Trust relationship failed between workstation and server
Hi Experts
As usual i'm in a pickle and have attempted to work it out for myself but failing. Any advice and help would be appreciative
Issue:
After joining a XP PRO SP2 laptop to SBS 2003 network using http://<servername>/connectcomput
server reports error netlogon 5722 Accerss is denied when attempting to logon from newly joined laptop.
Background Info:
The SBS server is inherited but I have maintained it for about 2 years now. Fully patched and only 4 machines on network. Have joined machines correctly through connectcomputer. Exchange sP2. Handles mail delivery for 2 domains and using PDA to sync with exchange using utilities in SP2.
Client document redirection enabled redirecting to default shared folder for users.
Laptop in question was running very slow so I gave it a good clean up. It then lost connectivity to server via VPN. VPN is not sbs but directly to watchguard firebox and works fine on other machines.
Brought laptop in to the office and connected on LAN, would not login to the domain. Researched netlogon 5722 and thought that profile on laptop corrupted. Rebuilt laptop from scratch and reinstalled applications. created machine account in wizard. Joined domain through connectcomputer.
machine rebooted twice. Would not logon to domain.
In AD Domains and Trusts then domain name is city123limited,local but th pre windows 2000 name is city123
In AD Sites and services the full name is server.city123limited.loca
When a machine joins the domain the domain in the logion box is listed as city123
Results of nltest that are puzzling me
C:\WINDOWS\system32>
C:\WINDOWS\system32>nltest
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
BUT
C:\WINDOWS\system32>nltest
DC: \\MAIL
Address: \\192.168.0.2
Dom Guid: 7fc6b60f-df84-4def-bef8-a0
Dom Name: city123
Forest Name: city123limited.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S
ITE
The command completed successfully
From what I can see there seems to be an issue with the secure channel between newly joined machine and server but all google results bring me to issue with trusts in 2K and 2003 but this is a standalone SBS2003
Many thanks for taking the time to read this and I will respond as quickly as possible to any further questions athough my internet access is limited from tonight through to Sunday night.
Regards
Robin
As usual i'm in a pickle and have attempted to work it out for myself but failing. Any advice and help would be appreciative
Issue:
After joining a XP PRO SP2 laptop to SBS 2003 network using http://<servername>/connectcomput
server reports error netlogon 5722 Accerss is denied when attempting to logon from newly joined laptop.
Background Info:
The SBS server is inherited but I have maintained it for about 2 years now. Fully patched and only 4 machines on network. Have joined machines correctly through connectcomputer. Exchange sP2. Handles mail delivery for 2 domains and using PDA to sync with exchange using utilities in SP2.
Client document redirection enabled redirecting to default shared folder for users.
Laptop in question was running very slow so I gave it a good clean up. It then lost connectivity to server via VPN. VPN is not sbs but directly to watchguard firebox and works fine on other machines.
Brought laptop in to the office and connected on LAN, would not login to the domain. Researched netlogon 5722 and thought that profile on laptop corrupted. Rebuilt laptop from scratch and reinstalled applications. created machine account in wizard. Joined domain through connectcomputer.
machine rebooted twice. Would not logon to domain.
In AD Domains and Trusts then domain name is city123limited,local but th pre windows 2000 name is city123
In AD Sites and services the full name is server.city123limited.loca
When a machine joins the domain the domain in the logion box is listed as city123
Results of nltest that are puzzling me
C:\WINDOWS\system32>
C:\WINDOWS\system32>nltest
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
BUT
C:\WINDOWS\system32>nltest
DC: \\MAIL
Address: \\192.168.0.2
Dom Guid: 7fc6b60f-df84-4def-bef8-a0
Dom Name: city123
Forest Name: city123limited.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S
ITE
The command completed successfully
From what I can see there seems to be an issue with the secure channel between newly joined machine and server but all google results bring me to issue with trusts in 2K and 2003 but this is a standalone SBS2003
Many thanks for taking the time to read this and I will respond as quickly as possible to any further questions athough my internet access is limited from tonight through to Sunday night.
Regards
Robin
ASKER
Hi KCTS
Thanks for your response
I have done this multiple times and I still have the issue...any further thoughts?
Regards
Thanks for your response
I have done this multiple times and I still have the issue...any further thoughts?
Regards
you can't simply remove a workstation from an SBS domain and rejoin it if you wan it to work correctly. Please follow all the steps oulined in http://sbsurl.com/rejoin
Jeff
TechSoEasy
Jeff
TechSoEasy
ASKER
Jeff
Thanks for your response - when removing workstations from a SBS domain I always follow the procedure outlined in the link. Additionally referring to my narrrative above, the laptop was rebuilt completely so it was in workgroup mode with no program files\sbs client directory and although it joined the domain and rebooted twice I still received the 5722 error message on the server and the error statement: "domain unavilable......" on the laptop
Do you have any thoughts on the discrepancy within nltest...becoming desperate as one quarter of the workforce is down
Regards
Robin
Thanks for your response - when removing workstations from a SBS domain I always follow the procedure outlined in the link. Additionally referring to my narrrative above, the laptop was rebuilt completely so it was in workgroup mode with no program files\sbs client directory and although it joined the domain and rebooted twice I still received the 5722 error message on the server and the error statement: "domain unavilable......" on the laptop
Do you have any thoughts on the discrepancy within nltest...becoming desperate as one quarter of the workforce is down
Regards
Robin
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
nltest /sc_query should be pointed to your DOMAIN, not the NETBIOS name. So if you ran nltest /sc_query:city123limited.l
Jeff
TechSoEasy
Jeff
TechSoEasy
The issue is that you've used a separate NETBIOS name that doesn't match your AD Domain Name. I'm not sure why you chose to do this, but it does cause a few things to behave differently...
For instance, you said, "When a machine joins the domain the domain in the logion box is listed as city123"
This is fine, because the logon box domain name would list the NETBIOS name, not the full domain. However, if you entered administrator@city123limit
Jeff
TechSoEasy
For instance, you said, "When a machine joins the domain the domain in the logion box is listed as city123"
This is fine, because the logon box domain name would list the NETBIOS name, not the full domain. However, if you entered administrator@city123limit
Jeff
TechSoEasy
I should point out as well, that using nltest in an SBS environment is generally not done because most of the things it checks for aren't supported on SBS (primarily trusts).
Jeff
TechSoEasy
Jeff
TechSoEasy
ASKER
Jeff -
Agree completely with the whole NetBIOS and AD naming convention - as stated in the post, its a inherited network. Also makes sense what you've said as regards to nltest in a SBS domain.
KCTS -
I will rejoin the domain using the advice of entering static DNS which makes me think maybe putting an entry into the Hosts file
Will update you both within 36hours to see if its worked as the laptop has gone back to the user and he is using OWA to access mail rather than through VPN and being on the domain.
Agree completely with the whole NetBIOS and AD naming convention - as stated in the post, its a inherited network. Also makes sense what you've said as regards to nltest in a SBS domain.
KCTS -
I will rejoin the domain using the advice of entering static DNS which makes me think maybe putting an entry into the Hosts file
Will update you both within 36hours to see if its worked as the laptop has gone back to the user and he is using OWA to access mail rather than through VPN and being on the domain.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Resolved through resetting the IP stack on the server, rejoining the machine to the domain again.
Thanks
Thanks
Check the computer account has been removed fro active directory - if not delete it manually
Add the computer back into the domain