daknetworks.com


The Trust Relationship Between This Workstation and the Primary Domain Has Failed

The Trust Relationship Between This Workstation and the Domain Has Failed

Reset-ComputerMachinePassword

Just as a USER-ACCOUNT is an object in AD, a COMPUTER-ACCOUNT is an object in AD. The computer account has a password (the machine password) that the workstation uses to authenticate to the domain; this error means that password no longer matches what the domain controller holds. Let's reset the password.

  • $credential = Get-Credential
    (enter the domain admin account when prompted)
  • -type: Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

Test-ComputerSecureChannel

Now, let's test the secure channel.

  • -start > programs > powershell (as administrator)
  • -type: Test-ComputerSecureChannel

It will come back either TRUE or FALSE. If it's false, let's try and repair it.

  • -login to localadmin-account on local system and type: Test-ComputerSecureChannel -repair
  • -if that didn't work, try: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    (Use the username/password of the domain admin account when prompted)
  • -if you need to run remotely: Invoke-Command -ComputerName REMOTE-COMPUTER-NAME-HERE -ScriptBlock { Test-ComputerSecureChannel } -Credential (Get-Credential -UserName 'admin-here' -Message 'User')
  • -if you need a one-liner: Test-ComputerSecureChannel -Repair -Credential (New-Object System.Management.Automation.PSCredential 'domain\adminaccounthere',(convertto-securestring $('password-here') -asplaintext -force))
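As an added example (not code from the original post), the following script runs the steps above in the order the post suggests, from the cheapest repair to a full machine password reset, re-testing the channel after each step. The domain controller name and the admin account are placeholders to replace; run it in an elevated PowerShell on the affected workstation.

```powershell
# Added example: walk the repair options from least to most invasive and
# re-test the secure channel after each one. Placeholders below are assumptions.
param(
    [string]$DomainController = 'DC01.domain.tld',        # assumed placeholder
    [string]$AdminUser        = 'domain\adminaccounthere'  # assumed placeholder
)

function Test-Channel {
    # Test-ComputerSecureChannel returns $true or $false; a thrown error
    # (e.g. no DC reachable) is treated as a broken channel.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { Write-Warning "Test-ComputerSecureChannel failed: $_"; return $false }
}

if (Test-Channel) {
    Write-Host "Secure channel OK; nothing to do."
    return
}

# Step 1: repair using the machine's own context. This works when the
# computer account still exists and only the local secret has drifted.
Write-Host "Secure channel broken; trying Test-ComputerSecureChannel -Repair"
Test-ComputerSecureChannel -Repair -ErrorAction SilentlyContinue | Out-Null
if (Test-Channel) { Write-Host "Repaired without domain credentials."; return }

# Step 2: repair with a domain account that may reset the computer password.
# The password is prompted for, never stored in the script.
$cred = Get-Credential -UserName $AdminUser -Message 'Domain account allowed to reset the computer password'
Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction SilentlyContinue | Out-Null
if (Test-Channel) { Write-Host "Repaired with domain credentials."; return }

# Step 3: force a new machine password against a specific DC so the secret
# is written on the same controller the channel is then tested against.
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop
if (Test-Channel) {
    Write-Host "Machine password reset on $DomainController; channel OK."
} else {
    Write-Warning "Still broken; fall back to leaving and rejoining the domain."
}
```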

What I usually find is that I can't run the commands remotely because the trust is broken. And when I run locally, it simply runs "False."

So I copy a PowerShell script onto the computer with the file name rejoin-domain.ps1

==================
# Leave the domain using an account allowed to remove the computer object.
# UnjoinDomainOrWorkgroup(Password, UserName, UnjoinOptions); 0 = default options
$computer = Get-WmiObject Win32_ComputerSystem
$computer.UnjoinDomainOrWorkGroup("password-here", "administrator", 0)
# JoinDomainOrWorkgroup(Name, Password, UserName, AccountOU, JoinOptions)
# 3 = JOIN_DOMAIN (1) + ACCT_CREATE (2): join, creating the account if missing
$computer.JoinDomainOrWorkGroup("domain.tld", "password-here", "administrator", $null, 3)
# Restart so the new machine password and domain membership take effect
Restart-Computer -Force
==================

Then run the PowerShell script through a remote command line like this:
powershell c:\path-to-file\rejoin-domain.ps1

Netdom

An older way of fixing this was with NETDOM.

-type: netdom reset COMPUTER-NAME-HERE /domain:domainname /userd:domainadmin /passwordd:password

What Led Me Here

I found out the relationship failed by:

  • -right-click a folder that is a shared folder for a group on the domain.
  • -click properties
  • -click security tab (at the top)
  • -click advanced button (at the bottom)
  • -effective-access tab
  • -select a user
  • -click VIEW-EFFECTIVE-ACCESS
