The trust relationship between this workstation and the primary domain failed

Mohd Arif 871 Reputation points
2022-02-02T06:51:07+00:00

The computer was in the normal network then I moved it to DMZ network and got this login error "The trust relationship between this workstation and the primary domain failed"

  1. Test-ComputerSecureChannel -Server dc01 -- OK
  2. Test-ComputerSecureChannel -Repair -- Not helped
  3. Rejoined the computer in domain but no luck
  4. Reset-ComputerMachinePassword -Credential xyz.com\ID -Server DC01 -- Did not fix170429-trust.jpg
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,849 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,936 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
436 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Gary Reynolds 8,821 Reputation points
    2022-02-02T07:32:10.19+00:00

    Hi @Mohd Arif ,

    It looks like the firewall doesn't have the ports open to allow the workstation to talk to the domain controllers. Have a look at this article which lists the ports that need to be opened.

    Gary.

  2. Mohd Arif 871 Reputation points
    2022-02-02T09:18:49.363+00:00

    I was thinking the same but since I am able to rejoin the computer in the domain, I was confused.

  3. Mohd Arif 871 Reputation points
    2022-02-03T11:19:02.55+00:00

    So now even firewall rules are in place as MS doc. I ran portquery application "Domain and Trusts", I see all the required ports are open except 636 is looking as filtered. but 389 is listening. But weird things is that, my DC is not able to translate my local administrator group member's name, I see only SIDs. I think something is causing communication issue between client and DC.

    UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.

    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.

    TCP and UDP Port 464 for Kerberos Password Change

    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    UDP Port 88 for Kerberos authentication

    TCP Port 139 and UDP 138 for File Replication Service between domain controllers.

    TCP and UDP Port 445 for File Replication Service

    TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    170928-ad-error.jpg