• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 695
  • Last Modified:

Trust relationship failed between workstation and server

Hi Experts
As usual i'm in a pickle and have attempted to work it out for myself but failing. Any advice and help would be appreciative

Issue:
After joining a XP PRO SP2 laptop to SBS 2003 network using http://<servername>/connectcomputer, all fine and reboots twuice (creating the sb_instal profile) but will not logon on to the domain with any credentials and get errors saying domain not available etc.
server reports error netlogon 5722 Accerss is denied when attempting to logon from newly joined laptop.

Background Info:
The SBS server is inherited but I have maintained it for about 2 years now. Fully patched and only 4 machines on network. Have joined machines correctly through connectcomputer. Exchange sP2. Handles mail delivery for 2 domains and using PDA to sync with exchange using utilities in SP2.
Client document redirection enabled redirecting to default shared folder for users.

Laptop in question was running very slow so I gave it a good clean up. It then lost connectivity to server via VPN. VPN is not sbs but directly to watchguard firebox and works fine on other machines.
Brought laptop in to the office and connected on LAN, would not login to the domain. Researched netlogon 5722 and thought that profile on laptop corrupted. Rebuilt laptop from scratch and reinstalled applications. created machine account in wizard. Joined domain through connectcomputer.
machine rebooted twice. Would not logon to domain.

In AD Domains and Trusts then domain name is city123limited,local but th pre windows 2000 name is city123
In AD Sites and services the full name is server.city123limited.local
When a machine joins the domain the domain in the logion box is listed as city123

Results of nltest that are puzzling me

C:\WINDOWS\system32>
C:\WINDOWS\system32>nltest /sc_query:city123
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

BUT

C:\WINDOWS\system32>nltest /dsgetdc:city123
           DC: \\MAIL
      Address: \\192.168.0.2
     Dom Guid: 7fc6b60f-df84-4def-bef8-a016b50fe902
     Dom Name: city123
  Forest Name: city123limited.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S
ITE
The command completed successfully

From what I can see there seems to be an issue with the secure channel between newly joined machine and server but all google results bring me to issue with trusts in 2K and 2003 but this is a standalone SBS2003

Many thanks for taking the time to read this and I will respond as quickly as possible to any further questions athough my internet access is limited from tonight through to Sunday night.

Regards
Robin
0
RobKanj
Asked:
RobKanj
  • 5
  • 4
  • 2
2 Solutions
 
KCTSCommented:
Try removing the computer from the domain again.
Check the computer account has been removed fro active directory - if not delete it manually
Add the computer back into the domain
0
 
RobKanjAuthor Commented:
Hi KCTS
Thanks for your response
I have done this multiple times and I still have the issue...any further thoughts?
Regards
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
you can't simply remove a workstation from an SBS domain and rejoin it if you wan it to work correctly.  Please follow all the steps oulined in http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
RobKanjAuthor Commented:
Jeff
Thanks for your response  - when removing workstations from a SBS domain I always follow the procedure outlined in the link.  Additionally referring to my narrrative above, the laptop was rebuilt completely so it was in workgroup mode with no program files\sbs client directory and although it joined the domain and rebooted twice I still received the 5722 error message on the server and the error statement: "domain unavilable......" on the laptop
Do you have any thoughts on the discrepancy within nltest...becoming desperate as one quarter of the workforce is down
Regards
Robin

0
 
KCTSCommented:
Check the DNS settings - make sure that the preferred DNS server on all clients points to the domain controller.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
nltest /sc_query should be pointed to your DOMAIN, not the NETBIOS name.  So if you ran nltest /sc_query:city123limited.local, you would have not gotten the error message.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
The issue is that you've used a separate NETBIOS name that doesn't match your AD Domain Name.  I'm not sure why you chose to do this, but it does cause a few things to behave differently...

For instance, you said, "When a machine joins the domain the domain in the logion box is listed as city123"

This is fine, because the logon box domain name would list the NETBIOS name, not the full domain.  However, if you entered administrator@city123limited.local in the username box you'd see that the domain box would grey out.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I should point out as well, that using nltest in an SBS environment is generally not done because most of the things it checks for aren't supported on SBS (primarily trusts).

Jeff
TechSoEasy
0
 
RobKanjAuthor Commented:
Jeff -
Agree completely with the whole NetBIOS and AD naming convention - as stated in the post, its a inherited network. Also makes sense what you've said as regards to nltest in a SBS domain.

KCTS -
I will rejoin the domain using the advice of entering static DNS which makes me think maybe putting an entry into the Hosts file

Will update you both within 36hours to see if its worked as the laptop has gone back to the user and he is using OWA to access mail rather than through VPN and being on the domain.

0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Please do not just unjoin and rejoin the machine without following the steps I detailed in the link posted above.

Jeff
TechSoEasy
0
 
RobKanjAuthor Commented:
Resolved through resetting the IP stack on the server, rejoining the machine to the domain again.
Thanks
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now