2008 R2 DCPromo with strange authentication and workstation issues

Posted on 2011-05-03
Medium Priority
Last Modified: 2012-05-11
I DCPromo'd 4 new domain controllers in the last 2 weeks.  I am seeing some intermittent issues and I wanted to see if anyone could help.

We have an empty forest root.  "ad.example.com".  I obviously ran the R2 schema updates for the forest and domain.  We have actually had a 2008 R2 DC in the forest root for 7 months without issue.  

We have child domains for each country.  For example, "us.ad.example.com".  I also promoted 2 DC's in this domain within the past 2 weeks.  This domain has the majority of our users.  The majority of our users are XP based with about 15-20% Windows 7.  

A couple of things I have noticed personally and in my group. After my DCPromo on the us.ad.example.com domain, I had the following issue on my Windows 7 desktop:

We login to our systems with our regular user accounts.  For administration we run as our user-admin accounts.  

I clicked "Run as another user" and entered my us.ad.example.com\user-admin account.  I got the following error: "The security database on the server does not have a computer account for this workstation trust relationship."  This happened with anything I ran as my US\user-admin account.  If I used the forest root admin account or my regular user account, they were fine. I only saw this running as US\user-admin.  The computer object existed and looked fine.  

Today I had a co-worker with the EXACT same issue on Windows 7.  His system also stated "The trust relationship between this workstation and the primary domain failed."  He ended up rejoining his system to the domain to get it working again.  I did nothing and after 30 minutes or so it started working again.  

I want to troubleshoot this further since we have had 2 issues already and I don't want this widespread.  We are also seeing strange issues with authentication on our Cisco ACS Wireless in remote domains, but that may be unrelated.  

DCDiags and all the typical troubleshooting has looked fine.  Has anyone seen this before?  It is very strange that it works fine, except for those few users.  
Question by:STEHelp
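The error text quoted above is what a workstation reports when the domain controller it reaches cannot find or validate the workstation's machine account, and the question notes that four DCs were promoted in the preceding two weeks and that the problem cleared on its own after about 30 minutes. The following PowerShell is an added example, not part of the original thread, of the check a practitioner would run on the affected Windows 7 workstation while the symptom is present: confirm the state of the machine's secure channel, see which DC it is bound to, and compare the computer object across every DC in the child domain to find out whether one of the new DCs holds a different (or no) view of it. It assumes the RSAT ActiveDirectory module and repadmin are installed on the workstation, that it is run elevated, and that the domain name is the one from the question.

```powershell
# Added example (not from the original thread). Run elevated on the affected
# Windows 7 workstation while the error is occurring. Assumes RSAT (ActiveDirectory
# module + repadmin) is installed; nltest ships with Windows 7.
Import-Module ActiveDirectory

$domain = 'us.ad.example.com'    # child domain named in the question
$me     = $env:COMPUTERNAME

# 1. Is the secure channel to the domain healthy, and which DC holds it?
#    Test-ComputerSecureChannel returns $false when the trust is broken.
$channelOk = Test-ComputerSecureChannel -Verbose
nltest /sc_query:$domain         # DC the secure channel is currently bound to
nltest /dsgetdc:$domain          # DC the locator would pick right now

# 2. Does every DC in the domain hold the same view of this computer object?
#    A DC that answers "not found", or shows an older pwdLastSet than the others,
#    has not yet received the account (or its latest password change) through
#    replication; that is one way a freshly promoted DC can reject a workstation
#    that the older DCs still accept.
$dcs  = Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
$view = foreach ($dc in $dcs) {
    try {
        $c = Get-ADComputer -Identity $me -Server $dc -Properties pwdLastSet, whenChanged
        New-Object PSObject -Property @{
            DC          = $dc
            Found       = $true
            PwdLastSet  = [DateTime]::FromFileTime($c.pwdLastSet)
            WhenChanged = $c.whenChanged
        }
    } catch {
        New-Object PSObject -Property @{ DC = $dc; Found = $false; PwdLastSet = $null; WhenChanged = $null }
    }
}
$view | Format-Table DC, Found, PwdLastSet, WhenChanged -AutoSize

# 3. If the views disagree, look at replication health from the DCs' side.
repadmin /replsummary
repadmin /showrepl

if (-not $channelOk) {
    Write-Warning ("Secure channel to $domain is broken. " +
        "'Test-ComputerSecureChannel -Repair -Credential (Get-Credential)' resets it without a domain rejoin.")
}
```

If step 2 shows one DC missing the object or lagging on pwdLastSet while the others agree, the 30-minute self-recovery described above is consistent with replication catching up; the repadmin output will show which link is behind. Step 3's repair path avoids the rejoin the co-worker had to perform, since a rejoin also resets the machine password and can reintroduce the same replication race.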

Accepted Solution

Osmoze earned 2000 total points
ID: 35516104
Are both domains remote from each other, or located on the same LAN? Is there a trust relationship between the two domains? Is it bidirectional? Is there any role delegation for users to the other domain?

Author Comment

ID: 35516140
The AD.example.com and US.AD.example.com domains are in the same LAN.  There are some US DC's around the country with T1 links.

The trust type is parent-child, two way, transitive.  

The accounts we are trying to "run as another user" with are US Domain Admins.  


Expert Comment

ID: 35516230
It could be a domain suffix.
Take a look at the GPO entry:
 Computer Configuration/Administrative Templates/Network/DNS Client/Primary DNS Suffix, and check whether it is set correctly (in both domains).

Did you make any updates earlier?
What service packs are installed?

Can you also check the forest functional level and the domain functional level?
Was either domain upgraded from an older Windows NT or 2000 domain? (Just in case.)
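The comment above asks for four things: the effective primary DNS suffix on the workstation, the service pack levels, the forest and domain functional levels, and whether the domains are upgrades from older versions. The PowerShell below is an added example, not code from the thread, that gathers all of them in one pass. The registry paths are the ones the DNS Client policy and the TCP/IP stack use for the suffix; the domain names are taken from the question. It assumes the RSAT ActiveDirectory module is available and that the caller can read both domains.

```powershell
# Added example (not from the original thread). Run on the affected workstation
# (for the suffix checks) with RSAT installed, as a user who can read both domains.
Import-Module ActiveDirectory

$forestRoot = 'ad.example.com'      # empty forest root from the question
$child      = 'us.ad.example.com'   # child domain holding most users

# --- Primary DNS suffix actually in effect on this workstation ---------------
# The GPO "Primary DNS Suffix" writes the policy key; the Tcpip key holds the
# effective value. UseDomainNameDevolution = 1 is "Append parent suffixes".
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
Get-ItemProperty $tcpip | Select-Object Domain, 'NV Domain', SearchList, UseDomainNameDevolution
if (Test-Path $policy) {
    Get-ItemProperty $policy | Select-Object PrimaryDnsSuffix, 'NV PrimaryDnsSuffix'
}
$adDomain = (Get-WmiObject Win32_ComputerSystem).Domain
$suffix   = (Get-ItemProperty $tcpip).'NV Domain'
if ($adDomain -ne $suffix) {
    Write-Warning "AD domain '$adDomain' and primary DNS suffix '$suffix' differ."
}

# --- Forest and domain functional levels (both domains) ---------------------
Get-ADForest -Identity $forestRoot | Select-Object Name, ForestMode
foreach ($d in $forestRoot, $child) {
    Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode, ParentDomain
}

# --- OS, service pack, site and promotion date of every DC in both domains --
# whenCreated on the DC's computer object dates the promotion, so the four
# DCs promoted in the last two weeks stand out in the table.
$dcReport = foreach ($d in $forestRoot, $child) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $d)) {
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $d -Properties whenCreated
        New-Object PSObject -Property @{
            Domain   = $d
            DC       = $dc.HostName
            OS       = $dc.OperatingSystem
            SP       = $dc.OperatingSystemServicePack
            Site     = $dc.Site
            Promoted = $obj.whenCreated
        }
    }
}
$dcReport | Sort-Object Domain, Promoted | Format-Table Domain, DC, OS, SP, Site, Promoted -AutoSize
```

The functional-level output also answers the "upgraded from NT or 2000" question indirectly: a domain still at a Windows 2000 or 2003 mode alongside new 2008 R2 DCs is worth noting in the report before raising the level.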

Author Comment

ID: 35708086
I have SP1 on the 2008 R2 DCs, and both Windows 7 boxes with the issue are at SP1.  I am using "Append primary and connection specific DNS suffixes. Append parent suffixes of the primary DNS suffix".

This won't be an issue for a while, so I am going to close this.  We ended up having an issue with our version of Cisco ACS.  We had some older wireless handhelds and wireless label printers that could not authenticate with 2008 R2 DCs.  Cisco said that we have to replace our appliances before they can support 2008 R2... So we have to demote these DCs and put this on hold :(.  

Thank  you for the help.  

Author Closing Comment

ID: 35708096
This wasn't really the solution, but I didn't see any other way to award points.
