"The trust relationship between this workstation and the primary domain failed"

    Question

  • I have one DC with Windows Server 2008 R2, named abc.com, and one of my domain members (2008 R2), named Client1.abc.com, is connected to this domain. When I tried to log in on Client1.abc.com with the credential abc.com\administrator, I get the following error: "The trust relationship between this workstation and the primary domain failed". I cannot rejoin this machine to the domain because this machine is a SharePoint-hosted server, so what would be a good solution? Please help me.


    Sanjibk MCSE

    Thursday, March 01, 2012 10:21 AM

Answers

  • Hi,

    This problem should be caused by the computer's machine account having the incorrect role, or by its password having become mismatched with that of the domain database. You can log on locally as local administrator. In the Network tool of Control Panel, select Change and enter a Workgroup name, leaving the domain. Restart the computer and log on locally as a local administrator.

    Based on the current situation, please confirm with SharePoint forum to check if the SharePoint Server can rejoin the domain.

    SharePoint Products and Technologies
    http://social.technet.microsoft.com/Forums/en-US/category/sharepoint/

    There are two methods to rejoin the domain:

    • You can join the domain from the client if at the same time you can provide an administrator username and password on the domain.
    • You can delete the existing computer account in Server Manager, recreate the computer account, synchronize the domain, and then on the client rejoin the domain.

    For details, you can refer to:
    Trust Relationship Between Workstation and Domain Fails
    http://support.microsoft.com/kb/162797

    If it does not work, I also would like to suggest you reset the member security channel by using the following command:
     
    netdom reset 'machinename' /domain:'domainname'

    For more information, please also read the following Microsoft KB article:

    Resetting computer accounts in Windows
    http://support.microsoft.com/kb/216393

    Regards,


    Arthur Li

    TechNet Community Support

    Thursday, March 01, 2012 1:08 PM
    Moderator
  •  "The following error occured attempting to join domain "abc.com":
    The Network path was not found." I am sure this problem is not from DNS because my DNS is on the same machine where I installed AD, and I can ping this server from my workstation. I did an nslookup against this server and got all of the server's information successfully. All firewalls are off on both server and workstation. In my scenario, where am I wrong?

    Hi,

    • Make sure that your DNS is configured properly and verify your SRV records.
    • Turn off the firewall on both sides or manually allow the client computer to access your server.
    • Temporarily disable any antivirus application running on the DC or server.
    • Perform a DCDIAG test on the domain controller to check for any errors.
    • A multihomed DC is not recommended; being a VPN server, or even simply running RRAS, makes it multihomed.
    • If multiple NICs are present on the DC, disable the unused NICs.
    • Check the NIC binding on the member server as well as on the DC.

    Perform above steps and let us know the result.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 02, 2012 10:00 AM
  • Now I am able to join that machine to the domain. Thanks, Abhijit: there was an error in the NIC binding, and when I corrected it, I added that machine to the domain. Thank you all. But that machine is a SharePoint 2010 hosted machine, and I am having trouble accessing my SharePoint administration page; I am looking for how to solve it.

    Sanjibk MCSE

    You are welcome, Sanjibk.

    You may ask the sharepoint related question in SharePoint Forum. Here is a link: http://social.msdn.microsoft.com/Forums/pl-pl/category/sharepoint


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 06, 2012 10:24 AM

All replies

  • Restart the server and then try again.
    Post the update...

    Gulab Prasad,
    MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
    MCITP: Lync Server 2010 | MCITP: Windows Server 2008
    My Blog | Z-Hire Employee Provisioning App

    Thursday, March 01, 2012 11:41 AM
  • Sanjibk;

    Are you using Windows Server "8" Beta or are you using Windows 2008 R2?  I just want to make sure you're posting in the proper forum.


    --Joseph [MSFT] http://blogs.technet.com/b/joscon/

    Thursday, March 01, 2012 1:08 PM
  • Take a look at below hotfix.

    A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer

    http://support.microsoft.com/kb/979495


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, March 01, 2012 1:22 PM
    Moderator
  • Why can't you rejoin the machine to the domain?  The system has lost its account password; this happens from time to time, and you should be able to rejoin this machine to the domain.  Even though, when you are local, it asks you to restart the machine after you modify the domain membership, you should be able to leave the domain and rejoin the domain w/o rebooting.

    You should also be able to reset the secure channel (password) via netdom
    http://www.howtonetworking.com/vista/resetsecurechannel.htm

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, March 01, 2012 1:24 PM
    Moderator


  • Did you verify the SPN on this machine?  Follow this procedure - http://portal.sivarajan.com/2010/05/workstation-trust-relationship-issue.html



    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.

    Thursday, March 01, 2012 4:59 PM
  • Since this is a Win2008R2 client, open a PowerShell console (as administrator) on the client and run the cmdlet: Test-ComputerSecureChannel -repair

    It might bring you back.

    Thursday, March 01, 2012 8:38 PM
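
The check-then-repair sequence suggested in the post above, as an added example that is not part of the thread. It assumes Windows PowerShell 3.0 or later (needed for `-Credential`), an elevated session on the affected member, and a hypothetical domain controller name `dc01.abc.com`.

```powershell
#requires -Version 3.0
# Added example, not from the thread: verify the machine-account secure channel and
# repair it in place, so the computer object (and its SID) in AD is kept.
# Assumptions: run elevated on the affected member; 'dc01.abc.com' is a hypothetical
# DC name in the thread's abc.com domain.

function Repair-SecureChannel {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,
        [Parameter(Mandatory)] [pscredential] $Credential   # domain account allowed to reset the computer password
    )

    # 1. Read-only check: returns $true when the local machine password still
    #    matches the one stored on the computer object in AD.
    if (Test-ComputerSecureChannel -Server $DomainController) {
        return 'Healthy'
    }

    # 2. Repair in place. Without -Credential the cmdlet uses the logged-on user,
    #    which is a local account when domain logon is already failing.
    try {
        $repaired = Test-ComputerSecureChannel -Repair -Server $DomainController `
                        -Credential $Credential -ErrorAction Stop
        if ($repaired) { return 'Repaired' }
    }
    catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
    }

    # 3. Fallback: set a new machine password on both sides explicitly.
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential -ErrorAction Stop
    if (Test-ComputerSecureChannel -Server $DomainController) { 'PasswordReset' } else { 'StillBroken' }
}

# Prompt for the domain credential instead of embedding a password in the script.
$cred = Get-Credential -Message 'Domain account with rights on the computer object'
Repair-SecureChannel -DomainController 'dc01.abc.com' -Credential $cred

# On PowerShell 2.0 (the Windows Server 2008 R2 default) -Credential is not available;
# the netdom equivalent, run locally on the member, is:
#   netdom resetpwd /s:dc01.abc.com /ud:abc\administrator /pd:*
```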
  • My friend, you can try:

    1) Open the Active Directory Users & Computers console and go to Computers, where you will have your client1 computer.

         (a) Right-click, choose Reset, and try to log on to the client computer now.

         (b) In the properties of the computer account (client1) there is a Delegation tab, where you need to select "Trust this computer for delegation to any service (Kerberos only)".

         (c) Delete this computer account and manually create the computer account with the same name one more time.

         (d) Go to the client computer and log on as local administrator, rename the computer and restart it. After the restart completes, you can now try to log on as domain / enterprise administrator.

         (e) Dejoin the computer from the domain and rejoin it back to the domain.

    Once you dejoin and rejoin the computer with a new name, it works. Actually, I have already faced the same problem many times. So finally you can dejoin the computer from the domain and rejoin it back to the domain; it starts to work. That's the final step, but before you do the last step (e):

    Try all the above steps. Otherwise, finally, you can use step (e). It will work.


    Kamal Sharma

    Friday, March 02, 2012 4:00 AM
  • I tried many of the techniques given by you all, but I am unable to establish the trusted connection between my AD server and my workstation. I did the following.

    1. I used the netdom utility to reset the user account.

    2. Disabled my computer in AD Users and Computers, and re-enabled it.

    3. I checked the computer secure channel from PowerShell; it gave me the result True, and when I used the -repair switch it gave me an access denied error.

    Finally I decided to go through the disconnect-from-domain and rejoin process. Actually my workstation is on Hyper-V; I had taken a snapshot, and went on to disconnect this computer from the domain, which was okay, and I deleted all information about this workstation from AD Users and Computers. Now that I am adding this workstation to the domain again, I get the following error.

     "The following error occured attempting to join domain "abc.com":
    The Network path was not found." I am sure this problem is not from DNS because my DNS is on the same machine where I installed AD, and I can ping this server from my workstation. I did an nslookup against this server and got all of the server's information successfully. All firewalls are off on both server and workstation. In my scenario, where am I wrong?


    Sanjibk MCSE


    Friday, March 02, 2012 7:16 AM
  • Are there multiple NICs on your workstation?

    If yes, please disable the unused NICs and then check.

    If possible, please do an ipconfig /all and post the result here, and check whether any events are being generated on your workstation and post them if you find some.

    Apart from that you can refer below link for better understanding.

    http://www.chicagotech.net/pathnotfound.htm

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 02, 2012 7:25 AM
  • Please post IPCONFIG/ALL from client machine and DC here.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.

    Monday, March 05, 2012 3:47 PM
  • I found this and worked very well for me.

    By WorldTech:

    Actually there is another way you can do this without losing your credential to the domain controller or having to copy all the files to a new user, since chances are that might happen because it might see the PC as a new PC (maybe). Try the same steps but use the NETWORK ID option right above CHANGE under the system properties and follow the steps. This way it will notice that the computer you are joining has the same name as one on the domain and it will ask you if you would like to use the same name. Go ahead and say YES and it will rejoin the computer or laptop back to the domain, fixing the connection to the domain and not making any changes to the computer or the users already in the computer. If you remove the computer from the domain and rejoin it you might have to recreate all the accounts and copy all the files in all the different locations of each user. This step will fix the connection issue without making any changes to the computer and this is what you want, not extra work.


    So what do you do when you can't even log on as the local admin? I tried the two admin accounts that I have, the standard Administrator and another.

    If you can't login as a domain user or local admin and can't access the box remotely then it's time to give up. If the drive(s) contain data you want to keep then I would put in a different hard drive, re-install the OS, and then try to mount the drive(s) and recover data

    Monday, March 05, 2012 5:12 PM
  • The error message "The trust relationship between this workstation and the primary domain failed" indicates that the secure channel between the client server and the DC is broken.

    (1) Check the DNS & WINS entries.
     IP configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of the WS.

    (2) Check whether the Firewall service is ON or OFF.
    Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    (3) Check the status of the Browser service.
    It should be started.

    (4) Check the status of the machine's account in AD (it may be disabled).
    If the machine account is disabled, enable it.

    (5) Remove the server from the domain & re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server & the domain controller.
    http://support.microsoft.com/kb/260575

    (6) Also check the DNS console for a duplicate record for the host machine and remove it.

    (7) Check the NIC binding: the NIC which is online and has IP details should be first in the order. If multiple NICs are present then disable the unrequired NICs. http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows.

    Note: It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

    Regarding the "The following error occured attempting to join domain "abc.com": The Network path was not found":

    Ensure that the TCP/IP helper service is in the started state.

    Make sure that you have enabled NetBIOS over TCP/IP in the NIC settings.

    Check that Client for MS n/w & File & Print Sharing for MS n/w are enabled in the n/w settings.

    If member servers & workstations are frequently getting disconnected from the DC, check the health of the DC as well.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, March 05, 2012 11:25 PM
  • Now I am able to join that machine to the domain. Thanks, Abhijit: there was an error in the NIC binding, and when I corrected it, I added that machine to the domain. Thank you all. But that machine is a SharePoint 2010 hosted machine, and I am having trouble accessing my SharePoint administration page; I am looking for how to solve it.

    Sanjibk MCSE

    Tuesday, March 06, 2012 3:55 AM
  • I have successfully been able to join my SharePoint server back to my domain; however, just like you, Sanjibk, I can't access SharePoint on it. Any luck finding out what happened to the SharePoint on it, and how to recover it? Many thanks
    Wednesday, August 08, 2012 12:54 PM
  • I have an easy fix for all users that have the "Trust relationship between the workstation and the primary domain failed".

    - Unplug the Server or PC from the network

    - Log in as you normally would into the domain as an Admin Account (This will load the cached mode of the Admin account since you are not connected to the network)

    - Disjoin the Server or PC (You will require a local admin account to be able to re-join to the network. If you do not have the password then create one before disjoining from the Domain)

    - Log in as the local admin account and re-join the domain

    Tuesday, September 18, 2012 7:29 PM
  • That worked great!  Nobody knew the password of the local Administrator account (since this was a VMWare virtual machine spun up from a template that someone else had created), but breaking the network connection forced the login to use the account cache, which allowed us to log in, set the local Administrator password, and then go ahead and leave/reboot/rejoin/reboot to get back into the domain.  Thanks!

    Friday, September 21, 2012 7:34 PM
  • To add to Abhijit's comment, I experienced the same error, but the root cause was a too-restrictive firewall, which was dropping some traffic on 2 specific ports. This was most probably blocking packets when the server was trying to renew / refresh its passwords on its own. There must be some expiration policy; after a certain period (a week in my situation) the server got this error.

    Opening the appropriate ports on the Firewall has instantly resolved the problem.

    Thursday, January 10, 2013 5:35 PM
  • Resolution

    1. Open ADSI Edit
    2. Expand your domain
    3. Expand the DC=<yourdomain>,DC=com
    4. Expand CN=Computers
    5. Find the computer name in question, right-click it and select Properties
    6. Under the Attribute Editor find servicePrincipalName
    7. Click Edit
    8. You should have at a MINIMUM the following (you might have many others as well, but these two entries HAVE to be present to log into the domain)
          a.  HOST/<servername>
          b.  HOST/<servername.domainname.com>
    9. Click OK and then OK again
    10. Close ADSI Edit and reboot the server having the problems logging into the domain.

    Tuesday, February 26, 2013 10:03 AM
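
The SPN check from the ADSI Edit steps above (and the earlier "Did you verify the SPN on this machine?" reply), scripted as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module is available, uses the thread's names `CLIENT1` and `abc.com`, and the function name is hypothetical.

```powershell
# Added example, not from the thread: report which of the two HOST/ entries the
# post calls mandatory are missing from a computer account's servicePrincipalName.
# Assumptions: ActiveDirectory module (RSAT) installed; run with a domain account
# that can read the computer object; CLIENT1 / abc.com are the thread's names.
Import-Module ActiveDirectory

function Get-MissingHostSpn {
    param(
        [string] $ComputerName,   # short (NetBIOS-style) name, e.g. CLIENT1
        [string] $DnsDomain       # e.g. abc.com
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName

    $required = @(
        "HOST/${ComputerName}",
        "HOST/${ComputerName}.${DnsDomain}"
    )

    # -notcontains compares case-insensitively, which matches how SPNs are compared.
    $present = @($computer.servicePrincipalName)
    $required | Where-Object { $present -notcontains $_ }
}

$name    = 'CLIENT1'
$missing = @(Get-MissingHostSpn -ComputerName $name -DnsDomain 'abc.com')

if ($missing.Count -eq 0) {
    "Both HOST/ SPNs are present on $name."
}
else {
    "Missing on ${name}: $($missing -join ', ')"
    # Preview the fix; remove -WhatIf to write the attribute. This needs write
    # access to the computer object, so use a delegated account for it.
    Set-ADComputer -Identity $name -ServicePrincipalNames @{ Add = $missing } -WhatIf
}

# The same attribute can be read without the module by running:
#   setspn -L CLIENT1
```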
  • Hi all,
    I have a problem and wish someone can help.
    I installed a Windows 7 on a computer and have successfully added it to a Windows 2000 AD domain. I then tried to
    add a domain user to the computer as administrator User.  I did the following: -
    1. Start Control Panel.
    2. Select User Accounts icon.
    3. The User Account window appears.
    4. In the middle of the window, click Manage User Accounts.
    5. The User Accounts window appears.
    6. Select Users tab.
    7. Click Add button.
    8. The Add New User window appears.
    9. In User name text box, type the domain username.
    10. In Domain text box, type the domain name.
    11. Click Next
    12. In What level of access do you want to grant this user pane, select administrator user radio button.
    13. Click Finish.
    14. A User Accounts dialog box appears with the following message: -
    The user could not be added because the following error has occurred:
    The trust relationship between this workstation and the primary domain failed.

    Does anyone know what may be causing this problem? Any suggestion is appreciated.
    Friday, April 26, 2013 11:52 AM
  • Please start a new thread.  This thread has been closed.

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, April 26, 2013 11:56 AM
    Moderator
  • I have an easy fix for all users that have the "Trust relationship between the workstation and the primary domain failed".

    - Unplug the Server or PC from the network

    - Log in as you normally would into the domain as an Admin Account (This will load the cached mode of the Admin account since you are not connected to the network)

    - Disjoin the Server or PC (You will require a local admin account to be able to re-join to the network. If you do not have the password then create one before disjoining from the Domain)

    - Log in as the local admin account and re-join the domain

    Legend!!! This worked as a charm!!! I would just add that when you do this :

    - Log in as the local admin account (still unplugged) and re-join the domain, you need to plug in your cable otherwise you cannot establish communication with the DC (domain controller). Maybe too obvious?

    Cheers

    Monday, November 04, 2013 5:05 PM
  • Sometimes rejoining the domain also may not fix this issue. This can be a dynamic RPC port issue: if firewalls are blocking dynamic RPC ports, you may get this error.

    Ensure the port range on all SharePoint and SQL servers matches the DC's, and that the ports are allowed through firewalls.

    Saturday, December 07, 2013 2:40 AM