Introduction

Windows machines joined to an Active Directory domain maintain a secure channel to a domain controller, authenticated with a machine account password that the client rotates automatically (every 30 days by default). When the password the machine holds no longer matches the one stored in Active Directory, or the computer object is missing, the secure channel cannot be established: the machine can no longer validate domain logons, so users see login failures and access denials even though the domain itself is healthy. Typical triggers are a reverted snapshot or restored backup, a deleted and recreated computer account, a stale duplicate object, or a domain controller that has not yet received a rotated password.

Symptoms

  • Windows login shows The trust relationship between this workstation and the primary domain failed
  • Users cannot log in with domain credentials; only local accounts work
  • nltest /sc_verify:<domain> reports a failure status instead of NERR_Success (for example ERROR_NO_TRUST_SAM_ACCOUNT or ERROR_NO_LOGON_SERVERS)
  • Event Viewer shows NETLOGON errors in the System log (for example event 3210, "This computer could not authenticate with \\DC..., a Windows domain controller") and secure channel setup failures
  • Error codes such as STATUS_NO_TRUST_SAM_ACCOUNT (0xC000018B, Win32 ERROR_NO_TRUST_SAM_ACCOUNT 1787: no computer account in AD) or STATUS_NO_TRUST_LSA_SECRET (0xC000018A, Win32 ERROR_NO_TRUST_LSA_SECRET 1786: the local machine password secret is missing or unusable)

Common Causes

  • The machine's stored password no longer matches the one in Active Directory, typically because the machine was restored from a backup or snapshot taken before its last automatic rotation
  • Computer account was deleted and recreated in Active Directory (the new object has a fresh password and SID that the client knows nothing about)
  • The domain controller the client rotated its password against is unreachable, and the change has not yet replicated to the domain controller the client now uses
  • Virtual machine cloned, or reverted to an old snapshot, without being removed from the domain first, so two machines (or two points in time) share one computer account
  • Stale or duplicate computer object in Active Directory claiming the same host name, so the client authenticates against the wrong object

Step-by-Step Fix

  1. Verify the trust relationship status: check the secure channel.
```powershell
# On the affected machine, log in with a local administrator account (elevated session)
Test-ComputerSecureChannel
# Returns False if trust is broken

nltest /sc_verify:example.com
# Healthy output ends each status line with NERR_Success; a broken channel reports a
# non-zero status such as ERROR_NO_TRUST_SAM_ACCOUNT (1787) or ERROR_NO_LOGON_SERVERS (1311)
```

  2. Attempt to repair the trust relationship in place: reset the secure channel.
```powershell
# Repair with an account that can reset this computer's password in AD. A delegated
# "Reset password" right on the computer object is enough; avoid typing Domain Admin
# credentials on a machine whose state you cannot vouch for. If the failure is
# replication lag, add -Server <DC> to pin the repair to a specific writable DC.
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
# Should return True if successful
```

  3. If repair fails, remove and rejoin the domain: re-establish trust from scratch.
```powershell
# Remove from domain (requires local admin); -Restart reboots into a workgroup
Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart
# After restart, log in as local admin and rejoin. Rejoining under the same name resets
# the password of the existing computer object, so the joining account needs rights on
# that object (or the stale object must be removed first, see step 4).
Add-Computer -DomainName "example.com" -Credential (Get-Credential) -Restart
```

  4. Check for duplicate or stale computer accounts in AD: clean up conflicts.
```powershell
# On a domain controller (or any host with the ActiveDirectory RSAT module)
Get-ADComputer -Filter "Name -eq 'WORKSTATION-NAME'" -Properties *
# Compare PasswordLastSet, LastLogonDate and DNSHostName. sAMAccountName is unique per
# domain, so a "duplicate" is usually a stale object under another name or OU that still
# claims the same DNSHostName or SPNs. Remove the stale one:
Remove-ADComputer -Identity "WORKSTATION-NAME-OLD" -Confirm:$false
```

  5. Verify domain authentication works after the fix: test user login.
```powershell
# Log in interactively as a domain user, then:
whoami /all
# Should show the domain user SID (S-1-5-21-<domain>-<RID>) and domain group memberships
gpupdate /force
# Verify Group Policy applies correctly
```
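The steps above, combined into one repair helper. This is an added example, not code from the original article; it assumes a domain named example.com, a reachable writable domain controller dc01.example.com, and a credential that has been delegated the "Reset password" right on the computer object (a Domain Admin account also works but grants far more than the task needs). It pins the repair to one DC so replication lag cannot mask the result, falls back to Reset-ComputerMachinePassword when -Repair cannot reuse the stored secret, and then looks for stale objects in AD that claim the same host name.

```powershell
# Added example: interactive secure-channel repair helper (not from the original article).
# Assumptions: domain "example.com", writable DC "dc01.example.com", and a credential
# delegated "Reset password" on this computer's AD object. Run elevated as a local admin.
#Requires -RunAsAdministrator
param(
    [string]$Domain = 'example.com',                 # assumed domain name
    [string]$Server = 'dc01.example.com',            # assumed writable DC to pin the repair to
    [pscredential]$Credential = (Get-Credential -Message "Account allowed to reset the password of $env:COMPUTERNAME")
)

function Test-SecureChannelState {
    # $true when the machine's current password still authenticates against $Server.
    Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue
}

function Repair-SecureChannel {
    param([string]$Server, [pscredential]$Credential)
    Write-Host "Attempting Test-ComputerSecureChannel -Repair against $Server ..."
    if (Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential -ErrorAction SilentlyContinue) {
        return $true
    }
    # -Repair fails when the stored password is unusable or the object is gone.
    # Reset-ComputerMachinePassword writes a fresh random password both to AD (on $Server)
    # and to the local LSA secret, which also covers the "DC has a stale password" case.
    Write-Host "Repair failed; trying Reset-ComputerMachinePassword ..."
    try {
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop
        return [bool](Test-ComputerSecureChannel -Server $Server)
    } catch {
        Write-Warning "Reset failed: $($_.Exception.Message)"
        return $false
    }
}

function Show-NltestStatus {
    param([string]$Domain)
    # nltest prints the DC the channel is pinned to and the underlying status codes.
    $out = & nltest.exe "/sc_verify:$Domain" 2>&1
    $out | ForEach-Object { Write-Host "  $_" }
    # Every "Status = ..." line must end in NERR_Success for the channel to be healthy.
    $bad = @($out | Where-Object { $_ -match 'Status\s*=' -and $_ -notmatch 'NERR_Success' })
    return ($bad.Count -eq 0)
}

if (Test-SecureChannelState) {
    Write-Host "Secure channel to $Domain is healthy; nothing to repair."
} elseif (Repair-SecureChannel -Server $Server -Credential $Credential) {
    Write-Host "Secure channel restored."
} else {
    Write-Warning "Could not repair in place. Inspect the computer object(s) below, then unjoin and rejoin."
}

# DC-side cross-check: exactly one object should own this host name. A second object with the
# same DNSHostName is the stale duplicate to remove. Needs the ActiveDirectory RSAT module here,
# or run this part on the DC itself.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $hostFqdn = "$env:COMPUTERNAME.$Domain"
    $objs = @(Get-ADComputer -Server $Server -Credential $Credential `
        -Filter "DNSHostName -eq '$hostFqdn' -or Name -eq '$env:COMPUTERNAME'" `
        -Properties PasswordLastSet, LastLogonDate, whenCreated, DNSHostName)
    $objs | Select-Object Name, DNSHostName, PasswordLastSet, LastLogonDate, whenCreated, DistinguishedName |
        Format-Table -AutoSize
    if ($objs.Count -gt 1) {
        Write-Warning "Multiple computer objects claim $hostFqdn; keep the one with the newest PasswordLastSet and remove the other with Remove-ADComputer."
    }
}

if (Show-NltestStatus -Domain $Domain) { Write-Host "nltest confirms the channel." } else { Write-Warning "nltest still reports a failure." }
```

Run it from an elevated PowerShell session while logged in with a local administrator account on the affected machine; it never disables password rotation and never deletes anything on its own, it only reports which AD object looks stale so the removal stays a deliberate step.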

Prevention

  • Monitor machine account password rotation failures: NETLOGON events in the System log on members (3210 could not authenticate to a DC, 5719 no DC reachable) and on domain controllers (5722 and 5805 session setup failures for a member), and computer objects whose PasswordLastSet is older than the maximum password age
  • Avoid cloning domain-joined virtual machines without running sysprep /generalize first, and do not revert a domain-joined VM to a snapshot older than its last password rotation; restore from a pre-rotation snapshot implies a repair afterwards
  • Ensure every domain-joined machine can reach a writable domain controller, and that machines that rotate against one DC are not later pinned to a DC that has not yet received the change
  • Use Group Policy ("Domain member: Maximum machine account password age", default 30 days) to configure rotation. Resist the temptation to set "Domain member: Disable machine account password changes": a password that never rotates means a dumped machine secret stays valid indefinitely, so fix snapshot hygiene instead
  • Maintain adequate domain controller redundancy and healthy replication so that a single DC outage or a stale replica does not break trust
  • Document the trust relationship repair procedure in the IT operations runbook
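An added audit script for the prevention points above (not from the original article). It reads the local Netlogon rotation settings that the "Domain member" policies write, compares the computer object's PasswordLastSet in AD against the configured maximum age, and lists recent NETLOGON trust events. It assumes a domain controller dc01.example.com and the ActiveDirectory RSAT module for the AD lookup; the event IDs are the standard NETLOGON IDs named in the list.

```powershell
# Added example: audit machine-account password rotation and recent Netlogon trust failures.
# Not from the original article. Assumes DC "dc01.example.com" and the ActiveDirectory module.
param([string]$Server = 'dc01.example.com')   # assumed domain controller to query

function Get-MachinePasswordPolicy {
    # Effective local settings written by the "Domain member: ..." Group Policy entries.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        DisablePasswordChange  = [bool]$p.DisablePasswordChange                           # 1 = rotation off (weak)
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }  # default 30
    }
}

function Get-NetlogonTrustEvents {
    param([int]$Days = 7)
    # Member side: 3210 could not authenticate to a DC, 5719 no DC reachable.
    # DC side:     5722 and 5805 failed session setup from a member (password mismatch or missing account).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 3210, 5719, 5722, 5805
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-MachinePasswordAge {
    param([string]$Server, [int]$MaxAgeDays)
    # A PasswordLastSet older than the maximum age means the client's automatic rotation is
    # failing (or the machine was reverted to a snapshot); either way the channel is at risk.
    Import-Module ActiveDirectory
    $ad  = Get-ADComputer -Server $Server -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $age = (Get-Date) - $ad.PasswordLastSet
    [pscustomobject]@{
        Computer        = $ad.Name
        PasswordLastSet = $ad.PasswordLastSet
        AgeDays         = [math]::Round($age.TotalDays, 1)
        Overdue         = ($age.TotalDays -gt $MaxAgeDays)
    }
}

$policy = Get-MachinePasswordPolicy
$policy | Format-List
if ($policy.DisablePasswordChange) {
    Write-Warning "Machine account password rotation is disabled: the current secret never expires, so a dumped LSA secret stays valid indefinitely. Fix snapshot hygiene instead of leaving this on."
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $age = Test-MachinePasswordAge -Server $Server -MaxAgeDays $policy.MaximumPasswordAgeDays
    $age | Format-List
    if ($age.Overdue) { Write-Warning "Password is older than the configured maximum age; rotation is failing silently." }
}

Get-NetlogonTrustEvents | Format-Table -AutoSize
```

Run it on members to catch rotation failures before the secure channel breaks, and on domain controllers, where the 5722 and 5805 events identify which member is presenting a stale password.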