Fix: The trust relationship between this workstation and the primary domain failed

There are two ways to manage client and server machines in a home or business environment: a workgroup and a domain infrastructure. A workgroup is a decentralized network used for home and small business networks of up to about 10 machines. A workgroup does not require a dedicated server to manage machines; every machine keeps its own local user accounts. A domain, on the other hand, is a centralized network infrastructure that supports thousands of machines. To implement a domain you need at least one server that runs the Active Directory Domain Services (AD DS) and Domain Name Services (DNS) roles. After you implement AD DS and DNS, you join every machine in the network to the domain and create a domain user account for each user. From then on, users log on with their domain user account rather than a local user account. A domain has many benefits, including centralized and simplified management, fault tolerance, and one user account for many services. A few users have encountered a problem when logging on to the domain, with the error: The trust relationship between this workstation and the primary domain failed.

This issue occurs on client and server operating systems, from Windows XP to Windows 10 and from Windows Server 2003 to Windows Server 2016. There are different reasons why it occurs, including a problem with the user account, a problem with the relationship (the secure channel) between the client and the domain controller, and others. For this article, I created the domain infrastructure appuals.com on Windows Server 2008 R2 and Windows Server 2016.

There are seven methods which will help you to solve this issue.

Method 1: Check DHCP configuration

Did you add a new DHCP server or reconfigure your current DHCP pool? If not, please skip to the next method. If yes, please continue reading this method. There are two ways to assign IP addresses to hosts in a computer network: static and dynamic addressing. Static addressing means manually assigning an IP address to each machine, which takes much more time and reduces the productivity of the IT administrator. We recommend dynamic addressing using DHCP (Dynamic Host Configuration Protocol). Best practice is static addressing for servers, storage and network printers, and dynamic addressing for the other hosts in the network. A few users encountered this problem after they added another DHCP server to their network: the new server handed out addresses from the wrong pool, so clients ended up on a subnet from which they could not reach the domain controller. Based on that, we recommend checking that DHCP is working properly and that it is using the right network subnet. We will show you how to check DHCP on Windows Server 2016 and on a TP-Link TL-ER6120 router. Imagine that the correct network is a class C network, 192.168.1.0/24. So, let’s start.

  1. Hold Windows logo and press R
  2. Type dhcpmgmt.msc and press Enter to open DHCP Management tool
  3. Expand your server as follows: appuals.com\IPv4\Scope. As you can see, this DHCP server is not configured properly. Our network is 192.168.1.0/24, but the configured scope is 192.168.100.1/24. In that case, you will need to change the DHCP configuration.
  4. Close the DHCP Management tool

In the second example, we will show you how to check the DHCP configuration on a TP-Link router. If you do not know how to access your router, please read its technical documentation.

  1. Open Internet browser (Google Chrome, Mozilla Firefox, Edge or other)
  2. Type the router's IP address in the address bar to access the router
  3. Under the Network tab choose LAN, and then DHCP to check your DHCP configuration. In our example, DHCP is enabled and configured with the pool 192.168.1.100 – 192.168.1.200, which is correct for our 192.168.1.0/24 network.
  4. Close the browser

Method 2: Rejoin a Computer from a Domain

In this method, you will remove your client machine from the domain and then rejoin it. For this action, you need a Domain Administrator account, which has permission to make changes such as joining a machine to or removing it from the domain. We will show you how to rejoin Windows 10 Pro to Windows Server 2016 Standard. The same procedure works on other client and server operating systems, including client operating systems from Windows XP to Windows 8 and server operating systems from Windows Server 2003 to Windows Server 2012 R2.

  1. Log on Windows 10 using local Administrator account
  2. Hold Windows logo and press E to open File Explorer
  3. On the right side of the File Explorer right click on This PC and choose Properties
  4. Click Advanced System Settings
  5. Choose Computer Name tab
  6. Click Change to add machine to Workgroup
  7. Choose Workgroup and type a workgroup name. In our example, the workgroup name is WORKGROUP. You can type whatever you want.
  8. Click OK
  9. Type domain Administrator account and password and then click OK
  10. Click OK and then OK
  11. Close System Properties
  12. Restart your Windows machine
  13. Log on Windows 10 using local Administrator account
  14. Hold Windows logo and press E to open File Explorer
  15. On the right side of the File Explorer right click on This PC and choose Properties
  16. Click Advanced System Settings
  17. Choose Computer Name tab
  18. Click Change to add machine to domain
  19. Choose Domain and type the domain name. In our example it is appuals.com.
  20. Click OK
  21. Type domain Administrator account and password and then click OK
  22. Click OK and then OK
  23. Close System Properties
  24. Restart your Windows machine
  25. Log on Windows 10 using domain user account
  26. Enjoy working on your machine

Method 3: Reestablish trust through PowerShell

In this method, we will reestablish the trust (the secure channel) between the domain controller and the client using PowerShell. You will need to log on using a local Administrator account, because the domain logon itself is what is failing.

  1. Log on Windows 10 using local Administrator account
  2. Click on Start menu and type PowerShell
  3. Right click on PowerShell and choose Run as Administrator
  4. Press Yes to confirm running as Administrator
  5. Type $credential = Get-Credential and press Enter
  6. Enter domain admin account and password and then click OK
  7. Type Reset-ComputerMachinePassword -Credential $credential and press Enter
  8. Close PowerShell
  9. Restart your Windows machine
  10. Log on Windows 10 using domain user account
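The same repair as a script, added here as an example that is not part of the original article: it checks the secure channel first with Test-ComputerSecureChannel and only resets the machine account password when the check fails, so a healthy trust is not reset needlessly. The domain appuals.com comes from the article; the domain controller name DC01.appuals.com is an assumed placeholder to replace with your own.

```powershell
# Added example (not from the original article): verify the secure channel
# between this client and its domain, and repair it only if it is broken.
# Run in an elevated PowerShell session while logged on with a LOCAL
# administrator account, as in Method 3.
param(
    [string]$Domain = 'appuals.com',        # domain used in the article
    [string]$Server = 'DC01.appuals.com'    # ASSUMED DC name, replace it
)

# 1. Check the trust before touching anything. A healthy channel returns $true.
$healthy = Test-ComputerSecureChannel -Server $Server
if ($healthy) {
    Write-Output "Secure channel to $Domain is healthy; no reset needed."
    return
}

# 2. Prompt once for a domain account that may reset this computer account.
$credential = Get-Credential -Message "Domain admin account for $Domain"

# 3. Try an in-place repair first: it resets the machine account password
#    and re-establishes the channel without leaving and rejoining the domain.
$repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $credential

if (-not $repaired) {
    # 4. Fall back to the article's Method 3 cmdlet against the chosen DC.
    Reset-ComputerMachinePassword -Server $Server -Credential $credential
}

# 5. Re-check and report, so the outcome is visible before you reboot.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Output "Secure channel to $Domain re-established via $Server."
} else {
    Write-Warning "Secure channel still broken: check DNS/DHCP (Method 1) or reset the computer account on the DC (Method 6)."
}
```

The same verification is available from a command prompt with nltest /sc_verify:appuals.com, which is useful for confirming the repair on older clients without PowerShell.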

Method 4: Add domain controller to Credential Manager

In this method, you will use Credential Manager to add the domain controller's account under Windows Credentials. We will show you how to do it on Windows 10.

  1. Log on Windows 10 using local Administrator account
  2. Hold Windows logo and press R
  3. Type control.exe /name Microsoft.CredentialManager and press Enter to open Credential Manager
  4. Choose Windows Credentials
  5. Type the address of the website or network location (your domain controller) and your domain credentials
  6. Click OK
  7. Close Credential Manager
  8. Restart your Windows machine
  9. Log on Windows 10 using domain user account

Method 5: Use Netdom.exe to Reset a Machine Account Password

This method applies to Windows Server 2003 and Windows Server 2008 R2. If you are using a newer version of the server operating system, please read the next method. We will show you how to reset a machine account password on Windows Server 2008 R2.

  1. Log on Windows Server using domain Administrator account
  2. Hold Windows logo and press R
  3. Type cmd and press Enter to open Command Prompt
  4. Type netdom resetpwd /s:server /ud:domain\User /pd:* and press Enter, where server is the name of the domain controller, domain\User is a domain user account with permission to reset the machine account password, and /pd:* prompts you for that account's password
  5. Close Command Prompt
  6. Move to Windows client machine
  7. Restart Windows machine
  8. Log on Windows machine using domain user account
  9. Enjoy working on your machine

Method 6: Reset Computer Account

In this method, you will reset the computer account using the Active Directory Users and Computers tool, which is installed on servers with the Active Directory Domain Services role. The procedure is simple and works on server operating systems from Windows Server 2003 to Windows Server 2016.

  1. Hold Windows logo and press R
  2. Type dsa.msc and press Enter to open Active Directory Users and Computers
  3. Expand the domain name. In our example it is appuals.com
  4. Choose Computers
  5. Navigate to the computer account which can not connect to a domain. In our example, it is computer Jasmin
  6. Right click on computer (Jasmin) and choose Reset Account
  7. Click Yes to confirm resetting computer account
  8. Click OK
  9. Close Active Directory Users and Computers
  10. Restart Windows 10 machine
  11. Log on to your domain user account
  12. Enjoy working on Windows machine

Method 7: Perform a System Restore

We have written about System Restore many times because it has helped us so often when troubleshooting system or application issues. System Restore can also help with this issue by reverting your system to a previous state when everything worked properly. Please note that you cannot restore your Windows machine to a previous state if System Restore is turned off. Please read how to perform a System Restore.

ABOUT THE AUTHOR

Jasmin Kahriman


Jasmin is a tech-savvy Systems Engineer with over 15 years of experience in IT infrastructure, holding multiple IT certifications including CNIP, MTA, MCP, MCSA, MCT, Server+, and Network+.