Active Directory - Windows - Domain trust relationship error

Fix Windows Trust Relationship Error

I. Presentation

For administrators of Windows computers joined to an Active Directory domain, the error message “The trust relationship between this workstation and the primary domain has failed” is a classic. It is the type of error we all encounter at least once, even if we would rather do without it! There are various ways and solutions to get out of trouble: manually via the graphical interface, but also on the command line.



In this tutorial, I will answer a simple question: how do you fix the error “The trust relationship between this workstation and the primary domain has failed”? On an English machine, the corresponding error message is “The trust relationship between this workstation and the primary domain failed”.

The trust relationship between this workstation and the primary domain has failed

Windows 11 - Trust relationship error

II. The principle of “computer” passwords

When a Windows machine is joined to an Active Directory domain, an object of the class “computer” is created in the directory. This object is the computer account for the machine in question. Beyond the name, a password is associated with this account: this password is known to both the Windows machine and Active Directory. By default, this password is valid for 30 days. After 30 days, it is renewed automatically, without any action on your part.

If you edit a group policy in your environment, for example the built-in “Default Domain Policy” GPO, you will find the setting “Domain member: maximum computer account password age”, which shows that the default value is 30 days.

Active Directory - Computers password - 30 days

When this error message occurs, it is as if the trust between the two parties has suddenly disappeared. In many cases, this is because the password of the local computer (the Windows machine integrated into AD) does not match the password stored in Active Directory. In other words, the password renewal did not go as planned…

Password renewal is initiated by the Windows machine, through the Netlogon service. This operation is performed at startup, or when authenticating with the domain controller. The password is then stored in the Windows Registry under “HKLM\SECURITY\Policy\Secrets”. For its part, Active Directory also stores this new secret. In the vast majority of cases, this process is carried out correctly: fortunately, otherwise every 30 days would be hellish.

Sometimes this operation fails and the error “The trust relationship between this workstation and the primary domain has failed” occurs! It even happens that on the same machine, this error comes up quite regularly. I think several different failures can lead to this message. For example, if the password is updated in Active Directory but not in the local database, we end up with two different secrets. This can also happen if the object corresponding to this computer is deleted from Active Directory.
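As an added example (not code from the original article), the following PowerShell lists the enabled computer accounts whose password has not been renewed within the default 30-day period, which is one way to spot machines where the renewal described above may not have happened. It assumes the ActiveDirectory RSAT module is installed and that it is run by a domain user with read access to the directory; the 30-day value is the default from the GPO setting above and should be changed if your policy differs.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT) is available on this workstation.
Import-Module ActiveDirectory

$MaxAgeDays = 30                        # default "maximum computer account password age"
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled computer objects only: disabled ones are not expected to renew.
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $Cutoff } |
    Select-Object Name,
        PasswordLastSet,
        LastLogonDate,
        @{ Name = 'PasswordAgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

A stale PasswordLastSet on its own does not mean the trust is broken: a machine that has simply been switched off for weeks will renew its password when it next starts. The interesting rows are those where LastLogonDate is recent but the password is still old, since the renewal should have been triggered at startup or authentication.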

That’s it, the scene is set; now we will look at several methods, most of them PowerShell-based, to fix this error. I prefer to give several leads, so that if one method does not apply, you can try another.

III. Repair – “The trust relationship between this workstation and the primary domain has failed”

A. The manual method

The manual method is familiar to many system administrators. It works, but it is not practical, because it requires disconnecting the machine from the network. It consists in carrying out the following actions, bearing in mind that the goal is to remove the machine from the domain and rejoin it:

1 – Disconnect the computer from the network

2 – Log in as a local administrator

3 – Remove the computer from the domain

Remove-Computer -UnjoinDomainCredential IT-Connect\Admin -PassThru -Verbose -Restart

4 – Reset the computer object in the Active Directory

5 – Restart the computer

6 – Reconnect the network cable

7 – Add the computer to the domain

Add-Computer -DomainName it-connect.local -Restart

The main disadvantage of this method is that it requires a physical presence, since the machine must be disconnected from the network. To take the machine out of the domain and add it back, you can use the Windows GUI or the PowerShell commands “Remove-Computer” and “Add-Computer”.

B. The PowerShell method: Test-ComputerSecureChannel

For several years, it has been possible to correct this error with PowerShell! Very good news, because it means that we can do it remotely, which is much more practical. The Test-ComputerSecureChannel command has existed since Windows 10 and is still available on Windows 11. Personally, I recommend this method.

On a machine where the trust relationship is broken, you have to log in and simply run this command in a PowerShell console:

Test-ComputerSecureChannel

It is also possible to target a specific domain controller, as is done with the Active Directory module commands. For instance:

Test-ComputerSecureChannel -Server "SRV-ADDS.it-connect.local"

This command simply returns True or False to indicate the status of the trust relationship between the computer and the directory (add the -Verbose parameter for more detail). If you have the trust relationship error, the command returns False. You then need to add the -Repair parameter, which repairs the trust relationship, together with the credentials of an account allowed to do so:

Test-ComputerSecureChannel -Repair -Credential [email protected]

You can also do:

Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

Regarding the user account, it can be an Administrator account or simply an account that has the right to add machines to the Active Directory domain.

Since it’s PowerShell, you can also act remotely on one or more machines with Invoke-Command. Here is an example:

Invoke-Command -ComputerName PC-01 -ScriptBlock { Test-ComputerSecureChannel }

Note: whether with this method or the one that follows, if the computer object does not exist in Active Directory, it is better to create it first. In the “Active Directory Users and Computers” console (or with another method), right-click, then “New” and “Computer”. Give it the same name as the machine.

C. The second PowerShell method: Reset-ComputerMachinePassword

When the error occurs, there is a second PowerShell command that can help you out: Reset-ComputerMachinePassword, available with Windows PowerShell 5.1. This command resets the computer account password of the local machine.

Again, this command runs from the computer where the error is located.

Here is how this command is used:

Reset-ComputerMachinePassword -Credential [email protected]

You can also specify the name of the target domain controller:

Reset-ComputerMachinePassword -Credential [email protected] -Server "SRV-ADDS.it-connect.local"

The operation is automatic: it is not up to you to choose the password. This method also fixes the trust error.
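The following script is an added example and not code from the original article; it ties together the two PowerShell methods (sections B and C) and the note about the computer object. Run from an administrator workstation, it checks that each listed computer still has an object in Active Directory, then tests the secure channel on the machine itself and repairs it where it is broken. It assumes the ActiveDirectory RSAT module is installed locally, that WinRM is enabled on the targets, that the names in $Computers are placeholders for your own machines, and that the credential entered belongs to an account allowed to reset computer passwords; the domain controller name is the one used in the article.

```powershell
# Added example, not from the original article.
# Assumes: ActiveDirectory RSAT module installed here, WinRM enabled on targets,
# placeholder computer names, and an account allowed to reset computer passwords.
Import-Module ActiveDirectory

$Computers  = @('PC-01', 'PC-02')                  # placeholder computer names
$DomainDc   = 'SRV-ADDS.it-connect.local'          # domain controller named in the article
$DomainCred = Get-Credential -Message 'Account allowed to reset computer passwords'

$Results = foreach ($Name in $Computers) {
    # Step 1: the computer object must exist in AD, otherwise the repair has nothing to bind to.
    $AdObject = Get-ADComputer -Filter "Name -eq '$Name'" -Server $DomainDc
    if (-not $AdObject) {
        [pscustomobject]@{ Computer = $Name; Healthy = $null; Action = 'No computer object in AD: create it first' }
        continue
    }

    # Step 2: test the secure channel on the machine itself and repair it if needed.
    try {
        Invoke-Command -ComputerName $Name -ErrorAction Stop -ArgumentList $DomainCred, $DomainDc -ScriptBlock {
            param([pscredential]$Cred, [string]$Dc)

            $Healthy = Test-ComputerSecureChannel -Server $Dc    # True = OK, False = trust broken
            $Action  = 'None'
            if (-not $Healthy) {
                # -Repair resets the computer account password on the machine and in AD.
                # Reset-ComputerMachinePassword -Credential $Cred -Server $Dc is the equivalent alternative.
                $Healthy = Test-ComputerSecureChannel -Repair -Server $Dc -Credential $Cred
                $Action  = if ($Healthy) { 'Repaired' } else { 'Repair failed' }
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Healthy = $Healthy; Action = $Action }
        }
    }
    catch {
        # Expected when the trust is already broken: domain (Kerberos) authentication to the
        # target fails. In that case log on to the machine with a local account and run
        # Test-ComputerSecureChannel -Repair there.
        [pscustomobject]@{ Computer = $Name; Healthy = $null; Action = "Unreachable: $($_.Exception.Message)" }
    }
}

$Results | Format-Table -AutoSize
```

The catch block is the important caveat: once the secure channel is broken, the remote machine can no longer validate domain credentials, so a domain-authenticated Invoke-Command will usually fail against exactly the machines you want to fix. The script still reports them, and the repair then has to be run locally, as described above, or through a session opened with a local administrator account.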

D. The netdom method

Netdom is a tool that has been around for a very long time on Windows, even before PowerShell came into its own. It also allows you to reset the computer account password from the command line.

Here is an example where I contact the “SRV-ADDS” domain controller, using the “florian” account and without specifying the password in plain text (hence the “*”).

netdom resetpwd /s:SRV-ADDS /ud:florian /pd:*

IV. Conclusion

We have seen different ways to fix the error “The trust relationship between this workstation and the primary domain has failed” on your Windows machines: with PowerShell for recent machines, and with netdom (or the manual method) for machines running older systems, because we all know there are still some in circulation!

If you know another method, do not hesitate to let us know with a comment! 🙂
