Error on Windows Server or Client Machine "Trust Relationship Between Workstation and Primary Domain Failed" (2024)

A Windows machine that is a member of an AD domain displays the below errorwhen a user attempts to log in to the domain. The user is then returned to the login prompt, so no domain login is possible.

The trust relationship between this workstation and the primary domain failed.

This error occurs when the secure channel between the affected machine and AD is broken.The secure channel is the mechanism by which domain-joined machines communicate securely with domain controllers, and it relies upon the password associated with a computer account.

Every domain-joined computer has an account in AD, and every computer account has a password associated with it. These computer account passwords are separate from user account passwords and are managed, synchronized, and updated automatically with no need for user interaction. In some situations, however, the computer's own copy of its password becomes unsynchronized with the copy that is stored in AD. When this happens, the secure channel cannot be established, and the above error is displayed when a user attempts to log in to the domain.

This issue is often resolved by removing the affected machine from the domain by adding it to a workgroup, then readding it to the domain. This can be accomplished with the following steps:

Note: The following steps assume that the affected machine can be removed from the domain with no adverse consequences. Depending on the machine's functional role andthe software installed on it, this may not be true. Also, these steps require logging into a local administrative account on the affected machine. If logging into a local administrative account is not possible, restoring the system from a backup is likely to be the only option.

1. Log in to a local administrative account on the affected machine.
2. Launch the System Properties window. Depending on the version of Windows running on the machine, there are multiple ways to accomplish this.
   • In Windows Server, launch Server Manager, click Local Server in the left pane, and click the name of the domain in the main pane.
   • On a Windows client, click the Start icon and begin typing advanced system settings. Select View advanced system settings when the option appears.
3. In the Computer Name tab, click the Change button.
4. Select Workgroup and type the name of a workgroup. The specific name does not matter, as this is a temporary workgroup. Click OK.
5. Click OK to acknowledge the dialog boxes that appear.
6. Click Close to close the System Properties window. Reboot the computer when you can do so.
7. At the login prompt, log in to the same local administrative account as before.
8. Launch the System Properties window.
9. In the Computer Name tab, click the Change button.
10. Select Domain and type the name of the AD domain. Click OK.
11. Supply the credentials of a domain user account that has permission to add the computer to the domain. Click OK.
12. Click OK to acknowledge the dialog boxes that appear.
13. Click Close to close the System Propertieswindow. Reboot the computer when you can do so.
14. At the login prompt, confirm that you can now log in to a domain account without receiving an error.

If the issue persists after the above steps have been completed, there may be a problem with AD replication in the domain. Replication problems can be complex and are outside the scope of this article.