How to prevent "The Trust relationship between this workstation and the primary domain failed"

Posted on 2009-04-03
Medium Priority
Last Modified: 2012-06-21
I got a call from a user who is not able to log in to the domain. The error message was "The trust relationship between this workstation and the primary domain failed".
I tried the local Administrator and other domain users and got the following message: "Account is disabled". I then logged in as the domain administrator, which worked, and I noticed that the local Administrator account was indeed disabled. I then enabled it, and before I remove this laptop from the domain and rejoin it to the domain, I was wondering if this is the solution and if someone knows why this happened.

Thank you AsgharE
Question by:AsgharE
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 1600 total points
ID: 24062307
That error message indicates a problem with the computer's domain account. It's hard to say positively, but I don't think that disabling the local admin account would cause that problem, at least I have never heard of that being the case.  I would guess that the reason you were able to get in with the domain admin account is that that account was the only other account that had admin privileges on the local workstation.
LVL 18

Assisted Solution

Americom earned 400 total points
ID: 24062327
Simply having the local Administrator account of the machine disabled should not prevent other local or domain accounts from logging on to the machine or logging on to the domain from the machine.
The message was probably due to something else also being disabled, such as the computer account.

As far as why the local Administrator account was disabled, it could be that someone manually disabled it or that a GPO policy did. If from GPO, then you could have more machines with the local Administrator disabled, which you can verify from other workstations.

BTW, if you rejoin the domain, the computer account in Active Directory will be active again. But again, if there is a GPO still active to disable the Administrator account, you would see this Administrator account get disabled again on the next GPO refresh.

Author Comment

ID: 24062656
There was another local user with administrator privilege, and I could not log in as that user either; it had the same issue as the local Administrator (was disabled).
I also noticed that when I checked the properties of the local Administrators group, "Member of" shows a bunch of numbers rather than domain\administrator as a member. Usually in the past I removed the computer from the domain and rejoined it to resolve the issue, but I had never seen the local Administrator and local user accounts disabled. BTW, there is no GPO, therefore it was not impacted by GPO. But in the domain event viewer there have been a lot of login failures regarding this workstation over the last several days, although users had no problem logging in until today.
LVL 38

Accepted Solution

Hypercat (Deb) earned 1600 total points
ID: 24063130
At this point, you really need to remove that workstation from the domain, delete the AD computer account, and then rejoin the domain.  That should resolve these issues.  The reason you see that "bunch of numbers" instead of the name of the account is that you are seeing the local SID of the domain administrator account.  Because of the problem with the computer account, it cannot properly read the attributes of the domain admin account and therefore is just displaying the local SID.  Once you rejoin it to the domain properly, you will once again see the domain administrator account name there.
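An added example, not part of the thread, showing how the diagnosis the accepted solution describes (a broken computer-account secure channel, and a domain SID that the workstation can no longer resolve to a name) can be checked from PowerShell, with the secure-channel reset as a first step before the unjoin, delete and rejoin procedure. It assumes Windows PowerShell 5.1 on a domain-joined machine, an elevated session under a local account, and a constructed domain SID and credential prompt.

```powershell
# Added example (not from the thread). Run elevated from a LOCAL account, because
# domain logon fails while the secure channel is broken.
# Assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module.

# 1. Is the computer account's secure channel with the domain healthy?
#    This is the channel whose failure produces the "trust relationship" error.
$healthy = Test-ComputerSecureChannel -Verbose
if (-not $healthy) {
    # Re-establish the channel by resetting the computer account password in AD
    # without unjoining. If this fails, fall back to the thread's procedure:
    # unjoin, delete the AD computer object, rejoin.
    $cred = Get-Credential -Message 'Domain account permitted to reset computer objects'
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# 2. Translate a SID to an account name. While the channel is broken, domain SIDs
#    cannot be resolved, which is why group membership shows raw numbers.
function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        "$Sid (unresolved: domain unreachable or account deleted)"
    }
}
# Well-known local group: resolves even with no domain connectivity.
Resolve-Sid 'S-1-5-32-544'
# Constructed domain SID (RID 500 = built-in Administrator of that domain);
# shows as unresolved while the secure channel is down.
Resolve-Sid 'S-1-5-21-1111111111-2222222222-3333333333-500'

# 3. State of the built-in local Administrator (RID 500), whatever it was renamed to.
#    Its disabled flag is a separate issue from the trust error, as the answers note.
Get-LocalUser | Where-Object { $_.SID -like '*-500' } | Select-Object Name, Enabled, SID

# 4. Members of the local Administrators group; unresolvable entries appear as SIDs.
net localgroup Administrators
```

If step 1 repairs the channel, step 2 and step 4 will resolve the domain names again without rejoining; if the SIDs stay unresolved, the computer object itself is the problem and the delete-and-rejoin advice above applies.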

Author Comment

ID: 24063400
Hypercat, I almost did what you recommended, except I did not delete the computer account from AD before rejoining the computer to the domain. (I just got your comment.)
Contrary to my expectation, when I added the domain user to the local Administrators group and logged in as the user to the domain, all the previous profile was accessible; I mean that I did not even have to recreate the Outlook profile.
I launched the Outlook icon and the user got to the inbox, whereas in the past Windows XP recreated another profile like user01.domain.
I will watch this laptop and the logs on the domain and DNS next week to see if I have to repeat the process and take your complete and clean steps.
Thank you.
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 1600 total points
ID: 24063589
Glad to help - I hope it works consistently for you.  I recommended deleting the computer account because I've found in some cases that just unjoining and rejoining the domain with the same AD account does not quite do the trick.  However, it sounds like it worked in your case, so that's even better.

Question has a verified solution.