Trust Relationships with domain/Windows 7


  • Trust Relationships with domain/Windows 7

    Hello! I hope I'm posting this in the correct forum?
    A little background-

    -Server 2003 SP2
    -Windows 7 SP1

    I'm having issues with certain folks logging into the domain. They receive the following error-
    "the security database on the server does not have a computer account for the workstation trust relationship."
    I usually can fix this by removing the computer from Active Directory, taking the computer off the domain and rejoining to the domain. My question is however, why is this happening and how can I prevent it from happening?

    Thanks for any help!
    JS

  • #2
    Re: Trust Relationships with domain/Windows 7

    Does it happen after a certain number of days? It would be worth reviewing the health of Active Directory. DCDIAG is a good starting point.



    • #3
      Re: Trust Relationships with domain/Windows 7

      Does the computer account in AD still exist for these machines?
      Are they on and working one day and then just randomly fail the next or are they something like laptops that don't come onto the network regularly?

      Can you run
      nltest /SC_QUERY:domain.local
      on a failed machine?
      cheers
      Andy

      Quis custodiet ipsos custodes?



      • #4
        Re: Trust Relationships with domain/Windows 7

        First of all, thank you for your replies! I tried on Monday, removing the computer with this issue from the domain, removing the AD account for that computer and then rejoining to the domain. This creates a new instance in AD for that computer. This worked for 2 days and then it broke again. Hope that answers your question?

        I'll do the dcdiag and see where that leads me. Thanks! And the next time this breaks, I'll try to run the query. What am I looking for when the query runs?

        Thanks again!



        • #5
          Re: Trust Relationships with domain/Windows 7

          I just wanted to determine if the machine account still existed in AD when you saw the problem.
          Along with DCDiag do you also see anything in the local event logs/the DC event logs?

          The query should show something like this:

          nltest /SC_QUERY:domain.local
          Flags: 30 HAS_IP HAS_TIMESERV
          Trusted DC Name \\DNNAME.domain.local
          Trusted DC Connection Status Status = 0 0x0 NERR_Success
          The command completed successfully


          I would also check for things like time skew issues etc
          cheers
          Andy

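Added example, not part of the thread or any poster's code: a PowerShell helper that reads the `nltest /SC_QUERY` output shown in post #5 and reports whether the secure channel is healthy. The function name, the hint texts and the failing sample are constructed for illustration; status 1787 (ERROR_NO_TRUST_SAM_ACCOUNT) is the Win32 code behind the error message quoted in the first post.

```powershell
# Added example (not from the thread); runs on PowerShell 2.0 and later.
# Live use:  nltest /SC_QUERY:domain.local | ConvertFrom-NltestScQuery
function ConvertFrom-NltestScQuery {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin   { $buf = @() }
    process { $buf += $Line }
    end {
        $text = $buf -join "`n"
        $dc = $null; $code = $null; $name = $null
        # [ \t]+ keeps an empty DC name from swallowing the next line.
        if ($text -match 'Trusted DC Name[ \t]+(\S+)') { $dc = $Matches[1] }
        # Success and failure lines both carry "Status = <dec> 0x<hex> <NAME>".
        if ($text -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)') {
            $code = [int]$Matches[1]; $name = $Matches[2]
        }
        $hints = @{   # Win32 status codes relevant to this symptom
            0    = 'Secure channel to the DC is up.'
            1311 = 'No logon servers available: check network and DNS first.'
            1355 = 'Domain not found: check DNS and the domain name given to nltest.'
            1787 = 'The DC has no computer account for this workstation.'
            1789 = 'Trust relationship failed: commonly a machine password mismatch.'
        }
        if ($null -eq $code) {
            $hint = 'No status line found in the output.'
        } elseif ($hints.ContainsKey($code)) {
            $hint = $hints[$code]
        } else {
            $hint = "Unrecognised status; look it up with: net helpmsg $code"
        }
        New-Object PSObject -Property @{
            TrustedDC = $dc; Status = $code; StatusName = $name
            Healthy   = ($code -eq 0); Hint = $hint
        }
    }
}

# Healthy output as quoted in the thread.
$ok = @'
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DNNAME.domain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@ -split "`r?`n"
# Constructed failing output for the error reported in the first post.
$bad = @'
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT
'@ -split "`r?`n"

$ok, $bad | ForEach-Object { ConvertFrom-NltestScQuery -Line $_ } | Format-List
```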


          • #6
            Re: Trust Relationships with domain/Windows 7

            In fact, good point raised as well, check the time on the Client OS and ensure it is the same as the DCs.



            • #7
              Re: Trust Relationships with domain/Windows 7

              Thank you all VERY much for your replies!

              The account in AD for the computer did exist for a few and for a few others it didn't. Once I rejoined to the domain however, they still didn't exist in AD. ??

              As far as the time, they do match.



              • #8
                Re: Trust Relationships with domain/Windows 7

                How many DCs in your domain? They all replicating ok?
                cheers
                Andy



                • #9
                  Re: Trust Relationships with domain/Windows 7

                  Originally posted by janstan
                  Thank you all VERY much for your replies!

                  The account in AD for the computer did exist for a few and for a few others it didn't. Once I rejoined to the domain however, they still didn't exist in AD. ??

                  As far as the time, they do match.

                  I wonder that computer account doesn't exist even after joining it to the domain.

                  Does it successfully join the domain or give any error?
                  If it successfully joins the domain!!

                  How many DCs do you have in your environment?

                  Where do you check if the computer account is generated or not? There could be a replication delay. It is worth checking the computer account on the logon server the client got authenticated from [run "set l" on command prompt to identify the logon server and check on that DC if the computer account has been created or not].

                  I guess you should be able to see the computer account on the logon server. If that gets deleted again, it's worth using DCDiag, repadmin tool and see what they come up with.
                  Last edited by shankerhari; 22nd October 2012, 22:31.
                  Hari Shanker
                  VCP, MCTS, MCSE 2003, MCSA:


                  " Think beyond and you will go beyond."
                  (Your thoughts create your reality. Widen your expectations and thought process and you'll be amazed at how thinking bigger will bring on bigger things.)



                  • #10
                    Re: Trust Relationships with domain/Windows 7

                    Sounds like maybe you have cloned some PCs without resetting their SIDs or have PCs with the same name as other PCs? These 2 reasons are the most common for machines being knocked off the domain. Every time you add a new cloned PC it will knock some of the others off, we used to see this all the time when we used Norton Ghost to build PCs from a base image that was already on the domain - once we started using SCCM to automate building PCs from scratch rather than from an image then it stopped happening.
                    Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

                    My blog: http://cjwdev.wordpress.com



                    • #11
                      Re: Trust Relationships with domain/Windows 7

                      Seen this?

                      http://blogs.technet.com/b/markrussi...3/3291024.aspx
                      cheers
                      Andy



                      • #12
                        Re: Trust Relationships with domain/Windows 7

                        If that was aimed at me - yeah I saw that a long time ago, and whilst I do understand the technical reasons why Mark says it shouldn't cause problems, in the real world I've seen lots of people have problems like this when they clone PCs and as soon as they stop cloning PCs the issues go away.


                        • #13
                          Re: Trust Relationships with domain/Windows 7

                          Hi JS,

                          We noticed similar behavior in our environment too, especially for some users who VPN in. They got exactly the same error.

                          We recommended that they log off, then shut down their system, and then restart their computers, and doing so fixed the problem for us.

                          It appears that this problem may be related to the trust relationship temporarily breaking down between the domain joined machine and the DC and I believe this can sometimes happen based on the secret password of the domain joined machine, which is used to create the trust relationship.

                          As far as possible, you should NOT unjoin machines from the domain, and then join them back, because when you do so, they get a new SID, and any access provisioned for that machine, whether directly or indirectly, would be lost, leaving you to reprovision it.

                          I would highly recommend trying to have those users log off, then shut those machines down, and then restart them. The problem should go away.



                          • #14
                            Re: Trust Relationships with domain/Windows 7

                            Originally posted by JCraig

                            As far as possible, you should NOT unjoin machines from the domain, and then join them back, because when you do so, they get a new SID, and any access provisioned for that machine, whether directly or indirectly, would be lost, leaving you to reprovision it.

                            AFAIK the SID is tied to the computer account in AD, so as long as that is intact there will be no issues with disjoining and rejoining (or even joining a new PC build under an existing account) and retaining any AD permissions assigned to the computer.
                            More here: http://blogs.msdn.com/b/aaron_margos...main-sids.aspx
                            Tom Jones
                            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                            PhD, MSc, FIAP, MIITT
                            IT Trainer / Consultant
                            Ossian Ltd
                            Scotland

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **
