Every laptop and desktop joined to a domain attempts to change its password with the domain every 30 days. The Netlogon service uses the local security authority (LSA) secret to log on to the domain, which establishes a secure channel with a domain controller using RPC. If a consultant’s laptop has been off the domain for more than 30 days, and then they come into a Catapult office, they could sometimes receive the error message “The trust relationship between this workstation and the primary domain failed.” This does not happen every time because this is a client-side process; read here for more info.

In the past, Catapult IT would respond by removing the computer from the domain, joining a workgroup and then re-joining the domain. This solves the problem, but it is not the best practice. This method is not advisable because the object in AD will lose its group memberships, resulting in the loss of 802.1x wireless authentication. The preferred way is to use the netdom command as follows:

netdom reset machineName /domain:Domainname /userO:username /passwordO:*

This resets the secure channel and syncs the password on both the computer and the domain, so it does not require rejoining or rebooting. The alternative, using ‘reset account’ within Active Directory Users and Computers, would require rejoining the domain (but at least this method does not lose group memberships).
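
One way to wrap the reset in a check-before and verify-after, as an added example that is not part of the original post. It assumes an elevated Windows PowerShell session on the affected computer with netdom.exe available; the function name Repair-MachineTrust, the domain corp.example.com and the account CORP\helpdesk are placeholders.

```powershell
# Added example; Repair-MachineTrust and the default values below are hypothetical.
# Run from an elevated Windows PowerShell session on the affected computer.
function Repair-MachineTrust {
    param(
        [string]$Domain   = 'corp.example.com',  # placeholder domain name
        [string]$Operator = 'CORP\helpdesk'      # placeholder account allowed to reset the computer object
    )

    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        BrokenBefore = $false
        ResetRun     = $false
        HealthyAfter = $false
    }

    # Returns $true when the secure channel to the domain is working.
    if (Test-ComputerSecureChannel) {
        $result.HealthyAfter = $true
        return [pscustomobject]$result
    }
    $result.BrokenBefore = $true

    # Fail early with a clear message if the tool is not installed here.
    if (-not (Get-Command netdom.exe -ErrorAction SilentlyContinue)) {
        throw 'netdom.exe was not found on this computer.'
    }

    # '*' makes netdom prompt for the password, so it never appears on the command line.
    & netdom.exe reset $env:COMPUTERNAME "/domain:$Domain" "/userO:$Operator" '/passwordO:*'
    $result.ResetRun = $true
    if ($LASTEXITCODE -ne 0) {
        throw "netdom reset failed with exit code $LASTEXITCODE."
    }

    # Re-test so the ticket records whether the reset actually restored the channel.
    $result.HealthyAfter = Test-ComputerSecureChannel
    return [pscustomobject]$result
}

Repair-MachineTrust
```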

Source: Configuring Windows Server 2008 Active Directory, Microsoft Press, page 216