Windows: how to fix the "trust relationship" error? Here's how!
I. Introduction
For administrators of Windows workstations joined to an Active Directory domain, the error message "The trust relationship between this workstation and the primary domain failed" is a classic. It's the kind of error we all run into at least once, even if we'd rather do without it! There are several ways out of this situation, manually through the graphical interface but also from the command line.
In this tutorial, I'm going to answer a simple question: how do I fix the error "The trust relationship between this workstation and the primary domain failed"? That is the wording shown on an English-language machine; localized versions of Windows display a translated equivalent of the same message.


II. The principle of "computer" passwords
When a Windows machine is joined to an Active Directory domain, an object of the "computer" class is created in the directory: this is the computer account for that machine. Besides the name, a password is associated with this account, and it is known to both the Windows machine and Active Directory. By default, this password is valid for 30 days, after which it is renewed automatically, without any action on your part.
You can see this default in Group Policy: in a GPO such as the built-in "Default Domain Policy", the setting "Domain member: Maximum machine account password age" (under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options) shows a default value of 30 days. On the member itself, the same value is exposed in the registry as MaximumPasswordAge under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

When this error occurs, it's as if the trust between the two parties had suddenly vanished. In most cases, the password held by the local computer (the Windows machine joined to AD) no longer matches the one stored in Active Directory for its computer account: in other words, the password renewal didn't go as planned...
Password renewal is initiated by the Windows machine itself, through the Netlogon service, which checks the age of the password at startup and then periodically, and requests a change from a domain controller once the maximum age is exceeded. The new password is stored locally among the LSA secrets, in the registry under "HKLM\SECURITY\Policy\Secrets" (the $MACHINE.ACC secret), and Active Directory stores it on the computer object. In the vast majority of cases this process works correctly: fortunately, otherwise every 30 days would be hellish.
Sometimes, though, the operation fails and the error "The trust relationship between this workstation and the primary domain failed" appears, occasionally again and again on the same machine. Several different situations lead to this message: the password was updated in Active Directory but not in the local LSA secrets (or the other way round), so the two sides hold different secrets; the machine was restored from a backup or a virtual machine snapshot taken before its last password change; another machine was joined under the same name and took over the account; or the computer object was reset or deleted in Active Directory. Note that a machine simply being switched off or off the network for more than 30 days does not by itself break the trust: the change is initiated by the machine, and only when it talks to a domain controller.
That's the theory; now let's look at several methods for fixing this error, mostly PowerShell-based. If one method doesn't work, try another.
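As an added example (not code from the original article), here is a PowerShell script that uses this mechanism to find computer accounts whose password has not been renewed within the configured maximum age. It reads the maximum age from the local Netlogon parameters, assuming they reflect the domain's GPO value, and queries the directory through ADSI so it does not need the RSAT module; run it on a healthy domain-joined machine with an account that can read the directory.

```powershell
# Added example, not from the original article.
# Lists computer accounts whose machine password is older than the configured
# maximum. Assumptions: run on a healthy domain-joined machine, the local
# Netlogon setting matches the domain GPO, the logged-on user can read AD.

$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# The values are absent when the defaults apply: 30 days, automatic change enabled
$maxAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
if ($netlogon.DisablePasswordChange -eq 1) {
    Write-Warning 'DisablePasswordChange is set on this machine: Netlogon will never renew its password.'
}

# pwdLastSet is a Windows FILETIME (100 ns intervals since 1601-01-01), so the
# cutoff is computed in the same unit and compared directly in the LDAP filter.
$cutoff = (Get-Date).AddDays(-$maxAgeDays).ToFileTime()

$searcher = [adsisearcher]"(&(objectClass=computer)(pwdLastSet<=$cutoff))"
$searcher.PageSize = 500     # paged search: the server-side limit is 1000 results per page
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'pwdLastSet', 'operatingSystem', 'userAccountControl'))

$stale = foreach ($r in $searcher.FindAll()) {
    # Result property keys are lower-case; @(...)[0] is $null when a property is missing
    $uac = [int]@($r.Properties['useraccountcontrol'])[0]
    $pls = [int64]@($r.Properties['pwdlastset'])[0]
    [pscustomobject]@{
        Name            = @($r.Properties['name'])[0]
        OperatingSystem = @($r.Properties['operatingsystem'])[0]
        PasswordLastSet = if ($pls -gt 0) { [DateTime]::FromFileTime($pls) } else { $null }
        Disabled        = [bool]($uac -band 0x2)          # ACCOUNTDISABLE flag
    }
}

"$(@($stale).Count) computer account(s) with a password older than $maxAgeDays days:"
$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

A computer in this list has not changed its password since the cutoff: either it has not contacted a domain controller in that time (switched off, or a stale object to clean up) or its Netlogon renewal is not happening. It is the first place to look when the trust error keeps coming back on the same machines.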
III. Troubleshooting - "The trust relationship between this workstation and the primary domain failed"
A. The manual method
The manual method is familiar to many system administrators. It works, but it's not convenient, because it requires the machine to be disconnected from the network. The idea is to remove the machine from the domain and join it again, by performing the following steps:
1 - Disconnect the computer from the network
2 - Log on as local administrator
3 - Remove the computer from the domain
Remove-Computer -UnjoinDomainCredential IT-Connect\Admin -PassThru -Verbose -Restart
4 - Reset computer object in Active Directory
5 - Restart the computer
6 - Reconnect the network cable
7 - Add the computer to the domain
Add-Computer -DomainName it-connect.local -Credential (Get-Credential) -Restart
The main drawback of this method is that it requires physical presence, since the machine must be disconnected from the network. To remove the machine from the domain and add it again, you can use the Windows GUI or the PowerShell cmdlets "Remove-Computer" and "Add-Computer". Prefer resetting the existing computer object (step 4) to deleting and recreating it: a recreated object gets a new SID, and any group memberships or GPO security filtering tied to the old object are lost.
B. The PowerShell method: Test-ComputerSecureChannel
For years now it has been possible to fix this error with PowerShell, which is great news because it can be done remotely, far more convenient. The Test-ComputerSecureChannel cmdlet has been part of Windows PowerShell since version 2.0 and is still available on Windows 10 and Windows 11 (it is not included in PowerShell 7, so use a Windows PowerShell console). Personally, this is the method I recommend.
On a machine where the trust relationship is broken, log on with a local administrator account, open an elevated Windows PowerShell console and run:
Test-ComputerSecureChannel
It is also possible to target a specific domain controller, as with Active Directory module commands. For example:
Test-ComputerSecureChannel -Server "SRV-ADDS.it-connect.local"
The command returns $True or $False to indicate the state of the trust relationship between the computer and the directory; add the -Verbose parameter to get a descriptive message along with the result. When the trust is broken it returns $False, so you then add the -Repair parameter, which resets the computer account password on both sides and re-establishes the secure channel with the domain controller, using the account supplied with -Credential:
Test-ComputerSecureChannel -Repair -Credential florian@it-connect.local
We can also do :
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
The account does not have to be a Domain Admin: an account that has been delegated the right to join machines to the domain and to reset the password of this computer object will do.
Since this is PowerShell, you can also run it remotely against one or more machines with Invoke-Command. Bear in mind that a machine whose trust is broken can no longer validate domain credentials, so connect to it with a local administrator account of the target (this NTLM fallback may require adding the target to your WinRM TrustedHosts list, or using HTTPS). Here's an example:
Invoke-Command -ComputerName PC-01 -ScriptBlock { Test-ComputerSecureChannel }
Note: whichever of these methods you use, if the computer object no longer exists in Active Directory, create it first, in the right OU: from the "Active Directory Users and Computers" console (or another method), right-click, "New", then "Computer", and give it exactly the same name as the machine. A recreated object has a new SID, so group memberships that referred to the old object will have to be re-added.
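As an added example (not the original article's code), here is a PowerShell script that puts the above together for a list of machines, run from an administrator's workstation. It first checks in the directory that each computer object still exists, since -Repair resets an existing account and cannot recreate a deleted one, then connects with a local administrator credential (the targets can no longer validate domain credentials) and repairs only the machines whose secure channel test fails. The computer names, WinRM being enabled on the targets and the two credentials are assumptions.

```powershell
# Added example, not from the original article.
# Assumptions: the names below are illustrative, WinRM is enabled on the targets,
# $localAdmin is a local administrator on each target and $adAdmin may reset
# computer account passwords in Active Directory.
$computers  = 'PC-01', 'PC-02'
$localAdmin = Get-Credential -Message 'Local administrator on the target machines'
$adAdmin    = Get-Credential -Message 'Domain account allowed to reset computer passwords'

# Check in the directory that the computer object still exists: -Repair resets
# the password of an existing account, it does not recreate a deleted one.
function Test-ComputerObjectExists {
    param([string]$Name)
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$Name`$))"
    return ($null -ne $searcher.FindOne())
}

$results = foreach ($pc in $computers) {
    if (-not (Test-ComputerObjectExists -Name $pc)) {
        [pscustomobject]@{ Computer = $pc; Before = $null; Repaired = $false; After = $null; Note = 'No computer object in AD: create it first' }
        continue
    }
    try {
        # Authenticate with the local account: Kerberos and NTLM with domain
        # credentials both fail against a machine whose secure channel is broken.
        Invoke-Command -ComputerName $pc -Credential $localAdmin -ErrorAction Stop -ArgumentList $adAdmin -ScriptBlock {
            param($cred)
            $before   = Test-ComputerSecureChannel
            $repaired = $false
            if (-not $before) {
                # Resets the machine account password on both sides and rebuilds the channel
                $repaired = Test-ComputerSecureChannel -Repair -Credential $cred
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Before   = $before
                Repaired = $repaired
                After    = Test-ComputerSecureChannel
                Note     = ''
            }
        }
    } catch {
        [pscustomobject]@{ Computer = $pc; Before = $null; Repaired = $false; After = $null; Note = $_.Exception.Message }
    }
}

$results | Select-Object Computer, Before, Repaired, After, Note | Format-Table -AutoSize
```

The credential passed through -ArgumentList is used explicitly by the cmdlet on the target, so no delegation (CredSSP) is needed for the second hop to the domain controller. Reset-ComputerMachinePassword -Credential $cred could be used in place of the -Repair call.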
C. The second PowerShell method: Reset-ComputerMachinePassword
When the error occurs, a second PowerShell cmdlet can help you out: Reset-ComputerMachinePassword, also part of Windows PowerShell (up to 5.1, not PowerShell 7). It resets the password of the local machine's computer account, both in the local LSA secrets and in Active Directory.
Again, run this command on the computer where the error occurs, from an elevated Windows PowerShell console.
Here's how to use this command:
Reset-ComputerMachinePassword -Credential florian@it-connect.local
You can also specify the name of the target domain controller:
Reset-ComputerMachinePassword -Credential florian@it-connect.local -Server "SRV-ADDS.it-connect.local"
The new password is generated automatically; you don't get to choose it. This method also fixes the trust error.
D. The netdom method
Netdom has been on Windows for a long time, well before PowerShell came along. It can also reset a computer account password from the command line (on a workstation it is installed with the RSAT tools). Run it on the affected machine, from an elevated command prompt.
Here's an example where I contact the "SRV-ADDS" domain controller with the "florian" account, without giving the password in clear text on the command line (hence the "*", which makes netdom prompt for it). Note that the /ud: value is expected in domain\user format.
netdom resetpwd /s:SRV-ADDS /ud:it-connect\florian /pd:*
IV. Conclusion
We've now covered several ways of fixing the "The trust relationship between this workstation and the primary domain failed" error on your Windows machines: PowerShell on recent machines, and netdom (or the manual method) on machines running older systems, because we all know there are still some around!
If you know of another method, let us know in the comments! 🙂