ISSUE
After restoring a server using Bare Metal Recovery, Instant Recovery, or any other method, you encounter the following error when attempting to log in with domain credentials, provided the machine was previously joined to an Active Directory (AD) domain:
"The trust relationship between this workstation and the primary domain failed."
CAUSE
The most common reason for this error is a mismatch in the computer account password between the restored system and Active Directory. This typically occurs if the password was changed after the last backup was taken.
However, several other conditions can also cause trust relationship errors, including but not limited to the following:
- The system time differs from the domain controller by more than 5 minutes
- The domain controller is not a Global Catalog server
- The computer account was deleted from AD
- DNS is not properly configured to point to AD-integrated DNS servers
RESOLUTION
1. Log in with Local Administrator Credentials
- If local admin access is available, log in normally.
- If not, disconnect the network adapter to force the use of cached credentials, then reconnect once logged in.
2. Sync System Time
Ensure the system date and time are in sync with the domain controller. A time difference greater than 5 minutes can cause authentication issues.
3. Reset the Computer Account Password
Open a Command Prompt or PowerShell window as Administrator and run one of the following commands:
Option A: Using PowerShell
Reset-ComputerMachinePassword -Server "<DomainController>" -Credential "Domain01\Admin01"
- -Server: Name of the domain controller to contact
- -Credential: Domain user in domain\user format. You will be prompted for a password.
Option B: Using Command Prompt
netdom resetpwd /s:<DomainController> /ud:<Domain\User> /pd:*
- /s: Name of the domain controller
- /ud: Domain user account in domain\user format
- /pd:*: Prompts for the password
4. Reboot
After the password is reset, reboot the system.
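The following PowerShell script is an added example and is not part of the original article. It walks through the causes listed above in the order of the resolution steps: it confirms the machine is domain-joined, checks that DNS can resolve the domain's LDAP SRV records, measures clock skew against the domain controller and resyncs if it exceeds 5 minutes, and only then tests the secure channel and repairs it if broken. Test-ComputerSecureChannel -Repair resets the machine account password in AD, which has the same effect as Reset-ComputerMachinePassword in Option A. The domain controller name and admin account are operator-supplied placeholders; run it from an elevated session while logged in with local Administrator credentials (step 1).

```powershell
# Added example (not from the original article): verify the common causes of a
# broken trust relationship before resetting the machine account password.
# $DomainController and $AdminAccount are placeholders supplied by the operator.
param(
    [Parameter(Mandatory = $true)] [string] $DomainController,   # e.g. DC01.corp.example (placeholder)
    [Parameter(Mandatory = $true)] [string] $AdminAccount        # e.g. CORP\Admin01 (placeholder)
)

# The machine must still believe it is domain-joined; otherwise a rejoin, not a repair, is needed.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This computer is not joined to a domain; nothing to repair."
}
$domain = $cs.Domain
Write-Host "Computer '$($cs.Name)' is joined to '$domain'."

# --- Check 1: DNS must resolve the domain's LDAP SRV records (CAUSE: DNS) ---
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records found for $domain; point the adapter at an AD-integrated DNS server first."
}

# --- Check 2: clock skew against the DC must be under 5 minutes (step 2) ---
# w32tm /stripchart prints lines such as "12:00:01, +00.0123456s"; the last field is the offset.
$chart = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly
$offsetLine = $chart | Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
if ($offsetLine -match ',\s*([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) {
        Write-Warning ("Clock skew is {0:N0} seconds; resyncing time before continuing." -f $skew)
        w32tm /resync /nowait | Out-Null
    } else {
        Write-Host ("Clock skew is {0:N1} seconds; within tolerance." -f $skew)
    }
} else {
    Write-Warning "Could not measure clock skew against $DomainController; check connectivity and time manually."
}

# --- Check 3: test the secure channel and repair only if it is broken (step 3) ---
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel is healthy; no password reset needed."
} else {
    # Prompts for the password of the domain account that may reset computer accounts.
    $cred = Get-Credential -UserName $AdminAccount -Message "Domain account allowed to reset computer account passwords"
    if (Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred) {
        Write-Host "Secure channel repaired. Reboot to complete the fix (step 4)."
    } else {
        Write-Warning "Repair failed. Verify the computer account still exists in AD and that '$AdminAccount' has reset rights."
    }
}
```

Running the checks before the reset avoids the common situation where the password reset succeeds but logon still fails because of clock skew or DNS, which would otherwise be misdiagnosed as a second trust failure.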
REFERENCES