed

    http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx

    Best Regards.



    Steven Lee

    TechNet Community Support


    • Edited by Steven_Lee0510 Tuesday, October 7, 2014 5:42 AM
    • Marked as answer by eXHeLp Friday, October 10, 2014 7:05 AM
    Tuesday, October 7, 2014 5:42 AM
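The answer above explains the mechanism (machine account password on the client vs. the one stored on the computer object in AD) but only offers unjoin/rejoin as the fix. The script below is an added example, not code from either poster, showing how a practitioner would check the items listed in the answer (time, DNS, DC discovery, secure channel state) and then reset the machine account password in place so the client does not have to leave the domain. The domain name contoso.local, the DC name DC01.contoso.local and the admin account are placeholders. It is run in an elevated PowerShell session on the affected client while logged on with a local administrator account, since domain logon fails while the channel is broken.

```powershell
# Added example (not part of the original thread): diagnose and repair a broken
# secure channel in place, without unjoining the workstation from the domain.
# Run elevated on the affected client, logged on with a LOCAL administrator.
# Placeholders: replace contoso.local and DC01.contoso.local with your own names.

$Domain = 'contoso.local'
$DcName = 'DC01.contoso.local'

# 1. Prerequisites named in the answer: time and DNS.
#    Kerberos rejects tickets when clock skew exceeds 5 minutes by default.
w32tm /query /status
#    The client finds DCs via this SRV record; no answer here means no DC discovery.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Format-Table Name, NameTarget, Port
#    Ask Netlogon directly whether it can locate a DC for the domain.
nltest /dsgetdc:$Domain

# 2. Current state of the secure channel as Netlogon sees it.
nltest /sc_query:$Domain
nltest /sc_verify:$Domain

# 3. Non-destructive test. $false means the machine account password on this
#    box no longer matches the one stored on the computer object in AD.
$ok = Test-ComputerSecureChannel -Server $DcName -Verbose

if (-not $ok) {
    # 4. Repair in place. This sets a new machine account password on BOTH the
    #    client and the DC, which is the part of a rejoin that actually matters,
    #    while keeping the computer object, its SID, group memberships, GPO
    #    filtering and the users' local profiles intact. The account supplied
    #    must be allowed to reset the password on the computer object
    #    (for example a Domain Admin).
    $cred = Get-Credential -Message "Domain account allowed to reset $env:COMPUTERNAME"
    Test-ComputerSecureChannel -Repair -Server $DcName -Credential $cred -Verbose

    # Equivalent explicit reset, if preferred:
    #   Reset-ComputerMachinePassword -Server $DcName -Credential $cred
    # Or with the classic tool (prompts for the password):
    #   netdom resetpwd /server:$DcName /userd:CONTOSO\admin /passwordd:*

    # 5. Verify, then reboot so Netlogon re-establishes the channel cleanly.
    if (Test-ComputerSecureChannel -Server $DcName) {
        Write-Host 'Secure channel repaired. Reboot and log on with a domain account.'
    } else {
        Write-Warning 'Repair failed. Check on a DC that the computer object exists, is enabled, and has servicePrincipalName/dNSHostName populated (item 3 in the answer), e.g.:'
        Write-Warning "  Get-ADComputer -Identity $env:COMPUTERNAME -Properties Enabled,PasswordLastSet,servicePrincipalName,dNSHostName"
    }
}
```

If the error keeps coming back after a repair, PasswordLastSet on the computer object (from the Get-ADComputer call in the warning above, run on a DC with the ActiveDirectory module) tells you whether the client is being rolled back past a rotation: a value that jumps forward roughly every 30 days while the client keeps failing points at a restore, snapshot or image that reverts the locally stored password, exactly the case the answer describes. The "registry fix" mentioned in the other reply is the Netlogon setting HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1 (the same thing as the GPO "Domain member: Disable machine account password changes"). It stops the rotation and therefore the mismatch, but it also leaves the machine account password static indefinitely, so it is a trade-off to make deliberately for machines that are reverted on purpose, not a default.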

All replies

  • Hi,

    You will need to remove the machine from the domain and join it back. I have seen lots of this happening, especially when machines are cloned.

    There is a registry fix you can try but it is quicker doing the above.


    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Steven_Lee0510 Tuesday, October 7, 2014 5:42 AM
    Friday, September 19, 2014 3:03 PM
  • I was in a hurry and forgot to write that this happens when I try to log in to the PC. The machines aren't cloned; they are totally different machines, and this error comes randomly. :/
    We have already set up a lot of things on these PCs because they are accountants' PCs, so first of all we want to try to solve it without this domain thing.

    • Edited by eXHeLp Sunday, September 21, 2014 3:39 PM
    Sunday, September 21, 2014 3:34 PM