Seeing a trust relationship failed error on your Windows operating system? Don’t know how to fix it? Head to our article today to find out the solutions.
Windows brings many conveniences, but it also presents problems from time to time. One of them is the trust relationship failed error, which generally pops up on your screen as a message.
If you haven’t found a solution to this problem yet, head to our article today! In this article, we will explain more about this failure and how to fix it step by step. Let’s scroll down to read!
What Is A Trust Relationship Failed?
First, we will explain what the trust relationship failed error is. Then we will continue with the reasons that cause this issue. Details below:
Trust Relationship Failed Error
Well, this is a familiar error that you might face once or twice while using your PCs. It is shown as a message saying: The trust relationship between this workstation and the primary domain failed.
This problem appears when you sign in to Windows 7 with a domain account. Something inside the operating system is out of step with the domain, and that leads to broken trust. In our experience, a mismatched password is the main cause of this issue.
Also, when Active Directory is restored to a previous version, all the servers in the domain report that the workstation is no longer trusted by the primary domain. Now, let’s move to the next part to go further into the causes of this problem!

Trust relationship failed error in the form of message
What Causes The Windows 7 Trust Relationship
The main reason for the trust relationship between workstation and primary domain failed error lies in mismatched passwords. In other words, the password stored on the local computer does not match the password of the computer’s object in the Active Directory database.
Generally, the Windows 7 trust relationship error appears after Windows has been reinstalled. Furthermore, when your computer is restored from a backup, the password assigned to the computer object in the Active Directory domain and the password on the local computer differ. This difference leads to the broken trust.
On the other hand, if your computer is reimaged without running the Sysprep program, the same problem can occur. Or, when the computer’s AD account changes while the local password stays unchanged, users might face the trust relationship between this workstation and the domain failed error.
How To Check The Trust Relationship With This Workstation And Domain Failed
When you suspect that this error is happening on your computer, don’t guess! There are ways to determine it. In this part, we will guide you on how to check for a trust relationship failure on a remote computer and on the local one. If domain authentication doesn’t work, you will need a local user account that is a member of the Administrators group. Below are four methods that help you track the error:
Nltest (Command-Line Tool)
Nltest is an older command-line tool that lets you quickly check the trust relationship for a computer. You get this tool when you install RSAT, or directly on a domain controller. The command to check for the error is: > nltest /sc_verify:<DomainName>
Netdom (Command-Line Tool)
If you don’t want to use Nltest, opt for the command-line tool netdom. Its function is similar to nltest, except the syntax is a bit different: > netdom verify MYCOMPUTER /Domain:domain.local /UserO:abertram /PasswordO:*
To apply this method, you need the following:
- The name of the computer that you are going to verify
- A username to authenticate the request, and its password
- The fully qualified domain name (FQDN) of the domain
Test-ComputerSecureChannel (PowerShell)
The Test-ComputerSecureChannel cmdlet is one of the best ways to detect a broken trust relationship. This method works on Windows 10, and it is quite simple to apply. Log into the computer, open the PowerShell console and run Test-ComputerSecureChannel. It returns either True or False:
PS51> Test-ComputerSecureChannel
True
You can also verify against a particular domain controller by using the Server parameter:
PS51> Test-ComputerSecureChannel -Server 'DC.domain.local'
False
If you have the local administrator password of the computers that you want to verify, you can use PowerShell Remoting. It lets you check as many remote computers as you want at the same time.
Testing Trust Relationship In Bulk
Testing the trust relationship in bulk lets you check all of your AD computers. Remember that the computer account stored in AD has to match the one held on the local computer.
# Local administrator credential used to reach each computer over PowerShell Remoting
$localCredential = Get-Credential
@(Get-AdComputer -Filter *).foreach({
    $output = @{ ComputerName = $_.Name }
    if (-not (Test-Connection -ComputerName $_.Name -Quiet -Count 1)) {
        # No ping reply: report the computer as offline
        $output.Status = 'Offline'
    } else {
        # Run the secure channel test on the remote computer; it returns True or False
        $trustStatus = Invoke-Command -ComputerName $_.Name -ScriptBlock { Test-ComputerSecureChannel } -Credential $localCredential
        $output.Status = $trustStatus
    }
    [pscustomobject]$output
})
Indeed, understanding the problem is very important. It helps you to choose a better solution. In the next part, we will focus on how to fix this issue in detail.
How To Fix Trust Relationship Failed-Detailed Instruction
Well, there are many ways to solve the trust relationship failed error. Many users have tried resetting the account password in Active Directory; others have tried the same with their local accounts. You can even remove the account entirely and rejoin the Windows computer later. All of these may help! Below we present more solutions and explain them in detail:
Check DHCP Configuration
Our first solution today is checking whether you have configured the Dynamic Host Configuration Protocol (DHCP) properly. If you have not, this is a must-read method for you. Generally, you can assign IP addresses to your hosts using either static or dynamic addressing.
The best practice is to apply static addressing for servers, network printers, and storage, and dynamic addressing for other types of hosts. Static addressing takes more time and decreases the productivity of the administrator.
Users are therefore encouraged to use dynamic addressing. Since a problem can arise when you add a DHCP server to the current network, check DHCP to see whether you are using it properly.
Below we walk you through the steps to check DHCP. The example environment is Windows Server 2016, a class C network, 192.168.1.0/24, and a TP-Link TL-ER6120 router.
- Press the Windows + R key combination
- Type dhcpmgmt.msc and press Enter to open the DHCP management tool
- Expand the server along the path appuals.com\IPv4\Scope. Here, you can see your incorrect DHCP; fix it to 192.168.100.1/24!

Changing the IP address of the server
- After that, close the management console. Next, check the DHCP configuration on the router, and enter the IP address on the router. Details are in the photo below:

Now that you have completed all the steps, check whether the issue is fixed!
Rejoin A Computer From Domain
To apply this method, you need a domain administrator account. In this part, we will show you how to rejoin a Windows 10 Pro computer to a Windows Server 2016 domain. The same applies to Windows XP through Windows 8 with Windows Server versions from 2003. Follow the steps below:
– First, press the Windows + E key combination to open File Explorer. Next, right-click This PC and select Properties, then choose Advanced system settings. On the Computer Name tab, switch the membership to Workgroup and enter any workgroup name you want.

Changing the name of the workgroup as you like
After that, click OK. A new window will pop up on your desktop. Fill in your Administrator account and password, then click OK to save.

Fill in the username and password
At this step, you are required to close the system properties and restart your computer. Then, sign in again with your domain user account!
Using CIM
You can also join a domain with PowerShell using the Win32_ComputerSystem CIM class. This class provides two methods that let you join and unjoin a computer: JoinDomainOrWorkGroup() and UnJoinDomainOrWorkgroup(). With CIM, you can run them either locally or remotely. In our case, we ran the method remotely with the following code:
$computername = 'PITA'
$instance = Get-CimInstance -ComputerName $computername -ClassName 'Win32_ComputerSystem'
$invCimParams = @{
    MethodName = 'UnjoinDomainOrWorkGroup'
    # Username and Password are placeholders for an account allowed to unjoin the computer
    Arguments = @{ FUnjoinOptions=0; Username="Administrator"; Password="mypassword" }
}
$instance | Invoke-CimMethod @invCimParams
For the FJoinOptions parameter of JoinDomainOrWorkGroup, we chose the value 3, as it gives the default behavior when a user joins a computer to a domain manually.
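The snippet above shows only the unjoin call. The matching join call with FJoinOptions set to 3 is sketched below as an added example, not code from the original article; it runs locally in an elevated session on the computer being joined, and domain.local is the sample domain name used elsewhere on this page.

```powershell
# Added example: join the local computer to a domain through CIM.
$domainName = 'domain.local'   # sample domain name from this page

# FJoinOptions is a bit field: 1 = join a domain, 2 = create the computer account.
# 1 -bor 2 = 3, the value the article refers to.
$JoinDomain  = 1
$CreateAcct  = 2
$joinOptions = [uint32]($JoinDomain -bor $CreateAcct)

# Prompt for a domain account (DOMAIN\user or user@domain) that is allowed to
# join computers, instead of hardcoding a password in the script.
$domainCredential = Get-Credential -Message "Account allowed to join $domainName"

$instance = Get-CimInstance -ClassName 'Win32_ComputerSystem'
$invCimParams = @{
    MethodName = 'JoinDomainOrWorkgroup'
    Arguments  = @{
        Name         = $domainName
        UserName     = $domainCredential.UserName
        Password     = $domainCredential.GetNetworkCredential().Password
        FJoinOptions = $joinOptions
    }
}
$result = $instance | Invoke-CimMethod @invCimParams

# ReturnValue 0 means the join succeeded; it takes effect after a reboot.
if ($result.ReturnValue -eq 0) {
    Restart-Computer -Force
} else {
    Write-Error "JoinDomainOrWorkgroup failed with code $($result.ReturnValue)"
}
```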
Using The Remove-Computer And Add-Computer Cmdlets
Using the built-in PowerShell cmdlets to unjoin and rejoin a computer can solve this issue too. To unjoin the computer, sign in at the computer’s console and run the Remove-Computer cmdlet. Here, you need to provide credentials that have permission to unjoin the computer. After that, specify the Restart parameter to complete the process.
PS51> Remove-Computer -UnjoinDomaincredential (Get-Credential) -Restart -Force
When the reboot has finished, you can use the Add-Computer cmdlet to rejoin the computer with PowerShell. The process can be run remotely by using the ComputerName parameter. Supply the local user credentials to authenticate to the computer, along with the domain credentials to connect to the domain.
$localCredential = Get-Credential
$domainCredential = Get-Credential
Add-Computer -ComputerName PITA -LocalCredential $localCredential -DomainName domain.local -Credential $domainCredential -Restart -Force
Automagical Domain Unjoin and Rejoin
This method is suggested for those who have a good basic knowledge of scripting. You can create a PowerShell script that takes a computer name and automatically handles:
- Unjoining the computer
- Rebooting and taking time to get back up
- Joining a computer
- Rebooting and taking time to get back up
We would recommend GitHub as a site for you to have a look at this long script.
Add Domain Controller To Credential Manager
This method applies to Windows 10. It might look a bit difficult, but don’t worry! Follow the steps below:
- First, sign in to Windows 10 with your local account (the administrator one)
- Next, type control.exe /name Microsoft.CredentialManager and press Enter to launch Credential Manager.

Choose the Windows Credentials option!
- Then, enter the website or network address and your credentials. Click OK to finish the process!

Fill in the network address name!
Finally, close all the windows open on your screen, and restart your computer. When you sign back in, use a domain account!
Use Netdom.exe To Reset A Machine Account Password!
For those who are using Windows Server 2003 and 2008 R2, resetting the computer account can solve lost trust relationship errors nicely. With this method, we will guide you on how to reset the machine account password. Let’s have a closer look:
- First, sign in to the Windows server with your domain account. Press the Windows + R key combination and open the command prompt. Then, type netdom resetpwd /s:server /ud:domain\User /pd:* and press Enter.

Type the command in the command prompt
When everything is done, close the open window, restart Windows, and try to sign in again. Good luck with this method!
Reestablish Trust Through PowerShell
Re-establishing trust is another method we would like to mention today. It involves PowerShell, and you need to sign in with a local administrator account. Right-click PowerShell and choose Run as administrator. Next, type $credential = Get-Credential, then press Enter. A prompt will come up on your desktop. Type in your admin account and password.

Write your user account and passwords in the required boxes
Next, type Reset-ComputerMachinePassword -Credential $credential, then press Enter.

Type the next command, then press Enter
As with the method above, restart your computer and try to sign in again to see if the problem is fixed.
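The steps above can be combined with the Test-ComputerSecureChannel check from earlier so that the machine password is reset only when the channel is actually broken. This is an added example, not code from the original article; the function name Repair-MachineTrust is hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the affected
# computer, signed in with a local administrator account.
function Repair-MachineTrust {               # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [pscredential]$Credential,           # account allowed to reset the machine password
        [string]$Server                      # optional: a specific domain controller
    )

    # Pass -Server to both cmdlets only when one was given.
    $extra = @{}
    if ($Server) { $extra.Server = $Server }

    $before = Test-ComputerSecureChannel @extra
    if (-not $before) {
        # Change the machine password only when the secure channel is broken.
        Reset-ComputerMachinePassword -Credential $Credential @extra -ErrorAction Stop
    }

    # Report the state before and after, so the result can be logged.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        TrustedBefore = $before
        TrustedAfter  = Test-ComputerSecureChannel @extra
    }
}

Repair-MachineTrust -Credential (Get-Credential)
```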
Reset Computer Account
This method is suggested for operating systems from Windows Server 2003 to Windows Server 2016. The gist of this solution is resetting a computer account with the Active Directory Users and Computers tool. To apply it, follow these steps:
- First, press the Windows + R key combination
- Next, type dsa.msc and press Enter to launch Active Directory Users and Computers
- Then, expand the domain name
- After that, choose Computers and go to the computer account that can’t connect to the domain (here, it is the Jasmin account).
- Then, right-click this account and choose the reset option
- Complete the process by confirming the action. Click OK, then restart your computer.
Active Directory Machine Account Password
When a computer joins Active Directory, the domain join is performed by a domain administrator, and the trust relationship is established at that level. By default, the password of the computer account is valid for up to 30 days, and then it changes according to the configured domain group policy. You can configure the machine account password via the registry. To do this, launch regedit.exe and go to the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key. Edit the MaximumPasswordAge parameter to set the maximum validity time of the computer password in the domain (in days). You can also disable the password change by setting the REG_DWORD parameter DisablePasswordChange to 1.

Define the time for policy setting

Choose maximum password age!
You can also make the change for the domain through policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Here, pay attention to the Domain controller and Domain member settings.
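An added read-only check for the two Netlogon values named above, followed by a list of computer accounts whose password has not been changed for a long time (example code, not from the original article). It needs the ActiveDirectory module already used by Get-AdComputer; the function name and the cutoff of twice MaximumPasswordAge are assumptions chosen for illustration.

```powershell
# Added example: report the local machine-password settings without changing them.
function Get-NetlogonPasswordPolicy {        # hypothetical helper name
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key
    $age = $p.PSObject.Properties['MaximumPasswordAge']
    $off = $p.PSObject.Properties['DisablePasswordChange']

    # A missing value means the default described above: 30 days, changes enabled.
    $maxAge   = if ($age) { [int]$age.Value } else { 30 }
    $disabled = [bool]($off -and $off.Value -eq 1)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        MaximumPasswordAgeDays = $maxAge
        PasswordChangeDisabled = $disabled   # True = the password never rotates
    }
}

$policy = Get-NetlogonPasswordPolicy
$policy

# Assumption: an enabled computer whose password is older than twice the
# maximum age has either stopped rotating it or has been offline that long.
$cutoff = (Get-Date).AddDays(-2 * $policy.MaximumPasswordAgeDays)
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Computers in the second list are the ones to check first with Test-ComputerSecureChannel before users report a failed trust relationship.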
Perform A System Restore
If you have applied all the above methods and nothing seems to work, you can try a system restore. This procedure not only helps you pinpoint the technical issue but also returns your computer to a previous state in which every program worked properly.
The Bottom Line!
For people who use Windows operating systems, this error can occur anytime. But don’t panic! All you have to do is to check whether you are confronting the trust relationship failed error, follow our article from the third part to the bottom, and you will figure out the solution soon. If there are related questions to this issue, don’t hesitate to send us a message! Good luck!