Solved

Cannot change Domain Password on Windows 7 Server

Posted on 2011-09-13
939 Views
Last Modified: 2012-05-12
PLEASE NOTE: THIS IS A DIFFERENT ISSUE FROM THE OTHER ISSUES WITH THE SAME ERROR, AND I HAVE LOOKED AT AND TRIED THE MAJORITY OF THOSE SOLUTIONS!

I am running Windows Server 2008 with the domain at Windows Server 2003 functional level and the forest is also Windows Server 2003 functional level.  There is an empty root and a child domain with the resources in the child domain.

The issue is that on ANY server running Windows Server 2008, including the domain controllers, when you try to change the password for the account that is logged on to the domain, the error message "The security database on the server does not have a computer account for this workstation trust relationship" appears.

I have removed and re-added a member server after removing all traces of the server from AD.  I have added it using the NETBIOS name as well as the DNS name; both get the same result.  I have checked the servicePrincipalName (SPN) and all of the correct records are there:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.dns.zone
RestrictedKrbHost/COMPUTERNAME
RestrictedKrbHost/COMPUTERNAME.dns.zone
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.dns.zone
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.dns.zone
When I use Network Monitor on the member server that I am trying to change the password from, I see the following KerberosV5 traffic:
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
This is followed by a few payload TCP packets, then
FROM MEMBER to DOMAIN CONTROLLER - KerberosV5: As Request Cname: <username> Realm: <domainname> Sname: kadmin/changepw
FROM DOMAIN CONTROLLER to MEMBER - KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

I have placed the member server in the Computers container so it is getting the default domain policy applied that only has the account policy being applied.
Question by:MaloneConsulting

Expert Comment

by:warddhooghe
Restart the NTDS services by executing: net stop ntds && net start ntds

If that doesn't do it, run: dcdiag.exe /fix

Author Comment

by:MaloneConsulting
Sorry for the delay, I will get back to you as soon as I get a result.

Accepted Solution

by:MaloneConsulting
I put in a ticket to Microsoft.  It turned out that we had a rogue record in AD.  Here is a little more information on the troubleshooting and resolution:
• Captured the password change using Netmon on the member server
• Found the error 01:47:32 12-10-2011 34.8187800 targetip sourceip KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:20, IPv4:18}
• Executed the following command on the PDC server: ldifde -f c:\spn.txt -t 3268 -d dc=domainname,dc=com -l "serviceprincipalname" -r "(serviceprincipalname=kadmin/changepw)" -p subtree > c:\spn_process.txt
• Checked the spn.txt file and found that we had a rogue name
• Deleted the rogue name using ADSIEDIT
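To check an ldifde export like the one in the accepted solution for the same kind of rogue entry, here is an added Python script (not from the thread or from the Microsoft support case) that parses the spn.txt LDIF output and flags every object registering kadmin/changepw that is not a krbtgt account. The sample LDIF, the OLDSERVER object and the rule that only krbtgt (or RODC krbtgt_<id>) accounts legitimately hold that SPN are assumptions of this example; the -t 3268 global catalog query in the thread covers both the empty root and the child domain, so every domain's krbtgt is expected to appear.

```python
import base64
import re

# Constructed sample of the thread's ldifde export from the global catalog
# (-t 3268): the krbtgt account of each domain plus one rogue holder.
SAMPLE_LDIF = """\
dn: CN=krbtgt,CN=Users,DC=domainname,DC=com
servicePrincipalName: kadmin/changepw

dn: CN=krbtgt,CN=Users,DC=child,DC=domainname,DC=com
servicePrincipalName: kadmin/changepw

dn: CN=OLDSERVER,CN=Computers,DC=child,DC=domainname,DC=com
servicePrincipalName: HOST/OLDSERVER
servicePrincipalName: kadmin/chan
 gepw
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines and decodes '::' base64."""
    unfolded = re.sub(r"\r?\n ", "", text)          # a line starting with a space continues the previous one
    records = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):   # base64 value, e.g. a DN with non-ASCII characters
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records

def find_rogue_changepw_holders(records):
    """DNs that carry kadmin/changepw without being a krbtgt (or RODC krbtgt_<id>) account."""
    rogue = []
    for dn, attrs in records:
        spns = [s.lower() for s in attrs.get("serviceprincipalname", [])]
        rdn = dn.split(",", 1)[0].strip().lower()
        if "kadmin/changepw" in spns and not rdn.startswith("cn=krbtgt"):
            rogue.append(dn)
    return rogue
```

Run it against the real file with find_rogue_changepw_holders(parse_ldif(open("spn.txt").read())); any DN it prints is a candidate to verify and remove with ADSIEDIT, as the thread did.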

Author Closing Comment

by:MaloneConsulting
Solved with Microsoft Support.  Posted for others.