The Trust Relationship Between This Workstation And The Primary Domain Failed (Solution)
Domain trust issues aren’t especially common, but when they occur it is important to solve them promptly. One of the causes is a mismatch of machine account passwords, and the most familiar symptom of it is the “The trust relationship between this workstation and the primary domain failed” error message.
To put it in context, every computer joined to an Active Directory domain has an internal machine account password. That password is stored locally on the member computer and must match the copy held by the domain controller. Whenever the two get out of sync, the trust relationship fails.
What could possibly get the two passwords out of sync, you wonder? Restoring Active Directory from an older backup is a good example. Are you rushing to conclude that this isn’t something you’d normally do, and therefore shouldn’t bother about it? Bear in mind that even a routine restoration of a domain controller can revert a workstation’s stored password and break its trust relationship.
Whether you do it on a domain controller of a large organization or in a small single-domain network, such a restoration is possible. And while it may solve most of the issues that made you attempt the restoration in the first place, it can also cause unexpected failures. This password mismatch is one of them: it usually shows up as an error on every computer in the domain whose password was reverted, and “The trust relationship between this workstation and the primary domain failed” is the message you will see.
That message tells you that the trust relationship between the workstation and the primary domain has failed. It’s the Active Directory domain trust issue we were telling you about.
How to fix “Trust relationship between this workstation and the primary domain failed” in Active Directory
As with many other technical issues, there is more than one way to solve the workstation trust relationship problem. We will start with the simplest one, followed by a few alternatives. That’s because the simplest fix doesn’t apply to all kinds of computers, as you’ll see soon enough.
Solution #1 – Remove computer account
One way is to remove the computer account from the Active Directory Users & Computers Console. After that, you simply rejoin that computer to the domain, which should fix that trust relationship failed issue.
We mentioned, however, that this isn’t a fix for every situation. The reason? It works flawlessly on workstations, but it can do a lot of damage on member servers. Some applications on member servers store essential configuration information in Active Directory, tied to the server’s computer account. When you delete a computer account that such an application depends on, you are left with orphaned references to that account spread throughout Active Directory, even after you rejoin the computer to the domain.
If you don’t believe that’s possible, you can use the ADSIEdit tool to browse the directory and get a better view of the orphaned references. Hopefully you won’t need to. Just to convince you that removing the computer account of a member server is not a good idea, here’s an example of an application that behaves exactly as described above: Exchange Server.
Exchange stores messages in a large database on a mailbox server. Mail data is all it keeps locally, on the Exchange Server itself; all of its configuration data lives in Active Directory. That is what makes it possible to rebuild a failed Exchange Server from scratch using only the configuration data in Active Directory.
Should you try to fix a domain trust issue by deleting the computer account of an Exchange Server, you will lose all of that configuration data!
Don’t do that. Not on a member server, at least. Instead, read on.
Solution #2 – Reset computer account
That’s right: in situations like the one described above, it is always better to reset the account than to remove it and rejoin the computer. Here’s how the reset goes:
- Access the Active Directory Users & Computers Console;
- Select the Computers container;
- Identify the computer you need to troubleshoot;
- Right-click on that computer;
- Click on the command Reset Account;
- In the newly opened prompt, asking you to confirm the reset, click Yes.
That’s one way to reset a computer account.
The second one uses PowerShell (version 2.0 or later) and the Reset-ComputerMachinePassword cmdlet, run on the affected computer itself.
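As an added example, not part of the original article, here is the PowerShell route end to end, paired with Test-ComputerSecureChannel to verify the secure channel before and after the reset. It is run on the affected computer in an elevated session opened with a local administrator account (domain logon fails while the trust is broken); the domain controller name and the admin account are placeholders to adjust.

```powershell
# Added example: reset a machine account password from the affected computer.
# Run elevated, signed in with a LOCAL administrator account. The DC name and
# the domain account below are placeholders (assumptions), not values from
# the article; replace them with your own.
param(
    [string]$DomainController = "dc01.corp.example",  # placeholder DC FQDN
    [string]$DomainAdmin      = "CORP\admin"          # placeholder account
)

# 1. Confirm the symptom: is the secure channel to the domain still healthy?
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel is healthy; no reset needed."
    return
}

# 2. Prompt for a domain account that may reset computer accounts, then reset
#    the machine account password against one specific domain controller so
#    replication delay cannot leave you testing against a stale DC.
$cred = Get-Credential -UserName $DomainAdmin `
                       -Message "Domain account allowed to reset computer accounts"
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

# 3. Re-check; -Repair re-establishes the secure channel if the reset alone
#    did not bring it back.
if (-not (Test-ComputerSecureChannel -Server $DomainController)) {
    Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred
}

# 4. Final verification. No reboot is required, but sign out and back in with
#    a domain account to confirm that domain logon works again.
Test-ComputerSecureChannel -Server $DomainController
```

Each step reports $true or $false, so you can see whether the reset took effect before leaving the console.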