Trust relationship between this workstation and the primary domain

Discussion in 'Active Directory' started by Server Guy, Jan 22, 2007.

  1. Server Guy

    Server Guy Guest

    Have a big problem I sure could use some help with!

    When I try to add a new user account at a workstation previously joined to a
    domain, I get an error saying I can't add the user because

    "the trust relationship between this workstation and the primary domain
    failed".

    I tried removing the computer object from AD & re-joining but that didn't
    help. This is occurring on stations that are working fine otherwise. The
    only problem is adding a new user account on the station. Existing accounts
    on the stations are working fine. If I add an existing account to a
    different station, same result. Tried setting up a new account in AD. Same
    error when adding account to station.

    I'm not sure when the problem first occurred, just that it is causing issues of
    not being able to setup new accounts. Big Problem!

    I'm open to suggestions! Is there a security DB or something that's
    corrupted or needs to be sync'ed? I've searched and found references to the
    error message but not one generated from trying to add a user to a station.

    Thanks in advance!!!

    Server is W2k SP4, DC, DNS
    Workstation(s) XP-Pro SP2
    Member Win2003 SP1 server
     
    Server Guy, Jan 22, 2007
    #1

  2. Jorge Silva

    Jorge Silva Guest

    Hi
    Try
    Reset the computer account in AD, then re-add it to the domain.

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE
     
    Jorge Silva, Jan 22, 2007
    #2

  3. Paul Bergson [MVP-DS], Jan 22, 2007
    #3
  4. Server Guy

    Server Guy Guest

    Hi, The following is the result of the NLtest from the affected workstation.
    I did get 1 error.

    I checked services on my DC and Net Logon appears to be started. Not sure
    if there is another service not listed that I need.

    Any more thoughts?

    Thanks again!!!

    ============================
    L:\>nltest /server:MYServer
    The command completed successfully

    L:\>nltest /sc_query:ABC.org
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\MYServer.ABC.org
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    L:\>nltest /sc_verify:ABC.org
    I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

    ============================
     
    Server Guy, Jan 23, 2007
    #4
  5. Paul Bergson [MVP-DS], Jan 23, 2007
    #5
  6. This will reset it for the machine you run it on only.



     
    Paul Bergson [MVP-DS], Jan 23, 2007
    #6
  7. Jorge Silva

    Jorge Silva Guest

    Go to the AD console, right click the computer account, choose reset and go to the
    computer and re-add it to the domain.
    Simple and fast.

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE

     
    Jorge Silva, Jan 23, 2007
    #7
  8. Server Guy

    Server Guy Guest

    Still no luck, still have the orig. error message when trying to add a user.

    Below are the NLTest commands used. The verify shows no errors now. But
    when trying to add a domain user at the workstation I still get the orig
    error about the "The Trust relationship between this workstation and the
    primary domain failed"

    I did try resetting the account at the DC. Also tried removing it then
    re-joining the domain, still no luck.

    PLEASE HELP!!!


    C:\>nltest /sc_reset:ABC.org
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\ServerName.ABC.org
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    C:\>nltest /sc_verify:ABC.org
    Flags: b0 HAS_IP HAS_TIMESERV
    Trusted DC Name \\ServerName.ABCc.org
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    Trust Verification Status = 0 0x0 NERR_Success
    The command completed successfully

    --------------------------------------------------------------------------------



     
    Server Guy, Jan 25, 2007
    #8
  9. Run diagnostics against your Active Directory domain.

    If you don't have the tools installed, install them from your server install
    disk.
    d:\support\tools\setup.exe

    Run dcdiag, netdiag and repadmin in verbose mode.
    -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
    -> netdiag.exe /v > c:\netdiag.log (On each dc)
    -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

    If you download a gui script I wrote it should be simple to set and run
    (DCDiag and NetDiag). It also has the option to run individual tests
    without having to learn all the switch options. The details will be output
    in notepad text files that pop up automagically.

    The script is located in the download section on my website at
    http://www.pbbergs.com

    Just select both dcdiag and netdiag make sure verbose is set. (Leave the
    default settings for dcdiag as set when selected)

    When complete search for fail, error and warning messages.




     
    Paul Bergson [MVP-DS], Jan 25, 2007
    #9
  10. Server Guy

    Server Guy Guest

    Hi,

    The following came from running DCDiag & NetDiag from both the DC and also a
    W2k-SP4 station. When I tried to run from an XP Pro SP2 station I get a
    NTDSA.dll error saying re-installing the application may help.

    Hopefully this will tell what's going on!

    Many thanks for your help!




    From the DC:

    DCDiag:
    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    * Checking Service: w32time
    * Checking Service: TrkWks
    * Checking Service: TrkSvr
    * Checking Service: NETLOGON
    * Checking Service: Dnscache
    Could not open IISADMIN Service on [MyServer]:failed with 1060:
    The specified service does not exist as an installed service.
    * Checking Service: NtFrs
    Could not open SMTPSVC Service on [MyServer]:failed with 1060:
    The specified service does not exist as an installed service.
    ......................... MyServer failed test Services



    NetDiag:
    Trust relationship test. . . . . . : Skipped

    Do Negotiate authenticated LDAP call to 'MyServer.ABC.org'.
    Found 1 entries:
    Attr: currentTime
    Val: 17 20070126020239.0Z
    Attr: subschemaSubentry
    Val: 57 CN=Aggregate,CN=Schema,CN=Configuration,DC=ABC,DC=org
    Attr: dsServiceName
    Val: 109 CN=NTDS
    Settings,CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ABC,DC=org
    Attr: namingContexts
    Val: 44 CN=Schema,CN=Configuration,DC=ABC,DC=org
    Val: 34 CN=Configuration,DC=ABC,DC=org
    Val: 17 DC=ABC,DC=org
    Attr: defaultNamingContext
    Val: 17 DC=ABC,DC=org
    Attr: schemaNamingContext
    Val: 44 CN=Schema,CN=Configuration,DC=ABC,DC=org
    Attr: configurationNamingContext
    Val: 34 CN=Configuration,DC=ABC,DC=org
    Attr: rootDomainNamingContext
    Val: 17 DC=ABC,DC=org
    Attr: supportedControl
    Val: 22 1.2.840.113556.1.4.319
    Val: 22 1.2.840.113556.1.4.801
    Val: 22 1.2.840.113556.1.4.473
    Val: 22 1.2.840.113556.1.4.528
    Val: 22 1.2.840.113556.1.4.417
    Val: 22 1.2.840.113556.1.4.619
    Val: 22 1.2.840.113556.1.4.841
    Val: 22 1.2.840.113556.1.4.529
    Val: 22 1.2.840.113556.1.4.805
    Val: 22 1.2.840.113556.1.4.521
    Val: 22 1.2.840.113556.1.4.970
    Val: 23 1.2.840.113556.1.4.1338
    Val: 22 1.2.840.113556.1.4.474
    Val: 23 1.2.840.113556.1.4.1339
    Val: 23 1.2.840.113556.1.4.1340
    Val: 23 1.2.840.113556.1.4.1413
    Attr: supportedLDAPVersion
    Val: 1 3
    Val: 1 2
    Attr: supportedLDAPPolicies
    Val: 14 MaxPoolThreads
    Val: 15 MaxDatagramRecv
    Val: 16 MaxReceiveBuffer
    Val: 15 InitRecvTimeout
    Val: 14 MaxConnections
    Val: 15 MaxConnIdleTime
    Val: 16 MaxActiveQueries
    Val: 11 MaxPageSize
    Val: 16 MaxQueryDuration
    Val: 16 MaxTempTableSize
    Val: 16 MaxResultSetSize
    Val: 22 MaxNotificationPerConn
    Attr: highestCommittedUSN
    Val: 6 639883
    Attr: supportedSASLMechanisms
    Val: 6 GSSAPI
    Val: 10 GSS-SPNEGO
    Attr: dnsHostName
    Val: 19 MyServer.ABC.org
    Attr: ldapServiceName
    Val: 32 ABC.org:[email protected]
    Attr: serverName
    Val: 92
    CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ABC,DC=org
    Attr: supportedCapabilities
    Val: 22 1.2.840.113556.1.4.800
    Val: 23 1.2.840.113556.1.4.1791
    Attr: isSynchronized
    Val: 4 TRUE
    Attr: isGlobalCatalogReady
    Val: 4 TRUE
    [WARNING] Failed to query SPN registration on DC 'MyServer.ABC.org'.
    ---------------------------


    Workstation
    DCDiag
    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    * Checking Service: w32time
    * Checking Service: TrkWks
    * Checking Service: TrkSvr
    * Checking Service: NETLOGON
    * Checking Service: Dnscache
    Could not open IISADMIN Service on [MyServer]:failed with 1060:
    The specified service does not exist as an installed service.
    * Checking Service: NtFrs
    Could not open SMTPSVC Service on [MyServer]:failed with 1060:
    The specified service does not exist as an installed service.
    ......................... MyServer failed test Services




    Netdiag:
    Trust relationship test. . . . . . : Passed
    Test to ensure DomainSid of domain 'HHWP' is correct.
    Secure channel for domain 'HHWP' is to '\\MyServer.ABC.org'.
    Secure channel for domain 'HHWP' was successfully set to DC
    '\\MyServer.ABC.org'.


    Kerberos test. . . . . . . . . . . : Failed
    Server: ldap/MyServer.ABC.org/ABC.org
    End Time: 1/28/2007 1:38:43
    Renew Time: 2/3/2007 15:38:43
    [FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.


     
    Server Guy, Jan 28, 2007
    #10
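    Posts #4, #9 and #10 all come down to the same task: reading nltest, netdiag and dcdiag output and picking out the lines that carry a verdict (a Status code, a Passed/Failed/Skipped test line, a [FATAL]/[WARNING] tag, a "failed test" summary). The script below is an added example, not something posted in this thread: it parses exactly those line shapes into ok/warn/fail findings so the "search for fail, error and warning" step can be done mechanically. The sample output is constructed from the lines quoted above (MyServer, ABC.org and MIPTEMPORARY$ are the thread's own placeholders); the two Win32 codes it decodes, 5 and 1060, are standard values.

```python
"""Triage nltest / netdiag / dcdiag output into ok / warn / fail findings (added example)."""
import re
from dataclasses import dataclass

# Win32 status codes that appear in the thread's output; both values are standard.
WIN32_ERRORS = {0: "NERR_Success", 5: "ERROR_ACCESS_DENIED", 1060: "ERROR_SERVICE_DOES_NOT_EXIST"}


@dataclass
class Finding:
    severity: str  # "ok", "warn" or "fail"
    tool: str      # nltest, netdiag or dcdiag
    subject: str   # what was checked
    detail: str    # result text or "<code> <symbolic name>"


# "Trusted DC Connection Status Status = 0 0x0 NERR_Success" / "I_NetLogonControl failed: Status = 5 0x5 ..."
STATUS_RE = re.compile(r"^(?P<subject>.*?)\s*Status = (?P<dec>\d+) 0x[0-9a-fA-F]+ (?P<name>\w+)")
# "Kerberos test. . . . . . . . . . . : Failed"
NETDIAG_TEST_RE = re.compile(r"^(?P<name>\w[\w ]*?)[. ]*:\s*(?P<result>Passed|Failed|Skipped)\s*$")
# "[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$."
NETDIAG_TAG_RE = re.compile(r"^\[(?P<tag>FATAL|WARNING)\]\s*(?P<msg>.*)$")
# "......................... MyServer failed test Services"
DCDIAG_RESULT_RE = re.compile(r"^\.{3,}\s*(?P<host>\S+) (?P<result>passed|failed) test (?P<test>\w+)$")
# "Could not open IISADMIN Service on [MyServer]:failed with 1060:"
DCDIAG_CODE_RE = re.compile(r"failed with (?P<code>\d+):")


def triage(text: str, tool: str) -> list[Finding]:
    """Turn one tool's raw output into findings; lines that carry no verdict are ignored."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATUS_RE.match(line):
            code = int(m.group("dec"))
            subject = m.group("subject").rstrip(": ") or "status"
            findings.append(Finding("ok" if code == 0 else "fail", tool, subject, f"{code} {m.group('name')}"))
        elif m := NETDIAG_TEST_RE.match(line):
            verdict = {"Passed": "ok", "Failed": "fail", "Skipped": "warn"}[m.group("result")]
            findings.append(Finding(verdict, tool, m.group("name").strip(), m.group("result")))
        elif m := NETDIAG_TAG_RE.match(line):
            findings.append(Finding("fail" if m.group("tag") == "FATAL" else "warn", tool, m.group("tag"), m.group("msg")))
        elif m := DCDIAG_RESULT_RE.match(line):
            findings.append(Finding("ok" if m.group("result") == "passed" else "fail", tool,
                                    f"{m.group('host')} {m.group('test')}", m.group("result")))
        elif m := DCDIAG_CODE_RE.search(line):
            code = int(m.group("code"))
            findings.append(Finding("warn", tool, line.split(":")[0], f"{code} {WIN32_ERRORS.get(code, 'unknown')}"))
    return findings


def problems(findings: list[Finding]) -> list[Finding]:
    """Everything that is not a clean pass, i.e. what the thread was told to search for."""
    return [f for f in findings if f.severity != "ok"]


# Constructed samples modelled on the output posted in the thread.
NLTEST_OUTPUT = r"""
L:\>nltest /sc_query:ABC.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\MYServer.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

L:\>nltest /sc_verify:ABC.org
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
"""

NETDIAG_OUTPUT = r"""
Trust relationship test. . . . . . : Passed
Secure channel for domain 'HHWP' is to '\\MyServer.ABC.org'.
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.
[WARNING] Failed to query SPN registration on DC 'MyServer.ABC.org'.
"""

DCDIAG_OUTPUT = r"""
Starting test: Services
* Checking Service: NETLOGON
Could not open IISADMIN Service on [MyServer]:failed with 1060:
The specified service does not exist as an installed service.
......................... MyServer failed test Services
"""

if __name__ == "__main__":
    for tool, text in (("nltest", NLTEST_OUTPUT), ("netdiag", NETDIAG_OUTPUT), ("dcdiag", DCDIAG_OUTPUT)):
        for f in problems(triage(text, tool)):
            print(f"{f.severity.upper():4} {f.tool:8} {f.subject}: {f.detail}")
```

    Run against the thread's own excerpts it reports the sc_verify ERROR_ACCESS_DENIED, the failed Kerberos test with its [FATAL] line, the SPN warning, and the Services test failure with its two 1060 causes, while the passing trust-relationship test and the NERR_Success lines stay out of the way.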
  11. Server Guy

    Server Guy Guest

    Hi,

    I did try that. Also tried leaving the domain, renaming the station &
    rebooting, then joining the domain. Same issue. Seems to be something
    deeper wrong here.

    Thanks for trying! I appreciate any thoughts or help!




     
    Server Guy, Jan 28, 2007
    #11
  12. Herb Martin

    Herb Martin Guest

    The other main reason for things like this is incorrect DNS settings.

    Client computers (actually ALL internal computers) must use STRICTLY
    the INTERNAL DNS servers which can resolve your DCs and other
    internal services -- they cannot mix in the ISP or firewall/gateway DNS
    on the NIC->IP Properties.
     
    Herb Martin, Jan 28, 2007
    #12
  13. Server Guy

    Server Guy Guest

    Thanks for the information. I'm looking at any and all causes/solutions.

    I currently have an ISP router listed as the default gateway. I have a
    forwarder from the DC/DNS pointing to it and a route back from the router.
    All has been working well as far as this issue goes for some time now.
    Something has changed that but I don't have a clue at this point what it is.

    Are you saying I should remove the default GW from the NIC > IP Properties?
    I'm willing to try that to see what happens.

    Should I have routing and remote access setup? This would then eliminate the
    ISP router being listed as the default GW for the stations and also the
    DC/DNS box.

    In the past, I've had issues with a remote site via a T1 and Cisco 2620
    routers. That issue is about to take care of itself soon. The other site is
    dropping the T1 and we will have VPN access if needed.

    Many thanks!
     
    Server Guy, Jan 28, 2007
    #13
  14. Herb Martin

    Herb Martin Guest

    Setting external routers is a VERY common mistake, exacerbated by the
    fact that it SEEMS to work, and will work intermittently but never reliably.
    Yes, and it isn't a matter of trying it -- this is a problem, even if not
    your only (or main) problem.

    DNS clients must NEVER have a DNS server listed that cannot resolve
    the internal resources, especially the DCs (i.e., must not have a DNS
    server listed that bypasses the DNS zone.)

    Putting it in as the alternate is NOT sufficient for getting reliable
    results since machines will occasionally "latch onto it" and stay latched for
    unpredictable times.
    No, that isn't necessary (from what you are telling me) and using the gateway
    DNS as your FORWARD is a VERY GOOD practice.
     
    Herb Martin, Jan 28, 2007
    #14
  15. From reading the reply to Herb, you should have the problem found.

    Make the AD DNS server the only DNS server and forward all requests to your
    ISP.



     
    Paul Bergson [MVP-DS], Jan 28, 2007
    #15
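    Herb's rule in #14 and Paul's in #15 are the same configuration check: every internal machine must list only the AD DNS server(s), with no ISP or gateway resolver anywhere in the list, alternates included, because a client can latch onto the alternate. The script below is an added example, not from the thread: it parses `ipconfig /all`-style output and reports, per adapter, any DNS server that is not in the internal set. The adapter names, addresses and the ipconfig excerpt are constructed; 192.168.1.10 stands for the DC/DNS server and 192.168.1.1 for the ISP router.

```python
"""Flag adapters whose DNS server list contains anything but the internal AD DNS servers (added example)."""
import ipaddress
import re

# Constructed value: the DC that runs the internal zone is the only resolver clients may use.
INTERNAL_DNS = {"192.168.1.10"}

# Constructed ipconfig /all excerpt; the second adapter lists the gateway as an alternate resolver.
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : ABC.org
        IP Address. . . . . . . . . . . . : 192.168.1.55
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.56
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.1
"""

# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):\s*$")
# "        DNS Servers . . . . . . . . . . . : 192.168.1.10" -> key, value
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?)[. ]*:\s*(?P<value>.*)$")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text: str) -> dict[str, list[str]]:
    """Map adapter name -> DNS servers in configured order (preferred first, alternates after)."""
    adapters: dict[str, list[str]] = {}
    current = None
    in_dns_list = False
    for line in ipconfig_text.splitlines():
        if m := ADAPTER_RE.match(line):
            current = m.group("name")
            adapters[current] = []
            in_dns_list = False
        elif m := FIELD_RE.match(line):
            in_dns_list = m.group("key") == "DNS Servers"
            value = m.group("value").strip()
            if in_dns_list and current is not None and _is_ip(value):
                adapters[current].append(value)
        elif in_dns_list and current is not None and _is_ip(line.strip()):
            # Continuation line: ipconfig prints additional (alternate) servers indented under the key.
            adapters[current].append(line.strip())
        else:
            in_dns_list = False
    return adapters


def check_dns_clients(adapters: dict[str, list[str]], internal: set[str]) -> dict[str, list[str]]:
    """Per adapter, the DNS servers that are not internal; a hit in any position is a finding."""
    return {
        name: [s for s in servers if s not in internal]
        for name, servers in adapters.items()
        if any(s not in internal for s in servers)
    }


if __name__ == "__main__":
    found = check_dns_clients(parse_dns_servers(IPCONFIG_OUTPUT), INTERNAL_DNS)
    for adapter, servers in found.items():
        print(f"{adapter}: non-internal DNS server(s) {', '.join(servers)} (remove; forward from the DC instead)")
```

    The default gateway entry is deliberately not examined: as Herb says in #18, the gateway stays, only its use as a client DNS server is the problem. Forwarding from the DC's DNS service to the ISP resolver is the recommended place for that address.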
  16. Server Guy

    Server Guy Guest

    I may have more than one issue here, not quite sure yet. Both the
    workstation and DC only have the DC/DNS server listed, no alternate DNS
    servers anywhere in AD.

    I agree with Herb that I need to do a few more things to make DNS more
    stable. But does this cause the Kerberos failed message?

    I'm just trying to make sure I'm tracking down the right thing and not
    breaking something else in the process by me experimenting. I would like to
    fix the "trust Issue" first then move to the DNS side like Herb mentioned
    unless you guys think they are related and both need to be addressed at the
    same time.

    Thanks again Paul & Herb for your time on this very complex issue!!!



     
    Server Guy, Jan 30, 2007
    #16
  17. Server Guy

    Server Guy Guest

    If I remove the ISP router from the Default Gateway, I lose access to the
    Internet. Not sure why that is if everything else seems to be ok. I do have
    a forwarder to the ISP router & a route from the ISP router back. Maybe one
    of those are a problem? If you are saying that should be blank, then I must
    need a change in there.
     
    Server Guy, Jan 30, 2007
    #17
  18. Herb Martin

    Herb Martin Guest

    No one wants you to remove the "default gateway" entry; you have conflated
    the GATEWAY function with using this machine DIRECTLY as a DNS
    server by the clients.

    To repeat:
    "Client computers (actually ALL internal computers) must use STRICTLY
    the INTERNAL DNS servers which can resolve your DCs and other
    internal services -- they cannot mix in the ISP or firewall/gateway DNS
    on the NIC->IP Properties."
    Can you route by IP address? (You can always try tracert 4.2.2.1 or
    tracert ISP.DNS.Server.Address)

    If you can ping and tracert then ROUTING is not your problem. It
    is trivial to distinguish between name resolution and routing: Just try
    something by NAME and then NUMBER, if number works and name
    fails then you have a routing problem.
     
    Herb Martin, Jan 30, 2007
    #18
  19. If you have dns issues, you can have all kinds of problems. Fix DNS and
    then see what else might be wrong.



     
    Paul Bergson [MVP-DS], Jan 30, 2007
    #19
  20. Server Guy

    Server Guy Guest

    I only have a single DC/DNS. If I remove the default GW on both the server
    and a workstation, do an ipconfig /flushdns then ipconfig /registerdns on
    both, would you say that would rule out DNS as being the issue for the orig
    problem of not being able to add a domain user account at a workstation
    because of the trust relationship error?



     
    Server Guy, Jan 30, 2007
    #20