I have a small network that comprises a SBS Windows Server 2003 server and XP workstations.
Due to a server problem the SBS 2003 software had to be re-installed from scratch. On the re-install the same domain name (e.g. business.local) was used and the same user accounts and passwords were re-entered into AD.
However, the trust relationship between the XP workstations and the server has been broken due to the new SID on the server. In the System Log I am seeing NETLOGON errors, Event ID 5805 and 5513, saying that computers failed to authenticate and to re-establish the trust relationship. (I have posted these at the bottom of the question.)
The users are able to log on using their user accounts and get access to server resources as normal. However, the system log is getting the regular computer authentication errors.
For one of the XP clients I have changed the network back to a workgroup type and then re-joined the domain. This has fixed the authentication issues for this one workstation but I have needed to redo all the client accounts on the workstation. With the original SBS configuration I have accounts on the client workstation of "john", "fred" etc. but after rejoining the domain I have "john.BUSINESS" & "fred.BUSINESS".
To redo all the accounts on all the workstations would be a lot of work and therefore I am looking for anything that is a smarter option.
NB I can't use any of the SBS wizards for configuring the clients - the reason for this is that I also have a SCO Unix server that requires static IP addressing as part of the security - so my network has been configured manually.
Can anyone help?
ID 5805
The session setup from the computer SALES failed to authenticate. The following error occurred:
Access is denied.
ID 5513
The computer SALES tried to connect to the server \\SERVER using the trust relationship established by the BUSINESS domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.
Follow these steps EXACTLY to fix the problems:
At the client machine:
1. Log in with THAT machine's LOCAL administrator account.
2. Unjoin the domain into a WORKGROUP
3. Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4. Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients
5. Delete the following Registry Key entirely: HKLM\Software\Microsoft\Sm
6. Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
7. Reboot
Then on the server, from the Server Management Console:
1. Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2. Add the client with its NEW name using the Setup Client Computers wizard
Then, go back to the client machine, log back in with the local Administrator account.
1. If there is more than one network interface, make sure that the only one that's enabled is the one connected to the SBS.
2. Open IE and enter http://<servername>/connectcomput
3. Supply the domain Administrator credentials when requested and assign appropriate user to the machine
4. After the machine reboots the second time, log in with the assigned user's credentials to complete the process.
Jeff
TechSoEasy
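To confirm which workstations are still failing machine authentication, for example after some have been rejoined, the NETLOGON 5805 and 5513 messages quoted in the question can be tallied per computer. This is an added example, not part of the original posts; the (timestamp, event ID, message) record layout, the ACCOUNTS computer name and all timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Message shapes taken from the two NETLOGON events quoted in the question.
PATTERNS = {
    5805: re.compile(r"session setup from the computer (\S+) failed to authenticate"),
    5513: re.compile(r"The computer (\S+) tried to connect to the server"),
}

def failing_computers(records, since=None):
    """Map computer name -> {"events", "count", "last"} for 5805/5513 records.

    records: iterable of (datetime, event_id, message) tuples (assumed layout,
    e.g. parsed from an export of the server's System log).
    since:   ignore records older than this, e.g. the time a machine was rejoined.
    """
    report = {}
    for when, event_id, message in records:
        pattern = PATTERNS.get(event_id)
        if pattern is None or (since is not None and when < since):
            continue
        match = pattern.search(message)
        if not match:
            continue
        name = match.group(1).upper()
        entry = report.setdefault(name, {"events": set(), "count": 0, "last": when})
        entry["events"].add(event_id)
        entry["count"] += 1
        entry["last"] = max(entry["last"], when)
    return report

# Constructed sample records; only SALES, SERVER and BUSINESS appear in the question.
MSG_5805 = ("The session setup from the computer {0} failed to authenticate. "
            "The following error occurred: Access is denied.")
MSG_5513 = (r"The computer {0} tried to connect to the server \\SERVER using the "
            "trust relationship established by the BUSINESS domain.")
SAMPLE = [
    (datetime(2005, 1, 10, 9, 0), 5805, MSG_5805.format("SALES")),
    (datetime(2005, 1, 10, 9, 1), 5513, MSG_5513.format("SALES")),
    (datetime(2005, 1, 10, 9, 10), 5805, MSG_5805.format("ACCOUNTS")),
    (datetime(2005, 1, 10, 9, 30), 7036, "The Print Spooler service entered the running state."),
    (datetime(2005, 1, 10, 14, 0), 5805, MSG_5805.format("ACCOUNTS")),
]

if __name__ == "__main__":
    rejoined = datetime(2005, 1, 10, 12, 0)  # constructed: when SALES was rejoined
    for name, info in sorted(failing_computers(SAMPLE, since=rejoined).items()):
        print(name, sorted(info["events"]), info["count"], info["last"])
```

A computer that still appears when `since` is set to its rejoin time has not had its trust relationship repaired.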