Solved

Cannot change Domain Password on Windows 7 Server

Posted on 2011-09-13
5
972 Views
Last Modified: 2012-05-12
PLEASE NOTE: THIS IS A DIFFERNT ISSUE THEN THE OTHER ISSUES WITH THE SAME ERROR AND I HAVE LOOKED AND TRIED THE MAJORITY OF THOSE SOLUTIONS!

I am running Windows Server 2008 with the domain at Windows Server 2003 functional level and the forest is also Windows Server 2003 functional level.  There is an empty root and a child domain with the resources in the child domain.

The issues is that on ANY server running Windows Server 2008 including the domain controllers, when you try to change the password for the account that is logged on to the domain, the error message of "The security database on the server does not have a computer account for this workstation trust relationship".

I have removed and readded a member server after removing all traces of the server from AD.  I have added it using the NETBIOS name as well as the DNS name, both get the same result.  I have checked the servicePrincipalName (SPN) and all of the correct records are there:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.dns.zone
RestrictedKrbHost/COMPUTERNAME
RestrictedKrbHost/COMPUTERNAME.dns.zone
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.dns.zone
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.dns.zone
When I use network monitor on the member server that I am trying to change the password from I the following KerberosV5 traffic:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
This is following by a few payload TCP Packets then
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

I have placed the member server in the Computers container so it is getting the default domain policy applied that only has the account policy being applied.
0
Comment
Question by:MaloneConsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36533112
restart the NTDS services by executing: net stop ntds && net start ntds

If that doesnt do it run: dcdiag.exe /fix
0
 

Author Comment

by:MaloneConsulting
ID: 36549769
Sorry for the delay, I will get back to you as soon as I get a result.
0
 

Accepted Solution

by:
MaloneConsulting earned 0 total points
ID: 36957221
I put in a ticket to Microsoft.   It turned out that we had a rogue record in AD.  Here is a little more information on the troubleshooting and resolution:
•      Captured the password change using Netmon on the member server
•      Found the error 01:47:32 12-10-2011 34.8187800 targetip sourceip KerberosV5 KerberosV5:KRB_ERROR – KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:20, IPv4:18}
•      Executed the follow command on the PDC server: “ldifde –f c:\spn.txt –t 3268 –d dc=domainname,dc=com –l “serviceprincipalname” –r “(serviceprincipalname=kadmin/changepw)” –p subtree > c:\spn_process.txt”
•      Checked the SPN.txt file and found that we had a rogue name
•      Deleted the rogue name using ADSIEDIT
0
 

Author Closing Comment

by:MaloneConsulting
ID: 36978212
Solved with Microsoft Support.  Posted for others
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A procedure for exporting installed hotfix details of remote computers using powershell
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question