How to Fix a Broken Windows Domain Trust
Fix a broken Windows domain trust using Netlogon, Windows Time, DNS checks, nltest, and Test-ComputerSecureChannel without rejoining the domain.
When a domain-joined Windows PC suddenly loses connection with Active Directory, the issue is usually not the user account. It is often the computer’s secure channel with the domain controller, combined with DNS, Netlogon, or Windows Time problems.
The quick answer: log in with a local administrator account, confirm the PC can resolve and reach the domain controller, then repair the secure channel with Test-ComputerSecureChannel -Repair. After that, check Netlogon, Windows Time, DNS, and Group Policy results before assuming a GPO caused the break. In the case we handled, the trust repair returned True, Netlogon was stopped, and Windows Time was still using Local CMOS Clock, which is a strong sign that authentication could fail again if time sync was not fixed.
Why This Problem Exists
A Windows domain trust relationship breaks when the workstation and domain controller no longer agree on the secure channel used by the computer account. In Active Directory, every domain-joined computer has its own machine account and password. That machine password is used to maintain a secure relationship with the domain controller. If the password becomes out of sync, the computer may still show as domain joined, but domain authentication starts failing.
Microsoft describes the Netlogon RPC interface as the mechanism used to establish and maintain the secure channel between a client and a domain controller. That means Netlogon is not just another background service. It is part of the core trust path between the workstation and Active Directory. According to Microsoft’s Netlogon protocol documentation, the client attempts to establish this secure channel with a domain controller in its own domain. (Microsoft Learn)
The symptoms usually look familiar. Users may see “The trust relationship between this workstation and the primary domain failed,” “There are currently no logon servers available,” or repeated domain login failures even though the username and password are correct. On the admin side, commands like this may fail or return access-related errors:
nltest /sc_verify:corp.example.com
In our case, the secure channel repair worked immediately:
Test-ComputerSecureChannel -Repair -Credential corp.example.com\Administrator
The command returned:
True
That result matters because Microsoft’s PowerShell documentation states that Test-ComputerSecureChannel returns True when the channel is working correctly, and its -Repair parameter can restore the trust relationship when the connection fails. Microsoft also notes that this cmdlet uses the Netlogon service, similar to NetDom.exe. (Microsoft Learn)
The second issue was time. The client showed this:
Leap Indicator: 3(not synchronized)
Stratum: 0
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
That is a red flag in any Active Directory environment. Microsoft states that the Windows Time service is essential for Kerberos V5 authentication and AD DS-based authentication. Kerberos depends on time agreement between the client and the domain controller. (Microsoft Learn)
The default Kerberos time tolerance is also important. Microsoft’s Windows Server troubleshooting documentation states that Kerberos authentication works when the time interval between the relevant computers is within the maximum enabled time skew, and the default is 5 minutes. (Microsoft Learn)
So the root cause was not “domain user password wrong.” It was a broken trust path: secure channel needed repair, Netlogon needed attention, and Windows Time needed proper domain synchronization.
The Solution — Hitori Domain Trust Repair Runbook
The fastest safe fix is to use a structured repair path instead of randomly removing and rejoining the machine to the domain. We call this the Hitori Domain Trust Repair Runbook because it checks the dependency chain in the same order Windows uses it: local admin access, DNS, domain controller discovery, secure channel, Netlogon, time sync, then Group Policy.
Step 1 is to log in with a local administrator account. If the domain login is broken, you cannot rely on domain credentials at the Windows sign-in screen. Use a local admin account like this:
.\LocalAdminName
or:
COMPUTERNAME\LocalAdminName
Once logged in, open PowerShell as Administrator. This part matters. Running Test-ComputerSecureChannel -Repair from a non-elevated shell can fail with:
Administrator rights are required to reset the secure channel password on the local computer. Access is denied.
Step 2 is to verify that DNS points to the domain controller. A domain-joined PC should normally use the domain controller or internal AD DNS server, not public DNS such as 8.8.8.8.
Run:
ipconfig /all
Check that the DNS server is your domain controller, for example:
DNS Servers . . . . . . . . . . . : 10.10.10.10
Then test domain resolution and domain controller discovery:
nslookup corp.example.com
nltest /dsgetdc:corp.example.com
The nltest command is useful here because Microsoft documents that it can test and reset the secure channel established by Netlogon between clients and the domain controller that logs them on. (Microsoft Learn)
Step 3 is to repair the secure channel:
Test-ComputerSecureChannel -Repair -Credential corp.example.com\Administrator
A successful repair returns:
True
After that, restart the PC:
shutdown /r /t 0
Step 4 is to check Netlogon after reboot:
Get-Service Netlogon
sc.exe query netlogon
If Netlogon is stopped, start it:
Start-Service Netlogon
If you want it to start automatically:
Set-Service Netlogon -StartupType Automatic
or:
sc.exe config netlogon start= auto
In PowerShell, use sc.exe, not just sc, because sc can conflict with PowerShell aliases.
Step 5 is to fix Windows Time. In our troubleshooting session, Windows Time was running but not synchronized. That is not good enough. A running service with Source: Local CMOS Clock can still break Kerberos authentication.
Use domain hierarchy first:
w32tm /config /syncfromflags:domhier /update
Restart-Service W32Time
w32tm /resync /force
w32tm /query /status
If it still does not sync, temporarily point the client directly to the domain controller:
w32tm /config /manualpeerlist:"10.10.10.10" /syncfromflags:manual /reliable:no /update
Restart-Service W32Time
w32tm /resync /force
w32tm /query /status
The goal is to stop seeing:
Source: Local CMOS Clock
and start seeing the domain controller or an internal time source.
Step 6 is to verify the secure channel and domain logon server:
nltest /sc_verify:corp.example.com
$env:LOGONSERVER
In CMD, the logon server command is different:
echo %logonserver%
Do not use %logonserver% syntax in PowerShell. It will print the text literally instead of showing the variable.
Step 7 is to check Group Policy, but only after the trust path is healthy:
gpupdate /force
gpresult /h C:\gpresult-client.html /f
A GPResult report helps prove whether policy processing is failing. In the server-side report we reviewed, Group Policy processing showed success, the LDAP bind to Active Directory completed, and the domain controller was identified correctly. The report also showed three applied GPOs, including the default domain policies and a Windows Update policy, which did not point to a direct policy-caused trust failure.
For a broader Windows and DevOps troubleshooting process, this kind of structured runbook is exactly how we approach production support at Hitori Tech’s DevOps services. If your issue is specifically Netlogon-related, you may also want to read our related guide: How to Fix Netlogon 5719 on Windows 11 24H2.
Secure Channel Repair vs Rejoining the Domain
Repairing the secure channel should usually be attempted before removing and rejoining the PC to the domain. Rejoining works, but it is heavier and can create more cleanup work in Active Directory.
| Approach | What it does | Complexity | Risk | Best use case |
|---|---|---|---|---|
Test-ComputerSecureChannel -Repair | Resets/repairs the workstation secure channel | Low | Low | First-choice fix when the PC is still domain joined |
nltest /sc_verify | Tests the secure channel status | Low | Very low | Diagnosis before and after repair |
netdom resetpwd | Resets the machine account password | Medium | Medium | When PowerShell repair does not work |
| Remove and rejoin domain | Creates a fresh domain join relationship | High | Medium to high | Last resort when repair fails |
| Restore from backup/snapshot | Rolls back the machine state | High | High | Avoid unless you understand machine password age impact |
The biggest mistake is jumping directly to domain rejoin. It can fix the symptom, but it does not tell you why the trust broke. If DNS, time sync, or Netlogon startup is still wrong, the same issue can come back.
Common Mistakes and How to Avoid Them
The most common mistake we see is running the right command in the wrong shell. In PowerShell, this command does not work as expected:
echo %logonserver%
Use this instead:
$env:LOGONSERVER
The second common mistake is typing two commands as one. For example, this is wrong:
nslookup corp.example.comnltest /dsgetdc:corp.example.com
Run them separately:
nslookup corp.example.com
nltest /dsgetdc:corp.example.com
The third mistake is assuming “Windows Time is running” means time sync is healthy. It does not. You need to check the actual source:
w32tm /query /status
If the source is Local CMOS Clock, the workstation is not properly synchronized with the domain hierarchy. Microsoft explains that Windows Time within an AD DS forest uses domain security features and authenticated time data, which is why domain time sync is more than a cosmetic setting. (Microsoft Learn)
The fourth mistake is blaming Group Policy too early. A bad policy can break things, but you need evidence. In our case, the GPResult report showed successful Group Policy processing on the server, including successful Group Policy Infrastructure status and successful Active Directory connectivity. That made a direct GPO-caused trust failure less likely.
The fifth mistake is exposing privileged credentials during troubleshooting. If a domain admin password is shared in a ticket, chat, screenshot, recording, or email, rotate it immediately after the repair. Treat it as compromised. This is not optional housekeeping; it is basic Active Directory hygiene.
Real-World Example
We recently handled a domain-joined Windows workstation that had lost connection with the domain. The machine still showed the correct domain in systeminfo, but secure channel validation failed, and domain login was unreliable.
The first check confirmed that DNS was pointing to the internal domain controller. Then the secure channel repair was run from elevated PowerShell:
Test-ComputerSecureChannel -Repair -Credential corp.example.com\Administrator
It returned:
True
That was the turning point. The machine did not need to be removed from the domain. The secure channel was repaired in place.
After that, we checked services:
Get-Service Netlogon
Get-Service LanmanWorkstation
Get-Service W32Time
The result showed Netlogon stopped, Workstation running, and Windows Time running. That looked partially healthy until we checked time status:
w32tm /query /status
The source was still Local CMOS Clock, with no successful sync time. That explained why domain authentication could remain fragile even after the secure channel repair. The next fix was to set Windows Time to use the domain hierarchy or the domain controller directly, restart W32Time, force a resync, and verify the source.
This is why the final repair was not just one command. The trust repair fixed the immediate break. Netlogon and Windows Time checks reduced the chance of the issue coming back.
If you are managing Windows infrastructure as part of a larger migration, hosting, or automation project, the same discipline applies: diagnose the dependency chain first, then automate the safe fix. We use that approach across Windows servers, cloud deployments, and workflow automation projects at Hitori Tech. For teams building automated remediation workflows, n8n automation can also be used to collect logs, alert admins, and trigger standard diagnostic scripts.
Frequently Asked Questions
What causes a Windows domain trust relationship to break?
A Windows domain trust relationship usually breaks when the workstation’s computer account password no longer matches what Active Directory expects. It can also happen after VM snapshots, long offline periods, DNS changes, time synchronization failures, or domain controller communication problems. The best first fix is usually Test-ComputerSecureChannel -Repair, not removing and rejoining the PC immediately.
How do I check if Netlogon is causing domain login issues?
Check Netlogon with Get-Service Netlogon or sc.exe query netlogon. If it is stopped, start it with Start-Service Netlogon and then verify the secure channel using nltest /sc_verify:yourdomain.com. Netlogon is important because it helps maintain the secure channel between the computer and the domain controller.
Why does Windows Time affect Active Directory login?
Windows Time affects Active Directory login because Kerberos authentication depends on time synchronization between the client and domain controller. If the time difference is too large, authentication can fail even when the username and password are correct. Microsoft documents the default Kerberos time skew tolerance as 5 minutes, which is why w32tm /query /status should be part of every domain trust check. (Microsoft Learn)
How do I repair a domain trust relationship without rejoining the domain?
Repair it from elevated PowerShell using Test-ComputerSecureChannel -Repair -Credential domain\adminuser. If it returns True, restart the PC and verify with nltest /sc_verify:domain.com. This method is cleaner than removing and rejoining the domain because it repairs the existing computer account relationship instead of recreating it.
Can Group Policy break domain trust?
Group Policy can contribute to domain connectivity problems if it changes DNS, security, firewall, time, or authentication settings incorrectly. But you should not assume GPO is the cause without checking gpresult, Event Viewer, and secure channel status. If GPResult shows successful processing and the secure channel repair fixes the machine, the issue is more likely Netlogon, DNS, time sync, or computer account password mismatch.
A broken Windows domain trust relationship looks serious, but in many cases it can be repaired without rebuilding the workstation or rejoining the domain. Start with DNS and domain controller discovery, repair the secure channel, then verify Netlogon and Windows Time before blaming Group Policy. If you want help building a repeatable Windows support runbook for your team, contact Hitori Tech and we’ll help you turn one-off fixes into reliable operations.
