Thursday, February 7, 2019

Solution for "The trust relationship between this workstation and the primary domain failed"

This can be fixed by unjoining the computer from the domain and joining it again.

With PowerShell (run as administrator) on Windows 7:
# Placeholders: "Domain", "AdminPW" and "AdminAccount" must be replaced with your own values.
# The user name for a domain join should include the domain, e.g. "DOMAIN\AdminAccount".
$computer = Get-WmiObject Win32_ComputerSystem
# UnjoinDomainOrWorkgroup(Password, UserName, Options); 0 = default, the computer account is left in AD
$computer.UnjoinDomainOrWorkGroup("AdminPW", "AdminAccount", 0)
# JoinDomainOrWorkgroup(Name, Password, UserName, AccountOU, Options); 3 = NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2)
$computer.JoinDomainOrWorkGroup("Domain", "AdminPW", "AdminAccount", $null, 3)
# Clear the admin password from your session history afterwards; it is passed in clear text above.
Restart-Computer -Force

With PowerShell on Windows 10 (repairs the secure channel in place, without unjoining):
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

or (resets the machine account password against a specific domain controller):
Reset-ComputerMachinePassword -Server DomainControllerNameHere -Credential (Get-Credential)
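
The in-place repair is the least disruptive fix because it keeps the computer's SID, group policy links and user profiles, so it is worth checking the secure channel and name resolution before falling back to an unjoin. The script below is an added example (not code from the original post) that runs those checks in order on the affected client; the domain and domain controller names are placeholders, and it assumes PowerShell 3.0 or later for the -Credential parameters.

```powershell
# Added example: diagnose the broken trust before changing domain membership.
# Run in an elevated PowerShell session on the affected workstation.
$Domain           = 'corp.example'        # assumed placeholder, replace with your domain
$DomainController = 'dc01.corp.example'   # assumed placeholder, replace with a DC name

# 1. Trust errors are frequently name-resolution errors. nltest uses the DC
#    locator, so a failure here points at DNS/DHCP rather than at the account.
$dcLookup = nltest /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DC locator failed for $Domain; fix DNS before rejoining.`n$dcLookup"
    return
}

# 2. Read-only check of the secure channel (no changes yet).
if (Test-ComputerSecureChannel -Verbose) {
    Write-Host "Secure channel to $Domain is healthy; no repair needed."
    return
}

# 3. Non-destructive repair: re-establish the channel and resync the machine
#    account password using an account allowed to reset computer passwords.
$cred = Get-Credential -Message "Account permitted to reset this computer's AD password"
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Host "Secure channel repaired; log off and back on with a domain account."
    return
}

# 4. Fallback: force a machine password reset against one named DC, then
#    reboot and re-run the read-only check in step 2.
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
Write-Host "Machine password reset against $DomainController; reboot and re-test."
```

If step 4 also fails, the computer object itself is usually missing or stale in AD, which is when the unjoin/delete/rejoin procedures further down the page apply.
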
Windows XP?
Try removing / uninstalling some of the protocols bound to the network adapter.

' VBScript: adds the domain account adminsys\XTeam-wksadm to the local Administrators
' group through the WinNT ADSI provider. Run with local administrator rights (cscript).
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://adminsys/XTeam-wksadm")
On Error Resume Next    ' ignore the error raised if the account is already a member
Err.Clear
objGroup.Add(objUser.ADsPath)

I had this issue with a Windows Server 2012 180 eval acting as the AD Primary for a Windows 7 client. These are the steps I just followed a few minutes ago to alleviate the issue.

1) I logged into the AD, went into the AD Domains and Trusts area.
2) Found the domain, right clicked and went to manage.
3) Found the machine in question under the "Computers" tab, right clicked, and "Reset Account".
4) Tried logging in the user on the client machine in question.

Upon attempting to log in from the client it was successful. The login took about 2 minutes to complete so it must have been reconnecting the "relationship".

-TMinus36

I've struck this issue a few times, always with Windows 7 clients and Server 2003.
If you can't log in locally try logging in as a domain administrator with the network disconnected (unplug LAN and disable wireless), this will allow the use of cached credentials.

Once you're in:
Reset the local administrator password
log off and on as the local administrator to test it
Disjoin the domain (change to a workgroup member instead)
Restart as prompted
Log in as the local administrator
Rejoin the domain

The resolution

  1. Log in to the Windows 2003 domain controller and delete the computer account object from Active Directory using the Microsoft Management Console (MMC), which you can always reach from "Manage Your Server".
  2. Log in to the PC workstation as the local administrator. If you cannot log on as the local administrator, unplug the network cable and log on with a domain administrator account that has logged on to this PC before; this uses the cached logon credentials feature.
  3. Go to Control Panel, click the System icon, then go to the Computer Name tab.
  4. Unjoin the computer from the domain by clicking "Change". You should see that the Domain option is currently selected; note the domain name in the text box. Select "Workgroup" to remove the computer from the domain and put any workgroup name in the text box (e.g. workgroup).
  5. Click OK to exit.
  6. Restart the computer (optional).
  7. Go back to Control Panel, open System properties, go to the Computer Name tab and click "Change".
  8. Rejoin the domain by selecting the Domain option instead of Workgroup and entering the domain name noted above into the text box.
  9. Click OK to exit.
  10. Reboot the PC.

This should solve the unable to logon to domain error, without changing or losing the user profiles on AD.
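
The same unjoin, delete-the-computer-object, rejoin procedure can be scripted so that each stage is verifiable. The script below is an added example written for this page, not code from the original post or from any of the quoted replies; the domain name is a placeholder, the DeleteAccount stage assumes the ActiveDirectory RSAT module is available, and the Unjoin and Rejoin stages assume PowerShell 3.0 or later on the workstation.

```powershell
<#
Added example: the manual procedure above as a three-stage script.
  Unjoin        run on the workstation as the LOCAL administrator
  DeleteAccount run on a domain controller (or a host with the ActiveDirectory module)
  Rejoin        run on the workstation as the LOCAL administrator after the reboot
#>
param(
    [Parameter(Mandatory)][ValidateSet('Unjoin', 'DeleteAccount', 'Rejoin')]
    [string]$Stage,
    [string]$Domain       = 'corp.example',     # assumed placeholder, replace with your domain
    [string]$ComputerName = $env:COMPUTERNAME   # name of the affected workstation
)

switch ($Stage) {
    'Unjoin' {
        # Steps 4-6: move to a workgroup and reboot. Local profiles are keyed by
        # SID and survive a rejoin to the same domain, so nothing is lost here.
        $cred = Get-Credential -Message "Domain account allowed to unjoin (can be any domain user)"
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
    }
    'DeleteAccount' {
        # Step 1: remove the stale computer object so the rejoin creates a fresh one.
        Import-Module ActiveDirectory
        $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties PasswordLastSet -ErrorAction SilentlyContinue
        if (-not $obj) {
            Write-Host "No computer object named $ComputerName found in $Domain; nothing to delete."
            return
        }
        # PasswordLastSet shows how long the machine account has been out of sync.
        Write-Host "Deleting $($obj.DistinguishedName) (machine password last set $($obj.PasswordLastSet))"
        # Caution: child objects such as BitLocker recovery information are stored
        # under the computer object. Export them first; Remove-ADComputer refuses
        # to delete an object that still has children (Remove-ADObject -Recursive would).
        Remove-ADComputer -Identity $obj -Confirm:$false
    }
    'Rejoin' {
        # Steps 7-10: join again with an account that may create computer objects,
        # then reboot. After the reboot, Test-ComputerSecureChannel should return True.
        $cred = Get-Credential -Message "Account with rights to join computers to $Domain"
        Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
    }
}
```

Run the stages in the order Unjoin, DeleteAccount, Rejoin; the DeleteAccount stage prints the old object's PasswordLastSet before deleting it, which is a useful record of when the trust actually broke.
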


Sorry for the late reply, I finally had some time to look at the laptop. Merv's suggestion worked perfectly. To be precise the sticky keys method (replacing sethc.exe with cmd.exe) gave me the elevated command prompt that I needed for the /active:yes command in the net user program. I was able to activate the local administrator account and am currently busy with taking the laptop out of the domain and reapplying it again.

Had the same issue..... Problem fixed using the following simple steps:

1) Log on to the problem machine with the local administrator account

2) Unjoined the machine from the AD domain

3) On the AD server, delete the machine account tombstone

4) Log back on to the problem machine with the local administrator account

5) Join back to the AD domain

et voila!......

problem solved....


  • Make sure that your DHCP Server has DNS configured pointing to the DNS server
  • Rejoin the domain by doing:
    • Go to Active Directory and reset the account of the computer having an issue by right-clicking at the computer name (let say workstation1) and choose Reset Account
    • Restart the workstation1
    • you will not be able to log in to the domain afterwards, and you will receive the following error
      Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.
    • Login to workstation1 as a local user
    • join workstation1 to Workgroup, then restart the computer
    • go to Active Directory and delete workstation1 as a computer name
    • while in Active Directory, create a new computer name workstation1
    • go back to workstation1 and join the computer to the domain, then restart the computer
    • login to workstation1 as a domain user

That way, you can still have the same profile already on workstation1. There will be no hassle of backing up the profile (just do it to make sure anyway) and copying the old profile to the new profile because you think a new profile will be created even though you are using the same login username.


Method 2: Rejoin a Computer from a Domain

Method 4: Add domain controller to Credential Manager

netdom resetpwd /s:server /ud:domain\User /pd:*
(run on the affected workstation; resets its machine account password against the domain controller given by /s, and /pd:* prompts for the password instead of putting it on the command line)

Method 6: Reset Computer Account
