Fix Trust Relationship Between Computer and Primary Domain

Sometimes the trust relationship between a computer (physical server, VM, Hyper-V host, etc.) and the domain controller fails. This is usually evident when you attempt to sign in to the server via RDP and receive an authentication-related message or a time mismatch error.

First, check the obvious: make sure the time is the same on both computers, verify that the computer account exists in AD and is not disabled, and confirm that your credentials are valid and not expired, among other things. When all of those check out, it may mean that Kerberos authentication (specifically the secure channel between the computer and the domain) is broken. Also, if you manage the server from another computer you may receive a more detailed Kerberos authentication error there.

Often this can be resolved by signing in to the server locally and de-joining/re-joining the computer to the domain. However, this requires at least one reboot and can cause other problems, so you may not want to do that. You may be able to fix the problem with PowerShell 3.0 as follows. If you do not have PowerShell 3.0 you will need to install it or try Alternate Method #2.
  1. Sign in to the Computer locally (not the domain controller) - you may still be able to RDP into the computer using its IP address (instead of its name), and you must sign in with a local Administrator account
  2. Open PowerShell
  3. Type $cred = Get-Credential
  4. Enter a Domain Administrator account when prompted.
  5. Type Reset-ComputerMachinePassword -Credential $cred -Server dc-hostname.domain (replace dc-hostname.domain with the FQDN of your primary domain controller)
Alternate Method #1
  1. Sign in to the Computer locally (not the domain controller) - you may still be able to RDP into the computer using its IP address (instead of its name), and you must sign in with a local Administrator account
  2. Open PowerShell
  3. Type Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
Alternate Method #2
  1. Download and install the Remote Server Administration Tools from Microsoft onto the Computer - not the domain controller.
  2. Open an elevated command prompt on the Computer.
  3. Type netdom.exe resetpwd /s:dc-hostname.domain /ud:DOMAIN\domainadminusername /pd:* (replace dc-hostname.domain with the FQDN of your primary domain controller; /pd:* prompts for the password instead of putting it on the command line)
  4. Enter the password for that Domain Administrator account when prompted
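The following script is an added example and not part of the original article: it runs the checks described above (clock skew against the DC, then the secure channel itself) and only resets the machine password when the secure channel is actually broken, falling back from Test-ComputerSecureChannel -Repair to Reset-ComputerMachinePassword. It assumes PowerShell 3.0 or later, a local Administrator session on the affected computer, and a DC FQDN supplied in $Dc (the default dc-hostname.domain is a placeholder).

```powershell
# Added example (not from the original article). Run as a local Administrator
# on the affected member computer. $Dc is a placeholder for your DC's FQDN.
param(
    [string]$Dc = 'dc-hostname.domain',   # placeholder: FQDN of the primary DC
    [int]$MaxSkewSeconds = 300            # Kerberos default clock tolerance is 5 minutes
)

# 1. Time skew: Kerberos rejects tickets when the clocks differ by more than
#    the tolerance, which also produces the "time mismatch" RDP error.
$skewLine = (w32tm /stripchart /computer:$Dc /samples:1 /dataonly) |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($skewLine) {
    $skew = [math]::Abs([double]$skewLine.Matches[0].Groups[1].Value)
    Write-Host ("Clock offset from {0}: {1:N2}s" -f $Dc, $skew)
    if ($skew -gt $MaxSkewSeconds) {
        Write-Warning "Clock skew exceeds $MaxSkewSeconds s; fix time sync before resetting the machine password."
    }
} else {
    Write-Warning "Could not measure clock offset against $Dc (is it reachable by name?)."
}

# 2. Secure channel: this is what the "trust relationship failed" message refers to.
$healthy = Test-ComputerSecureChannel -Server $Dc -Verbose
Write-Host "Secure channel healthy: $healthy"

if (-not $healthy) {
    # 3. Repair with domain credentials. No reboot is needed, unlike a rejoin.
    $cred = Get-Credential -Message 'Domain account permitted to reset this computer account password'
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred -Server $Dc
    Write-Host "Repair result: $repaired"
    if (-not $repaired) {
        # Fall back to the article's first method: force a new machine account password.
        Reset-ComputerMachinePassword -Credential $cred -Server $Dc
        Write-Host "Re-test after reset: $(Test-ComputerSecureChannel -Server $Dc)"
    }
}
```

Run it with -Dc pointing at a DC you can reach by name; if the skew warning fires, correct time synchronisation first, since a password reset will not fix a Kerberos failure caused by clock drift.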