SBS 2003 and XP Workstations - re-establishing trust relationship after new install

ellisdav44
I have a small network that comprises a SBS Windows Server 2003 server and XP workstations.

Due to a server problem the SBS 2003 software had to be re-installed from scratch. On the re-install the same domain name (e.g. business.local) was used and the same user accounts and passwords were re-entered into AD.

However, the trust relationship between the XP workstations and the server has been broken due to the new SID on the server. In the System Log I am seeing NETLOGON errors Event Id 5805 and 5513 saying that computers failed to authenticate and to re-establish the trust relationship. (I have posted these at the bottom of the question.)

The users are able to logon using their user accounts and get access to server resources as normal. However, the system log is getting the regular computer authentication errors.

For one of the XP clients I have changed the network back to a workgroup type and then re-joined the domain. This has fixed the authentication issues for this one workstation but I have needed to redo all the client accounts on the workstation. With the original SBS configuration I have accounts on the client workstation of "john", "fred" etc. but after rejoining the domain I have "john.BUSINESS" & "fred.BUSINESS".

To redo all the accounts on all the workstations would be a lot of work and therefore I am looking for anything that is a smarter option.

NB I can't use any of the SBS wizards for configuring the clients - the reason for this is that I also have a SCO Unix server that requires static IP addressing as part of the security - so my network has been configured manually.

Can any one help ?

ID 5805
The session setup from the computer SALES failed to authenticate. The following error occurred:
Access is denied.

ID 5513
The computer SALES tried to connect to the server \\SERVER using the trust relationship established by the BUSINESS domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.
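The two event texts above both carry the name of the failing client, so the System log on the rebuilt server is enough to inventory which workstations still have a broken secure channel. The script below is an added example, not code from the original question or from SBS. It assumes Windows PowerShell 2.0 has been installed on the Server 2003 box (it is not there by default), that it runs as a domain administrator, and that the computer name in the message is the NetBIOS name of the workstation. For each name it also reports whether a computer account currently exists in AD, which on a from-scratch rebuild will be false until that machine is rejoined.

```powershell
# Added example, not code from the original thread or from SBS. Run on the SBS 2003
# server as a domain administrator. Assumes Windows PowerShell 2.0 is installed
# (Server 2003 ships without it). Lists workstations whose secure channel to the DC
# is broken, using the NETLOGON 5805/5513 System-log events quoted in the question.

$eventIds = 5805, 5513

$events = Get-EventLog -LogName System -Source NETLOGON -ErrorAction Stop |
    Where-Object { $eventIds -contains $_.EventID }

# Both message texts name the client right after the word "computer":
#   5805: "The session setup from the computer SALES failed to authenticate. ..."
#   5513: "The computer SALES tried to connect to the server \\SERVER using ..."
$namePattern = 'computer (\S+) (?:failed|tried)'

function Test-ComputerAccountExists([string]$Name) {
    # [adsisearcher] is the PowerShell 2.0 shortcut for a DirectorySearcher bound to
    # the default naming context of the domain this server belongs to. The name is
    # restricted to NetBIOS-safe characters before it is placed in the LDAP filter.
    if ($Name -notmatch '^[A-Za-z0-9\-]{1,15}$') { return $false }
    $searcher = [adsisearcher]"(&(objectCategory=computer)(cn=$Name))"
    return ($searcher.FindOne() -ne $null)
}

$broken = @{}
foreach ($e in $events) {
    if ($e.Message -notmatch $namePattern) { continue }
    $name = $Matches[1].ToUpper()
    if (-not $broken.ContainsKey($name)) {
        $broken[$name] = New-Object PSObject -Property @{
            Computer = $name
            Events   = 0
            LastSeen = $e.TimeGenerated
            EventIds = @()
            InAD     = Test-ComputerAccountExists $name
        }
    }
    $entry = $broken[$name]
    $entry.Events++
    if ($e.TimeGenerated -gt $entry.LastSeen) { $entry.LastSeen = $e.TimeGenerated }
    if ($entry.EventIds -notcontains $e.EventID) { $entry.EventIds += $e.EventID }
}

# One row per workstation, most recently failing first.
$broken.Values |
    Sort-Object LastSeen -Descending |
    Format-Table Computer, Events, LastSeen, InAD,
        @{ Name = 'EventIds'; Expression = { ($_.EventIds | Sort-Object) -join ',' } } -AutoSize
```

On any workstation in the list, `nltest /sc_verify:BUSINESS` (nltest ships in the Windows XP Support Tools, not in XP itself) shows the same broken secure channel from the client side, and running it again after the rejoin confirms the trust was actually re-established rather than the errors merely going quiet.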


Jeffrey Kane - TechSoEasy, Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
You need to remove and rejoin the workstations properly using http://<servername>/connectcomputer.  This will not only fix the NETLOGON errors, but this method also has a profile migration component that will automatically migrate over the previous user profiles.

Follow these steps EXACTLY to fix the problems:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients
5.  Delete the following Registry Key entirely:  HKLM\Software\Microsoft\SmallBusinessServer
6.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
7.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Setup Client Computers wizard

Then, go back to the client machine, log back in with the local Administrator account.
1.  If there is more than one network interface, make sure that the only one that's enabled is the one connected to the SBS.
2.  Open IE and enter http://<servername>/connectcomputer in the address bar
3.  Supply the domain Administrator credentials when requested and assign appropriate user to the machine
4.  After the machine reboots the second time, log in with the assigned user's credentials to complete the process.

Jeff
TechSoEasy
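Jeff's client-side steps 1 to 7, written as a script. This is an added example and not his procedure's code, nor anything shipped with SBS or Windows; it assumes Windows PowerShell 2.0 has been installed on the XP SP3 workstation (XP does not include it), that it is run from that machine's LOCAL Administrator account, and that the name passed as -NewName has never been used on the SBS. The server-side steps and the connectcomputer run remain manual as described above. Step 6 deliberately switches the adapter to DHCP, overriding the static addressing the question mentions; the script does not restore it.

```powershell
# Added example, not code from the thread or from SBS. Client-side steps 1-7 of the
# procedure above, for an XP SP3 workstation with Windows PowerShell 2.0 installed,
# run from that machine's LOCAL Administrator account.
# Usage:  .\Reset-SbsClient.ps1 -NewName SALES2      (a name never used on the SBS)
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9\-]{1,15}$')]   # NetBIOS-safe computer name
    [string]$NewName
)

# Step 1: refuse to run under a domain account; the unjoin must come from a local one.
if ($env:USERDOMAIN -ne $env:COMPUTERNAME) {
    throw "Log on with the LOCAL Administrator account, not $env:USERDOMAIN\$env:USERNAME."
}

$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$env:COMPUTERNAME is not joined to a domain." }
if ($NewName -ieq $env:COMPUTERNAME) { throw "The new name must differ from the current one." }

# Step 2: leave the domain. Option 0 = do not try to disable the computer account on
# the DC, so the rebuilt server (which no longer holds a valid account for this
# machine) is not contacted. The machine drops into the default workgroup WORKGROUP.
$r = $cs.UnjoinDomainOrWorkgroup($null, $null, 0)
if ($r.ReturnValue -ne 0) { throw "UnjoinDomainOrWorkgroup failed with code $($r.ReturnValue)" }

# Step 3: a never-before-used name; it takes effect at the reboot in step 7.
$r = $cs.Rename($NewName, $null, $null)
if ($r.ReturnValue -ne 0) { throw "Rename to $NewName failed with code $($r.ReturnValue)" }

# Step 4: move the old SBS client files aside (renamed rather than deleted, so they
# can still be inspected if the rejoin misbehaves).
$clientDir = Join-Path $env:ProgramFiles 'Microsoft Windows Small Business Server\Clients'
if (Test-Path $clientDir) {
    Rename-Item $clientDir ("Clients.old-" + (Get-Date -Format yyyyMMddHHmm))
}

# Step 5: remove the stale SBS client state from the registry.
$key = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer'
if (Test-Path $key) { Remove-Item $key -Recurse -Force }

# Step 6: DHCP for both address and DNS on every IP-enabled adapter.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    [void]$_.EnableDHCP()
    [void]$_.SetDNSServerSearchOrder()      # no list = take DNS servers from DHCP
}

# Step 7: reboot; both the unjoin and the rename are pending until then.
Restart-Computer -Force
```

After the reboot, continue with the server-side steps and then http://<servername>/connectcomputer exactly as listed above; the script only clears the client so that the wizard starts from a machine the SBS has never seen.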
Have you tried to restore the System State data from a backup? If you don't have any backup I am afraid you have no choice but to redo all workstations.

Author

Commented:
Jeff, I followed the steps as you described - but without the desired outcome.

I ran the ConnectComputer wizard, supplied the administrator credentials and then picked the appropriate user from the list.

The wizard also showed me two local accounts on the machine which I could import (local administrator plus one other) - neither of these were the previous client account that I was trying to preserve. I picked neither of the two accounts offered - the wizard completed but the result was the same as when I manually un-joined and re-joined the domain e.g. a new account "username.BUSINESS".

Looking inside Docs&Settings I see various user accounts still listed e.g. administrator, administrator.BUSINESS, username, username.BUSINESS etc.

Any additional thoughts ?

Jeffrey Kane - TechSoEasy
Commented:
The proper way to do it if the list of accounts shown does not include your user is to choose NONE.   That would normally just pick up the username folder.  However, if username.BUSINESS already existed, then you should have deleted that one first.  For more information on profile migration with connectcomputer, see this article:

http://www.certmag.com/content/A_-_Community_Networking_(Article)/819/158/default.asp

Jeff
TechSoEasy

Author

Commented:
Jeff, sorry for taking so long to add to the problem history.

When I ran the ConnectComputer wizard the account I was trying to preserve was not listed - only two local accounts, administrator plus one other.  At this stage an account called username.BUSINESS did not exist on the machine.

As you suggested, I picked the wizard option "none" and the wizard completed normally but in doing so created the username.BUSINESS account. This of course had none of the settings I was trying to retain.

Given the number of machines I had already disconnected from the domain and then re-joined the domain, I continued and converted all the remaining workstations manually.

In preparation for the next server failure, I'll make sure we have a reliable backup of the system state.

Thanks again for your help.
Dave
Jeffrey Kane - TechSoEasy

Commented:
"At this stage an account called username.BUSINESS did not exist on the machine"

Just FYI, an account called username.BUSINESS would NEVER exist on the local machine.  The profile might be there, but the account is a DOMAIN account and therefore the account exists on the Domain Controller (your SBS) as a user account.  If there is still a folder called username.BUSINESS that you want to have used as that particular user's profile, you should continue with ConnectComputer, and select "None" and allow a profile to be built automatically.

You can then copy the contents from "username.BUSINESS" into the new "username" or "username.BUSINESS.001" folder.  This is most easily done while nobody is logged into that workstation, using Windows Explorer from the Server.

Jeff
TechSoEasy
