CIAD Support
Windows 7, passwords changes error with DC
Hi dear,
We actually encounter a strange problem with our Windows 7 clients.
We have a 2003 domain, with only one forest. We added a 2008 R2 domain controller a few days ago; everything works well.
Today, when we try to modify users' passwords, we receive the following message: "The security database on the server does not have a computer account for this workstation trust relationship". It appears only on Windows 7 clients.
I've found some solutions (this one for example, https://www.experts-exchange.com/questions/23258126/The-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship.html) but they don't work.
Microsoft gives us some solutions too (http://technet.microsoft.com/en-us/library/ee849847(WS.10).aspx), but with no results either.
Any ideas?
Thanks
I think the PC has lost its computer account from the DC. Try removing and rejoining the PC to the domain.
The MS article seems to be around joining PCs to a domain, rather than PWD changes.
2 suggestions:
What is your domain functional level? If it's still @ 2000 level then you need to raise it anyway.
Check your policies - your LanMan authentication policy may be having some effect.
Check your domain suffix policies, esp in DHCP.
This article indicates that it has solved the problem:
http://social.technet.microsoft.com/Forums/en-US/itprovistasp/thread/31905c1a-5c25-4426-ac8d-677004c21f5d
A more labour-intensive suggestion from other forums is to disjoin the machine from the domain and re-join it again.
ASKER
Our domain is 2003 full, no 2000. We have controlled the DHCP and the suffix policies; everything is in order!
When we stop the 2008R2 controller, it works and our Win 7 clients can change their passwords and log on correctly directly after, so it seems that the 2008 DC is the source of the problem.
Could this event be linked with our problem?
"The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server."
Thanks for your answers
ASKER
So we tried to change the Local security settings to "Use LM and NTLM - use NTLM v2 session security if negotiated." on both the DC and the client, but nothing changed...
I'm continuing my investigations.
ASKER
Problem solved: some bad replications between the DCs. Everything works now.
ASKER
Help us to find problem