Windows – “The trust relationship between this workstation and the primary domain failed”

KB ID 0000504


Seen on Windows clients in a domain environment.

What’s Happened?

Put simply: just like your user account has a password, the computer you log on to has one too (you never see it). By default the computer changes that password every thirty days, and it all happens in the background. For any of a number of reasons (a machine restored from a backup or snapshot taken before its last password change is a common one) the copy of the password held by the computer no longer matches the copy held by the domain controller. The secure channel between the two can then not be set up, and Windows refuses the domain logon with the error above.


1. First, let's try resetting the computer account. On your domain controller, in Administrative Tools, launch “Active Directory Users and Computers” > Find the computer object that is having problems > Right click > Reset Account.

reset computer account

2. Then try to log on again (to be honest this usually does not work!). If it does, stop reading and have a nice day. If not, go back to the broken machine and disconnect it from the network (unplug the cable and turn off wireless, so it cannot reach a domain controller). With no domain controller reachable, Windows falls back to cached credentials instead of failing the logon, so you can log on either with a domain account that has local administrative rights and has logged on to this machine before, or as the local Administrator (or another account with local administrative privileges).

Note: On Windows 7 the local Administrator account is usually disabled. If you have forgotten its password, or need to enable it, see the following article:

Windows Administrator “Lost Password” / “Password Reset”

local admin login

3. In the Search/Run box type sysdm.cpl {enter}.


4. On the Computer Name tab > Change > In the workgroup section type in TEMP > OK.

Note: If leaving the domain is NOT an option, i.e. you have this error on a mission-critical server, or you fear leaving the domain might break something, skip to the end and see how to fix the problem in place with netdom.

change workgroup

5. Take note of this warning! If you just logged on as the local Administrator, you know its password. If you did not, reset it FIRST: once the machine has left the domain, cached domain credentials will no longer log you on, so do not reboot until you either know the local Administrator password or have set it to one you know. To reset it: Right click Computer > Manage > Local Users and Groups > Users > Right click Administrator > Set Password. Then click OK on the warning.

need local admin

6. OK > OK > Close > Reboot.

join workgroup

7. Back at the domain controller, in Administrative Tools, launch “Active Directory Users and Computers” > Find the computer object that is having problems > Right click > Delete. Be aware that deleting the object also discards its group memberships and any delegation settings on it; if those matter (typically on a server), use the netdom method at the end instead.

Note: If you don't have access to the domain controller, give the PC a different computer name once it has rebooted, so it joins under a fresh computer object rather than the stale one; if you do that, skip this step.

delete computer account

8. Run sysdm.cpl again and rejoin your domain.


9. Supply domain credentials. Note: I've used the domain admin account here, but by default an ordinary domain user can join up to 10 machines to the domain (the ms-DS-MachineAccountQuota attribute of the domain), which is enough for this job.

join domain

10. All being well (provided the password was correct and your DNS works) the computer joins the domain and asks you to reboot again. The join sets a brand-new machine account password on both sides, so after the reboot the trust relationship is back.

welcome to domain
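The ten steps above as one script, added here as an example rather than code from the original article. It runs in three phases (leave, delete the object on the DC, rejoin) and assumes Windows PowerShell 3.0 or later (Windows 8 / Server 2012, or Windows 7 with the Windows Management Framework 3.0 update), an elevated session, and the placeholder names corp.example.com for the domain and CORP\joinadmin for the joining account; swap in your own.

```powershell
# Fix-TrustByRejoin.ps1 (added example, not the article's own code).
# Usage:  .\Fix-TrustByRejoin.ps1 -Phase Leave          # on the client, logged on as LOCAL admin, offline
#         .\Fix-TrustByRejoin.ps1 -Phase DeleteObject -TargetComputer PC01   # on the DC
#         .\Fix-TrustByRejoin.ps1 -Phase Rejoin         # on the client after the reboot, network back on
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Leave', 'DeleteObject', 'Rejoin')]
    [string]$Phase,

    # Name of the broken computer. Required for DeleteObject, which runs on the DC,
    # so $env:COMPUTERNAME would be the wrong (and dangerous) default there.
    [string]$TargetComputer
)

$Domain    = 'corp.example.com'   # assumption: your AD DNS domain
$JoinUser  = 'CORP\joinadmin'     # assumption: account allowed to join machines
$Workgroup = 'TEMP'               # throw-away workgroup from step 4

switch ($Phase) {

    # Phase 1, on the broken client. Step 5's warning, enforced before step 4.
    'Leave' {
        # Refuse to leave the domain while the built-in Administrator (RID 500)
        # is disabled: after the reboot no domain logon will work any more.
        $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
        if ($admin.Disabled) {
            throw 'Built-in local Administrator is disabled. Enable it and set a password you know before leaving the domain.'
        }
        # Step 4 and 6: drop to a workgroup and reboot. No unjoin credential is
        # given because the secure channel is broken and the DC cannot be told anyway.
        Remove-Computer -WorkgroupName $Workgroup -Force -Restart
    }

    # Phase 2, on the domain controller (needs the ActiveDirectory module, RSAT).
    'DeleteObject' {
        if (-not $TargetComputer) { throw 'Pass -TargetComputer <name> when running this phase.' }
        # Step 7: delete the stale computer object. Group memberships and any
        # delegation settings on it are lost; use the netdom fix if they matter.
        Import-Module ActiveDirectory
        Get-ADComputer -Identity $TargetComputer | Remove-ADComputer -Confirm:$false
    }

    # Phase 3, back on the client after the reboot, logged on as local admin.
    'Rejoin' {
        # Step 10's precondition: the DC locator must find a DC through DNS.
        nltest /dsgetdc:$Domain | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Cannot locate a domain controller for $Domain. Fix DNS before joining." }

        # Step 9: domain credentials; -Credential prompts for the password.
        $cred = Get-Credential -UserName $JoinUser -Message "Account allowed to join $Domain"

        # Steps 8 to 10: join (which creates the object and sets a fresh machine
        # password) and reboot.
        Add-Computer -DomainName $Domain -Credential $cred -Restart
    }
}
```

The Leave phase deliberately does not try to tell the domain controller about the unjoin; that is exactly what the deleted-and-recreated object in phase 2 takes care of. If the computer object still exists because you skipped phase 2, Add-Computer run with an account that has rights to that object will reset its password rather than fail, so the join still completes.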

Using NETDOM to fix the trust relationship

Sometimes leaving the domain is NOT an option. If that is the case, disconnect the affected machine from the network (wireless as well as cables) and log on; you should be able to log on as either the local Administrator or as a domain user that has cached credentials. Then reconnect the network: the command below has to reach the domain controller you name with /s:, so it cannot run offline.

From an elevated command prompt, issue the following command (replace {domain controller name} and {username}; /ud: takes the DOMAIN\user form and /pd:* prompts for that user's password):

netdom.exe resetpwd /s:{domain controller name} /ud:{username} /pd:*

Use netdom to reset the computer password

Note: Windows 7 does not have netdom by default. You need to install the Remote Server Administration Tools (RSAT) for Windows 7 and then enable the feature under Turn Windows features on or off > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools.
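The same in-place repair in PowerShell, with a check before and after, added here as an example and not taken from the original article. Test-ComputerSecureChannel and Reset-ComputerMachinePassword ship with Windows, so unlike netdom they need no RSAT install on Windows 7; their -Credential parameters assume Windows PowerShell 3.0 or later. DC01, corp.example.com and CORP\joinadmin are placeholders for your own names.

```powershell
# Repair-TrustInPlace.ps1 (added example, not the article's own code).
# PowerShell equivalent of: netdom resetpwd /s:DC01 /ud:CORP\joinadmin /pd:*
# Run from an elevated session on the affected machine, logged on as a local
# admin or a cached domain user, with the network reconnected: the reset has
# to reach the domain controller.
$Domain = 'corp.example.com'   # assumption: your AD DNS domain name
$Server = 'DC01'               # assumption: a reachable DC, as /s: in netdom

# Check: $true means the secure channel is healthy and the logon error has some
# other cause; $false is the out-of-sync machine password this article is about.
if (Test-ComputerSecureChannel -Server $Server -Verbose) {
    Write-Host "Secure channel with $Server is fine; nothing to reset."
    return
}

# Account with rights to reset the computer object (netdom's /ud: and /pd:*).
$cred = Get-Credential -UserName 'CORP\joinadmin' -Message "Account allowed to reset this computer's AD object"

# Fix: -Repair sets a new machine account password on the client and in AD and
# re-establishes the channel, without leaving the domain or losing group memberships.
if (-not (Test-ComputerSecureChannel -Server $Server -Repair -Credential $cred)) {
    # Fallback: force a fresh machine password directly against that DC.
    Reset-ComputerMachinePassword -Server $Server -Credential $cred
}

# Verify: ask Netlogon itself (nltest.exe ships with Windows 7 and later).
nltest /sc_verify:$Domain
if ($LASTEXITCODE -ne 0) {
    throw 'Secure channel still broken; fall back to the leave-and-rejoin steps above.'
}
Write-Host 'Trust relationship repaired.'
```

Once the script reports success, log off and log on again with a domain account to confirm; if the account you used for -Credential does not have the right to reset the password on that particular computer object, the repair fails and you are back to the ADUC reset in step 1 or the rejoin procedure.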


Related Articles, References, Credits, or External Links

Original Article Written 15/09/11

Author: Migrated
