
Trust Relationship Failed — Fix a Broken Domain Join Without a Reimage

The trust relationship between a workstation and the domain can break without any hardware change. You don't need to reimage — here's the fast fix.

7 min read · Updated 2026

What Causes This

Every domain-joined computer has a machine account in AD with a password that rotates every 30 days. If the local machine and the DC fall out of sync — due to a snapshot revert, a long offline period, or a cloned VM — the secure channel breaks. The user sees:

"The trust relationship between this workstation and the primary domain failed."

The fix is resetting the secure channel — not removing and rejoining the domain, which destroys local profiles, BitLocker state, and app data.

Before you start: you cannot log in as a domain user on the broken machine. Log in as the local administrator (.\Administrator or MACHINENAME\Administrator). If the local admin account is disabled, see Fix Remotely From a DC below.

Fix via PowerShell (Fastest)

1. Open PowerShell as administrator on the affected machine
# Reset the secure channel — prompts for domain admin credentials
Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose

Enter domain admin credentials when prompted. A result of True means the channel was repaired.

2. Restart the machine
Restart-Computer

After the restart, log in as a domain user. The error should be gone.

Fix Remotely From a DC

If you can't log into the machine at the console, run the reset over PowerShell remoting from a domain controller or management host. Reset-ComputerMachinePassword only acts on the computer it runs on, so it has to execute on BROKENPC; authenticate to BROKENPC with its local Administrator account, because domain accounts cannot authenticate to it while the secure channel is broken:

# Get-Credential cannot prompt inside a remote session, so collect both credentials first
$domainCred = Get-Credential -Message 'Domain admin (e.g. CORP\domainadmin)'
$localCred  = Get-Credential -Message 'Local admin on BROKENPC (BROKENPC\Administrator)'
# Run the machine-account password reset ON the broken machine, against DC01
Invoke-Command -ComputerName BROKENPC -Credential $localCred -ScriptBlock {
    Reset-ComputerMachinePassword -Server DC01 -Credential $using:domainCred
}
# Alternative: repair the secure channel in place over the same remoting path
Invoke-Command -ComputerName BROKENPC -Credential $localCred -ScriptBlock {
    Test-ComputerSecureChannel -Repair -Server DC01 -Credential $using:domainCred
}

After resetting remotely, the machine still needs to restart before the new password is picked up. Use WMI or SCCM to trigger a remote restart if needed.

Fix via Netdom (Legacy / Fallback)

# On the affected machine — run from CMD as local admin
netdom resetpwd /server:DC01 /userd:CORP\domainadmin /passwordd:*

The * prompts for the password securely. After this command completes, restart the machine.

Verify the Fix

# Test the secure channel after restart
Test-ComputerSecureChannel -Verbose
# Should return: True

# Also verify with nltest
nltest /sc_verify:corp.local

A successful nltest output shows Trusted DC Name and NERR_Success. If it returns ERROR_NO_LOGON_SERVERS, DNS is the problem — check that the machine can reach a DC.
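The fix and verify steps above folded into one function, as an added example that is not part of the original runbook: it refuses to repair a healthy channel, pre-checks DNS so the ERROR_NO_LOGON_SERVERS case is caught before the reset, repairs against a DC found via SRV records, and verifies with nltest before you reboot. The function name and the CORP\domainadmin account are placeholders; run it elevated as the local administrator on the broken machine.

```powershell
# Added example, not the runbook's own code. Placeholders: function name, CORP\domainadmin.
function Repair-DomainSecureChannel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][pscredential]$DomainCredential,
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )

    # 1. Don't repair what isn't broken: a healthy channel returns True.
    if (Test-ComputerSecureChannel) {
        return [pscustomobject]@{ Domain = $Domain; Repaired = $false; Healthy = $true; DC = $null }
    }

    # 2. DNS pre-flight: repair fails with ERROR_NO_LOGON_SERVERS when no DC is discoverable,
    #    so resolve the _ldap._tcp.dc._msdcs SRV record before touching the channel.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No DC SRV records for $Domain; fix DNS before repairing the channel." }
    $dc = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget

    # 3. Reset the secure channel against that DC; -Repair keeps profiles, BitLocker and app data.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Repair secure channel with $dc")) {
        $ok = Test-ComputerSecureChannel -Repair -Server $dc -Credential $DomainCredential -ErrorAction Stop
        if (-not $ok) {
            throw "Repair against $dc returned False; check the account can reset $env:COMPUTERNAME`$."
        }
    }

    # 4. Verify before rebooting: nltest reports NERR_Success on a working channel.
    $verify  = nltest "/sc_verify:$Domain" 2>&1
    $healthy = ($verify -match 'NERR_Success') -and (Test-ComputerSecureChannel)

    [pscustomobject]@{
        Domain = $Domain; Repaired = $true; Healthy = $healthy; DC = $dc; Nltest = ($verify -join ' ')
    }
}

# Usage (restart is still required after a successful repair):
# $r = Repair-DomainSecureChannel -DomainCredential (Get-Credential 'CORP\domainadmin')
# if ($r.Repaired -and $r.Healthy) { Restart-Computer -Confirm }
```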

Prevention

  • Don't revert VM snapshots older than 30 days — the machine account password will have rotated since the snapshot was taken
  • Never clone VMs without running sysprep first — cloned machines share a machine account and overwrite each other's passwords
  • Keep machines connected to the network at least monthly — extended offline periods cause the machine account to desync
  • Enable the local Administrator account on all domain machines and use LAPS — so you always have a way in when domain auth fails