The Trust Relationship between this workstation and the Primary Domain failed

This is one of the errors that most administrators have seen by now. Unfortunately it is not well documented why it arises, though it is known to happen when the computer in question fails to agree on, change or synchronise its computer account password with Active Directory.

The quickest fix is to:

1. Login as Local Admin of the PC or Server

2. Open Command Prompt as Administrator

3. Type the following: NETDOM RESETPWD /Server:"name of domain controller" /UserD:"administrative user" /PasswordD:"password"

4. Restart Computer

or

  1. Remove Computer From Domain
  2. Reset or Remove Computer Account from Active Directory
  3. Re-join to Domain and all is well again.
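The same repair can be done without leaving the domain at all, by checking the secure channel and resetting the computer account password from the machine itself. The following is an added example and not part of the original post; it assumes an elevated PowerShell session while logged on as a local administrator, that DC01.contoso.local is a reachable domain controller, and that contoso.local is the domain (all placeholder names to be replaced with your own).

```powershell
# Added example (not from the original post). Assumed placeholder values:
# DC01.contoso.local = a reachable domain controller, contoso.local = the domain.
$DomainController = 'DC01.contoso.local'
$DomainName       = 'contoso.local'

# Account that is allowed to reset the computer account password (prompted, never hard-coded).
$Cred = Get-Credential -Message 'Domain account allowed to reset this computer''s account password'

# Step 1: is the secure channel to the domain currently healthy?
if (Test-ComputerSecureChannel -Verbose) {
    Write-Output 'Secure channel is healthy; no reset required.'
    return
}

# Step 2: re-establish the channel by resetting the machine account password on the
# named DC. This is the PowerShell equivalent of NETDOM RESETPWD from the post.
Reset-ComputerMachinePassword -Server $DomainController -Credential $Cred

# Step 3: verify the channel again, and show which DC it is now established with.
if (-not (Test-ComputerSecureChannel -Verbose)) {
    throw 'Secure channel is still broken after the reset; check name resolution and DC reachability.'
}
nltest /sc_query:$DomainName
```

Unlike the remove/re-join route, this keeps the existing computer account (and its group memberships and SID) intact, and a reboot is usually not required for the new secure channel to be used.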

Question is for how long?

By default the computer account password is changed every 30 days. If the change succeeds, you continue to work normally.

By default Server 2008 and Windows 7 do not change the computer account password unless they can contact a domain controller.

So if that is the case, then why does Windows 7 keep getting that error?

I’ve come up with a few possible theories myself.

  1. When there are multiple sites, it can take time for a DC to replicate all changes to the other DCs. So when a user tries to log on against a DC that has not yet received the new password, they get a bad-password error. Sometimes the password does not replicate at all, and then you get this dreaded error.
  2. The secure channel between the workstation and the domain controller has failed; causes could be a network issue or even a workstation that has been out of the office for a long time.

These are just possibilities I am assuming.

Now the real-life scenario: you know the workstation was working well last night, and you come in this morning to find this error. As stated above, you can remove and re-join and it fixes it, although I cannot be certain the fix is permanent.

What Happens when it happens on a large scale?

  1. Figure out what is causing it, which can be a great pain, as you will need to troubleshoot Active Directory, the network, name resolution and more.
  2. Disable the password change policy.

Disable the password change policy as a fix for this on a large scale.

Do it at your own risk: if you disable machine account password changes, there are security risks because the secure channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.

This can be achieved either through the Windows Registry or through Group Policy.

  1. Group Policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Domain member: Disable machine account password changes

  2. Registry:

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0
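Before (or after) applying the workaround it is worth knowing what a given machine is actually configured to do, and how old its current password is on each DC, which also tests the replication theory raised earlier. The following audit script is an added example, not part of the original post. It reads the Netlogon parameters named above plus MaximumPasswordAge (the rotation interval in days, default 30, stored in the same key), then queries the machine's own account on every domain controller. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read computer objects.

```powershell
# Added example (not from the original post): audit machine-account password settings
# locally and compare the account's PasswordLastSet across all DCs.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $Params

# DisablePasswordChange: 1 = the machine never rotates its password (the post's workaround).
# MaximumPasswordAge: rotation interval in days; Windows defaults to 30 when absent.
$disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
$maxAge   = if ($null -ne $p.MaximumPasswordAge)   { [int]$p.MaximumPasswordAge }   else { 30 }

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    DisablePasswordChange  = $disabled
    MaximumPasswordAgeDays = $maxAge
    Effect                 = if ($disabled -eq 1) {
                                 'Password never changes: a leaked machine password stays valid indefinitely'
                             } else {
                                 "Password rotates roughly every $maxAge days"
                             }
} | Format-List

# Ask every DC separately what it believes the machine's PasswordLastSet is.
# Differing values point at replication lag (theory 1 in the post); a value far
# older than MaximumPasswordAge with DisablePasswordChange = 0 means the scheduled
# change is failing and the trust will eventually break.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $dc -Properties PasswordLastSet
        [pscustomobject]@{
            DomainController = $dc
            PasswordLastSet  = $acct.PasswordLastSet
            AgeDays          = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
            Stale            = ($disabled -eq 0) -and (((Get-Date) - $acct.PasswordLastSet).TotalDays -gt $maxAge)
        }
    } catch {
        # A DC that cannot be queried is itself a finding; report it rather than skipping it.
        [pscustomobject]@{ DomainController = $dc; PasswordLastSet = $null; AgeDays = $null; Stale = "unreachable: $($_.Exception.Message)" }
    }
} | Format-Table -AutoSize
```

If the Effect line says the password never changes, the machine is running with the workaround from this post, and the risk described in the warning above applies to it; if DCs disagree on PasswordLastSet, chase replication before blaming the workstation.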

What causes this on a large scale remains unclear, and I am still uncertain about the root cause.

I have myself tried the Group Policy disabling and can say that I haven’t been bothered for almost a year now about that.

Hope this helps you…