Solved

Cannot change Domain Password on Windows 7 Server

Posted on 2011-09-13
5
996 Views
Last Modified: 2012-05-12
PLEASE NOTE: THIS IS A DIFFERNT ISSUE THEN THE OTHER ISSUES WITH THE SAME ERROR AND I HAVE LOOKED AND TRIED THE MAJORITY OF THOSE SOLUTIONS!

I am running Windows Server 2008 with the domain at Windows Server 2003 functional level and the forest is also Windows Server 2003 functional level.  There is an empty root and a child domain with the resources in the child domain.

The issues is that on ANY server running Windows Server 2008 including the domain controllers, when you try to change the password for the account that is logged on to the domain, the error message of "The security database on the server does not have a computer account for this workstation trust relationship".

I have removed and readded a member server after removing all traces of the server from AD.  I have added it using the NETBIOS name as well as the DNS name, both get the same result.  I have checked the servicePrincipalName (SPN) and all of the correct records are there:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.dns.zone
RestrictedKrbHost/COMPUTERNAME
RestrictedKrbHost/COMPUTERNAME.dns.zone
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.dns.zone
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.dns.zone
When I use network monitor on the member server that I am trying to change the password from I the following KerberosV5 traffic:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
This is following by a few payload TCP Packets then
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

I have placed the member server in the Computers container so it is getting the default domain policy applied that only has the account policy being applied.
0
Comment
Question by:MaloneConsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36533112
restart the NTDS services by executing: net stop ntds && net start ntds

If that doesnt do it run: dcdiag.exe /fix
0
 

Author Comment

by:MaloneConsulting
ID: 36549769
Sorry for the delay, I will get back to you as soon as I get a result.
0
 

Accepted Solution

by:
MaloneConsulting earned 0 total points
ID: 36957221
I put in a ticket to Microsoft.   It turned out that we had a rogue record in AD.  Here is a little more information on the troubleshooting and resolution:
•      Captured the password change using Netmon on the member server
•      Found the error 01:47:32 12-10-2011 34.8187800 targetip sourceip KerberosV5 KerberosV5:KRB_ERROR – KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:20, IPv4:18}
•      Executed the follow command on the PDC server: “ldifde –f c:\spn.txt –t 3268 –d dc=domainname,dc=com –l “serviceprincipalname” –r “(serviceprincipalname=kadmin/changepw)” –p subtree > c:\spn_process.txt”
•      Checked the SPN.txt file and found that we had a rogue name
•      Deleted the rogue name using ADSIEDIT
0
 

Author Closing Comment

by:MaloneConsulting
ID: 36978212
Solved with Microsoft Support.  Posted for others
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question