2025 Trust Relationship KB ID 0001917
Problem
Following a full upgrade of all domain controllers (DCs) to Windows Server 2025, organisations may experience trust relationship failures between domain-joined workstations and the domain. This issue predominantly affects clients running Windows 10/11 versions up to 23H2. Notably, environments retaining at least one older DC do not encounter this problem.
Symptoms
- Users unable to log in to their workstations.
- Event ID 4771 logged in the Security event log: "Kerberos pre-authentication failed."
- Access to domain resources is denied.
Solution: 2025 Trust Relationship
In Active Directory, each computer account maintains a secure channel with the domain, utilising a password that changes every 30 days by default. Windows Server 2025 introduces changes that interfere with this password change process. Specifically, client devices are unable to update their machine account passwords, leading to trust relationship failures. The exact mechanism causing this issue remains under investigation.
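The following PowerShell is an added example for triaging the symptoms above; it is not part of the original KB article. It assumes the ActiveDirectory RSAT module on the domain controller, that the workstation check is run locally on an affected client, and that the 30-day figure matches your (default) maximum machine account password age. The credential placeholder is illustrative.

```powershell
# Added example (not part of the KB article): triage the trust relationship symptoms.
# Assumes RSAT ActiveDirectory module on the DC; workstation section runs locally.

# --- On an affected workstation: is the secure channel to the domain intact? ---
# Test-ComputerSecureChannel returns $false when the machine account password held
# locally no longer matches the one stored in Active Directory.
$channelOk = Test-ComputerSecureChannel -Verbose
if (-not $channelOk) {
    Write-Warning "Secure channel broken; repairing resets the machine account password in AD."
    # Needs an account allowed to reset the computer object. Placeholder credential:
    # Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\admin')
}

# --- On a Windows Server 2025 DC: which computer accounts have stopped rotating? ---
# With the default 30-day maximum age, a PasswordLastSet older than ~30 days means the
# client has not managed a password change since the upgrade.
$maxAgeDays = 30   # assumption: default policy value
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)
$stale = Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Sort-Object PasswordLastSet |
    Select-Object Name, OperatingSystem, PasswordLastSet
$stale | Format-Table -AutoSize

# --- On the same DC: 4771 pre-authentication failures in the last 24 hours, per client ---
# Computer accounts appear as TargetUserName ending in '$'; grouping shows which
# machines the DC is rejecting, and Status gives the Kerberos error code.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Client  = ($d | Where-Object Name -eq 'IpAddress').'#text'
            Status  = ($d | Where-Object Name -eq 'Status').'#text'
        }
    } |
    Where-Object { $_.Account -like '*$' } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the first section on a client that can still be reached (for example via a local administrator account), and the other two on the upgraded DC. A machine that appears in both the stale PasswordLastSet list and the 4771 grouping is the pattern this article describes.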
2025 Trust Relationship Temporary Workaround
To prevent the issue from affecting additional machines, implement the following Group Policy settings:
On Domain Controllers:
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Policy: Domain controller: Refuse machine account password changes
- Setting: Enabled
On Domain Members:
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Policy: Domain member: Maximum machine account password age
- Setting: 0
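As an added example (not from the original KB article), the script below applies or reverts the same workaround through the registry values under the Netlogon Parameters key that back these Security Options, for hosts that cannot wait for a Group Policy refresh. On members it sets DisablePasswordChange, the value behind the separate policy "Domain member: Disable machine account password changes", rather than the age setting above, because it stops the change attempt outright; that substitution, the -Revert switch and the role detection are this script's own choices. Group Policy remains the preferred route, and a GPO that still sets these values will reapply them on the next refresh.

```powershell
# Added example (not part of the KB article): apply or revert the Netlogon registry
# values behind the workaround. -Revert is this script's own switch.
param(
    [switch]$Revert
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; lower values are members.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

if ($isDC) {
    # Backs "Domain controller: Refuse machine account password changes".
    $values = @{ RefusePasswordChange = 1 }
} else {
    # Backs "Domain member: Disable machine account password changes" (chosen here
    # instead of the age setting; see lead-in).
    $values = @{ DisablePasswordChange = 1 }
}

foreach ($name in $values.Keys) {
    $current = (Get-ItemProperty -Path $netlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($Revert) {
        # Both values default to 0 when absent, so removing the override restores
        # normal password rotation once Netlogon restarts.
        if ($null -ne $current) {
            Remove-ItemProperty -Path $netlogon -Name $name
            Write-Host "Removed $name (was $current)"
        } else {
            Write-Host "$name not set; nothing to revert"
        }
    } else {
        $was = if ($null -eq $current) { 'unset' } else { $current }
        Write-Host "Setting $name=$($values[$name]) (was $was)"
        Set-ItemProperty -Path $netlogon -Name $name -Value $values[$name] -Type DWord
    }
}

# Netlogon reads these parameters at start-up; restarting it is briefly disruptive on a DC.
Restart-Service -Name Netlogon -Force

# Show the resulting state so the change (or its reversal) can be recorded.
Get-ItemProperty -Path $netlogon |
    Select-Object RefusePasswordChange, DisablePasswordChange, MaximumPasswordAge
```

Keep a record of which hosts were changed this way: because the page's workaround freezes machine account passwords, every host touched must be reverted (with -Revert, or by removing the GPO settings) once a fix is available.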
Note: This is a temporary measure. Revert these settings once a permanent fix or update is available. Freezing machine account passwords weakens machine security, so this is a workaround only, not a fix.
Related Articles, References, Credits, or External Links
Windows: ‘Trust Relationship Failed’
Broken trust relationship between a domain-joined device and its domain due to secure channel issues