How To Fix Domain Trust Issues in Active Directory

Posted on 2014-08-14
Last Modified: 2014-08-22
How To Fix Domain Trust Issues in Active Directory. I tried the below steps, no luck. Also need to know the reason for the trust relationship error.

1. Try to reset the computer account and check.
2. Try to run this PS command on the client machine and make sure the output returns True:

   Test-ComputerSecureChannel -Server DC -Verbose

   - If the command output returns False, proceed with the next step.
   - Repair the trust relationship of the client machine using the PS command:

   Test-ComputerSecureChannel -Server DC -Repair -Verbose
3. Last option is to disjoin and rejoin the machine manually to

Question by:sureshkumarit
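The check-and-repair steps from the question, written out as a script an admin can run on the affected member (added example, not part of the original post). It assumes PowerShell 3.0 or later, which is when Test-ComputerSecureChannel and Reset-ComputerMachinePassword gained a -Credential parameter, and uses the placeholder names DC01.corp.example.com and CORP\svc-joinadmin, which you replace with your own. Run it from an elevated session opened with a local administrator account: once the secure channel is broken, a domain account cannot log on to the machine, which is also why the repair must be handed a privileged domain credential explicitly instead of relying on the (broken) computer account.

```powershell
# Added example, not from the original thread: test the member's secure
# channel and repair it in place, using an explicit domain credential.
# Requires PowerShell 3.0+ (-Credential on the two cmdlets below).
# Placeholders (assumptions): DC01.corp.example.com, CORP\svc-joinadmin.
param(
    [string]$DomainController = 'DC01.corp.example.com',
    [string]$AdminAccount     = 'CORP\svc-joinadmin'
)

# Domain the member is joined to, read from the OS rather than $env:USERDOMAIN,
# which is the computer name when you are logged on with a local account.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# 1. Is the secure channel healthy? The cmdlet returns $true or $false.
$ok = Test-ComputerSecureChannel -Server $DomainController -Verbose
if ($ok) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to do."
    return
}

# 2. Broken: prompt for an account that is allowed to reset this computer's
#    password. The thread used a Domain Admin; the minimum right is
#    'Reset password' on the computer object, which can be delegated per OU.
$cred = Get-Credential -UserName $AdminAccount `
                       -Message 'Account allowed to reset this computer account'

# 3. -Repair resets the machine account password on the DC and locally in
#    one step (the same outcome as netdom resetpwd).
Test-ComputerSecureChannel -Server $DomainController -Repair -Credential $cred -Verbose

# 4. Verify from PowerShell and from Netlogon's point of view.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host 'Repair succeeded.'
    nltest "/sc_query:$domain"
} else {
    # Fallback: force a new machine account password, then re-test. If this
    # also fails, check DNS, firewall/AV filtering and whether the computer
    # account is disabled before resorting to disjoin and rejoin.
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
    Test-ComputerSecureChannel -Server $DomainController -Verbose
}
```

The script deliberately stops when the channel is already healthy: resetting a working machine account password is harmless but pointless, and the failure the question describes only needs the repair path.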

    Assisted Solution

    by: Sekar Chinnakannu
    Try to reset the computer account using the netdom.exe command:

    netdom resetpwd /s:DOMAINCONTROLLER /ud:domain\USERID /pd:PASSWORD

    Assisted Solution

    It seems to be a DNS name resolution issue. The error message "The trust relationship between this workstation and the primary domain failed or secure channel is broken" indicates that the secure channel between the client server and the DC is broken. This could be due to multiple reasons.

    (1) Check the DNS & WINS entries.
    DNS configuration on clients and member servers:
    1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of the WS.

    (2) Check whether the Firewall service is ON or OFF.
    Refer to this link to disable the firewall:

    (3) Check the status of the Browser service.
    It should be started.

    (4) Check the status of the machine account in AD (it may be disabled).
    If the machine account is disabled, enable it.

    (5) Try using the netdom utility to reset the secure channel between the client & the domain controller.

    (6) Else remove the client from the domain & re-add it to the domain.

    (7) Also check the DNS console for duplicate records for the host machine and remove them.
    Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

    Take a look at the below hotfix too. "A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer":

    Hope this helps
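The checklist in this answer, as a read-only PowerShell script run in an elevated session on the affected member (added example, not the answer author's own). It uses only built-in tools (WMI, nltest, netsh); the Get-ADComputer step needs the RSAT ActiveDirectory module and is skipped when it is not installed, and it asks for a domain credential because the broken channel may stop the host from authenticating on its own. No step changes anything, so it is safe to run before choosing between the netdom reset and a disjoin/rejoin.

```powershell
# Added example, not from the original answer: gather the evidence for each
# item in the checklist without modifying the machine or the domain.
$domain   = (Get-WmiObject Win32_ComputerSystem).Domain   # FQDN the member is joined to
$hostname = $env:COMPUTERNAME
$nics     = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

# (1) DNS: only internal DNS servers should be configured, and the DC
#     locator must be able to find a DC through the _msdcs SRV records.
"DNS servers configured: $(($nics | ForEach-Object { $_.DNSServerSearchOrder }) -join ', ')"
nltest "/dsgetdc:$domain" /force      # DsGetDcName error here = SRV lookup problem

# (7) Duplicate or stale host record: any address DNS returns for this name
#     that is not bound locally points at a record to remove in the DNS console.
$local    = $nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+(\.\d+){3}$' }
$resolved = [System.Net.Dns]::GetHostAddresses("$($hostname).$($domain)") |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
$stale = $resolved | Where-Object { $local -notcontains $_ }
if ($stale) { Write-Warning "DNS returns address(es) not on this host: $($stale -join ', ')" }

# (2) Windows Firewall state, plus any third-party AV/firewall that may be
#     filtering AD traffic. The SecurityCenter2 namespace exists on client
#     OS editions only, so the query is allowed to fail on servers.
netsh advfirewall show allprofiles state
try {
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction Stop |
        Select-Object displayName, productState
} catch { 'No SecurityCenter2 namespace (server OS): check the AV console manually.' }

# (3) Computer Browser service (absent on recent Windows builds; ignore then).
Get-Service Browser -ErrorAction SilentlyContinue | Select-Object Name, Status

# (4) Computer account state in AD, with explicit credentials (needs RSAT).
if (Get-Module -ListAvailable ActiveDirectory) {
    $cred = Get-Credential -Message 'Domain account allowed to read the computer object'
    Get-ADComputer $hostname -Properties Enabled, PasswordLastSet, LastLogonDate -Credential $cred |
        Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
}

# (5) Netlogon's view of the secure channel; this is what the repair fixes.
nltest "/sc_query:$domain"
```

If the stale-record warning fires, remove the extra A record (and any matching PTR) before resetting the secure channel, otherwise the DC may keep talking to the wrong host and the repair will not hold.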

    Author Comment

    C:\windows\system32>netdom resetpwd /s:DOMAINCONTROLLER /ud:DOMAIN\USERID /pd:*
    Type the password associated with the domain user:

    The machine account password for the local machine could not be reset.

    Logon failure: unknown user name or bad password.

    The command failed to complete successfully.

    I am sure I am using the correct password. I am getting this output; can you please help? Do I need to use a domain admin account to reset the computer account from the client machine?

    Accepted Solution

    Yes, you should use a domain admin.

    Author Comment

    Excellent, working.
