How to Fix the Trust Relationship Broken Error

Resetting a Machine Account password could fix the error


Key notes

  • The trust relationship broken error typically occurs when your workstation cannot communicate securely with the AD domain.
  • It is mainly caused by incorrect credentials, system time discrepancies, overcrowded secure channels, and similar issues.
  • You can fix the issue by resetting your machine account password or rejoining your machine to the AD domain.

A trust relationship between a workstation and the primary domain is a secure link that allows a computer to access resources across Windows-based network environments.

When domain users encounter an error message indicating a broken or failed trust relationship, it signifies that the computer is either offline or has lost its membership with the Active Directory domain, resulting in network access issues. This guide explains in detail how to fix the issue.

What is the Broken Trust Relationship error?

The "trust relationship between a workstation and the primary domain" error can occur when a workstation joins an Active Directory (AD) domain and there are issues with the computer's domain membership.

Possible reasons for the error include any of the following:

When any of these issues arise, the workstation may fail to establish a secure trust relationship with the primary domain, leading to authentication and access problems.

What are the common scenarios for the error?

IT professionals report a few common scenarios about where this error can occur. Below are a few instances:

Above are some of the common scenarios for the occurrence of the trust relationship between a workstation and the primary domain failed error.

What are the potential causes of the Trust Relationship error?

While we have covered common causes of trust relationship errors, it could be valuable to elaborate on less common triggers, such as:

  • System clock discrepancies – If the system clocks of the involved devices (workstation and domain controller) don’t match, it can lead to authentication failures and trust issues.
  • Overcrowded secure channel – When an excessive number of open sessions and unused SIDs accumulate, it can overwhelm the secure channel, leading to trust relationship issues due to resource exhaustion and authentication problems.

Now that you know some of the possible reasons behind the trust relationship broken error, let’s proceed to how to fix the issue.

How do I fix the Broken Trust Relationship error?

1. Checking the Trust Relationship

  1. Press the Windows key, type powershell in the search bar, and click Run as administrator.
  2. Type the following command and press Enter: Test-ComputerSecureChannel -verbose
  3. The command checks the secure channel status and returns one of two outcomes: True if the secure channel to the domain is working, or False if it is broken.

Running this command in PowerShell helps users assess the trust relationship’s health and determine if any actions are needed.
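The check above can be combined with the clock-skew cause listed earlier, so that a time problem is ruled out before any password reset. The script below is an added example, not part of the original guide: it only reads state and changes nothing. The DC name is a placeholder you supply, the 300-second tolerance assumes the Kerberos default of 5 minutes, and the w32tm output format shown in the comment is assumed. It targets Windows PowerShell 5.1, because Test-ComputerSecureChannel is not available in PowerShell 7.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage, run as a .ps1 file in Windows PowerShell 5.1.
param(
    [Parameter(Mandatory)]
    [string] $DomainController,      # placeholder, e.g. dc01.corp.example
    [int] $MaxSkewSeconds = 300      # assumed tolerance: Kerberos default of 5 minutes
)

function Get-ClockSkewSeconds {
    param([string] $Server)
    # w32tm prints one sample line such as "12:00:00, +00.0012345s";
    # on failure the line carries "error: 0x..." instead and nothing matches.
    $out = & w32tm.exe /stripchart "/computer:$Server" /samples:1 /dataonly 2>&1
    $hit = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if (-not $hit) { return $null }
    $offset = [double]::Parse($hit.Matches[0].Groups[1].Value, [cultureinfo]::InvariantCulture)
    return [math]::Abs($offset)
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$env:COMPUTERNAME is not joined to a domain; nothing to test."
    return
}

$skew = Get-ClockSkewSeconds -Server $DomainController
try   { $channelOk = Test-ComputerSecureChannel -Server $DomainController -ErrorAction Stop }
catch { $channelOk = $false; Write-Warning $_.Exception.Message }

# Order matters: a skewed clock breaks authentication even with a valid password.
$advice = if ($null -eq $skew) {
    'No time sample from the DC: check DNS and network reachability first.'
} elseif ($skew -gt $MaxSkewSeconds) {
    'Clock skew exceeds tolerance: correct the time before resetting anything.'
} elseif (-not $channelOk) {
    'Secure channel broken: reset the machine account password (section 2).'
} else {
    'Secure channel healthy: no action needed.'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Domain          = $cs.Domain
    SecureChannelOk = $channelOk
    ClockSkewSec    = $skew
    Advice          = $advice
}
```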

2. Reset the Machine Account Password

2.1 Using Netdom

  1. Open PowerShell with admin privileges.
  2. Run the following command: netdom resetpwd /s:<domain_controller> /ud:<domain>\<username> /pd:*
  3. Type the password for the specified user account and press Enter.

2.2 Using Reset-ComputerMachinePassword cmdlet

  1. Open PowerShell with admin privileges.
  2. Run the following command: Reset-ComputerMachinePassword -Server <domain_controller> -Credential (Get-Credential)
  3. Enter the username and password of an account with sufficient permissions, and press Enter.

2.3 Using Active Directory Users and Computers

  1. Log in to a computer with Active Directory administrative tools installed.
  2. Open Active Directory Users and Computers.
  3. Locate the computer account in the Organizational Unit, right-click on it, and choose Reset Account.
  4. Confirm the reset. Restart the workstation for changes to take effect.

Whichever method you choose to use from the 3 above, the computer account password will be reset, resolving potential trust relationship issues.

3. Rejoin your Machine to the Active Directory Domain

3.1 Using PowerShell cmdlets (Remove-Computer and Add-Computer)

  1. Open PowerShell as administrator.
  2. Remove the computer from the domain using the command below: Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force
  3. Input the username and password, then click OK to restart it when prompted.
  4. Now, add the computer back to the domain using the command below: Add-Computer -DomainName "YourDomainName" -Credential (Get-Credential) -Restart
  5. Replace “YourDomainName” with the name of your Active Directory domain and enter the credentials of a Domain Administrator when prompted.
  6. The computer will join the domain and restart once again.

3.2 Using GUI (Windows Settings) with a Domain Administrator account

  1. Press the Windows + I keys to open the Settings app.
  2. Navigate through the following: System\About\Advanced system settings\Computer Name tab\Change
  3. Choose Workgroup, provide a name, and restart your PC.
  4. Repeat steps 1 and 2 and select Domain instead.
  5. Enter the domain name, click OK, and provide the credentials of a Domain Administrator when prompted.
  6. Restart your PC.

By following any of the above steps, you can successfully rejoin the machine to the Active Directory domain and resolve trust relationship issues.

4. Use the NLTest utility

  1. Launch Command Prompt with administrator privileges.
  2. Run the following command: nltest /sc_query:<domain_name>
  3. Replace <domain_name> with the name of your Active Directory domain.
  4. The result will indicate whether the secure channel is valid (successful or trusted) or not (failed).
  5. If it fails, run the command below to reset the computer account password: nltest /sc_reset:<domain_name>
  6. Restart the workstation to apply the changes.
  7. Now run the first command in step 2 above again.

The NLTest utility is a command-line tool used in Windows to test and troubleshoot trust relationship issues between a workstation and a domain.

5. Restoring an old system state

Restoring an old system state can resolve issues in situations such as the following: software installations, configuration errors, malware infections, driver conflicts, registry corruption, data loss, and performance problems.

However, caution is advised, as compatibility, recent changes, and data backup should be considered before proceeding with the restoration.

What are the implications of Broken Trust Relationships?

  • The impact on user productivity and business operations – Unresolved trust relationship issues can lead to user authentication failures, access restrictions, and network resource inaccessibility, disrupting domain user productivity and hindering smooth business operations.
  • Also, untrusted workstations may pose security risks, allowing unauthorized access to sensitive data and compromising the entire network’s security.
  • Unresolved trust relationship issues can hinder productivity and network functionality. Mitigating costs involves timely troubleshooting, proper system monitoring, regular backups, and ensuring efficient IT support to address issues promptly.

How do I prevent Trust Relationship errors?

Try the following options to prevent the error altogether:

  • Regularly monitoring and maintaining Active Directory health will help you proactively identify and address issues.
  • Regularly reviewing and managing system clocks will prevent time discrepancies that can cause trust relationship issues.
  • Implementing Group Policies to manage computer account passwords enables automatic and regular password updates, reducing the risk of trust relationship issues due to password mismatches and expirations.
  • Set the registry DWORD RefusePasswordChange to a value of 1.
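Before changing any of these settings, it helps to see what a machine currently has. The script below is an added example, not part of the original guide: it reads the three Netlogon values that govern machine account password rotation and explains each one. RefusePasswordChange is a domain controller setting, and at 1 the DC rejects password change requests from member computers, so their machine account passwords stop rotating. Missing values are reported with the Windows defaults (0, 30 days, 0).

```powershell
# Added example: read-only audit of the Netlogon machine-password settings.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue {
    param([string] $Name, [int] $Default)
    # A missing value means the built-in default applies.
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int] $item.$Name
}

# DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

$disable = Get-NetlogonValue -Name 'DisablePasswordChange' -Default 0
$maxAge  = Get-NetlogonValue -Name 'MaximumPasswordAge'    -Default 30
$refuse  = Get-NetlogonValue -Name 'RefusePasswordChange'  -Default 0

$findings = @()
if ($disable -eq 1) {
    $findings += 'DisablePasswordChange=1: this computer never starts a machine password change.'
} else {
    $findings += "Machine password rotation is on; a change is attempted every $maxAge day(s)."
}
if ($isDc -and $refuse -eq 1) {
    $findings += 'RefusePasswordChange=1: this DC rejects machine password changes from members.'
} elseif (-not $isDc -and $refuse -eq 1) {
    $findings += 'RefusePasswordChange=1 is set here, but it is a domain controller setting.'
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    IsDomainController    = $isDc
    DisablePasswordChange = $disable
    MaximumPasswordAge    = $maxAge
    RefusePasswordChange  = $refuse
    Findings              = $findings -join ' '
}
```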

And that’s it on how to fix the trust relationship issues. You can also explore our similar guide on fixing the trust relationship between this workstation and the primary domain failed for further information.
