Solved

Cannot change Domain Password on Windows 7 Server

Posted on 2011-09-13
1,011 Views
Last Modified: 2012-05-12
PLEASE NOTE: THIS IS A DIFFERENT ISSUE THAN THE OTHER ISSUES WITH THE SAME ERROR AND I HAVE LOOKED AT AND TRIED THE MAJORITY OF THOSE SOLUTIONS!

I am running Windows Server 2008 with the domain at Windows Server 2003 functional level and the forest is also Windows Server 2003 functional level.  There is an empty root and a child domain with the resources in the child domain.

The issue is that on ANY server running Windows Server 2008, including the domain controllers, when you try to change the password for the account that is logged on to the domain, the error message "The security database on the server does not have a computer account for this workstation trust relationship" is returned.

I have removed and re-added a member server after removing all traces of the server from AD.  I have added it using the NETBIOS name as well as the DNS name; both get the same result.  I have checked the servicePrincipalName (SPN) and all of the correct records are there:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.dns.zone
RestrictedKrbHost/COMPUTERNAME
RestrictedKrbHost/COMPUTERNAME.dns.zone
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.dns.zone
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.dns.zone
When I use Network Monitor on the member server that I am trying to change the password from, I see the following KerberosV5 traffic:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
This is followed by a few payload TCP packets, then:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

I have placed the member server in the Computers container so it is getting the default domain policy applied that only has the account policy being applied.
Question by:MaloneConsulting
5 Comments
Expert Comment

by:warddhooghe
ID: 36533112
Restart the NTDS service by executing: net stop ntds && net start ntds

If that doesn't do it, run: dcdiag.exe /fix

Author Comment

by:MaloneConsulting
ID: 36549769
Sorry for the delay, I will get back to you as soon as I get a result.

Accepted Solution

by:MaloneConsulting (earned 0 total points)
ID: 36957221
I put in a ticket to Microsoft.  It turned out that we had a rogue record in AD.  Here is a little more information on the troubleshooting and resolution:
• Captured the password change using Netmon on the member server
• Found the error: 01:47:32 12-10-2011 34.8187800 targetip sourceip KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:20, IPv4:18}
• Executed the following command on the PDC server: ldifde -f c:\spn.txt -t 3268 -d dc=domainname,dc=com -l "serviceprincipalname" -r "(serviceprincipalname=kadmin/changepw)" -p subtree > c:\spn_process.txt
• Checked the spn.txt file and found that we had a rogue name
• Deleted the rogue name using ADSIEDIT
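The same Global Catalog check that the accepted solution runs with ldifde, written as a PowerShell script. This is an added example, not code from the thread or from Microsoft Support; it assumes a domain-joined Windows host with a user that can read the GC, and it goes one step further than the thread by flagging any holder of the kadmin/changepw SPN that is not a domain's built-in krbtgt account (the only account that should normally carry it).

```powershell
# Added example (not part of the original thread). Enumerate every object in
# the forest-wide Global Catalog (port 3268, same scope as the thread's ldifde
# call) that carries the kadmin/changepw SPN, then flag any holder other than
# a krbtgt account as the stray entry to inspect and clean up in ADSI Edit.
# Assumption: the krbtgt account of each domain is the only legitimate holder.

# Forest root naming context from the local RootDSE; works from a child domain.
$rootDse   = [ADSI]"LDAP://RootDSE"
$forestNC  = $rootDse.rootDomainNamingContext.Value
$gcRoot    = [ADSI]"GC://$forestNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$searcher.Filter      = "(servicePrincipalName=kadmin/changepw)"
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "objectClass"))

# One record per SPN holder, with the most specific objectClass value.
$holders = foreach ($result in $searcher.FindAll()) {
    [pscustomobject]@{
        Name  = ($result.Properties["samaccountname"]   | Select-Object -First 1)
        Class = ($result.Properties["objectclass"]      | Select-Object -Last 1)
        DN    = ($result.Properties["distinguishedname"] | Select-Object -First 1)
    }
}

Write-Host "Objects holding servicePrincipalName=kadmin/changepw:"
$holders | Format-Table -AutoSize

# Anything that is not krbtgt is the duplicate SPN the KDC was matching on,
# which produced KDC_ERR_S_PRINCIPAL_UNKNOWN for the password-change request.
$rogue = $holders | Where-Object { $_.Name -ne "krbtgt" }
if ($rogue) {
    Write-Warning "Unexpected kadmin/changepw SPN holder(s) found; review before removing:"
    $rogue | Format-Table -AutoSize
} else {
    Write-Host "Only krbtgt accounts hold kadmin/changepw; no duplicate SPN found."
}
```

Run it before and after the cleanup: the second run should list only the krbtgt account of each domain in the forest.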

Author Closing Comment

by:MaloneConsulting
ID: 36978212
Solved with Microsoft Support.  Posted for others
