
Error on Windows Server or Client Machine "Trust Relationship Between Workstation and Primary Domain Failed"

Summary: A Windows machine that is a member of an Active Directory domain displays the error "The trust relationship between this workstation and the primary domain failed." This happens when a user attempts to log in to the domain. This issue can be resolved by removing the machine from the domain and readding it. ...


Article Content


Symptoms

A Windows machine that is a member of an Active Directory domain displays the below error when a user attempts to log in to the domain. The user is then returned to the login prompt, so no domain login is possible.
"The trust relationship between this workstation and the primary domain failed."

Cause

This error occurs when the secure channel between the affected machine and Active Directory is broken. The secure channel is the mechanism by which domain-joined machines communicate securely with domain controllers, and it relies upon the password associated with a computer account.

Every domain-joined computer has an account in Active Directory, and every computer account has a password associated with it. These computer account passwords are separate from user account passwords and are managed, synchronized, and updated automatically with no need for user interaction. In some situations, however, the computer's own copy of its password becomes unsynchronized with the copy that is stored in Active Directory. When this happens, the secure channel cannot be established, and the above error is displayed when a user attempts to log in to the domain.

Resolution

The quickest way to resolve this issue is to remove the affected machine from the domain by moving it into a temporary workgroup, and then to join it to the domain again. This can be accomplished with the following steps:

 
Note: The following steps assume that the affected machine can be removed from the domain with no adverse consequences. Depending on the machine's functional role and the software installed on it, this may not be true. Also, these steps require logging into a local administrative account on the affected machine. If logging into a local administrative account is not possible, restoring the system from a backup is likely to be the only option.
 
  1. Log in to a local administrative account on the affected machine.
  2. Launch the System Properties window. Depending on the version of Windows running on the machine, there are multiple ways to accomplish this.
    • In Windows Server, launch Server Manager, click Local Server in the left pane, and click the name of the domain in the main pane.
    • On a Windows client, click the Start icon and begin typing advanced system settings. Select View advanced system settings when the option appears.
  3. In the Computer Name tab, click the Change button.
  4. Select Workgroup and type the name of a workgroup. The specific name does not matter, as this is a temporary workgroup. Click OK.
  5. Click OK to acknowledge the dialog boxes that appear.
  6. Click Close to close the System Properties window. Reboot the computer when you can do so.
  7. At the login prompt, log in to the same local administrative account as before.
  8. Launch the System Properties window.
  9. In the Computer Name tab, click the Change button.
  10. Select Domain and type the name of the Active Directory domain. Click OK.
  11. Supply the credentials of a domain user account that has permission to add the computer to the domain. Click OK.
  12. Click OK to acknowledge the dialog boxes that appear.
  13. Click Close to close the System Properties window. Reboot the computer when you can do so.
  14. At the login prompt, confirm that you can now log in to a domain account without receiving an error.
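
The same leave-and-rejoin procedure can be run from an elevated Windows PowerShell 5.1 prompt. The script below is an added example, not part of the original article; the `-Phase` parameter is hypothetical, and `corp.example.com` and `TEMPWG` are placeholder names. It assumes a domain account with permission to remove the computer from the domain and add it back, and it leaves both reboots to the operator, as in steps 6 and 13.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Windows PowerShell 5.1, elevated prompt.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Check', 'Leave', 'Join')]
    [string]$Phase,
    [string]$DomainName    = 'corp.example.com',  # placeholder domain name
    [string]$WorkgroupName = 'TEMPWG'             # temporary; the name does not matter
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# True when the session belongs to a local account rather than a domain account
$isLocalSession = $env:USERDOMAIN -eq $env:COMPUTERNAME

switch ($Phase) {
    'Check' {
        # Before the fix: confirms the diagnosis. After step 14: confirms the repair.
        if (-not $cs.PartOfDomain) {
            Write-Output "Not domain-joined (workgroup: $($cs.Workgroup))."
        }
        elseif (Test-ComputerSecureChannel) {
            Write-Output "Secure channel to $($cs.Domain) is healthy."
        }
        else {
            Write-Warning "Secure channel to $($cs.Domain) is broken."
        }
    }
    'Leave' {   # steps 1-6
        if (-not $cs.PartOfDomain) { throw 'Machine is already in a workgroup.' }
        # Once the machine leaves the domain, only local accounts can log in.
        if (-not $isLocalSession) { throw 'Log in to a local administrative account first.' }
        $cred = Get-Credential -Message "Domain account allowed to remove computers from $($cs.Domain)"
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $WorkgroupName -Force -ErrorAction Stop
        Write-Output 'Moved to workgroup. Reboot, then run this script with -Phase Join.'
    }
    'Join' {    # steps 7-13
        if ($cs.PartOfDomain) { throw "Machine is still joined to $($cs.Domain)." }
        $cred = Get-Credential -Message "Domain account allowed to add computers to $DomainName"
        Add-Computer -DomainName $DomainName -Credential $cred -ErrorAction Stop
        Write-Output 'Joined. Reboot, then run -Phase Check and test a domain login.'
    }
}
```

Running the `Check` phase first confirms that the secure channel is actually the fault before the machine is taken out of the domain.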

Article Properties


Affected Product

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows 2012 Server, Microsoft Windows 2012 Server R2

Last Published Date

25 Jun 2024

Version

8

Article Type

Solution