Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cannot change Domain Password on Windows 7 Server

Posted on 2011-09-13
5
957 Views
Last Modified: 2012-05-12
PLEASE NOTE: THIS IS A DIFFERNT ISSUE THEN THE OTHER ISSUES WITH THE SAME ERROR AND I HAVE LOOKED AND TRIED THE MAJORITY OF THOSE SOLUTIONS!

I am running Windows Server 2008 with the domain at Windows Server 2003 functional level and the forest is also Windows Server 2003 functional level.  There is an empty root and a child domain with the resources in the child domain.

The issues is that on ANY server running Windows Server 2008 including the domain controllers, when you try to change the password for the account that is logged on to the domain, the error message of "The security database on the server does not have a computer account for this workstation trust relationship".

I have removed and readded a member server after removing all traces of the server from AD.  I have added it using the NETBIOS name as well as the DNS name, both get the same result.  I have checked the servicePrincipalName (SPN) and all of the correct records are there:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.dns.zone
RestrictedKrbHost/COMPUTERNAME
RestrictedKrbHost/COMPUTERNAME.dns.zone
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.dns.zone
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.dns.zone
When I use network monitor on the member server that I am trying to change the password from I the following KerberosV5 traffic:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
This is following by a few payload TCP Packets then
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

I have placed the member server in the Computers container so it is getting the default domain policy applied that only has the account policy being applied.
0
Comment
Question by:MaloneConsulting
  • 3
5 Comments
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36533112
restart the NTDS services by executing: net stop ntds && net start ntds

If that doesnt do it run: dcdiag.exe /fix
0
 

Author Comment

by:MaloneConsulting
ID: 36549769
Sorry for the delay, I will get back to you as soon as I get a result.
0
 

Accepted Solution

by:
MaloneConsulting earned 0 total points
ID: 36957221
I put in a ticket to Microsoft.   It turned out that we had a rogue record in AD.  Here is a little more information on the troubleshooting and resolution:
•      Captured the password change using Netmon on the member server
•      Found the error 01:47:32 12-10-2011 34.8187800 targetip sourceip KerberosV5 KerberosV5:KRB_ERROR – KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:20, IPv4:18}
•      Executed the follow command on the PDC server: “ldifde –f c:\spn.txt –t 3268 –d dc=domainname,dc=com –l “serviceprincipalname” –r “(serviceprincipalname=kadmin/changepw)” –p subtree > c:\spn_process.txt”
•      Checked the SPN.txt file and found that we had a rogue name
•      Deleted the rogue name using ADSIEDIT
0
 

Author Closing Comment

by:MaloneConsulting
ID: 36978212
Solved with Microsoft Support.  Posted for others
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question