The “trust relationship between this workstation and the primary domain failed”


The “trust relationship between this workstation and the primary domain failed” error typically means that the secure channel between the client (your Windows Server 2008 R2 machine) and the domain controller (DC) is broken. This can happen if the computer’s account password in Active Directory (AD) has become unsynchronized with the password stored on the client computer.

Here are a few methods to resolve this issue:

Method 1: Rejoin the Computer to the Domain

This is the most common fix but requires local administrative access. Here’s how you can do it:

  1. Log in with a Local Admin Account (instead of the domain account).
  2. Remove the Computer from the Domain:
    • Right-click on Computer > Properties.
    • Click on Change settings next to the computer name.
    • Click Change, then select Workgroup and enter a workgroup name (e.g., WORKGROUP).
    • Restart the server when prompted.
  3. Rejoin the Computer to the Domain:
    • After restarting, go back to the System Properties > Change settings > Change.
    • Select Domain and enter the domain name.
    • Provide credentials of a domain admin when prompted.
    • Restart the server again.

Method 2: Use PowerShell to Reset the Computer Account Password

If you have PowerShell installed, you can try resetting the computer account’s password to restore the secure channel without removing and rejoining the domain:

  1. Log in with a Local Admin Account.
  2. Open PowerShell as an administrator.
  3. Run the following command:
```powershell
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```
    • A prompt will appear asking for domain credentials. Enter the credentials of a domain admin.
    • If the secure channel is restored successfully, you should see no errors.

Method 3: Reset the Computer Account in Active Directory

You can also try resetting the computer account directly in AD, then rejoin the domain:

  1. Log in to a Domain Controller using a domain admin account.
  2. Open Active Directory Users and Computers.
  3. Find the Computer Account for the affected server.
  4. Right-click the computer account and select Reset Account.
  5. Reboot the server and try logging in again.

Method 4: Use the Netdom Command (if installed)

If Netdom is available on your server, you can repair the secure channel without needing to remove and rejoin the domain:

  1. Open Command Prompt as an administrator.
  2. Run the following command:
```cmd
netdom resetpwd /s:DomainControllerName /ud:Domain\Administrator /pd:*
```
    • Replace DomainControllerName with the name of one of your domain controllers.
    • Replace Domain with your domain name.
    • Enter the domain admin password when prompted.
  3. Restart the server and try logging in again.

Method 5: Restore from Backup

If you have a recent system backup of the server, you can restore it to a time when the trust relationship was working. However, this should be a last resort as it might result in data loss if newer changes were made.

Recommendation

Start with Method 2 (PowerShell repair) as it’s the least intrusive. If that doesn’t work, proceed with Method 1 (rejoin the domain). These steps should help re-establish the trust relationship between the server and the domain.
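Before resetting anything, it is worth confirming that the secure channel really is the problem and recording what Netlogon has been logging. The following read-only diagnostic is an added example, not code from the original post: it combines Test-ComputerSecureChannel (without -Repair, so it changes nothing), the nltest /sc_query view of the channel, and a search of the System log for the Netlogon events that normally accompany this error. It assumes an elevated PowerShell session on the affected member server, and the domain name used in the usage line is a placeholder.

```powershell
# Added example (not from the original post): read-only check of the secure channel.
# Assumed: run in an elevated PowerShell on the affected member server (PowerShell 2.0 or later).
function Get-SecureChannelStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName   # placeholder, e.g. 'CORP.EXAMPLE.COM'
    )

    # 1. PowerShell's own check. No -Repair here, so nothing is modified;
    #    -Verbose prints which domain/DC the channel was tested against.
    $psOk = Test-ComputerSecureChannel -Verbose -ErrorAction SilentlyContinue

    # 2. Netlogon's view of the channel (status and the DC it was established with).
    $scQuery  = & nltest.exe /sc_query:$DomainName 2>&1
    $nltestOk = ($LASTEXITCODE -eq 0)

    # 3. Recent Netlogon errors in the System log. 5719 = could not set up a secure
    #    session with a DC; 3210 = this computer could not authenticate to the DC.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5719, 3210
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)

    $latest = $null
    if ($events.Count -gt 0) { $latest = $events[0].Message }   # Get-WinEvent returns newest first

    New-Object PSObject -Property @{
        ComputerName            = $env:COMPUTERNAME
        PowerShellVersion       = $PSVersionTable.PSVersion.ToString()
        SecureChannelOk         = [bool]$psOk
        NltestQueryOk           = $nltestOk
        NltestOutput            = ($scQuery | Out-String).Trim()
        NetlogonErrorsLast7Days = $events.Count
        LatestNetlogonError     = $latest
    }
}

# Usage (placeholder domain name):
# Get-SecureChannelStatus -DomainName 'CORP.EXAMPLE.COM' | Format-List
```

Run it once before the repair and once after: SecureChannelOk and NltestQueryOk should both flip to True, and no new 5719/3210 events should appear after the reboot. If the channel already reports healthy, the logon failure has another cause (time skew, DNS, or a disabled computer account are common) and none of the resets above will help.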

For Windows Server 2008 R2, follow the steps below

In Windows Server 2008 R2, the -Credential parameter is not supported with the Test-ComputerSecureChannel cmdlet, which is why you are seeing the error. You can try the following methods to repair the secure channel:

Alternative PowerShell Method (without -Credential)

Since -Credential is not available, you can run the following command without specifying credentials, as long as you are logged in with an account that has local administrative rights:

```powershell
Test-ComputerSecureChannel -Repair
```

Make sure to run PowerShell as an administrator. If your current logged-in user has sufficient permissions, this might repair the trust relationship.

Use the Netdom Command (Preferred for Windows Server 2008 R2)

Since Test-ComputerSecureChannel might be limited in older PowerShell versions, Netdom can be a better option if available:

  1. Open Command Prompt as an administrator.

  2. Run the following command:

```cmd
netdom resetpwd /s:DomainControllerName /ud:Domain\AdminUser /pd:*
```
    • Replace DomainControllerName with the name of a domain controller.
    • Replace Domain with your domain name.
    • Replace AdminUser with a domain admin user.
    • Enter the password when prompted.
  3. Restart the Server after the command runs.

Use Nltest Command

If Netdom is not available, you can use Nltest as an alternative:

  1. Open Command Prompt as an administrator.

  2. Run the following command:

```cmd
nltest /sc_reset:DomainName
```
    • Replace DomainName with your domain name.
  3. Restart the Server and try logging in again.

Rejoin the Domain (Last Resort)

If the above methods don’t work, you might need to remove the server from the domain and rejoin it as described in Method 1 earlier.
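The repair methods above (Method 2's Test-ComputerSecureChannel -Repair, Method 4's netdom resetpwd, and the nltest /sc_reset fallback for Server 2008 R2) can be combined into one routine that picks whichever the host supports and verifies the result. The function below is an added example, not code from the original post. It assumes an elevated PowerShell session on the affected server, logged on as a local administrator; the domain name, domain controller name and admin account passed in are placeholders.

```powershell
# Added example (not from the original post): version-aware secure channel repair.
# Assumed: elevated PowerShell on the affected server, logged on as a local administrator.
# All three parameters are placeholders for your own environment.
function Repair-SecureChannel {
    param(
        [Parameter(Mandatory = $true)] [string]$DomainName,          # e.g. 'CORP.EXAMPLE.COM'
        [Parameter(Mandatory = $true)] [string]$DomainController,    # e.g. 'DC01'
        [Parameter(Mandatory = $true)] [string]$DomainAdminAccount   # e.g. 'CORP\adminuser'
    )

    # Nothing to do if the channel is already healthy.
    if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
        return 'Secure channel already OK; no reset performed.'
    }

    $method = $null

    if ($PSVersionTable.PSVersion.Major -ge 3) {
        # PowerShell 3.0+ (Server 2012 and later): -Credential is supported (Method 2).
        $cred = Get-Credential -UserName $DomainAdminAccount -Message 'Domain admin credentials for the repair'
        if (Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred -ErrorAction SilentlyContinue) {
            $method = 'Test-ComputerSecureChannel -Repair -Credential'
        }
    }
    else {
        # PowerShell 2.0 (Server 2008 R2): -Credential is not available, so try the bare -Repair.
        if (Test-ComputerSecureChannel -Repair -ErrorAction SilentlyContinue) {
            $method = 'Test-ComputerSecureChannel -Repair'
        }
    }

    # Fall back to netdom (Method 4) if it is installed; /pd:* prompts for the password.
    if (-not $method -and (Get-Command netdom.exe -ErrorAction SilentlyContinue)) {
        & netdom.exe resetpwd "/s:$DomainController" "/ud:$DomainAdminAccount" "/pd:*"
        if ($LASTEXITCODE -eq 0) { $method = 'netdom resetpwd' }
    }

    # Last fallback: nltest /sc_reset against a specific DC.
    if (-not $method) {
        & nltest.exe "/sc_reset:$DomainName\$DomainController" | Out-Null
        if ($LASTEXITCODE -eq 0) { $method = 'nltest /sc_reset' }
    }

    # Verify: /sc_verify re-validates the channel with a DC, then re-run the PowerShell check.
    & nltest.exe "/sc_verify:$DomainName" | Out-Null
    $verified = ($LASTEXITCODE -eq 0) -and [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        MethodUsed        = $method
        Verified          = $verified
        RebootRecommended = [bool]$method   # restart before users sign in again, as each method above advises
    }
}

# Usage (placeholders):
# Repair-SecureChannel -DomainName 'CORP.EXAMPLE.COM' -DomainController 'DC01' -DomainAdminAccount 'CORP\adminuser'
```

The order mirrors the recommendation in the post: the least intrusive PowerShell repair first, the command-line tools only if that fails, and removing and rejoining the domain (Method 1) left as a manual last resort because it deletes and recreates the computer account rather than just resetting its password. Verified = False after a non-null MethodUsed usually means the reset went to one DC and the verification hit another that has not replicated yet; pointing both at the same DC or waiting for replication resolves that.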
