The trust relationship between this workstation and the primary domain failed

Mohd Arif 946 Reputation points
2022-02-02T06:51:07+00:00

The computer was in the normal network, then I moved it to the DMZ network and got this login error: "The trust relationship between this workstation and the primary domain failed"

  1. Test-ComputerSecureChannel -Server dc01 -- OK
  2. Test-ComputerSecureChannel -Repair -- Not helped
  3. Rejoined the computer in domain but no luck
  4. Reset-ComputerMachinePassword -Credential xyz.com\ID -Server DC01 -- Did not fix

3 answers

Sort by: Most helpful
  1. Gary Reynolds 9,621 Reputation points
    2022-02-02T07:32:10.19+00:00

    Hi @Mohd Arif ,

    It looks like the firewall doesn't have the ports open to allow the workstation to talk to the domain controllers. Have a look at this article which lists the ports that need to be opened.

    Gary.


  2. Mohd Arif 946 Reputation points
    2022-02-02T09:18:49.363+00:00

    I was thinking the same but since I am able to rejoin the computer in the domain, I was confused.


  3. Mohd Arif 946 Reputation points
    2022-02-03T11:19:02.55+00:00

    So now even the firewall rules are in place as per the MS doc. I ran the PortQry application ("Domain and Trusts"); I see all the required ports are open except 636, which shows as filtered, but 389 is listening. But the weird thing is that my DC is not able to translate my local administrator group members' names; I see only SIDs. I think something is causing a communication issue between client and DC.

    UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.

    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.

    TCP and UDP Port 464 for Kerberos Password Change

    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    UDP Port 88 for Kerberos authentication

    TCP Port 139 and UDP 138 for File Replication Service between domain controllers.

    TCP and UDP Port 445 for File Replication Service

    TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
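A client-side check of the ports listed above, the secure channel and the SID-to-name translation, as an added PowerShell example that is not part of this thread; it assumes the DC name dc01 and the domain xyz.com from the question (adjust the parameters for your environment).

```powershell
# Added diagnostic script (not from the thread). Run on the affected workstation
# as a local administrator. Assumes dc01 / xyz.com as in the question.
param(
    [string]$Dc = 'dc01',
    [string]$Domain = 'xyz.com'
)

# TCP ports from the "Domain and Trusts" list above, plus 636 (LDAPS), which PortQry reported as filtered.
$tcpPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
    389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS'
    3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}

Write-Host "== TCP reachability from this client to $Dc =="
foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED/filtered' }
    '{0,5} {1,-26} {2}' -f $port, $tcpPorts[$port], $state
}

# UDP cannot be probed with Test-NetConnection; verify 53/udp functionally by resolving the DC SRV record.
Write-Host "`n== DNS SRV lookup for a DC in $Domain (53/udp) =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'SRV' } | Select-Object NameTarget, Port

# The secure channel uses the machine account password over RPC/SMB to the DC.
Write-Host "`n== Secure channel (machine account) =="
Test-ComputerSecureChannel -Server $Dc -Verbose

# The third post reports only SIDs for local Administrators members: try the LSA lookup from this side.
# ADSI is used instead of Get-LocalGroupMember because the latter aborts on an unresolvable SID.
Write-Host "`n== Local Administrators members, SID -> name translation =="
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
foreach ($m in $group.Invoke('Members')) {
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    $name  = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
             catch { 'UNRESOLVED (LSA lookup against the DC failed)' }
    [pscustomobject]@{ SID = $sid.Value; Name = $name }
}
```

Domain SIDs that resolve locally but not on the DC point to a name-lookup (RPC/SMB or LDAP) path being blocked rather than a broken machine account, which is consistent with Test-ComputerSecureChannel succeeding while the trust error persists.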

