Fix 0X000006FD: Trust Relationship Failure in Under 5 Minutes
This error means your PC lost its domain trust. It's usually caused by a password mismatch. Here's how to fix it fast.
Quick answer: Run this from an elevated command prompt on the affected machine: netdom resetpwd /server:YourDomainController /userd:DOMAIN\Admin /passwordd:* — but you'll need a valid domain admin account that still works. If that doesn't fly, you're re-joining the domain.
Why This Happens
Every domain-joined computer has a machine account password that's automatically changed every 30 days by default. When that password gets out of sync between the workstation and the domain controller, you get error 0X000006FD. Common triggers: restoring from a backup older than 30 days, cloning a VM without running Sysprep, or a DC failure on the last password change. I've seen this most often with laptops that come back from a long vacation — the domain password rotated while they were offline.
Fix Step-by-Step
- Identify a working DC — From a command prompt on the affected machine, run
    nltest /dsgetdc:YOURDOMAIN
  to find a DC that's reachable. If it fails, your network connection might be the real issue — check DNS first.
- Log in as local admin — You'll need the local administrator password. If you don't have it, you're going to need to boot from a password reset disk or use a tool like Hiren's Boot CD.
- Open an elevated command prompt — Right-click Command Prompt and select Run as administrator.
- Reset the machine password — Run this command, replacing values for your environment:
    netdom resetpwd /server:YOUR_DC_NAME /userd:YOURDOMAIN\AdminUser /passwordd:*
  It'll ask for the admin password. If it succeeds, reboot and test.
- If that fails — The account might be locked. From a working DC, open Active Directory Users and Computers, find the computer account, right-click, and select Reset Account. Then reboot the workstation and try to log in with a domain account.
- Still stuck? — You're re-joining the domain.
Unjoin the domain: Right-click This PC > Properties > Rename this PC (Advanced) > Change. Select Workgroup, enter WORKGROUP, and reboot.
Rejoin the domain: Same path, select Domain, enter your domain name, provide admin credentials, reboot again.
Alternative Fixes If the Main One Fails
- Check time sync — Kerberos is extremely picky about time. Run
    w32tm /query /status
  and verify the time is within 5 minutes of the DC. Had a client last month whose CMOS battery was dead — time drifted by 4 years.
- DNS check — The workstation must point to a DNS server that knows about the domain. Run
    ipconfig /all
  and verify the DNS server listed is a domain controller. If not, fix it in your network adapter settings.
- Use PowerShell — If netdom isn't available, install it via RSAT or use:
    Test-ComputerSecureChannel -Repair -Credential YOURDOMAIN\AdminUser
- Offline NT password reset — As a last resort before re-joining, you can boot from a Linux live USB, mount the SAM hive, and reset the local admin password directly if you lost it. NTPWEdit works for this.
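The checks above (reachable DC, clock skew, DNS, secure channel) are quicker to run as one script than one at a time, and running them in that order tells you whether the machine password is really the problem before you reset it. The following is an added example, not code from the original article, written for an elevated Windows PowerShell 5.1 session on the affected PC (logged in as local admin, since domain logon is what's broken). It assumes a domain called CORP.EXAMPLE and an admin account CORP\AdminUser; both are placeholders.

```powershell
# Added example: trust-failure triage in the order the article recommends.
# Assumptions: domain CORP.EXAMPLE, admin account CORP\AdminUser (replace both).
$Domain       = 'CORP.EXAMPLE'      # assumption: your AD DNS domain name
$AdminAccount = 'CORP\AdminUser'    # assumption: a domain account that can reset computer accounts

# 1. Find a reachable DC (same information as 'nltest /dsgetdc:DOMAIN' at a cmd prompt).
$nltest = & nltest.exe "/dsgetdc:$Domain" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No domain controller reachable for $Domain. Fix network/DNS first:`n$($nltest -join "`n")"
    return
}
$dcName = $null
foreach ($line in $nltest) {
    # nltest prints a line like '           DC: \\DC01.corp.example'
    if ($line -match '^\s*DC:\s+\\\\(\S+)') { $dcName = $Matches[1]; break }
}
Write-Host "Using domain controller: $dcName"

# 2. Clock skew against that DC. Kerberos tolerates 5 minutes (300 s) by default.
$chart = & w32tm.exe /stripchart "/computer:$dcName" /samples:1 /dataonly 2>&1
$offsetSeconds = $null
foreach ($line in $chart) {
    # /dataonly prints e.g. '12:34:56, +00.0015000s'; an error line has no offset
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { $offsetSeconds = [double]$Matches[1] }
}
if ($null -eq $offsetSeconds) {
    Write-Warning "Could not measure time offset. w32tm said: $($chart -join ' ')"
} elseif ([math]::Abs($offsetSeconds) -gt 300) {
    Write-Warning "Clock is off by $([math]::Round($offsetSeconds)) s from $dcName. Kerberos will fail until the time is fixed (w32tm /resync after pointing at the DC)."
} else {
    Write-Host "Clock offset OK: $([math]::Round($offsetSeconds, 3)) s"
}

# 3. DNS: the configured resolvers must be able to find the domain's DC SRV records.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "Configured DNS servers: $($resolvers -join ', ')"
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    Write-Host "DC SRV records resolve to: $(($srv | Select-Object -ExpandProperty NameTarget) -join ', ')"
} catch {
    Write-Warning "DNS cannot find DC SRV records for $Domain. Point the adapter at a DC-aware DNS server. ($($_.Exception.Message))"
    return
}

# 4. Test the secure channel, and only repair it if it is actually broken.
if (Test-ComputerSecureChannel -Server $dcName) {
    Write-Host "Secure channel to $dcName is healthy. No machine password reset needed; re-check the time and DNS results above."
    return
}
Write-Warning "Secure channel is broken. Resetting the machine account password via $dcName ..."
$cred = Get-Credential -UserName $AdminAccount -Message 'Domain admin password for machine account reset'
if (Test-ComputerSecureChannel -Repair -Server $dcName -Credential $cred) {
    Write-Host 'Repair succeeded. Reboot, then sign in with a domain account.'
} else {
    Write-Warning 'Repair failed. Reset the computer account in AD Users and Computers, or unjoin/rejoin the domain.'
}
```

nltest and w32tm are built into Windows, and Test-ComputerSecureChannel ships with Windows PowerShell 5.1, so nothing here needs RSAT. The repair step is the PowerShell equivalent of the netdom resetpwd command above; if both fail, the computer account itself is the problem and you are back to the Reset Account or unjoin/rejoin steps.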
Prevention Tips
The real fix is not having to fix this again. Here's what I tell every small business IT guy I work with:
- Back up the local admin password — Store it in a password manager. When this error hits, that's your lifeline.
- Don't revert VMs — If you're using Hyper-V or VMware, never restore a domain-joined VM from a snapshot older than 30 days without resetting the machine account first.
- Enable verbose logon messages — Set
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\VerboseStatus
  to 1. Next time, you'll see more detail about where the failure happens.
- Run a weekly trust check — Schedule a PowerShell script on each workstation:
    Test-ComputerSecureChannel
  If it fails, log it. Catch it before the user can't log in.
- Use Group Policy to extend the machine password rotation — In a pinch, you can set the machine account password to not rotate automatically, though that's a security risk. Better to keep a tight backup of the machine account.
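Here is what the weekly trust check and the VerboseStatus tip look like when actually deployed. This is an added example, not code from the original article: it writes the check script to disk, registers a scheduled task that runs it as SYSTEM every Monday, sets VerboseStatus, and runs the check once. The script path C:\Scripts\Check-Trust.ps1, the task name, and the event source name TrustCheck are assumptions; change them to fit your environment. Run it once, elevated, on each workstation (or push the same thing through your RMM or a GPO startup script).

```powershell
# Added example: weekly secure-channel check logged to the Application event log.
# Assumptions: script path, task name and event source name below are placeholders.
$ScriptPath = 'C:\Scripts\Check-Trust.ps1'   # assumption: where the check script lives
$TaskName   = 'Weekly Domain Trust Check'    # assumption: scheduled task name

# Body of Check-Trust.ps1. Single-quoted here-string, so nothing expands until the task runs it.
$checkScript = @'
$src = 'TrustCheck'                            # assumption: custom event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($src)) {
    New-EventLog -LogName Application -Source $src
}
# SYSTEM has no USERDNSDOMAIN variable, so read the joined domain from WMI instead.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
try {
    $healthy = Test-ComputerSecureChannel -ErrorAction Stop
    if ($healthy) {
        Write-EventLog -LogName Application -Source $src -EntryType Information -EventId 1000 `
            -Message "Secure channel to $domain is healthy."
    } else {
        # This is the precursor to the 0x6FD logon error: fix it before the user is locked out.
        Write-EventLog -LogName Application -Source $src -EntryType Error -EventId 1001 `
            -Message "Secure channel to $domain is BROKEN. Run 'Test-ComputerSecureChannel -Repair' or 'netdom resetpwd' before the next logon."
    }
} catch {
    # Could not reach a DC at all: a network or DNS problem, not (yet) a trust problem.
    Write-EventLog -LogName Application -Source $src -EntryType Warning -EventId 1002 `
        -Message "Could not test the secure channel to $domain (no DC reachable?): $($_.Exception.Message)"
}
'@
New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $checkScript -Encoding UTF8

# Scheduled task: Mondays at 07:00 as SYSTEM, the machine-account context that owns the
# secure channel in the first place, so no credentials have to be stored in the task.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '07:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# VerboseStatus = 1 turns on the detailed logon/startup messages mentioned in the tips.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $policyKey -Name 'VerboseStatus' -Value 1 -Type DWord

# Run the check once now so the event source exists and you can see the first result.
& $ScriptPath
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'TrustCheck' } -MaxEvents 1 |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

The try/catch matters: Test-ComputerSecureChannel throws when no DC is reachable (laptop at home, DNS pointed at the wrong server), and logging that as event 1002 rather than 1001 keeps a connectivity blip from looking like a broken trust. Forward event ID 1001 from the Application log to whatever you use for monitoring, and you will hear about the problem days before the Friday 5 PM call.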
If you hit this error at 5 PM on a Friday, you're not alone. I've been there. Take a breath, grab a coffee, and follow the steps above. Most of the time, the netdom reset is your 90-second save. If not, the re-join process is boring but bulletproof.