Troubleshoot a failed trust relationship in an Azure Windows VM

This article shows how to troubleshoot a failed trust relationship between the workstation and primary domain in an Azure Windows virtual machine (VM).

If your Azure issue isn't addressed in this article, visit the Azure forums on MSDN and Stack Overflow. You can post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit a Microsoft Azure support request.

To submit a support request, go to the Azure support page and select Get support.

Symptom

You're unable to complete a remote desktop protocol (RDP) connection to the VM and you receive the error: "The trust relationship between this workstation and the primary domain failed".

Screenshot: the error dialog "The trust relationship between this workstation and the primary domain failed", with an OK button.

Cause

The Active Directory secure channel between this VM and its domain is broken. The VM authenticates to a domain controller with its computer account password, which Windows rotates automatically (every 30 days by default). The error means the password stored on the VM no longer matches the one stored in Active Directory, so the VM can't establish secure communication with any domain controller in its domain. Typical triggers are restoring the VM from a snapshot or backup taken before a rotation, reverting the OS disk, or joining another computer to the domain under the same name, which resets the shared computer account.

Solution

Complete the following steps on the VM. If possible, connect to the VM over Remote Desktop Connection (RDC) with a local user account; a local logon doesn't depend on the domain and still works while the trust is broken. If you can't connect to the VM using RDC, use an alternate remote troubleshooting tool for Azure VMs, such as the Azure Serial Console or Run Command.

Check the connectivity to the domain controller

  1. To find the domain controller that your VM is using, enter the following command in CMD.exe. If you're logged on with a local account, LOGONSERVER shows the VM's own name; in that case use the nltest /dsgetdc command with your domain name to locate a domain controller instead.

    set | find /i "LOGONSERVER"

  2. Check network connectivity to the domain controller. For example, use the Test-Connection cmdlet against the Fully Qualified Domain Name (FQDN) of the domain controller identified in step 1. Because ICMP is often blocked by a network security group, also confirm that the TCP ports the secure channel needs are reachable (88 for Kerberos, 389 for LDAP and 445 for SMB), for example with the Test-NetConnection cmdlet and its -Port parameter.

  3. If there is no connectivity to the domain controller from your VM, troubleshoot the network path. Network Watcher diagnostics may help in this troubleshooting.

Check the health of the secure channel

  1. Using PowerShell, execute the 'Test-ComputerSecureChannel' cmdlet to see if the secure channel is healthy. It returns True when the channel is healthy and False otherwise; -Verbose adds the reason.

    Example:

    Test-ComputerSecureChannel -Verbose

  2. If the secure channel is healthy, attempt to RDP to the VM using your domain user. If the secure channel isn't healthy, attempt to repair the secure channel.

Repair the secure channel

If the secure channel isn't healthy, either try to fix it, or rejoin the VM to the domain.

  1. Using PowerShell, execute the 'Test-ComputerSecureChannel' cmdlet with the -Repair parameter. The repair resets the computer account password both locally and on the domain controller, so when you're logged on as a local user you must supply a domain account through -Credential. The account only needs permission to reset the password of this computer object; a delegated account is sufficient and a domain administrator isn't required.

    Test-ComputerSecureChannel -Repair -Credential Domain01\Admin01

  2. If the secure channel is not repaired, reset the machine password.

Reset the machine password

If you couldn't repair the secure channel, try to reset the machine password.

  1. Using PowerShell, execute the 'Reset-ComputerMachinePassword' cmdlet to reset the machine password of the VM. Run it on the VM itself with a domain account that is allowed to reset this computer object's password; the optional -Server parameter targets the domain controller identified earlier.

    Example:

    $cred = Get-Credential Domain01\Admin01
    Reset-ComputerMachinePassword -Credential $cred

  2. If this doesn't re-establish the secure channel, remove the VM from the domain and re-join the domain.

Remove the VM from the domain and re-join the domain

As a last option, remove the VM from the domain and then re-join the domain.

  1. Using PowerShell, execute the 'Remove-Computer' cmdlet to remove the VM from the domain. The VM restarts and comes back as a workgroup member, so make sure you know a local administrator password before you run it.

    Example:

    Remove-Computer -UnjoinDomainCredential Domain01\Admin01 -PassThru -Verbose -Restart
    
  2. After the restart, log on with the local administrator and use the 'Add-Computer' cmdlet to re-join the VM to the same domain.

    Example:

    Add-Computer -DomainName Domain01 -Credential Domain01\Admin01 -Restart -Force
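The following script is an added example and is not part of the original article or of Microsoft's tooling. It runs the checks above in order from a PowerShell session on the affected VM, logged on as a local administrator: locate a domain controller, test the TCP ports the secure channel needs, test the channel, then repair it, then reset the machine password, and only unjoin when asked to. It assumes the VM is still domain joined (the domain name is read from Win32_ComputerSystem), that the credential passed as $DomainCred can reset this computer object's password, and that nltest.exe and Test-NetConnection are available, as they are on Windows Server 2012 and later. The file name Repair-SecureChannel.ps1 is a placeholder.

```powershell
<#
  Added example, not from the original article. Walks the secure-channel checks in
  order on the affected VM. Assumptions: the VM is still domain joined, $DomainCred
  may reset this computer object's password, nltest.exe and Test-NetConnection exist.
#>
#Requires -RunAsAdministrator
param(
    [pscredential]$DomainCred = (Get-Credential -Message 'Domain account that may reset this computer account'),
    [switch]$Rejoin   # the unjoin step restarts the VM, so it only runs when explicitly requested
)
$ErrorActionPreference = 'Stop'

# Step 1: find the domain and a domain controller. LOGONSERVER names the VM itself
# for a local logon, so fall back to the DC locator when it does.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if (-not $dc -or $dc -ieq $env:COMPUTERNAME) {
    # nltest prints a line such as "DC: \\dc01.domain01.example"
    $match = nltest /dsgetdc:$domain 2>$null | Select-String '^\s*DC:\s*\\\\(\S+)'
    if (-not $match) { throw "No domain controller for '$domain' could be located from this VM." }
    $dc = $match.Matches[0].Groups[1].Value
}
"Domain: $domain    Domain controller: $dc"

# Step 2: connectivity. ICMP is often blocked by an NSG, so test the TCP ports the
# secure channel actually uses instead of relying on Test-Connection alone.
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }
$netOk = $true
foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
    '{0,-8} TCP {1,3}: {2}' -f $p.Key, $p.Value, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    if (-not $r.TcpTestSucceeded) { $netOk = $false }
}
if (-not $netOk) {
    Write-Warning 'The VM cannot reach the domain controller; fix the network path (NSG, route, DNS) before touching the secure channel.'
    return
}

# Step 3: is the secure channel healthy? If so, the problem is elsewhere.
if (Test-ComputerSecureChannel -Server $dc) { 'Secure channel is healthy; retry RDP with a domain user.'; return }

# Step 4: repair. -Repair resets the computer account password locally and on the DC,
# which is why a domain credential with reset rights on this computer object is needed.
Test-ComputerSecureChannel -Repair -Server $dc -Credential $DomainCred | Out-Null
if (Test-ComputerSecureChannel -Server $dc) { 'Secure channel repaired.'; return }

# Step 5: explicit machine password reset, then re-test.
Reset-ComputerMachinePassword -Server $dc -Credential $DomainCred
if (Test-ComputerSecureChannel -Server $dc) { 'Secure channel restored after machine password reset.'; return }

# Step 6: last resort. Unjoin (restarts the VM); rejoin with Add-Computer after the restart.
if (-not $Rejoin) {
    Write-Warning "Secure channel still broken. Re-run with -Rejoin to leave $domain and restart, then run: Add-Computer -DomainName $domain -Credential <domain account> -Restart -Force"
    return
}
Remove-Computer -UnjoinDomainCredential $DomainCred -PassThru -Verbose -Force -Restart
```

Run it from an elevated local-administrator session as .\Repair-SecureChannel.ps1 and add -Rejoin only once the repair and password reset have both failed, since the unjoin restarts the VM and leaves it in a workgroup until Add-Computer is run. The credential it prompts for should be an account delegated the "Reset password" right on the VM's computer object rather than a domain administrator; typing domain-admin credentials into a machine whose trust state is unexplained is exactly the exposure least privilege is meant to avoid.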
    

Additional resources

Detailed Concepts: Secure Channel Explained

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.